BC-6933 - add http auth to operator (#5)

hpi-schul-cloud · Apr 26, 2024 · b3b76fa · b3b76fa
1 parent 1014415
commit b3b76fa
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 1 deletion.
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -219,6 +219,12 @@ jobs:
         working-directory: ${{github.workspace }}/ansible/group_vars
         run: |
           echo "TLS_ENABLED: \"true\"" >> develop/dof_deploy.yml
+          
+      - name: 1Password
+        working-directory: ${{github.workspace }}/ansible/group_vars
+        run: |
+          echo "ONEPASSWORD_OPERATOR_VAULT: ${{ secrets.DEV_VAULT_DBC  }}" >> develop/dof_deploy.yml
+
       - run: ansible-galaxy install -r ansible/collections/requirements.yml
       - working-directory: ${{github.workspace }}/ansible/roles/sys
         run: |

diff --git a/ansible/roles/doido-mongo/tasks/main.yaml b/ansible/roles/doido-mongo/tasks/main.yaml
@@ -10,7 +10,14 @@
       namespace: "{{ NAMESPACE }}"
       template: deployment.yml.j2
       apply: yes
-
+
+  - name: http auth secret
+    kubernetes.core.k8s:
+      kubeconfig: ~/.kube/config
+      namespace: "{{ NAMESPACE }}"
+      template: onepassword_basic_auth.yml.j2
+    when: ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+
   - name: Ingress
     environment:
       K8S_AUTH_KUBECONFIG: "{{ ansible_env.HOME }}/.kube/config"

diff --git a/ansible/roles/doido-mongo/templates/ingress.yml.j2 b/ansible/roles/doido-mongo/templates/ingress.yml.j2
@@ -6,6 +6,12 @@ metadata:
   namespace: {{ NAMESPACE }}
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "{{ TLS_ENABLED|default("false") }}"
+    # type of authentication
+    nginx.ingress.kubernetes.io/auth-type: basic
+    # name of the secret that contains the user/password definitions
+    nginx.ingress.kubernetes.io/auth-secret: doido-mongo-auth-secret
+    # message to display with an appropriate context why the authentication is required
+    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
 {% if CLUSTER_ISSUER is defined %}
     cert-manager.io/cluster-issuer: {{ CLUSTER_ISSUER }}
 {% endif %}

diff --git a/ansible/roles/doido-mongo/templates/onepassword_basic_auth.yml.j2 b/ansible/roles/doido-mongo/templates/onepassword_basic_auth.yml.j2
@@ -0,0 +1,9 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: doido-mongo-auth-secret
+  namespace: {{ NAMESPACE }}
+  labels:
+    app: doido-mongo
+spec:
+  itemPath: "vaults/{{ ONEPASSWORD_OPERATOR_VAULT }}/items/doido-mongo"