diff --git a/cluster-resources/policies/auth-sidecar-injector.yaml b/cluster-resources/policies/auth-sidecar-injector.yaml
index 6b41047..2445a8c 100644
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -340,6 +340,96 @@ spec:
 capabilities:
 drop:
 - ALL
+ - name: inject-sidecar-oauth
+ skipBackgroundRequests: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ annotations:
+ policies.forteapps.io/auth: "true"
+ policies.forteapps.io/auth-type: "oauth"
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kyverno
+ - argocd
+ - cert-manager
+ - monitoring
+ context:
+ - name: appPort
+ variable:
+ jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
+ mutate:
+ patchStrategicMerge:
+ spec:
+ containers:
+ - name: authn
+ image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/fortedigital/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: auth
+ protocol: TCP
+ env:
+ - name: AUTH_MODE
+ value: "oauth"
+ - name: AUTH_LISTEN_ADDR
+ value: ":8080"
+ - name: AUTH_LOG_LEVEL
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-log-level\" || 'info' }}"
+ - name: AUTH_UPSTREAM_URL
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-upstream-url\" || join('', ['http://localhost:', to_string(appPort)]) }}"
+ - name: AUTH_OAUTH_AUTHORITY
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-authority\" }}"
+ - name: AUTH_OAUTH_CLIENT_ID
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-client-id\" }}"
+ - name: AUTH_OAUTH_SCOPES
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-scopes\" || 'openid,profile,email' }}"
+ - name: AUTH_OAUTH_DELEGATION_ENABLED
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-delegation-enabled\" || 'false' }}"
+ - name: AUTH_OAUTH_DELEGATION_CLIENT_ID
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-delegation-client-id\" || '' }}"
+ - name: AUTH_OAUTH_DELEGATION_SCOPES
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-delegation-scopes\" || '' }}"
+ - name: AUTH_OAUTH_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: auth-oauth
+ key: client-secret
+ - name: AUTH_OAUTH_DELEGATION_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: auth-oauth
+ key: delegation-client-secret
+ resources:
+ limits:
+ cpu: 50m
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 2
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
 - name: generate-auth-network-policy
 skipBackgroundRequests: true
 match:
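Review bot: The `AUTH_OAUTH_DELEGATION_CLIENT_SECRET` entry hard-requires the `delegation-client-secret` key of the `auth-oauth` Secret even though delegation defaults to `'false'`, so a namespace whose Secret only carries `client-secret` gets a pod that never starts (CreateContainerConfigError); add `optional: true` under that `secretKeyRef`. The sidecar image is overridable per pod through the `auth-image` / `auth-image-version` annotations and defaults to the unpinned `latest` tag with `imagePullPolicy: Always`, so the policy does not guarantee which image ends up holding the client secret — pin the default to a fixed tag or digest and consider dropping or allow-listing the override. `AUTH_OAUTH_AUTHORITY` and `AUTH_OAUTH_CLIENT_ID` are the only annotation lookups without a `||` fallback; a pod carrying the opt-in annotation but missing either presumably fails variable resolution rather than getting a clear admission message, so a preceding validate rule requiring both annotations would make the contract explicit. Nothing in the rule checks that the application container does not already use port 8080, which the injected `authn` container claims for both `AUTH_LISTEN_ADDR` and its probes. The `rules` list this entry belongs to begins above the hunk, and whether traffic is actually forced through the sidecar depends on the `generate-auth-network-policy` rule that follows it.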