oauth env sidecar

cluster-resources/policies/auth-sidecar-injector.yaml

@@ -340,6 +340,96 @@ spec:
               capabilities:
                 drop:
                 - ALL
+  - name: inject-sidecar-oauth
+    skipBackgroundRequests: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          annotations:
+            policies.forteapps.io/auth: "true"
+            policies.forteapps.io/auth-type: "oauth"
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - kyverno
+          - argocd
+          - cert-manager
+          - monitoring
+    context:
+    - name: appPort
+      variable:
+        jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
+    mutate:
+      patchStrategicMerge:
+        spec:
+          containers:
+          - name: authn
+            image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/fortedigital/auth-sidecar' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
+            imagePullPolicy: Always
+            ports:
+            - containerPort: 8080
+              name: auth
+              protocol: TCP
+            env:
+            - name: AUTH_MODE
+              value: "oauth"
+            - name: AUTH_LISTEN_ADDR
+              value: ":8080"
+            - name: AUTH_LOG_LEVEL
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-log-level\" || 'info' }}"
+            - name: AUTH_UPSTREAM_URL
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-upstream-url\" || join('', ['http://localhost:', to_string(appPort)]) }}"
+            - name: AUTH_OAUTH_AUTHORITY
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-authority\" }}"
+            - name: AUTH_OAUTH_CLIENT_ID
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-client-id\" }}"
+            - name: AUTH_OAUTH_SCOPES
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-scopes\" || 'openid,profile,email'  }}"
+            - name: AUTH_OAUTH_DELEGATION_ENABLED
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-delegation-enabled\" || 'false'  }}"
+            - name: AUTH_OAUTH_DELEGATION_CLIENT_ID
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-delegation-client-id\" || ''  }}"
+            - name: AUTH_OAUTH_DELEGATION_SCOPES
+              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-delegation-scopes\" || ''  }}"
+            - name: AUTH_OAUTH_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: auth-oauth
+                  key: client-secret
+            - name: AUTH_OAUTH_DELEGATION_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: auth-oauth
+                  key: delegation-client-secret
+            resources:
+              limits:
+                cpu: 50m
+                memory: 64Mi
+              requests:
+                cpu: 10m
+                memory: 32Mi
+            readinessProbe:
+              httpGet:
+                path: /healthz
+                port: 8080
+              initialDelaySeconds: 2
+              periodSeconds: 5
+            livenessProbe:
+              httpGet:
+                path: /healthz
+                port: 8080
+              initialDelaySeconds: 5
+              periodSeconds: 10
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities:
+                drop:
+                - ALL
   - name: generate-auth-network-policy
     skipBackgroundRequests: true
     match: