diff --git a/node-red/node-red-1.yaml b/node-red/node-red-1.yaml
new file mode 100644
index 0000000..4a6adfc
--- /dev/null
+++ b/node-red/node-red-1.yaml
@@ -0,0 +1,138 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ deployment.kubernetes.io/revision: "3"
+ creationTimestamp: "2023-03-26T23:49:50Z"
+ generation: 5
+ labels:
+ app: node-red-1
+ name: node-red-1
+ namespace: node-red
+ resourceVersion: "114759861"
+ uid: 437f3f19-da65-4e5e-ac20-e631792825ac
+spec:
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ app: node-red-1
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-inject-secret-config.cfg: x
+ vault.hashicorp.com/agent-inject-template-config.cfg: |
+ cookie_secret='0ViLJk3i3NNRaTvoIFlXaA=='
+ cookie_domains=['werts.us']
+ whitelist_domains=[".werts.us"]
+ # only users with this domain will be let in
+ email_domains=["werts.us","strudelline.net","andariese.net"]
+
+ {{- with secret "kvv2/data/k8s-ns/node-red/node-red-1-werts-oidc" }}
+ client_id="{{ .Data.data.client_id }}"
+ client_secret="{{ .Data.data.client_secret }}"
+ {{- end }}
+ cookie_secure="false"
+
+ redirect_url="https://red-1.werts.us/oauth2/callback"
+
+ upstreams = [ "http://localhost:1880" ]
+ skip_auth_routes = [
+ "!=^/admin(/.*)?$"
+ ]
+
+ reverse_proxy = true
+ set_xauthrequest = true
+
+ provider="oidc"
+ oidc_issuer_url="https://auth.werts.us/realms/werts"
+ vault.hashicorp.com/role: default
+ creationTimestamp: null
+ labels:
+ app: node-red-1
+ spec:
+ containers:
+ - env:
+ - name: CHROMIUM_USER_FLAGS
+ value: --no-sandbox --disable-setuid-sandbox
+ image: jamesandariese/node-red-with-chrome
+ imagePullPolicy: Always
+ name: node-red-1
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /data
+ name: data-pv
+ - image: haproxy
+ imagePullPolicy: Always
+ name: haproxy
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /usr/local/etc/haproxy
+ name: haproxy-config
+ readOnly: true
+ - args:
+ - --http-address=0.0.0.0:4180
+ - --config=/vault/secrets/config.cfg
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ping
+ port: http
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: oauth2-proxy
+ ports:
+ - containerPort: 4180
+ name: http
+ protocol: TCP
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: data-pv
+ nfs:
+ path: /volume1/k8s-volumes/node-red-1
+ server: 172.16.18.1
+ - configMap:
+ defaultMode: 420
+ name: node-red-1-haproxy-config
+ name: haproxy-config
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: node-red-1
+ namespace: node-red
+spec:
+ ingressClassName: istio
+ rules:
+ - host: red-1.werts.us
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: node-red-1
+ port:
+ number: 4180
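Review bot: The `cookie_secret='0ViLJk3i3NNRaTvoIFlXaA=='` line in the `agent-inject-template-config.cfg` annotation commits the oauth2-proxy cookie secret to the repository, while `client_id` and `client_secret` in the same template are read from Vault. Anyone who can read this file or the Deployment's annotations holds the key that protects session cookies for red-1.werts.us, so the value should be treated as exposed and rotated. Render it inside the existing `with secret` block instead, e.g. `cookie_secret="{{ .Data.data.cookie_secret }}"` (the key name is a placeholder; it must first be added to the Vault secret). `cookie_secure="false"` sits next to an `https://` `redirect_url`, so the session cookie is issued without the Secure attribute; unless plain-HTTP access is required, set `cookie_secure="true"`. Separately, `skip_auth_routes = ["!=^/admin(/.*)?$"]` appears to leave every path except `/admin` unauthenticated, which is worth confirming as intended.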