From 48cee5a1e385b73f892465a0e1413b51b4d34a81 Mon Sep 17 00:00:00 2001
From: SeanOMik
Date: Tue, 11 Apr 2023 00:44:45 -0400
Subject: [PATCH] Add Apache Guacamole
---
cluster/apps/kustomization.yaml | 3 +-
.../utility/guacamole/guacamole.sops.yaml | 60 ++++++++++++++++
.../apps/utility/guacamole/helm-release.yaml | 68 +++++++++++++++++++
.../apps/utility/guacamole/kustomization.yaml | 5 ++
cluster/apps/utility/kustomization.yaml | 4 ++
cluster/apps/utility/namespace.yaml | 6 ++
cluster/apps/utility/network_policy.yaml | 24 +++++++
7 files changed, 169 insertions(+), 1 deletion(-)
create mode 100644 cluster/apps/utility/guacamole/guacamole.sops.yaml
create mode 100644 cluster/apps/utility/guacamole/helm-release.yaml
create mode 100644 cluster/apps/utility/guacamole/kustomization.yaml
create mode 100644 cluster/apps/utility/kustomization.yaml
create mode 100644 cluster/apps/utility/namespace.yaml
create mode 100644 cluster/apps/utility/network_policy.yaml
diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml
index f952cbb..efc5d8b 100644
--- a/cluster/apps/kustomization.yaml
+++ b/cluster/apps/kustomization.yaml
@@ -4,4 +4,5 @@ resources:
 - ./database
 - ./authentik
 - ./media
-- ./download
\ No newline at end of file
+- ./download
+- ./utility
\ No newline at end of file
diff --git a/cluster/apps/utility/guacamole/guacamole.sops.yaml b/cluster/apps/utility/guacamole/guacamole.sops.yaml
new file mode 100644
index 0000000..b79128a
--- /dev/null
+++ b/cluster/apps/utility/guacamole/guacamole.sops.yaml
@@ -0,0 +1,60 @@ +apiVersion: v1 +kind: Secret +metadata: + name: guacamole-secret + namespace: utility +stringData: + OPENID_CLIENT_ID: ENC[AES256_GCM,data:rIJWHZ9rJQ1jwXL3+Mg00ZrcUwu4CevdOHRuP/EYjbUR5cKccvgwMg==,iv:NU7HCctec1PJeE9RAi7PhSpsNR9jxSTqh/7IJgKm9aw=,tag:vAPLHnK8HbsTaisLPY/vfQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-04-11T04:35:01Z" + mac: ENC[AES256_GCM,data:Q+i2p15dIYxhSIfTxXOJF81GZEUaxBNko++GgP8mZolS4FxlRxRzfN7vTbXcjuUtHvXqhaLj5nkHr3D+DHEkQONdX+iGlQ57P69r54+YooxqN+k8xH0itbhkJOBQXsCWy7/du5O5hcaPKosD1mB8h/t4G6l0hmco6/teIr/H1fU=,iv:huBC55AnGpZZa8DLZrGjrialg4DQs41EvxrDFuUdvGo=,tag:qXsUyu9Rj2jNNJUP3EMA8g==,type:str] + pgp: + - created_at: "2023-04-07T01:57:22Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMAzKleRwoSoixAQ/9Hi4VyrUXV7LvbCFiLbyfv314lMGwrAf+2po/4Lr1hANe + KiwpfthiNheAjNaGCG6v2C1rx2Wrr5G3+rMik/1TLWbg2u9zZU4mWO8bwJUGXKDo + /T1nl47f09UPDtQ6KiG0nPf3M0Ovmk3d63R3zpY4Q7uE4uhLNDr0KD9mp7MmRCbZ + PO++tdiZa67z9owNDh/NSnQr9Y6JwjlxlkJl5SJ76vaK/SaOi/j86mOm9CV6SQmk + cLOwiO7JxV8I4gD9jlLdYEPS+nqztX5eHLRoaXsAQrX4DdWNnOF0C2sk9nMHwQTb + W8/SVmg7TiVVL6qVCXgUCgFRXllrlGlXlfv+W6ruuZIBv2MAA1V+afl5A3/KVvE6 + FDq9YrJ4XfZPCD2ZByM2386L8MiUwkfF/3uge38MT/WDU2DTT+g7jV3UQs+Awi8f + N4YBVBcp5jGTkMD0347GPfPF7kdiN/YFZ/Ws1jf/EsS6vOpKNlPn64fVJfTSfdie + rvNxksi8Y4vpwEngy38t7JRfpJniDo9iK9EwhXMChYXnWkiz/B3vMoii496B7TzO + 9gKd4v7kFA6iXI+wqbYrZfOGeLZlMI99pwTatNL4fo9ABJ7JScISzTvS7p/xB6Ae + JPdlA0Tf8wP4RYz8YYRcNlfEQPZYb4kHj5r9Ei59InHzwKfq9GyKKvluS0/k3NHU + aAEJAhCVkPuIHluRLHsjVEbKbFzSJUG8p/hSSmQnfk3CT36/dJhgv3jzoL+1/Sx1 + o8OwWPmNq8TuX9SaXfhfy/EGMulWgRaztxt9D+0+wgc8IOAPp+0SYUsaOa0T9+Pl + pjU1GRaK5AlT + =mItp + -----END PGP MESSAGE----- + fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5 + - created_at: "2023-04-07T01:57:22Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4WLYkVpP8xtAQ/9FQGyKS1wEodU9ZVZ8kxijp6aFtMCmL/I5HBEhbSLj0P9 + TVD0QwnUPZqf7zlWrAh6TspyLQdRMt9JAYZCPyLgu//FdKfBJNYeU3+aWj/lMtJ4 + 
Twgs7NPtGbRJcpF+a4NmAOIqzKfJI+h714BLFoWrGtUmTE9/dBHh2yxADSgprY1o + /4J8aHQfaqg5JwijP3PhtRMxla4YQfhqf0JRAcmQPKUDuxT2QG/wp59Fq/665aaO + JFWiCOPBqTtEhY4ML4EYNUV+Cd7UT7LOXC+Xzuj1eEGMV1Pmqd1u1UyQKvHOOXhT + AfGeCub+ZONGfmcDcY5gEMnbSCGcQEvipA3dBIIFklgnxM00jmcJ1Ojo1+MYynpl + E1XLOaolRWinlDNXA62k8iWG33hcxHGSzkHrsQjtqrrD2PdHS1RmTJ8Hn+iuRUn6 + /fGk8ZQJ7oMPsZNyfiM0OdwSXxJ4rQUtGkHHd727S4K6nXC6OLxXCzl7lYG7QKcP + RVrbFMNv01aToyNGhLmcSxUYdQ4oc+nv65rNZDsdbi34T+dlULboJDkwV6JrJ5dz + hlu3ySgijZuRD5bfpfKB2RScu2ixEijOIyk1oXBB2Dhyh1ezc3qnAw8xkGr9W2SE + roBuu95mZsIZEtfMS5hxwGyWzSCENnbkSukQhUoIjRXryly7MQgNZ5FMX+f5n3DU + aAEJAhBJcIEidIhFVqDkezzMcofKl3MlXWqkfTUV3vsjz6EpN1FwhpZ3prTexUcM + 9XCx9Wq1kMpjkphWETh2lSAafyIz6R/d4zWV5IWIeDh+USYT9z0Rprp4URka4Wjx + fux0T5xDbgq5 + =eiXM + -----END PGP MESSAGE----- + fp: 8DF31C9F48A24F525FFB1815FC96C52B59328E95 + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/utility/guacamole/helm-release.yaml b/cluster/apps/utility/guacamole/helm-release.yaml new file mode 100644 index 0000000..8a81022 --- /dev/null +++ b/cluster/apps/utility/guacamole/helm-release.yaml 
@@ -0,0 +1,68 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: guacamole
+ namespace: utility
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: 1.3.x
+ sourceRef:
+ kind: HelmRepository
+ name: bjws-charts
+ namespace: flux-system
+
+ values:
+ image:
+ repository: abesnier/guacamole
+ tag: 1.5.0-alpine
+
+ env:
+ EXTENSIONS=auth-openid
+ OPENID_AUTHORIZATION_ENDPOINT=https://auth.${SECRET_NEW_DOMAIN}/application/o/authorize/
+ OPENID_ISSUER=https://auth.${SECRET_NEW_DOMAIN}/application/o/apache-guacamole/
+ OPENID_JWKS_ENDPOINT=https://auth.${SECRET_NEW_DOMAIN}/application/o/apache-guacamole/jwks/
+ OPENID_REDIRECT_URI=https://remote.${SECRET_NEW_DOMAIN}/
+
+ envFrom:
+ - secretRef:
+ name: guacamole-secret
+
+ service:
+ main:
+ ports:
+ http:
+ port: 8080
+
+ probes:
+ liveness:
+ enabled: false
+
+ ingress:
+ main:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ hosts:
+ - host: "remote.${SECRET_NEW_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+
+ persistence:
+ config:
+ enabled: true
+ type: hostPath
+ hostPath: /mnt/MainPool/Kubernetes/guacamole
+ mountPath: /config
+
+ resources:
+ requests:
+ cpu: 2m
+ memory: 830Mi
+
+ limits:
+ memory: 1200Mi
\ No newline at end of file
diff --git a/cluster/apps/utility/guacamole/kustomization.yaml b/cluster/apps/utility/guacamole/kustomization.yaml
new file mode 100644
index 0000000..fdf1b40
--- /dev/null
+++ b/cluster/apps/utility/guacamole/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./guacamole.sops.yaml
+- ./helm-release.yaml
\ No newline at end of file
diff --git a/cluster/apps/utility/kustomization.yaml b/cluster/apps/utility/kustomization.yaml
new file mode 100644
index 0000000..3e33643
--- /dev/null
+++ b/cluster/apps/utility/kustomization.yaml
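Review bot: The `env:` block under `values` is not a mapping — `EXTENSIONS=auth-openid` and the four `OPENID_*=...` lines use `=` instead of `: `, so YAML folds them into one plain multi-line string and `env` ends up as a single scalar rather than name/value pairs. Depending on how app-template 1.3 treats a scalar `env`, the release will either fail to render or start the container with none of these variables set; in the latter case the auth-openid extension is never enabled and Guacamole would presumably come up with the image's default authentication behind the public `remote.${SECRET_NEW_DOMAIN}` ingress. Write them as map entries, quoted because the values are Flux-substituted URLs, as below. The `OPENID_CLIENT_ID` from `guacamole-secret` is still picked up via `envFrom`, so nothing else in the values needs to change.
```yaml
    env:
      EXTENSIONS: auth-openid
      OPENID_AUTHORIZATION_ENDPOINT: "https://auth.${SECRET_NEW_DOMAIN}/application/o/authorize/"
      OPENID_ISSUER: "https://auth.${SECRET_NEW_DOMAIN}/application/o/apache-guacamole/"
      OPENID_JWKS_ENDPOINT: "https://auth.${SECRET_NEW_DOMAIN}/application/o/apache-guacamole/jwks/"
      OPENID_REDIRECT_URI: "https://remote.${SECRET_NEW_DOMAIN}/"
    # … unchanged: envFrom, service, probes, ingress, persistence, resources …
```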
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./guacamole
\ No newline at end of file
diff --git a/cluster/apps/utility/namespace.yaml b/cluster/apps/utility/namespace.yaml
new file mode 100644
index 0000000..4a62806
--- /dev/null
+++ b/cluster/apps/utility/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: utility
+ labels:
+ name: utility
\ No newline at end of file
diff --git a/cluster/apps/utility/network_policy.yaml b/cluster/apps/utility/network_policy.yaml
new file mode 100644
index 0000000..5b6fc20
--- /dev/null
+++ b/cluster/apps/utility/network_policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-most-allow-some
+ namespace: utility
+spec:
+ # Apply to all pods in this namespace
+ podSelector: {}
+ ingress:
+ - from:
+ # Allow all pods in this namespace
+ - namespaceSelector:
+ matchLabels:
+ name: "utility"
+
+ # Allow traefik pods
+ - namespaceSelector:
+ matchLabels:
+ name: "traefik"
+
+ # Allow all pods with this label
+ - podSelector:
+ matchLabels:
+ needsUtility: "yes"
\ No newline at end of file
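Review bot: `cluster/apps/utility/kustomization.yaml` lists only `./guacamole`, so the `namespace.yaml` and `network_policy.yaml` files created in this same commit are not referenced by any kustomization visible in the patch. Unless a parent overlay outside this diff picks them up, the `utility` Namespace is never created and the `deny-most-allow-some` NetworkPolicy is never applied, which leaves the guacamole pod reachable from every pod in the cluster despite the policy existing in git. Add `- ./namespace.yaml` and `- ./network_policy.yaml` to the `resources` list alongside `./guacamole`, matching how the top-level `cluster/apps/kustomization.yaml` pulls in `./utility`.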
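Review bot: The third `from` entry in `network_policy.yaml` is a bare `podSelector` on `needsUtility: "yes"`, which Kubernetes scopes to the policy's own namespace; those pods are already admitted by the first entry (`name: "utility"`), so the rule adds nothing and the comment `# Allow all pods with this label` overstates what it does. If the intent is labelled pods from any namespace, pair it with an empty namespace selector — `- namespaceSelector: {}` with the existing `podSelector` as a sibling key in the same entry — since a `namespaceSelector` and `podSelector` in one `from` element are ANDed while separate elements are ORed. With no `policyTypes` set the policy only governs ingress, so egress from the namespace stays unrestricted; worth stating in the header comment (`# Ingress only: egress is not restricted by this policy`) or tightening explicitly once the hosts Guacamole must reach are known. The `name: "traefik"` match also assumes the traefik namespace carries that label, which is presumably set elsewhere in the repo.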