Panfactum LogoPanfactum
Infrastructure ModulesSubmodulesKuberneteskube_vault_proxy
kube_vault_proxy
Stable
Submodule
Source Code Link

Vault OAuth2 Proxy

This module provides a deployment of the OAuth2 Proxy that requires authentication with the cluster's Vault instance.

Usage

Setup

This module is intended to be used in conjunction with the kube_ingress module. domain should be set to a domain used in kube_ingress and the upstream_ingress_annotations output should be passed to the extra_annotations input of kube_ingress.

Once this is configured, request to the kube_ingress endpoints will trigger a request to an oauth2-proxy deployment via the NGINX external authentication stanza. Clients will be required to authenticate with Vault before the main request is allowed to be forwarded to the upstream.

The authentication response is cached via a cookie so this sequence only occurs on the initial request, ensuring the whole process adds very little overhead.

Authorization

There are a few means to validate users. Each of these can be used simultaneously, and a user must meet all the constraints to be authorized.

  • allowed_email_domains: Email domains that are allowed (sourced from Authentik)
  • allowed_vault_roles: The user's role in the cluster's Vault instance (one of rbac-superusers, rbac-admins, rbac-readers, rbac-restricted-readers)

Providers

The following providers are needed by this module:

  • helm (2.12.1)

  • kubectl (2.0.4)

  • kubernetes (2.27.0)

  • pf (0.0.3)

  • random (3.6.0)

  • vault (3.25.0)

Required Inputs

The following input variables are required:

domain

Description: The domain the proxy is served from

Type: string

namespace

Description: The namespace to deploy the proxy into

Type: string

vault_domain

Description: The domain of the Vault instance running in the cluster.

Type: string

Optional Inputs

The following input variables are optional (have default values):

allowed_email_domains

Description: Email domains allowed to authenticate with the proxy

Type: list(string)

Default:

[
  "*"
]

allowed_vault_roles

Description: Roles from Vault that are allowed to access the upstream resources

Type: set(string)

Default:

[
  "rbac-superusers",
  "rbac-admins",
  "rbac-readers",
  "rbac-restricted-readers"
]

az_spread_preferred

Description: Whether to enable topology spread constraints to spread pods across availability zones (with ScheduleAnyways)

Type: bool

Default: true

instance_type_anti_affinity_required

Description: Whether to enable anti-affinity to prevent pods from being scheduled on the same instance type

Type: bool

Default: true

oauth2_proxy_helm_version

Description: The version of the descheduler helm chart to deploy

Type: string

Default: "7.5.4"

panfactum_scheduler_enabled

Description: Whether to use the Panfactum pod scheduler with enhanced bin-packing

Type: bool

Default: true

path_prefix

Description: Path prefix for the ingress resource. Should be the same path prefix used by the upstream ingress resource.

Type: string

Default: "/"

pull_through_cache_enabled

Description: Whether to use the ECR pull through cache for the deployed images

Type: bool

Default: true

vpa_enabled

Description: Whether the VPA resources should be enabled

Type: bool

Default: true

Outputs

The following outputs are exported:

upstream_ingress_annotations

Description: Annotations to add to the upstream ingress

Usage

No notes