providers/app_gw: improve templates

passbook/providers/app_gw/templates/app_gw/k8s-manifest.yaml

@@ -2,18 +2,20 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app.kubernetes.io/name: passbook-gatekeeper
+    app.kubernetes.io/name: "passbook-gatekeeper-{{ provider.name }}"
+    passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
   name: passbook-gatekeeper
-  namespace: kube-system
 spec:
   replicas: 1
   selector:
     matchLabels:
       app.kubernetes.io/name: passbook-gatekeeper
+      passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
   template:
     metadata:
       labels:
         app.kubernetes.io/name: passbook-gatekeeper
+        passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
     spec:
       containers:
       - args:
@@ -27,6 +29,10 @@ spec:
           value: "{{ cookie_secret }}"
         - name: OAUTH2_PROXY_OIDC_ISSUER_URL
           value: "{{ issuer }}"
+        - name: OAUTH2_PROXY_SET_XAUTHREQUEST
+          value: "true"
+        - name: OAUTH2_PROXY_SET_AUTHORIZATION_HEADER
+          value: "true"
         image: beryju/passbook-gatekeeper:{{ version }}
         imagePullPolicy: Always
         name: passbook-gatekeeper
@@ -38,9 +44,9 @@ apiVersion: v1
 kind: Service
 metadata:
   labels:
-    app.kubernetes.io/name: passbook-gatekeeper
+    app.kubernetes.io/name: "passbook-gatekeeper-{{ provider.name }}"
+    passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
   name: passbook-gatekeeper
-  namespace: kube-system
 spec:
   ports:
   - name: http
@@ -49,18 +55,18 @@ spec:
     targetPort: 4180
   selector:
     app.kubernetes.io/name: passbook-gatekeeper
+    passbook.beryju.org/gatekeeper/provider: "{{ provider.pk }}"
 ---
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
-  name: passbook-gatekeeper
-  namespace: kube-system
+  name: passbook-gatekeeper-{{ provider.name }}
 spec:
   rules:
   - host: {{ provider.external_host }}
     http:
       paths:
       - backend:
-          serviceName: passbook-gatekeeper
+          serviceName: "passbook-gatekeeper-{{ provider.name }}"
           servicePort: 4180
         path: /oauth2

passbook/providers/app_gw/templates/app_gw/setup_modal.html

@@ -49,8 +49,15 @@
                 <a href="{% url 'passbook_providers_app_gw:k8s-manifest' provider=provider.pk %}">{% trans 'Here' %}</a>
                 <p>{% trans 'Afterwards, add the following annotations to the Ingress you want to secure:' %}</p>
                 <textarea class="codemirror" readonly data-cm-mode="yaml">
-nginx.ingress.kubernetes.io/auth-url: "{{ provider.external_host }}/oauth2/auth"
-nginx.ingress.kubernetes.io/auth-signin: "{{ provider.external_host }}/oauth2/start?rd=$escaped_request_uri"
+nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
+nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
+nginx.ingress.kubernetes.io/configuration-snippet: |
+    auth_request_set $user_id   $upstream_http_x_auth_request_user;
+    auth_request_set $email     $upstream_http_x_auth_request_email;
+    auth_request_set $user_name $upstream_http_x_auth_request_preferred_username;
+    proxy_set_header X-User-Id  $user_id;
+    proxy_set_header X-User     $user_name;
+    proxy_set_header X-Email    $email;
                 </textarea>
             </div>
             <footer class="pf-c-modal-box__footer pf-m-align-left">