# File 'modules/profile/manifests/thanos/oidc.pp', line 5
# Put the Thanos web UIs behind oauth2-proxy (OIDC) on a single Apache
# virtual host, thanos.<public_domain>.
#
# @param rule_hosts    Thanos rule hosts, keyed by FQDN. Only the keys are
#                      used here, to select the single rule upstream.
# @param client_secret OIDC client secret passed to profile::oauth2_proxy::oidc.
# @param cookie_secret Secret passed to profile::oauth2_proxy::oidc for its
#                      session cookie.
# @param public_domain Public DNS domain under which the virtual host lives.
class profile::thanos::oidc (
  Hash[Stdlib::Fqdn, Hash] $rule_hosts    = lookup('profile::thanos::rule_hosts'),
  Sensitive[String]        $client_secret = lookup('profile::thanos::oidc::client_secret'),
  Sensitive[String]        $cookie_secret = lookup('profile::thanos::oidc::cookie_secret'),
  String                   $public_domain = lookup('public_domain'),
) {
  $virtual_host = "thanos.${public_domain}"

  # oauth2-proxy accepts a single upstream per path, so exactly one rule host
  # has to be chosen: the only one configured, or otherwise the first whose
  # name matches the local $::site (an unanchored regex match against the
  # FQDN, so the site name is matched as a substring).
  $rule_hostnames  = $rule_hosts.keys
  $site_rule_hosts = $rule_hostnames.filter |$candidate| { $candidate =~ $::site }
  $rule_host = $rule_hostnames.length ? {
    1       => $rule_hostnames[0],
    default => $site_rule_hosts[0],
  }
  if $rule_host.empty {
    fail("Unable to pick a rule host amongst ${rule_hosts}")
  }

  # Root upstream on localhost:16902, bucket UI on localhost:15902 and rule UI
  # on the chosen rule host:17902. Each non-root path is listed both with and
  # without its trailing slash so that oauth2-proxy path-based routing behaves
  # as expected for either form of the URL.
  $upstreams = [
    'http://localhost:16902/',
    'http://localhost:15902/bucket',
    'http://localhost:15902/bucket/',
    "http://${rule_host}:17902/rule",
    "http://${rule_host}:17902/rule/",
  ]

  class { 'profile::oauth2_proxy::oidc':
    upstreams     => $upstreams,
    client_id     => 'thanos_oidc',
    client_secret => $client_secret,
    cookie_secret => $cookie_secret,
    cookie_domain => $virtual_host,
    redirect_url  => "https://${virtual_host}/oauth2/callback",
  }

  httpd::site { 'thanos-oidc':
    content => template('profile/thanos/oidc.conf.erb'),
  }
}