feat: add oauth2 proxy for dagster

apps/base/dagster/.env.example.oauth2-proxy

@@ -0,0 +1,2 @@
+OAUTH2_PROXY_COOKIE_SECRET=CONFIGUREME
+OAUTH2_PROXY_CLIENT_SECRET=CONFIGUREME

apps/base/dagster/.gitignore

@@ -0,0 +1,2 @@
+.oauth2-secret.env
+oauth2-proxy-dagster-secrets.yaml

apps/base/dagster/kustomization.yaml

@@ -6,5 +6,9 @@ resources:
   - codeserver-configuration.yaml
   - codeserver-secrets-sealed.yaml
   - postgres-auth-sealed.yaml
+  # Oauth2 Proxy
+  - oauth2-proxy-dagster-config.yaml
+  - oauth2-proxy-dagster-helmrelease.yaml
+  - oauth2-proxy-dagster-secrets-sealed.yaml
   # frontend
   - ingress.yaml

apps/base/dagster/oauth2-proxy-dagster-config.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: oauth2-dagster-proxy-config
+  namespace: dagster
+data:
+  OAUTH2_PROXY_PROVIDER: keycloak-oidc
+  OAUTH2_PROXY_CLIENT_ID: dagster-webserver
+  OAUTH2_PROXY_REDIRECT_URL: https://dagster.local.reinthal.cc/oauth2/callback
+  OAUTH2_PROXY_OIDC_ISSUER_URL: https://keycloak.local.reinthal.cc/auth/realms/reinthal
+  OAUTH2_PROXY_EMAIL_DOMAINS: reinthal.me
+  OAUTH2_PROXY_ALLOWED_ROLES: dagster-operator
+  OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256
+  OAUTH2_PROXY_UPSTREAMS: "http://dagster-dagster-webserver.dagster.svc"

apps/base/dagster/oauth2-proxy-dagster-helmrelease.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: oauth2-proxy
+  namespace: dagster
+spec:
+  interval: 1m0s
+  url: https://oauth2-proxy.github.io/manifests
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: oauth2-proxy
+  namespace: dagster
+spec:
+  chart:
+    spec:
+      chart: oauth2-proxy
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: oauth2-proxy
+        namespace: dagster
+      version: 7.8.0
+  install:
+    createNamespace: false
+  interval: 1m0s
+  releaseName: oauth2-dagster-webui-proxy
+  targetNamespace: dagster
+  values:
+
+    config:
+
+      existingSecret: oauth2-proxy-secrets
+      existingConfig: oauth2-dagster-proxy-config
+
+    image:
+      pullPolicy: IfNotPresent
+      repository: quay.io/oauth2-proxy/oauth2-proxy
+      tag: "v7.7.1"
+    kubeVersion: null
+    namespaceOverride: ""
+    replicaCount: 2
+    resources:
+      limits:
+        cpu: 100m
+        memory: 300Mi
+      requests:
+        cpu: 100m
+        memory: 300Mi

apps/base/dagster/oauth2-proxy-dagster-secrets-sealed.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: oauth2-proxy-secrets
+  namespace: dagster
+spec:
+  encryptedData:
+    OAUTH2_PROXY_CLIENT_SECRET: AgB5JWtR4e7oD7QgBOMYPc6oLqUtAZa3LpkSPp4+3DRnNzdbZyGDmSf256/9X8bdmYAWBn17Iqbnb/UVu8iN6NhpxoPkIErrgV0ZzWnl+qcTE44KyMFX1PwMdHuOf070DvkmboanX+gjHaPGgXdhMZffuGPKpBp2M7XYRHpydHf6EMpkfx7GlrfEKvcRlQcEh9img2Ujb7sR/TMM/zVVUf4zDryrirADs0Sj7nhtUv5jt+j0foTWsyJRaQvEJv8Ky04IWAGZ9G0Dgw4KEssLf6s/DhJz0yrb+KKvc538S33gBb5Jj0JnyRrubHVWLoZIDmXIujQ1F4ed9ZqfsfB86aBG/n0EovkKLan6oUKFM/rT/Ye6MdSxrkuH7l3dP+HRFq5HByktmNVAzOrkc1Jf3Ug4Ex1MjBSuw6ZcIaOt8vBwOCYMMZdkZ1Ffy5IbNIBZzCLu9eucxT+LEnlXra8dPsOxJ+I7uIm6fs60Mp8AKX4bZWZaULcLh5sU9LvX8f/hVT2qzMgA9+6xDq6Dy+UDJB9j9zf5S7DLOdYMUvubqL5KwPykiXXCuDf4FahM9Ry8a1BXYkwlHQCrtw83cGd5yKQQlzTdw5BbS/vSl16uMxNQhCnplEF4QXqNOnlgzw3/U9Qc2NejeOCUurAw5M/jPiheJxlUJ72XszOauvKKeMgn+Szd+ggJ8JW9Xg371DIBuv4nohfvEMwIEFTb/dmhPYJX9X3RMoPYAFb3HYQawVcy0A==
+    OAUTH2_PROXY_COOKIE_SECRET: AgBk/qFv/TmS1HEl2RhKsNyVKmuS4fY6j0fEwVJ9Aas5m1Qizq1HjTOFiCmJ4O9UKDcsxwmAa5BIPgWyB6x9PPH9N3jG/sKSdO99N2zjETmyssp5Rz+cBQexRcmVSdhiQtendcd5aBlkKFKhlSo6+SgfdO6gxgpEw5BaphEB1A7as/huS8LbjvWOqOKioh9KY3nZ6fJP036zz+3YCrUXDSdJMKfFVXQcgGVhZjohQXta2yg07E5vQugS2uj0kKCtoi4l+FMFoupgVwRkXgzVXm7g7ZHKpQYU1olGvvmHrGqF6iKYUIE+W1CzidPaQUXehqQokRlERw/S3t0wRzlIKGhP1oDrOw7/2MPRBbkj6myRY4zrVRzrksLuzDlUlRVjoKBJskgwlMkHLJTcQVa6WTNNMTFfJcpI9pZ+meFYO99WMZCb844PZwy4RFjgT5K64z5HM8NC/g61pM/P/U4QsPGp80vBs4+T3J8Gqs/RCx6DaMUKI7RaKaXjr8FPP4xPar9N4imX5AgqnBaKiOMRNcV+rIXbESh1WjDbSdKtSNZg3kJyvaJU5opE12yd/eZ3IqW0ZMUyBhSi9VXyLrMPrsrIwK23uneopoL5W0jtZBQpsUIa7jXU3VRMeatFk6Qp4Rel7iW8c2woVZMrdjafvCXcMv987fsGIHxeilhYcrXlSjCwa1+3+9bhX6/a2mewEYW7fTWuTdvM1gHQ2Wb6Y+PTijByn2oN8qWIV3Q8i3/ZxeMFdtWUytPMhUm1aA==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: oauth2-proxy-secrets
+      namespace: dagster

apps/base/dagster/readme.md

@@ -1,26 +1,29 @@
 # Oauth2 Proxy
 
 ## Generating a Cookie Secret
+
 ```bash
 python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
 ```
 
 ## Generating the Client Secret
 
 TODO
+
 ## Generating the sealed secret
 
 ```bash
 cp .env.example.oauth2-proxy .oauth2-secret.env
 ```
 
 Perform the above steps and put the secrets in `.oauth2-secret.env`. Then perform the below command.
+
 ```bash
 kubectl create secret generic oauth2-proxy-secrets \
 -n dagster --from-env-file=.oauth2-secret.env -o yaml \
---dry-run | tee oauth2-secret.yaml | \
+--dry-run | tee oauth2-proxy-dagster-secrets.yaml | \
 kubeseal --format=yaml --cert=../../../keys/pub-sealed-secrets.pem | \
-tee snowflake-secrets-sealed.yaml
+tee oauth2-proxy-dagster-secrets-sealed.yaml
 ```
 
 Commit changes and push using `deploy` script.