From f6f681c4b4da5b17192f3fd8e966c128de104773 Mon Sep 17 00:00:00 2001
From: James Pace <jpace121@gmail.com>
Date: Sun, 29 Jan 2023 16:18:10 -0500
Subject: [PATCH] Best effort kanboard behind oauth proxy with passthrough
 login.

---
 deployments/kanboard-deployment.yaml | 99 ++++++++++++++++++++++++++++
 images/Dockerfile_kanboard           |  2 +
 images/kanboard-conf.php             | 20 ++++++
 3 files changed, 121 insertions(+)
 create mode 100644 deployments/kanboard-deployment.yaml
 create mode 100644 images/Dockerfile_kanboard
 create mode 100644 images/kanboard-conf.php

diff --git a/deployments/kanboard-deployment.yaml b/deployments/kanboard-deployment.yaml
new file mode 100644
index 0000000..13c10f2
--- /dev/null
+++ b/deployments/kanboard-deployment.yaml
@@ -0,0 +1,99 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: kanboard-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kanboard-deployment
+  labels:
+    app: kanboard
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: kanboard
+  template:
+    metadata:
+      labels:
+        app: kanboard
+    spec:
+      containers:
+      - name: oauth-proxy
+        image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+        args:
+        - --cookie-secret=RWqAKjoAp1-kDc2QRtITP8xx6WsXQzDGl33ExDh8mcs=
+        - --cookie-secure=false
+        - --email-domain=*
+        - --provider=keycloak-oidc
+        - --client-id=kanboard
+        - --client-secret=oT6dMBS87jc385utLumMoffJ9MqLEGRY
+        - --redirect-url=http://kanboard.jpace121.net
+        - --oidc-issuer-url=https://auth.jpace121.net/realms/jpace121-main
+        - --pass-user-headers=true
+        - --reverse-proxy=true
+        - --upstream=http://localhost:80/
+        - --http-address=0.0.0.0:8080
+        ports:
+        - containerPort: 8080
+      - name: kanboard-app
+        image: 192.168.1.128:8443/kanboard:latest
+        ports:
+        - containerPort: 80
+        - containerPort: 443
+        env:
+        - name: DATABASE_URL
+          value: "postgres://postgres:jdsjkksksklw@localhost/kanboard"
+      - name: kanboard-db
+        image: docker.io/library/postgres:bullseye
+        env:
+        - name: POSTGRES_DB
+          value: "kanboard"
+        - name: POSTGRES_PASSWORD
+          value: "jdsjkksksklw"
+        volumeMounts:
+        - name: db-storage
+          mountPath: "/var/lib/postgresql/data"
+      volumes:
+      - name: db-storage
+        persistentVolumeClaim:
+          claimName: kanboard-pvc
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kanboard-service
+spec:
+  selector:
+    app: kanboard
+  ports:
+    - protocol: TCP
+      targetPort: 8080
+      port: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: kanboard-ingress
+spec:
+  rules:
+  - host: kanboard.jpace121.net
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: kanboard-service
+            port:
+              number: 80
\ No newline at end of file
diff --git a/images/Dockerfile_kanboard b/images/Dockerfile_kanboard
new file mode 100644
index 0000000..8a24969
--- /dev/null
+++ b/images/Dockerfile_kanboard
@@ -0,0 +1,2 @@
+FROM docker.io/kanboard/kanboard:latest
+COPY kanboard-conf.php /var/www/app/config.php
diff --git a/images/kanboard-conf.php b/images/kanboard-conf.php
new file mode 100644
index 0000000..c873d1d
--- /dev/null
+++ b/images/kanboard-conf.php
@@ -0,0 +1,20 @@
+<?php
+
+define('DEBUG', false);
+define('LOG_DRIVER', 'stdout');
+
+// Enable/disable reverse proxy authentication
+define('REVERSE_PROXY_AUTH', true); // Set this value to true
+
+// The HTTP header to retrieve. If not specified, REMOTE_USER is the default
+define('REVERSE_PROXY_USER_HEADER', 'HTTP_FORWARDED_USER');
+
+// The default Kanboard admin for your organization.
+// Since everything should be filtered by the reverse proxy,
+// you should want to have a bootstrap admin user.
+define('REVERSE_PROXY_DEFAULT_ADMIN', 'jimmy');
+
+// The default domain to assume for the email address.
+// In case the username is not an email address, it
+// will be updated automatically as USER@mydomain.com
+define('REVERSE_PROXY_DEFAULT_DOMAIN', 'internal.jpace121.net');