From a07b6311b9c079cc13e4204c366b476f1851956b Mon Sep 17 00:00:00 2001
From: Andrew Stoltz
Date: Sat, 4 Apr 2026 14:22:51 -0500
Subject: [PATCH] Add Blue Jay branding, kubectl-proxy, RBAC, and properties to Guacamole
- guacamole-branding ConfigMap with Blue Jay dark theme CSS
- guacamole-properties ConfigMap with ban/TOTP/session config
- kubectl-proxy sidecar on guacd for K8s pod exec connections
- guacd-exec ServiceAccount + ClusterRole/Binding for pod exec RBAC
- Volume mounts for branding JAR and properties on guacamole webapp
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 apps/guacamole/guacamole.yaml | 113 ++++++++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index 3963e86..5e13f7c 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -175,12 +175,16 @@ spec:
 labels:
 app: guacd
 spec:
+ serviceAccountName: guacd-exec
 containers:
 - name: guacd
 image: guacamole/guacd:latest
 ports:
 - containerPort: 4822
 name: guacd
+ env:
+ - name: LOG_LEVEL
+ value: debug
 resources:
 requests:
 memory: 128Mi
@@ -193,6 +197,23 @@ spec:
 port: 4822
 initialDelaySeconds: 15
 periodSeconds: 10
+ - name: kubectl-proxy
+ image: bitnami/kubectl:latest
+ args:
+ - proxy
+ - "--port=8001"
+ - "--address=127.0.0.1"
+ - "--accept-hosts=.*"
+ - "--accept-paths=.*"
+ - "--disable-filter=true"
+ - "--v=2"
+ resources:
+ requests:
+ memory: 32Mi
+ cpu: 10m
+ limits:
+ memory: 64Mi
+ cpu: 50m
 ---
 apiVersion: v1
 kind: Service
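Review bot: `LOG_LEVEL: debug` on the guacd container (first hunk, `-175,12`) reads like a troubleshooting setting left in place; debug output from a remote-access daemon is verbose and can carry connection details into pod logs, which are usually readable by more people than the gateway itself. Unless it is needed permanently, use `value: info`. The same hunk sets `serviceAccountName: guacd-exec` for the whole pod, so the identity applies to guacd as well as the sidecar; a one-line comment such as `# identity used by the kubectl-proxy sidecar for pod exec` would make that intent visible. The pod spec starts and continues outside the hunk.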
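Review bot: In the `kubectl-proxy` args (second hunk, `-193,6`), `--disable-filter=true` switches off the proxy's request filtering entirely, which also makes the `--accept-hosts=.*` and `--accept-paths=.*` lines redundant. If the aim is only to let exec/attach through (kubectl's default reject list blocks those paths), keep the filter and override just that list: drop `--disable-filter=true` and `--accept-hosts=.*` and add `- "--reject-paths=^$"`. The proxy is unauthenticated on loopback, so every process in the pod, guacd included, acts with the service account's rights. `bitnami/kubectl:latest` is a mutable tag for a container that holds those rights, so pin it, e.g. `image: bitnami/kubectl:<version>@sha256:<digest>`. The containers list this entry is appended to begins outside the hunk.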
@@ -274,6 +295,20 @@ spec:
 port: 8080
 initialDelaySeconds: 60
 periodSeconds: 5
+ volumeMounts:
+ - name: guac-properties
+ mountPath: /etc/guacamole/guacamole.properties
+ subPath: guacamole.properties
+ - name: bluejay-branding
+ mountPath: /etc/guacamole/extensions/bluejay-branding-1.0.0.jar
+ subPath: bluejay-branding-1.0.0.jar
+ volumes:
+ - name: guac-properties
+ configMap:
+ name: guacamole-properties
+ - name: bluejay-branding
+ configMap:
+ name: guacamole-branding
 ---
 apiVersion: v1
 kind: Service
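Review bot: Both new mounts use `subPath`, and a ConfigMap mounted through `subPath` is not refreshed when the ConfigMap changes, so edits to the ban/TOTP settings in `guacamole-properties` only take effect after the pod restarts. A comment on the mount (`# subPath mounts do not pick up ConfigMap updates; restart the pod after editing`) or a checksum annotation on the pod template would cover that. It is also worth confirming that the webapp reads `/etc/guacamole` at all: the upstream image typically assembles its own GUACAMOLE_HOME at startup, and the container's env is outside this hunk, so the properties and extension may be silently ignored unless `GUACAMOLE_HOME` points there. Adding `readOnly: true` to both mounts would document that the extension JAR and properties are not meant to be written by the webapp.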
@@ -342,3 +377,81 @@ metadata:
 namespace: guacamole
 spec:
 itemPath: vaults/IAmWorkin/items/Guacamole
+---
+# Blue Jay Branding Extension (CSS + translations)
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: guacamole-branding
+ namespace: guacamole
+binaryData:
+ bluejay-branding-1.0.0.jar: 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
+---
+# Guacamole custom properties
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: guacamole-properties
+ namespace: guacamole
+data:
+ guacamole.properties: |
+ # Blue Jay Remote Access — Guacamole Configuration
+ # MySQL/guacd settings provided via env vars — do NOT duplicate here
+
+ # Extension Priority
+ extension-priority: mysql, ban, bluejay, *
+
+ # Ban (brute force)
+ ban-max-invalid-attempts: 5
+ ban-address-duration: 300000
+ ban-max-addresses: 1000
+
+ # TOTP
+ totp-issuer: Blue Jay Remote Access
+ totp-digits: 6
+ totp-period: 30
+ totp-mode: sha256
+
+ # Session
+ api-session-timeout: 60
+---
+# guacd ServiceAccount for K8s exec
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: guacd-exec
+ namespace: guacamole
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: guacd-pod-exec
+ labels:
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/name: guacd
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["pods/exec", "pods/attach"]
+ verbs: ["create", "get"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["list", "get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: guacd-pod-exec
+ labels:
+ app.kubernetes.io/component: proxy
+ app.kubernetes.io/name: guacd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: guacd-pod-exec
+subjects:
+ - kind: ServiceAccount
+ name: guacd-exec
+ namespace: guacamole
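Review bot: The `ClusterRoleBinding` at the end of this hunk gives `guacd-exec` `create` on `pods/exec` and `pods/attach` in every namespace, so the gateway pod can run commands in any workload in the cluster, system namespaces included. Binding the same ClusterRole per target namespace keeps the reach explicit: use `kind: RoleBinding` with `namespace: <target-namespace>` under `metadata`, and leave only the `namespaces` list rule bound cluster-wide if it is needed. In `guacamole.properties`, `ban-address-duration: 300000` is about 3.5 days if the unit is seconds as in the upstream documentation (the value looks like 5 minutes written in milliseconds). `extension-priority: mysql, ban, bluejay, *` loads `ban` after `mysql`, whereas upstream guidance, as far as I recall, is for the ban extension to load first; both are worth checking against the docs for the deployed version.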