- guacamole-branding ConfigMap with Blue Jay dark theme CSS - guacamole-properties ConfigMap with ban/TOTP/session config - kubectl-proxy sidecar on guacd for K8s pod exec connections - guacd-exec ServiceAccount + ClusterRole/Binding for pod exec RBAC - Volume mounts for branding JAR and properties on guacamole webapp Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# Apache Guacamole - Remote Desktop Gateway
# MySQL 8 + guacd + guacamole web
# ArgoCD managed - BlueJay Lab
# ALL credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
# Only the DB-* fields are consumed by the resources in this file; username,
# password and URL are synced into the Secret but not referenced by any manifest here.
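---
# Namespace for the whole Guacamole stack.
apiVersion: v1
kind: Namespace
metadata:
  name: guacamole
  labels:
    app.kubernetes.io/part-of: bluejay-infra
    # Pod Security Admission in audit/warn mode only: surfaces workloads that
    # would not pass the restricted profile (the stock MySQL image is likely to
    # trip it, as it starts as root) without blocking anything. Switch to
    # enforce once every pod in the namespace complies.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted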
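---
# MySQL 8 StatefulSet
#
# Review notes:
# - mysql:8.0 is a floating minor tag; pin to a patch tag or digest so upgrades
#   are deliberate and auditable rather than whatever the registry serves next.
# - With MYSQL_ROOT_HOST unset the official image creates the root account for
#   any host (root@'%'). As long as the initdb Job in this file connects as root
#   over the network that is required; once the Job uses the application DB
#   user, set MYSQL_ROOT_HOST=localhost (only honoured on first initialisation
#   of an empty data directory).
# - The pod never talks to the Kubernetes API, so no SA token is mounted.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: guac-mysql
  namespace: guacamole
  labels:
    app: guac-mysql
spec:
  serviceName: guac-mysql
  replicas: 1
  selector:
    matchLabels:
      app: guac-mysql
  template:
    metadata:
      labels:
        app: guac-mysql
    spec:
      automountServiceAccountToken: false
      containers:
        - name: mysql
          image: mysql:8.0
          ports:
            - containerPort: 3306
              name: mysql
          env:
            # All values come from the 1Password-synced Secret; nothing inline.
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Root-Password
            - name: MYSQL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Name
            - name: MYSQL_USER
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-User
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Password
          volumeMounts:
            - name: guac-mysql-data
              mountPath: /var/lib/mysql
          resources:
            requests:
              memory: 256Mi
              cpu: 100m
            limits:
              memory: 1Gi
              cpu: 500m
          # mysqladmin ping needs no credentials to report the server alive;
          # it only proves the listener answers, not that auth works.
          livenessProbe:
            exec:
              command:
                - mysqladmin
                - ping
                - -h
                - localhost
            initialDelaySeconds: 60
            periodSeconds: 10
          readinessProbe:
            exec:
              command:
                - mysqladmin
                - ping
                - -h
                - localhost
            initialDelaySeconds: 30
            periodSeconds: 5
  volumeClaimTemplates:
    - metadata:
        name: guac-mysql-data
      spec:
        accessModes: [ReadWriteOnce]
        resources:
          requests:
            storage: 5Gi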
---
# Headless Service: gives the StatefulSet pod the stable DNS name guac-mysql
# that the initdb Job and the webapp connect to. No cluster IP, no balancing.
apiVersion: v1
kind: Service
metadata:
  namespace: guacamole
  name: guac-mysql
spec:
  clusterIP: None
  selector:
    app: guac-mysql
  ports:
    - name: mysql
      port: 3306
      targetPort: 3306
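---
# DB schema init Job
# Generates the Guacamole MySQL schema and applies it once.
#
# Changes from the previous version:
# - Runs as the application DB user (DB-User) instead of root. The official
#   mysql image grants that user ALL on MYSQL_DATABASE, which covers the
#   CREATE TABLE / INSERT statements the schema needs; fall back to
#   DB-Root-Password only if that grant has been narrowed.
# - The password is passed through MYSQL_PWD rather than on the command line.
# - "|| true" is gone: the Job now checks whether the schema is already present
#   and exits 0 in that case, and otherwise fails loudly (restartPolicy:
#   OnFailure retries it) instead of hiding every error.
#
# NOTE(review): the generated schema also seeds Guacamole's default admin
# account (guacadmin / guacadmin). Change that password or disable the account
# immediately after the first successful login; nothing in this file does so.
apiVersion: batch/v1
kind: Job
metadata:
  name: guacamole-initdb
  namespace: guacamole
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  ttlSecondsAfterFinished: 300
  template:
    spec:
      restartPolicy: OnFailure
      # Nothing here talks to the Kubernetes API.
      automountServiceAccountToken: false
      initContainers:
        - name: wait-for-mysql
          image: mysql:8.0
          command:
            - sh
            - -c
            - |
              until mysqladmin ping -h guac-mysql --silent; do
                echo "Waiting for MySQL..."
                sleep 5
              done
      containers:
        - name: initdb
          # TODO(review): pin to a release tag or digest; the schema generated by
          # initdb.sh must match the webapp version that will use it.
          image: guacamole/guacamole:latest
          command:
            - sh
            - -c
            - |
              set -eu
              # guacamole_user is part of the base schema: if it exists, the
              # schema has already been applied and this run is a no-op.
              if mysql -h guac-mysql -u "$MYSQL_USER" "$MYSQL_DATABASE" \
                   -e 'SELECT 1 FROM guacamole_user LIMIT 1' >/dev/null 2>&1; then
                echo "Guacamole schema already present; nothing to do"
                exit 0
              fi
              # Generate schema SQL
              /opt/guacamole/bin/initdb.sh --mysql > /tmp/initdb.sql
              # Apply schema; any error fails the Job
              mysql -h guac-mysql -u "$MYSQL_USER" "$MYSQL_DATABASE" < /tmp/initdb.sql
              echo "Guacamole schema applied"
          env:
            # Read by the mysql client; keeps the secret out of argv.
            - name: MYSQL_PWD
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Password
            - name: MYSQL_USER
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-User
            - name: MYSQL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Name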
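---
# guacd (Guacamole daemon)
#
# Review notes:
# - guacd's protocol on 4822 carries no authentication: any client that can
#   reach the Service can open a connection with parameters of its choosing.
#   With the kubectl-proxy sidecar below, that includes Kubernetes exec
#   sessions authorised by the guacd-exec ServiceAccount. Restrict ingress to
#   4822 to the guacamole webapp pods with a NetworkPolicy (assuming the CNI
#   enforces them) and keep the guacd-pod-exec ClusterRole as narrow as possible.
# - The proxy binds to the pod's loopback only, so guacd is the only caller.
#   Its request filter is now left enabled and limited to the exec endpoint
#   instead of --disable-filter=true / --accept-hosts=.* / --accept-paths=.*,
#   which exposed the SA's entire API surface on that port.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: guacd
  namespace: guacamole
  labels:
    app: guacd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: guacd
  template:
    metadata:
      labels:
        app: guacd
    spec:
      # The SA token is consumed by the kubectl-proxy sidecar; guacd itself
      # never talks to the API server directly.
      serviceAccountName: guacd-exec
      containers:
        - name: guacd
          # TODO(review): pin to a release tag or digest; a floating tag cannot
          # be audited and can change underneath ArgoCD.
          image: guacamole/guacd:latest
          ports:
            - containerPort: 4822
              name: guacd
          env:
            # debug is very verbose; consider info once the lab is stable.
            - name: LOG_LEVEL
              value: debug
          securityContext:
            allowPrivilegeEscalation: false
          resources:
            requests:
              memory: 128Mi
              cpu: 100m
            limits:
              memory: 512Mi
              cpu: 500m
          livenessProbe:
            tcpSocket:
              port: 4822
            initialDelaySeconds: 15
            periodSeconds: 10
        - name: kubectl-proxy
          # TODO(review): pin to a release tag or digest (see note above).
          image: bitnami/kubectl:latest
          # Only the pod exec subresource that Guacamole's "kubernetes" protocol
          # uses is accepted. kubectl proxy's default --reject-paths blocks
          # exec/attach, so it is overridden with the match-nothing pattern ^$.
          # --accept-hosts keeps its default (localhost / 127.0.0.1); widen it
          # only if the Guacamole connection is configured with another hostname.
          args:
            - proxy
            - "--port=8001"
            - "--address=127.0.0.1"
            - "--accept-paths=^/api/v1/namespaces/[^/]+/pods/[^/]+/exec$"
            - "--reject-paths=^$"
            - "--v=2"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              memory: 32Mi
              cpu: 10m
            limits:
              memory: 64Mi
              cpu: 50m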
---
# ClusterIP Service in front of guacd. The protocol behind it is
# unauthenticated, so reachability of this Service is the security boundary.
apiVersion: v1
kind: Service
metadata:
  namespace: guacamole
  name: guacd
spec:
  selector:
    app: guacd
  ports:
    - name: guacd
      port: 4822
      targetPort: 4822
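---
# Guacamole Web Application
#
# Review notes:
# - The custom guacamole.properties and the branding JAR are mounted under
#   /etc/guacamole. That only takes effect if the image reads that directory
#   as GUACAMOLE_HOME — verify; if it does not, the ban/TOTP settings in the
#   ConfigMap are silently ignored.
# - The totp-* properties configure but do not enable the TOTP extension; on
#   the official image that is done with TOTP_ENABLED=true, which is not set
#   here. Confirm whether MFA is actually active before relying on it.
# - The branding JAR is loaded as an extension inside this JVM, i.e. it is
#   code, not static assets; see the guacamole-branding ConfigMap.
# - This pod never talks to the Kubernetes API, so no SA token is mounted.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: guacamole
  namespace: guacamole
  labels:
    app: guacamole
spec:
  replicas: 1
  selector:
    matchLabels:
      app: guacamole
  template:
    metadata:
      labels:
        app: guacamole
    spec:
      automountServiceAccountToken: false
      containers:
        - name: guacamole
          # TODO(review): pin to a release tag or digest, and keep it in step
          # with the image used by the guacamole-initdb Job.
          image: guacamole/guacamole:latest
          ports:
            - containerPort: 8080
              name: http
          env:
            - name: GUACD_HOSTNAME
              value: guacd
            - name: GUACD_PORT
              value: "4822"
            - name: MYSQL_HOSTNAME
              value: guac-mysql
            - name: MYSQL_PORT
              value: "3306"
            - name: MYSQL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Name
            - name: MYSQL_USER
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-User
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Password
            # Traefik terminates TLS and proxies to this pod, so without a
            # RemoteIpValve Tomcat sees every request as coming from Traefik.
            # The ban extension configured in guacamole.properties keys on the
            # client address: five failed logins from anyone would then ban
            # Traefik's address for every user (or never trigger at all). The
            # valve makes Tomcat honour X-Forwarded-For / X-Forwarded-Proto from
            # trusted proxies. Tighten PROXY_ALLOWED_IPS_REGEX to Traefik's pod
            # range rather than relying on the image default (verify what that
            # default is) so other in-cluster clients cannot spoof their address.
            - name: REMOTE_IP_VALVE_ENABLED
              value: "true"
          resources:
            requests:
              memory: 256Mi
              cpu: 100m
            limits:
              memory: 1Gi
              cpu: 500m
          livenessProbe:
            httpGet:
              path: /guacamole/
              port: 8080
            initialDelaySeconds: 120
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /guacamole/
              port: 8080
            initialDelaySeconds: 60
            periodSeconds: 5
          volumeMounts:
            - name: guac-properties
              mountPath: /etc/guacamole/guacamole.properties
              subPath: guacamole.properties
              readOnly: true
            - name: bluejay-branding
              mountPath: /etc/guacamole/extensions/bluejay-branding-1.0.0.jar
              subPath: bluejay-branding-1.0.0.jar
              readOnly: true
      volumes:
        - name: guac-properties
          configMap:
            name: guacamole-properties
        - name: bluejay-branding
          configMap:
            name: guacamole-branding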
---
# ClusterIP Service for the webapp; Traefik (IngressRoute below) is the only
# intended client, over plain HTTP inside the cluster.
apiVersion: v1
kind: Service
metadata:
  namespace: guacamole
  name: guacamole
spec:
  selector:
    app: guacamole
  ports:
    - name: http
      port: 8080
      targetPort: 8080
---
# Traefik addPrefix middleware
# Requests for guac.iamworkin.lan/... reach Tomcat as /guacamole/..., so the
# webapp can stay at its default context path.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  namespace: guacamole
  name: guac-add-prefix
spec:
  addPrefix:
    prefix: /guacamole
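---
# TLS Certificate via cert-manager
# Issued by the cluster-wide step-ca-acme issuer (internal CA); Traefik serves
# it from the guacamole-tls Secret referenced by the IngressRoute.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: guacamole-tls
  namespace: guacamole
spec:
  secretName: guacamole-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - guac.iamworkin.lan
  privateKey:
    # Generate a fresh key on every renewal instead of reusing the old one.
    rotationPolicy: Always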
---
# Traefik IngressRoute
# HTTPS only (websecure entrypoint); there is no plain-HTTP route or redirect
# defined in this file. Traefik forwards the client address in
# X-Forwarded-For, which the webapp must be configured to trust for the ban
# extension to see real client IPs.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  namespace: guacamole
  name: guacamole
spec:
  entryPoints: [websecure]
  tls:
    secretName: guacamole-tls
  routes:
    - kind: Rule
      match: Host(`guac.iamworkin.lan`)
      middlewares:
        - name: guac-add-prefix
      services:
        - name: guacamole
          port: 8080
---
# 1Password secret sync — the operator materialises the item as the
# guacamole-credentials Secret in this namespace.
# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
# Only the DB-* fields are referenced by the workloads in this file.
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  namespace: guacamole
  name: guacamole-credentials
spec:
  itemPath: vaults/IAmWorkin/items/Guacamole
---
# Blue Jay Branding Extension (CSS + translations)
#
# Review notes: the JAR is mounted into /etc/guacamole/extensions and loaded as
# a Guacamole extension, which may carry Java classes as well as CSS and
# translations — treat this ConfigMap as executable code running inside the
# webapp JVM, not as static assets. Anyone with write access to ConfigMaps in
# this namespace can replace it. Review it like source, record the expected
# sha256 next to it, and prefer building the JAR in CI over committing a blob.
apiVersion: v1
kind: ConfigMap
metadata:
  name: guacamole-branding
  namespace: guacamole
binaryData:
  bluejay-branding-1.0.0.jar: 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
---
# Guacamole custom properties
#
# Review notes:
# - Mounted at /etc/guacamole/guacamole.properties by the guacamole Deployment.
#   It only takes effect if the image reads that directory as GUACAMOLE_HOME —
#   verify, otherwise the ban and TOTP settings below are silently inert.
# - The totp-* keys configure the TOTP extension but do not enable it; on the
#   official image enabling is done with TOTP_ENABLED=true, which the
#   Deployment does not set. Confirm MFA is actually active.
# - The ban-* keys act on the client address as seen by Tomcat. Behind Traefik
#   that is the proxy's own address unless X-Forwarded-For is honoured.
# - totp-mode sha256: some authenticator apps implement SHA-1 only and will
#   generate codes the server rejects; sha1 is the interoperable choice.
# - ban-address-duration is in milliseconds (300000 = 5 minutes);
#   api-session-timeout is in minutes (60 is the built-in default).
apiVersion: v1
kind: ConfigMap
metadata:
  name: guacamole-properties
  namespace: guacamole
data:
  guacamole.properties: |
    # Blue Jay Remote Access — Guacamole Configuration
    # MySQL/guacd settings provided via env vars — do NOT duplicate here

    # Extension Priority
    extension-priority: mysql, ban, bluejay, *

    # Ban (brute force)
    ban-max-invalid-attempts: 5
    ban-address-duration: 300000
    ban-max-addresses: 1000

    # TOTP
    totp-issuer: Blue Jay Remote Access
    totp-digits: 6
    totp-period: 30
    totp-mode: sha256

    # Session
    api-session-timeout: 60
---
# ServiceAccount whose token the kubectl-proxy sidecar in the guacd pod uses.
# Bound by the guacd-pod-exec ClusterRoleBinding; see that ClusterRole for
# what it is allowed to do.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: guacamole
  name: guacd-exec
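---
# RBAC for the kubectl-proxy sidecar: what a Guacamole "kubernetes" connection
# can do once guacd forwards it through the proxy.
#
# Review notes:
# - Bound cluster-wide (guacd-pod-exec ClusterRoleBinding), so exec is possible
#   into every pod in every namespace, kube-system included — effectively
#   cluster-admin for anyone who can drive guacd, whose own port is
#   unauthenticated. Prefer a Role + RoleBinding in each namespace that hosts
#   lab targets and drop the ClusterRoleBinding; this file cannot pick those
#   namespaces for you.
# - pods/attach was removed: the Guacamole kubernetes protocol uses the exec
#   subresource. Both verbs on pods/exec are kept because a websocket handshake
#   is authorised as "get" and a POST as "create".
# - pods list and namespaces list/get are not needed by the exec call itself;
#   keep them only if something else (e.g. pod discovery) relies on them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: guacd-pod-exec
  labels:
    app.kubernetes.io/component: proxy
    app.kubernetes.io/name: guacd
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "get"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list", "get"]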
---
# Cluster-wide binding of guacd-pod-exec to the guacd-exec ServiceAccount.
# This is what makes the exec grant apply to every namespace; replacing it
# with per-namespace RoleBindings is the main way to narrow the blast radius.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: guacd-pod-exec
  labels:
    app.kubernetes.io/name: guacd
    app.kubernetes.io/component: proxy
subjects:
  - kind: ServiceAccount
    namespace: guacamole
    name: guacd-exec
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: guacd-pod-exec