public/geek-cookbook
1
0
Fork 0
mirror of https://github.com/funkypenguin/geek-cookbook/ synced 2025-12-13 09:46:23 +00:00
Code Issues Releases Wiki Activity

Update traefik-forward-auth for official image supporting multiple OIDC providers

Browse Source
This commit is contained in:
David Young
2020-06-11 14:07:31 +12:00
parent 7845f45066
commit 3a156e4e92
4 changed files with 32 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
manuscript/CHANGELOG.md
View File

File diff suppressed because one or more lines are too long

21
manuscript/ha-docker-swarm/traefik-forward-auth.md
View File

@@ -29,16 +29,17 @@ Log into https://console.developers.google.com/, create a new project then searc
Fill out the "OAuth Consent Screen" tab, and then click, "**Create Credentials**" > "**OAuth client ID**". Select "**Web Application**", fill in the name of your app, skip "**Authorized JavaScript origins**" and fill "**Authorized redirect URIs**" with either all the domains you will allow authentication from, appended with the url-path (*e.g. https://radarr.example.com/_oauth, https://radarr.example.com/_oauth, etc*), or if you don't like frustration, use a "auth host" URL instead, like "*https://auth.example.com/_oauth*" (*see below for details*)
!!! tip
Store your client ID and secret safely - you'll need them for the next step.
### Prepare environment
Create `/var/data/config/traefik/traefik-forward-auth.env` as follows:
Create `/var/data/config/traefik-forward-auth/traefik-forward-auth.env` as follows:
```
CLIENT_ID=<your client id>
CLIENT_SECRET=<your client secret>
GOOGLE_CLIENT_ID=<your client id>
GOOGLE_CLIENT_SECRET=<your client secret>
OIDC_ISSUER=https://accounts.google.com
SECRET=<a random string, make it up>
# uncomment this to use a single auth host instead of individual redirect_uris (recommended but advanced)
@@ -48,12 +49,12 @@ COOKIE_DOMAINS=example.com
### Prepare the docker service config
This is a small container, you can simply add the following content to the existing `traefik-app.yml` deployed in the previous [Traefik](/recipes/traefik/) recipe:
Create `/var/data/config/traefik-forward-auth/traefik-forward-auth.yml` as follows:
```
traefik-forward-auth:
image: funkypenguin/traefik-forward-auth
env_file: /var/data/config/traefik/traefik-forward-auth.env
image: thomseddon/traefik-forward-auth:2.1.0
env_file: /var/data/config/traefik-forward-auth/traefik-forward-auth.env
networks:
- traefik_public
# Uncomment these lines if you're using auth host mode
@@ -65,7 +66,7 @@ This is a small container, you can simply add the following content to the exist
# - traefik.frontend.auth.forward.trustForwardHeader=true
```
If you're not confident that forward authentication is working, add a simple "whoami" test container, to help debug traefik forward auth, before attempting to add it to a more complex container.
If you're not confident that forward authentication is working, add a simple "whoami" test container to the above .yml, to help debug traefik forward auth, before attempting to add it to a more complex container.
```
# This simply validates that traefik forward authentication is working
@@ -91,7 +92,7 @@ If you're not confident that forward authentication is working, add a simple "wh
### Launch
Redeploy traefik with ```docker stack deploy traefik-app -c /var/data/traefik/traeifk-app.yml```, to launch the traefik-forward-auth container.
Redeploy traefik with ```docker stack deploy traefik-forward-auth -c /var/data/traefik-forward-auth/traefik-forward-auth.yml```, to launch the traefik-forward-auth stack.
### Test
@@ -111,6 +112,4 @@ What have we achieved? By adding an additional three simple labels to any servic
## Chef's Notes 📓
1. Traefik forward auth replaces the use of [oauth_proxy containers](/reference/oauth_proxy/) found in some of the existing recipes
2. [@thomaseddon's original version](https://github.com/thomseddon/traefik-forward-auth) of traefik-forward-auth only works with Google currently, but I've created a [fork](https://www.github.com/funkypenguin/traefik-forward-auth) of a [fork](https://github.com/noelcatt/traefik-forward-auth), which implements generic OIDC providers.
3. I reviewed several implementations of forward authenticators for Traefik, but found most to be rather heavy-handed, or specific to a single auth provider. @thomaseddon's go-based docker image is 7MB in size, and with the generic OIDC patch (above), it can be extended to work with any OIDC provider.
4. No, not github natively, but you can ferderate GitHub into KeyCloak, and then use KeyCloak as the OIDC provider.
2. I reviewed several implementations of forward authenticators for Traefik, but found most to be rather heavy-handed, or specific to a single auth provider. @thomaseddon's go-based docker image is 7MB in size, and can be extended to work with any OIDC provider.

21
manuscript/premix/ansible/operation.md
View File

@@ -25,7 +25,7 @@ k3s_masters
k3s_workers
[proxmox_servers]
splinter ansible_host=192.168.29.3 ansible_user=root
splinter ansible_host=192.168.29.3 ansible_user=root template_vm_id=201
# Declare your desired proxmox VMs here. Note that the MAC address "lines up" with_
# the IP address - this makes troubleshooting L2 issues easier under some circumstances,
@@ -33,12 +33,12 @@ splinter ansible_host=192.168.29.3 ansible_user=root
# when re-running the playbook.
[proxmox_vms]
raphael ansible_host=192.168.38.101 mac=52:54:00:38:01:01
donatello ansible_host=192.168.38.102 mac=52:54:00:38:01:02
leonardo ansible_host=192.168.38.103 mac=52:54:00:38:01:03
shredder ansible_host=192.168.38.201 mac=52:54:00:38:02:01
rocksteady ansible_host=192.168.38.202 mac=52:54:00:38:02:02
bebop ansible_host=192.168.38.203 mac=52:54:00:38:02:03
donatello ansible_host=192.168.38.102 mac=52:54:00:38:01:02 proxmox_node=splinter
leonardo ansible_host=192.168.38.103 mac=52:54:00:38:01:03 proxmox_node=splinter
shredder ansible_host=192.168.38.201 mac=52:54:00:38:02:01 proxmox_node=splinter
raphael ansible_host=192.168.38.101 mac=52:54:00:38:01:01 proxmox_node=splinter
rocksteady ansible_host=192.168.38.202 mac=52:54:00:38:02:02 proxmox_node=splinter
bebop ansible_host=192.168.38.203 mac=52:54:00:38:02:03 proxmox_node=splinter
[swarm_nodes]
raphael ansible_host=192.168.38.101 keepalived_priority=101
@@ -60,12 +60,11 @@ bebop ansible_host=192.168.38.203
### Config
The variables used in the playbook are defined in `ansible/group_vars/all/main.yml`. **Your** variables are going to be defined in a group_vars file based on your username, so that they're [treated with a higher preference](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) than the default values.
The variables used in the playbook are defined in the `ansible/group_vars/all/main.yml`. **Your** variables are going to be defined in a group_vars file based on your username, so that they're [treated with a higher preference](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) than the default values.
Create a folder under `ansible/group_vars/<your-username>` to match the group name you inserted in line \#1 of your hosts file, and copy `ansible/group_vars/all/main.yml` into this folder. Any values found in this file will override any values specified in `ansible/group_vars/all/main.yml`, but any values _not_ found in your file will be inherited from `ansible/group_vars/all/main.yml`.
Create a folder under `ansible/group_vars/<your-username>` to match the group name you inserted in line \#1 of your hosts file, and copy `ansible/group_vars/all/main.yml` into this folder. Any variables found in this file will override any variables specified in `ansible/group_vars/all/main.yml`, but any variables _not_ found in your file will be inherited from `ansible/group_vars/all/main.yml`.
!!! tip "Go to town with your delete key"
To keep your version clean, edit `ansible/group_vars/<your-username>/main.yml` and delete anything you don't care to change. This will keep your "override" file nice and clean.
To further streamline config, a "empty" dictionary variable named `recipe_config` is configured in `ansible/group_vars/all/main.yml`. In your own vars file (`ansible/group_vars/<your-username>/main.yml`), populate this variable with your own preferred values, copied from `recipe_default_config`. When the playbook runs, your values will be combined with the default values.
!!! tip "Commit `ansible/group_vars/<your-username>/` to your own repo"
For extra geek-fu, you could commit the contents of ``ansible/group_vars/<your-username>/` to your own repo, so that you can version/track your own config!

4
scripts/recipe-footer.md
View File

File diff suppressed because one or more lines are too long