mirror of https://github.com/samply/bridgehead.git
Add oauth2_proxy
This commit is contained in:
juarez
parent
f6965859fe
commit
0cd4ededc7
|
|
@ -52,6 +52,50 @@ services:
|
||||||
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
|
- /etc/bridgehead/trusted-ca-certs:/conf/trusted-ca-certs:ro
|
||||||
- /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
|
- /srv/docker/bridgehead/ccp/root.crt.pem:/conf/root.crt.pem:ro
|
||||||
|
|
||||||
|
traefik:
|
||||||
|
labels:
|
||||||
|
- "traefik.http.middlewares.oidcAuth.forwardAuth.address=http://oauth2_proxy:4180/"
|
||||||
|
- "traefik.http.middlewares.oidcAuth.forwardAuth.trustForwardHeader=true"
|
||||||
|
- "traefik.http.middlewares.oidcAuth.forwardAuth.authResponseHeaders=X-Auth-Request-Access-Token,Authorization"
|
||||||
|
|
||||||
|
|
||||||
|
oauth2_proxy:
|
||||||
|
image: quay.io/oauth2-proxy/oauth2-proxy
|
||||||
|
container_name: bridgehead_oauth2_proxy
|
||||||
|
command: >-
|
||||||
|
--allowed-group=/${KEYCLOAK_USER_GROUP}
|
||||||
|
--oidc-groups-claim=${KEYCLOAK_GROUP_CLAIM}
|
||||||
|
--auth-logging=true
|
||||||
|
--whitelist-domain=${HOST}
|
||||||
|
--http-address="0.0.0.0:4180"
|
||||||
|
--reverse-proxy=true
|
||||||
|
--upstream="static://202"
|
||||||
|
--email-domain="*"
|
||||||
|
--cookie-name="_BRIDGEHEAD_oauth2"
|
||||||
|
--cookie-secret="${OAUTH2_PROXY_SECRET}"
|
||||||
|
--cookie-expire="12h"
|
||||||
|
--cookie-secure="true"
|
||||||
|
--cookie-httponly="true"
|
||||||
|
#OIDC settings
|
||||||
|
--provider="keycloak-oidc"
|
||||||
|
--provider-display-name="VerbIS Login"
|
||||||
|
--client-id="${KEYCLOAK_PRIVATE_CLIENT_ID}"
|
||||||
|
--client-secret="${OIDC_CLIENT_SECRET}"
|
||||||
|
--redirect-url="https://${HOST}/oauth2/callback"
|
||||||
|
--oidc-issuer-url="${KEYCLOAK_ISSUER_URL}"
|
||||||
|
--scope="openid email profile"
|
||||||
|
--code-challenge-method="S256"
|
||||||
|
--skip-provider-button=true
|
||||||
|
#X-Forwarded-Header settings - true/false depending on your needs
|
||||||
|
--pass-basic-auth=true
|
||||||
|
--pass-user-headers=false
|
||||||
|
--pass-access-token=false
|
||||||
|
labels:
|
||||||
|
- "traefik.enable=true"
|
||||||
|
- "traefik.http.routers.oauth2_proxy.rule=Host(`${HOST}`) && PathPrefix(`/oauth2`, `/oauth2/callback`)"
|
||||||
|
- "traefik.http.services.oauth2_proxy.loadbalancer.server.port=4180"
|
||||||
|
- "traefik.http.routers.oauth2_proxy.tls=true"
|
||||||
|
|
||||||
|
|
||||||
volumes:
|
volumes:
|
||||||
blaze-data:
|
blaze-data:
|
||||||
|
|
|
||||||
|
|
@ -8,15 +8,15 @@ services:
|
||||||
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes
|
#DEFAULT_USER: "rstudio" # This line is kept for informational purposes
|
||||||
PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled
|
PASSWORD: "${RSTUDIO_ADMIN_PASSWORD}" # It is required, even if the authentication is disabled
|
||||||
DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
|
DISABLE_AUTH: "true" # https://rocker-project.org/images/versioned/rstudio.html#how-to-use
|
||||||
# TODO: Connect R-Studio with central Keycloak. Currently using Traefik authentication.
|
|
||||||
HTTP_RELATIVE_PATH: "/rstudio"
|
HTTP_RELATIVE_PATH: "/rstudio"
|
||||||
ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
|
ALL_PROXY: "http://forward_proxy:3128" # https://rocker-project.org/use/networking.html
|
||||||
labels:
|
labels:
|
||||||
- "traefik.enable=true"
|
- "traefik.enable=true"
|
||||||
- "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
|
- "traefik.http.routers.rstudio_ccp.rule=PathPrefix(`/rstudio`)"
|
||||||
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
|
- "traefik.http.services.rstudio_ccp.loadbalancer.server.port=8787"
|
||||||
- "traefik.http.routers.rstudio_ccp.tls=true"
|
|
||||||
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
|
- "traefik.http.middlewares.rstudio_ccp_strip.stripprefix.prefixes=/rstudio"
|
||||||
|
- "traefik.http.routers.rstudio_ccp.tls=true"
|
||||||
|
- "traefik.http.routers.rstudio_ccp.middlewares=oidcAuth,rstudio_ccp_strip"
|
||||||
|
|
||||||
opal:
|
opal:
|
||||||
container_name: bridgehead-opal
|
container_name: bridgehead-opal
|
||||||
|
|
|
||||||
|
|
@ -9,6 +9,7 @@ if [ "$ENABLE_DATASHIELD" == true ]; then
|
||||||
OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")"
|
OPAL_ADMIN_PASSWORD="$(generate_password \"admin password for Opal\")"
|
||||||
RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")"
|
RSTUDIO_ADMIN_PASSWORD="$(generate_password \"admin password for R-Studio\")"
|
||||||
DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
DATASHIELD_CONNECT_SECRET="$(echo \"This is a salt string to generate one consistent password as the DataShield Connect secret. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 30)"
|
||||||
|
OAUTH2_PROXY_SECRET="$(echo \"This is a salt string to generate one consistent encryption key for the oauth2_proxy. It is not required to be secret.\" | openssl rsautl -sign -inkey /etc/bridgehead/pki/${SITE_ID}.priv.pem | base64 | head -c 32)"
|
||||||
if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
|
if [ ! -e /tmp/bridgehead/opal-cert.pem ]; then
|
||||||
mkdir -p /tmp/bridgehead/
|
mkdir -p /tmp/bridgehead/
|
||||||
chown -R bridgehead:docker /tmp/bridgehead/
|
chown -R bridgehead:docker /tmp/bridgehead/
|
||||||
|
|
|
||||||
|
|
@ -34,7 +34,7 @@ services:
|
||||||
KEYCLOAK_URL: "${KEYCLOAK_URL}"
|
KEYCLOAK_URL: "${KEYCLOAK_URL}"
|
||||||
KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
|
KEYCLOAK_REALM: "${KEYCLOAK_REALM}"
|
||||||
KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}"
|
KEYCLOAK_CLIENT_ID: "${KEYCLOAK_PUBLIC_CLIENT_ID}"
|
||||||
KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_TOKEN_GROUP}"
|
KEYCLOAK_TOKEN_GROUP: "${KEYCLOAK_GROUP_CLAIM}"
|
||||||
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
|
TEILER_ADMIN_NAME: "${OPERATOR_FIRST_NAME} ${OPERATOR_LAST_NAME}"
|
||||||
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
|
TEILER_ADMIN_EMAIL: "${OPERATOR_EMAIL}"
|
||||||
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
|
TEILER_ADMIN_PHONE: "${OPERATOR_PHONE}"
|
||||||
|
|
|
||||||
3
ccp/vars
3
ccp/vars
|
|
@ -20,7 +20,8 @@ KEYCLOAK_PUBLIC_CLIENT_ID=${SITE_ID}-public
|
||||||
# TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing
|
# TODO: Change Keycloak Realm to productive. "test-realm-01" is only for testing
|
||||||
KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}"
|
KEYCLOAK_REALM="${KEYCLOAK_REALM:-test-realm-01}"
|
||||||
KEYCLOAK_URL="https://login.verbis.dkfz.de"
|
KEYCLOAK_URL="https://login.verbis.dkfz.de"
|
||||||
KEYCLOAK_TOKEN_GROUP="groups"
|
KEYCLOAK_ISSUER_URL="${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}"
|
||||||
|
KEYCLOAK_GROUP_CLAIM="groups"
|
||||||
POSTGRES_TAG=15.6-alpine
|
POSTGRES_TAG=15.6-alpine
|
||||||
|
|
||||||
for module in $PROJECT/modules/*.sh
|
for module in $PROJECT/modules/*.sh
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue