Commit be3ba040 authored by Bruno Oliveira da Silva's avatar Bruno Oliveira da Silva Committed by Stian Thorgersen

[KEYCLOAK-9071] Move kube and Dockerfile content from Gatekeeper repository

parent 2b8ca095
FROM alpine:3.7
LABEL Name=keycloak-gatekeeper \
Release=https://github.com/keycloak/keycloak-gatekeeper \
Url=https://github.com/keycloak/keycloak-gatekeeper \
Help=https://github.com/keycloak/keycloak-gatekeeper/issues
RUN apk add --no-cache ca-certificates
ADD templates/ /opt/templates
ADD bin/keycloak-gatekeeper /opt/keycloak-gatekeeper
WORKDIR "/opt"
ENTRYPOINT [ "/opt/keycloak-gatekeeper" ]
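Review bot: The image declares no USER, so the gatekeeper process runs as root unless the pod spec overrides it, which only the second deployment manifest in this commit does via runAsUser. Creating an unprivileged account in the image makes that the default for every consumer and matches the uid the manifest already uses: `RUN adduser -D -u 1000 gatekeeper` after the apk line and `USER 1000` immediately before ENTRYPOINT. The two ADD lines only copy local paths, so COPY is the clearer instruction here (ADD additionally unpacks archives and fetches URLs).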
...@@ -35,8 +35,8 @@ var ( ...@@ -35,8 +35,8 @@ var (
const ( const (
prog = "keycloak-gatekeeper" prog = "keycloak-gatekeeper"
author = "Rohith Jayawardene" author = "Keycloak"
email = "gambol99@gmail.com" email = "keycloak-user@lists.jboss.org"
description = "is a proxy using the keycloak service for auth and authorization" description = "is a proxy using the keycloak service for auth and authorization"
authorizationHeader = "Authorization" authorizationHeader = "Authorization"
...@@ -287,7 +287,7 @@ type Config struct { ...@@ -287,7 +287,7 @@ type Config struct {
// EncryptionKey is the encryption key used to encrypt the refresh token // EncryptionKey is the encryption key used to encrypt the refresh token
EncryptionKey string `json:"encryption-key" yaml:"encryption-key" usage:"encryption key used to encryption the session state" env:"ENCRYPTION_KEY"` EncryptionKey string `json:"encryption-key" yaml:"encryption-key" usage:"encryption key used to encryption the session state" env:"ENCRYPTION_KEY"`
// InvalidAuthRedirectsWith303 will make requests with invalid auth headers redirect using HTTP 303 instead of HTTP 307. See github.com/gambol99/keycloak-gatekeeper/issues/292 for context. // InvalidAuthRedirectsWith303 will make requests with invalid auth headers redirect using HTTP 303 instead of HTTP 307. See github.com/keycloak/keycloak-gatekeeper/issues/292 for context.
InvalidAuthRedirectsWith303 bool `json:"invalid-auth-redirects-with-303" yaml:"invalid-auth-redirects-with-303" usage:"use HTTP 303 redirects instead of 307 for invalid auth tokens"` InvalidAuthRedirectsWith303 bool `json:"invalid-auth-redirects-with-303" yaml:"invalid-auth-redirects-with-303" usage:"use HTTP 303 redirects instead of 307 for invalid auth tokens"`
// NoRedirects informs we should hand back a 401 not a redirect // NoRedirects informs we should hand back a 401 not a redirect
NoRedirects bool `json:"no-redirects" yaml:"no-redirects" usage:"do not have back redirects when no authentication is present, 401 them"` NoRedirects bool `json:"no-redirects" yaml:"no-redirects" usage:"do not have back redirects when no authentication is present, 401 them"`
......
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: proxy
spec:
replicas: 1
template:
metadata:
labels:
name: proxy
annotations:
repository: https://github.com/keycloak/keycloak-gatekeeper
spec:
containers:
- name: proxy
image: docker.io/jboss/keycloak/keycloak-gatekeeper:latest
imagePullPolicy: Always
args:
- --config /etc/secrets/forwarding.yml
- --discovery-url https://sso.example.com/auth/realms/hod-test
- --client-id broker
- --client-secret
- --listen 127.0.0.1:3000
- --enable-forwarding=true
- --forwarding-username=username
- --forwarding-password=password
- --enable-logging=true
- --enable-json-logging true
- --verbose true
volumeMounts:
- name: secrets
mountPath: /etc/secrets
volumes:
- name: secrets
secret:
secretName: config
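Review bot: Each item under args is handed to the binary as one argv element, so `- --config /etc/secrets/forwarding.yml` arrives as a single string containing a space rather than a flag and its value; the second manifest in this commit uses the `--flag=value` form, and this one should match it, e.g. `- --config=/etc/secrets/forwarding.yml` and `- --listen=127.0.0.1:3000`. The bare `- --client-secret` item carries no value at all, so the flag parser will presumably either take the next item as the secret or reject it. The forwarding username and password are literal values in the pod spec, readable by anyone who can view the Deployment or the process list; since a secret volume is already mounted at /etc/secrets, they belong in the config file referenced by --config or in a secretKeyRef-backed env var, as the second manifest does for the client secret.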
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: proxy
spec:
replicas: 1
template:
metadata:
labels:
name: proxy
annotations:
repository: https://github.com/keycloak/keycloak-gatekeeper
spec:
securityContext:
fsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
volumes:
- name: certs
secret:
secretName: tls
containers:
- name: proxy
image: docker.io/jboss/keycloak/keycloak-gatekeeper:latest
imagePullPolicy: Always
args:
- --client-id=broker
- --discovery-url=https://sso.example.com/auth/realms/hod-test
- --enable-default-deny=false
- --enable-json-logging=true
- --enable-logging=true
- --enable-request-id=true
- --enable-security-filter=true
- --http-only-cookie=true
- --listen=127.0.0.1:3000
- --preserve-host=true
- --redirection-url=https://www.example.com
- --resources=uri=/admin/*|roles=admin
- --skip-client-id=true
- --tls-cert=/certs/tls.pem
- --tls-private-key=/certs/tls-key.pem
- --upstream-url=http://127.0.0.1:8080
env:
- name: PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: openid
key: client.secret
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- name: certs
mountPath: /certs
readOnly: true
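Review bot: With `--enable-default-deny=false` and the only rule being `--resources=uri=/admin/*|roles=admin`, every path outside /admin/* is proxied to the upstream without any authentication; if that is deliberate for the sample, a comment above args saying so would stop it being copied as a secure default, otherwise drop the `- --enable-default-deny=false` line. The session cookie is marked HttpOnly but not Secure even though the redirection URL is https, so `- --secure-cookie=true` next to `--http-only-cookie=true` would keep it off plaintext connections. The container securityContext could also carry `allowPrivilegeEscalation: false` alongside readOnlyRootFilesystem. Note that extensions/v1beta1 Deployments are no longer served by current Kubernetes releases; the apps/v1 form additionally requires a spec.selector matching the template labels.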