documentation

README.md

@@ -0,0 +1,31 @@
+# Traefik Forward Auth 
+
+Yet another minimal modification of a great minimal forward authentication service that provides OAuth/SSO login and authentication for the [traefik](https://github.com/containous/traefik) reverse proxy/load balancer.
+
+## Why?
+
+The original [traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth) provides the forwarding of authentication between an Identity Provider like [keycloak](https://www.keycloak.org/) and the [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middleware of [traefik](https://doc.traefik.io/traefik/).
+
+The modification of this project is to add minimal authorization functionality. The [traefik-forward-auth](https://home.hottis.de/gitlab/dockerized/traefik-forward-auth/) is configured with a `REQUIRED_ROLE` and access to the resource is only granted if the access token issued by the Identity Provider contains a claim with that particular role. 
+
+## Configuration
+
+### ... of traefik-forward-auth
+
+In the `examples` directory the ymls to deploy a whoami service ([at GitHub](https://github.com/traefik/whoami/), [at Docker Hub](https://hub.docker.com/r/containous/whoami)) and the related ymls to deploy and configure the traefik-forward-auth service.
+The only relevant modification to the original [advanced separate pod example](https://github.com/thomseddon/traefik-forward-auth/tree/master/examples/traefik-v2/kubernetes/advanced-separate-pod) is the configuration parameter `REQUIRED_ROLE`.
+
+### ... of the Identity Provider
+
+![Keycloak Client General Settings](./images/Keycloak-General-Settings.png)
+
+![Keycloak Client Access Settings](./images/Keycloak-Access-Settings.png)
+
+![Keycloak Client Capability Settings](./images/Keycloak-Capability-Config.png)
+
+![KeyCloak Client Roles](./images/Keycloak-Client-Roles.png)
+
+![Keycloak Client Mapper](./images/Keycloak-Client-Mapper.png)
+
+
+

cmd/main.go

@@ -25,8 +25,6 @@ func main() {
 	http.HandleFunc("/", server.RootHandler)
 
 	// Start
-  log.Info("wn test01 variant")
-	log.WithField("config", config).Debug("Starting with config")
 	log.Infof("Listening on :%d", config.Port)
 	log.Info(http.ListenAndServe(fmt.Sprintf(":%d", config.Port), nil))
 }

examples/auth.yml

@@ -0,0 +1,155 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: traefik-forward-auth
+data:
+  INSECURE_COOKIE: 'true'
+  COOKIE_DOMAIN: whoami.hottis.de
+  DOMAINS: whoami.hottis.de
+  AUTH_HOST: auth.whoami.hottis.de
+  URL_PATH: /_oauth
+  DEFAULT_PROVIDER: oidc
+  PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
+  PROVIDERS_OIDC_CLIENT_ID: whoami
+  REQUIRED_ROLE: whoami_access
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: traefik-forward-auth
+# type: Opaque
+# data:
+#   PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER
+#   SECRET: PLACEHOLDER
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-forward-auth
+  template:
+    metadata:
+      labels:
+        app: traefik-forward-auth
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
+    spec:
+      containers:
+        - name: traefik-forward-auth
+          #image: thomseddon/traefik-forward-auth
+          image: wollud1969/tfa:test18
+          imagePullPolicy: Always
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 65534
+            runAsGroup: 65534
+            capabilities:
+              drop:
+                - ALL
+          livenessProbe:
+            failureThreshold: 3
+            tcpSocket:
+              port: 4181
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          resources:
+            limits:
+              memory: '10Mi'
+              cpu: '100m'
+          ports:
+            - containerPort: 4181
+              protocol: TCP
+          env:
+            - name: PROVIDERS_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth
+                  key: PROVIDERS_OIDC_CLIENT_SECRET
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth
+                  key: SECRET
+            - name: LOG_LEVEL
+              value: trace
+          envFrom:
+            - configMapRef:
+                name: traefik-forward-auth
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik-forward-auth
+  ports:
+  - name: auth-http
+    port: 4181
+    targetPort: 4181
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: auth-whoami-hottis-de
+spec:
+  secretName: auth-whoami-cert
+  duration: 2160h
+  renewBefore: 360h
+  subject:
+    organizations:
+      - hottis-de
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+  dnsNames:
+    - auth.whoami.hottis.de
+  issuerRef:
+    name: letsencrypt-production-http
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`auth.whoami.hottis.de`)
+    kind: Rule
+    services:
+    - name: traefik-forward-auth
+      port: 4181
+  tls:
+    secretName: auth-whoami-cert
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+spec:
+  forwardAuth:
+    trustForwardHeader: true
+    address: http://traefik-forward-auth.whoami.svc.cluster.local:4181
+    authResponseHeaders:
+      - X-Forwarded-User
+

examples/install.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+SECRET_CONFIG_DIR=~/Workspace/MyKubernetesEnv/secret-configuration
+
+NAMESPACE=$(cat namespace)
+SECRET=$(cat $SECRET_CONFIG_DIR/whoami-secret)
+PROVIDERS_OIDC_CLIENT_SECRET=$(cat $SECRET_CONFIG_DIR/whoami-oidc-secret)
+
+kubectl create namespace $NAMESPACE \
+  --dry-run=client \
+  -o yaml | \
+  kubectl -f - apply
+
+kubectl create secret generic traefik-forward-auth \
+  --dry-run=client \
+  -o yaml \
+  --save-config \
+  --from-literal=PROVIDERS_OIDC_CLIENT_SECRET="$PROVIDERS_OIDC_CLIENT_SECRET" \
+  --from-literal=SECRET="$SECRET" | \
+  kubectl apply -f - -n $NAMESPACE
+
+kubectl -f auth.yml -n $NAMESPACE apply
+kubectl -f install.yml -n $NAMESPACE apply
+

examples/install.yml

@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+      - image: containous/whoami
+        name: whoami
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+  selector:
+    app: whoami
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: whoami-hottis-de
+spec:
+  secretName: whoami-cert
+  duration: 2160h
+  renewBefore: 360h
+  subject:
+    organizations:
+      - hottis-de
+  isCA: false
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 2048
+  usages:
+    - server auth
+  dnsNames:
+    - whoami.hottis.de
+  issuerRef:
+    name: letsencrypt-production-http
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`whoami.hottis.de`)
+    kind: Rule
+    services:
+      - name: whoami
+        port: 80
+    middlewares:
+      - name: traefik-forward-auth
+  tls:
+    secretName: whoami-cert

examples/namespace

@@ -0,0 +1,2 @@
+whoami
+