LICENSE.md

@@ -1,8 +1,7 @@
 MIT License
 
-Copyright (c) [2018] [Thom Seddon]
-
 Copyright (c) [2023] [Wolfgang Hottgenroth]
+Copyright (c) [2018] [Thom Seddon]
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,48 +0,0 @@
-# Traefik Forward Auth 
-
-Yet another minimal modification of a great minimal forward authentication service that provides OAuth/SSO login and authentication for the [traefik](https://github.com/containous/traefik) reverse proxy/load balancer.
-
-## Why?
-
-The original [traefik-forward-auth](https://github.com/thomseddon/traefik-forward-auth) provides the forwarding of authentication between an Identity Provider like [keycloak](https://www.keycloak.org/) and the [ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) middleware of [traefik](https://doc.traefik.io/traefik/).
-
-The modification of this project is to add minimal authorization functionality. The [traefik-forward-auth](https://home.hottis.de/gitlab/dockerized/traefik-forward-auth/) is configured with a `REQUIRED_ROLE` and access to the resource is only granted if the access token issued by the Identity Provider contains a claim with that particular role. 
-
-## Docker Image 
-
-The Docker image can be found at [DockerHub wollud1969/traefik-forward-auth](https://hub.docker.com/r/wollud1969/traefik-forward-auth).
-
-## Configuration
-
-### ... of traefik-forward-auth
-
-In the `examples` directory the ymls to deploy a whoami service ([at GitHub](https://github.com/traefik/whoami/), [at Docker Hub](https://hub.docker.com/r/containous/whoami)) and the related ymls to deploy and configure the traefik-forward-auth service.
-The only relevant modification to the original [advanced separate pod example](https://github.com/thomseddon/traefik-forward-auth/tree/master/examples/traefik-v2/kubernetes/advanced-separate-pod) is the configuration parameter `REQUIRED_ROLE`.
-
-### ... of the Identity Provider
-
-![Keycloak Client General Settings](./images/Keycloak-General-Settings.png)
-
-![Keycloak Client Access Settings](./images/Keycloak-Access-Settings.png)
-
-![Keycloak Client Capability Settings](./images/Keycloak-Capability-Config.png)
-
-![KeyCloak Client Roles](./images/Keycloak-Client-Roles.png)
-
-![Keycloak Client Mapper](./images/Keycloak-Client-Mapper.png)
-
-
-
-## Copyright
-
-2018 Thom Seddon
-
-2023 Wolfgang Hottgenroth
-
-## License
-
-[MIT](https://github.com/thomseddon/traefik-forward-auth/blob/master/LICENSE.md)
-
-[MIT](https://home.hottis.de/gitlab/dockerized/traefik-forward-auth/-/blob/master/LICENSE.md)
-
-

cmd/main.go

@@ -25,6 +25,8 @@ func main() {
 	http.HandleFunc("/", server.RootHandler)
 
 	// Start
+  log.Info("wn test01 variant")
+	log.WithField("config", config).Debug("Starting with config")
 	log.Infof("Listening on :%d", config.Port)
 	log.Info(http.ListenAndServe(fmt.Sprintf(":%d", config.Port), nil))
 }

examples/auth.yml

@@ -1,155 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: traefik-forward-auth
-data:
-  INSECURE_COOKIE: 'true'
-  COOKIE_DOMAIN: whoami.hottis.de
-  DOMAINS: whoami.hottis.de
-  AUTH_HOST: auth.whoami.hottis.de
-  URL_PATH: /_oauth
-  DEFAULT_PROVIDER: oidc
-  PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
-  PROVIDERS_OIDC_CLIENT_ID: whoami
-  REQUIRED_ROLE: whoami_access
-# ---
-# apiVersion: v1
-# kind: Secret
-# metadata:
-#   name: traefik-forward-auth
-# type: Opaque
-# data:
-#   PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER
-#   SECRET: PLACEHOLDER
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: traefik-forward-auth
-  labels:
-    app: traefik-forward-auth
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: traefik-forward-auth
-  template:
-    metadata:
-      labels:
-        app: traefik-forward-auth
-      annotations:
-        container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
-    spec:
-      containers:
-        - name: traefik-forward-auth
-          #image: thomseddon/traefik-forward-auth
-          image: wollud1969/traefik-forward-auth:3.0.0
-          imagePullPolicy: Always
-          securityContext:
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 65534
-            runAsGroup: 65534
-            capabilities:
-              drop:
-                - ALL
-          livenessProbe:
-            failureThreshold: 3
-            tcpSocket:
-              port: 4181
-            initialDelaySeconds: 10
-            periodSeconds: 10
-          resources:
-            limits:
-              memory: '10Mi'
-              cpu: '100m'
-          ports:
-            - containerPort: 4181
-              protocol: TCP
-          env:
-            - name: PROVIDERS_OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: traefik-forward-auth
-                  key: PROVIDERS_OIDC_CLIENT_SECRET
-            - name: SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: traefik-forward-auth
-                  key: SECRET
-            - name: LOG_LEVEL
-              value: trace
-          envFrom:
-            - configMapRef:
-                name: traefik-forward-auth
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: traefik-forward-auth
-  labels:
-    app: traefik-forward-auth
-spec:
-  type: ClusterIP
-  selector:
-    app: traefik-forward-auth
-  ports:
-  - name: auth-http
-    port: 4181
-    targetPort: 4181
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: auth-whoami-hottis-de
-spec:
-  secretName: auth-whoami-cert
-  duration: 2160h
-  renewBefore: 360h
-  subject:
-    organizations:
-      - hottis-de
-  isCA: false
-  privateKey:
-    algorithm: RSA
-    encoding: PKCS1
-    size: 2048
-  usages:
-    - server auth
-  dnsNames:
-    - auth.whoami.hottis.de
-  issuerRef:
-    name: letsencrypt-production-http
-    kind: ClusterIssuer
-    group: cert-manager.io
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: traefik-forward-auth
-  labels:
-    app: traefik-forward-auth
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`auth.whoami.hottis.de`)
-    kind: Rule
-    services:
-    - name: traefik-forward-auth
-      port: 4181
-  tls:
-    secretName: auth-whoami-cert
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: traefik-forward-auth
-spec:
-  forwardAuth:
-    trustForwardHeader: true
-    address: http://traefik-forward-auth.whoami.svc.cluster.local:4181
-    authResponseHeaders:
-      - X-Forwarded-User
-

examples/install.sh

@@ -1,24 +0,0 @@
-#!/bin/bash
-
-SECRET_CONFIG_DIR=~/Workspace/MyKubernetesEnv/secret-configuration
-
-NAMESPACE=$(cat namespace)
-SECRET=$(cat $SECRET_CONFIG_DIR/whoami-secret)
-PROVIDERS_OIDC_CLIENT_SECRET=$(cat $SECRET_CONFIG_DIR/whoami-oidc-secret)
-
-kubectl create namespace $NAMESPACE \
-  --dry-run=client \
-  -o yaml | \
-  kubectl -f - apply
-
-kubectl create secret generic traefik-forward-auth \
-  --dry-run=client \
-  -o yaml \
-  --save-config \
-  --from-literal=PROVIDERS_OIDC_CLIENT_SECRET="$PROVIDERS_OIDC_CLIENT_SECRET" \
-  --from-literal=SECRET="$SECRET" | \
-  kubectl apply -f - -n $NAMESPACE
-
-kubectl -f auth.yml -n $NAMESPACE apply
-kubectl -f install.yml -n $NAMESPACE apply
-

examples/install.yml

@@ -1,78 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: whoami
-  labels:
-    app: whoami
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: whoami
-  template:
-    metadata:
-      labels:
-        app: whoami
-    spec:
-      containers:
-      - image: containous/whoami
-        name: whoami
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: whoami
-  labels:
-    app: whoami
-spec:
-  type: ClusterIP
-  ports:
-  - name: http
-    port: 80
-  selector:
-    app: whoami
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: whoami-hottis-de
-spec:
-  secretName: whoami-cert
-  duration: 2160h
-  renewBefore: 360h
-  subject:
-    organizations:
-      - hottis-de
-  isCA: false
-  privateKey:
-    algorithm: RSA
-    encoding: PKCS1
-    size: 2048
-  usages:
-    - server auth
-  dnsNames:
-    - whoami.hottis.de
-  issuerRef:
-    name: letsencrypt-production-http
-    kind: ClusterIssuer
-    group: cert-manager.io
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: whoami
-  labels:
-    app: whoami
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`whoami.hottis.de`)
-    kind: Rule
-    services:
-      - name: whoami
-        port: 80
-    middlewares:
-      - name: traefik-forward-auth
-  tls:
-    secretName: whoami-cert

examples/namespace

@@ -1,2 +0,0 @@
-whoami
-