NGINX Keycloak Authentication
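# Demo: nginx fronted by a keycloak-gatekeeper sidecar that enforces an OpenID
# Connect login before any request reaches nginx. Traffic enters the pod on the
# gatekeeper port (3000, named "service"); nginx itself is only the upstream.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        # Upstream application. It still listens on the pod IP at :80, so
        # in-cluster clients can bypass the sidecar unless a NetworkPolicy
        # restricts ingress to the pod.
        # NOTE(review): image has no tag (resolves to :latest); pin a version
        # or digest for reproducible, auditable rollouts.
        - name: nginx
          image: nginx
        # Auth proxy sidecar; reads /etc/keycloak-gatekeeper.conf from the
        # gatekeeper-config ConfigMap and serves the forbidden page from /html.
        # NOTE(review): :latest is a mutable tag - pin it for the same reason.
        - name: gatekeeper
          image: carlosedp/keycloak-gatekeeper:latest
          args:
            - --config=/etc/keycloak-gatekeeper.conf
          ports:
            - containerPort: 3000
              name: service
          volumeMounts:
            # subPath mounts the single key as a file instead of a directory.
            - name: gatekeeper-config
              mountPath: /etc/keycloak-gatekeeper.conf
              subPath: keycloak-gatekeeper.conf
            - name: gatekeeper-files
              mountPath: /html
      volumes:
        - name: gatekeeper-config
          configMap:
            name: gatekeeper-config
        - name: gatekeeper-files
          configMap:
            name: gatekeeper-files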
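---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gatekeeper-config
  namespace: default
# The value below is itself a YAML file consumed by keycloak-gatekeeper; the
# Deployment mounts it at /etc/keycloak-gatekeeper.conf via subPath.
#
# Review notes on the settings as written:
#   - client-secret and encryption-key are credentials kept in a ConfigMap,
#     which is readable by any principal with get/list on configmaps in the
#     namespace and ends up in version control. Move them to a Secret (env var
#     or mounted file) and treat the values published here as already exposed.
#   - skip-openid-provider-tls-verify: true disables certificate validation
#     toward Keycloak, so the discovery and token exchange are not
#     authenticated; acceptable only against a throwaway lab instance,
#     otherwise trust the issuing CA.
#   - secure-cookie: false together with an http:// redirection-url sends the
#     session cookie in clear text; terminate TLS on the Ingress and set
#     secure-cookie: true.
#   - tls-cert / tls-private-key are left empty (YAML null), so the proxy
#     itself serves plain HTTP on :3000 and relies on the Ingress for TLS.
data:
  keycloak-gatekeeper.conf: |
    # is the url for retrieve the OpenID configuration - normally the <server>/auth/realms/<realm_name>
    discovery-url: https://keycloak.192.168.164.1.nip.io:8443/auth/realms/local
    # skip tls verify
    skip-openid-provider-tls-verify: true
    # the client id for the 'client' application
    client-id: gatekeeper
    # the secret associated to the 'client' application
    client-secret: 3d87097b-9f31-4457-89b3-a6578d21f759
    # the interface definition you wish the proxy to listen, all interfaces is specified as ':<port>', unix sockets as unix://<REL_PATH>|</ABS PATH>
    listen: :3000
    # whether to enable refresh tokens
    enable-refresh-tokens: true
    # the location of a certificate you wish the proxy to use for TLS support
    tls-cert:
    # the location of a private key for TLS
    tls-private-key:
    # the redirection url, essentially the site url, note: /oauth/callback is added at the end
    redirection-url: http://nginx.192.168.164.130.nip.io
    secure-cookie: false
    # the encryption key used to encode the session state
    encryption-key: vGcLt8ZUdPX5fXhtLZaPHZkGWHZrT6aa
    # the upstream endpoint which we should proxy request
    upstream-url: http://127.0.0.1:80/
    forbidden-page: /html/access-forbidden.html
    resources:
      - uri: /*
        groups:
          - my-app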
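---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gatekeeper-files
  namespace: default
# Static 403 page served by gatekeeper (forbidden-page in its config) when the
# authenticated user lacks the required group. Fix applied: the Logout anchor
# was never closed (`<a ...>Logout</h2>`), which browsers tolerate but HTML
# validators and some proxies' rewriters do not. The logout link redirects
# off-site (https://google.com) after ending the session; that is a deliberate
# demo choice, not a requirement of gatekeeper.
data:
  access-forbidden.html: |
    <html lang="en"><head> <title>Access Forbidden</title><style>*{font-family: "Courier", "Courier New", "sans-serif"; margin:0; padding: 0;}body{background: #233142;}.whistle{width: 20%; fill: #f95959; margin: 100px 40%; text-align: left; transform: translate(-50%, -50%); transform: rotate(0); transform-origin: 80% 30%; animation: wiggle .2s infinite;}@keyframes wiggle{0%{transform: rotate(3deg);}50%{transform: rotate(0deg);}100%{transform: rotate(3deg);}}h1{margin-top: -100px; margin-bottom: 20px; color: #facf5a; text-align: center; font-size: 90px; font-weight: 800;}h2, a{color: #455d7a; text-align: center; font-size: 30px; text-transform: uppercase;}</style> </head><body> <use> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 1000 1000" enable-background="new 0 0 1000 1000" xml:space="preserve" class="whistle"><g><g transform="translate(0.000000,511.000000) scale(0.100000,-0.100000)"><path d="M4295.8,3963.2c-113-57.4-122.5-107.2-116.8-622.3l5.7-461.4l63.2-55.5c72.8-65.1,178.1-74.7,250.8-24.9c86.2,61.3,97.6,128.3,97.6,584c0,474.8-11.5,526.5-124.5,580.1C4393.4,4001.5,4372.4,4001.5,4295.8,3963.2z"/><path d="M3053.1,3134.2c-68.9-42.1-111-143.6-93.8-216.4c7.7-26.8,216.4-250.8,476.8-509.3c417.4-417.4,469.1-463.4,526.5-463.4c128.3,0,212.5,88.1,212.5,224c0,67-26.8,97.6-434.6,509.3c-241.2,241.2-459.5,449.9-488.2,465.3C3181.4,3180.1,3124,3178.2,3053.1,3134.2z"/><path
    d="M2653,1529.7C1644,1445.4,765.1,850,345.8-32.7C62.4-628.2,22.2-1317.4,234.8-1960.8C451.1-2621.3,947-3186.2,1584.6-3500.2c1018.6-501.6,2228.7-296.8,3040.5,515.1c317.8,317.8,561,723.7,670.1,1120.1c101.5,369.5,158.9,455.7,360,553.3c114.9,57.4,170.4,65.1,1487.7,229.8c752.5,93.8,1392,181.9,1420.7,193.4C8628.7-857.9,9900,1250.1,9900,1328.6c0,84.3-67,172.3-147.4,195.3c-51.7,15.3-790.8,19.1-2558,15.3l-2487.2-5.7l-55.5-63.2l-55.5-61.3v-344.6V719.8h-411.7h-411.7v325.5c0,509.3,11.5,499.7-616.5,494C2921,1537.3,2695.1,1533.5,2653,1529.7z"/></g></g></svg></use><h1>403</h1><h2>Not this time, access forbidden!</h2><h2><a href="/oauth/logout?redirect=https://google.com">Logout</a></h2></body></html>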
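---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx
  name: nginx
  namespace: default
spec:
  ports:
    - name: http
      port: 80
      protocol: TCP
      # Named port "service" is the gatekeeper container's 3000, not nginx's
      # 80 - this is what forces Service traffic through the auth proxy.
      targetPort: service
  selector:
    app: nginx
  type: ClusterIP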
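---
# Moved from networking.k8s.io/v1beta1 (removed in Kubernetes 1.22) to the v1
# schema: pathType is mandatory and the backend is expressed as
# service.name / service.port.number.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  namespace: default
  annotations:
    # With path "/" this rewrite is effectively a no-op; kept for parity with
    # the original manifest.
    nginx.ingress.kubernetes.io/rewrite-target: /
# NOTE(review): there is no tls: stanza, so the Keycloak login redirect and
# the gatekeeper session cookie travel over plain HTTP. Add one backed by a
# real certificate Secret, then switch redirection-url to https:// and
# secure-cookie to true in the gatekeeper config.
spec:
  rules:
    - host: nginx.192.168.164.130.nip.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80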
The above configuration is no longer relevant; it would not work in today's Kubernetes environment. Do you have a configuration written for oauth2-proxy instead of gatekeeper?
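-- Failed export runs from the last 7 days whose files have NOT since gone out
-- in a later successful run of the same export configuration - i.e. failed
-- files that were never re-exported. The run is listed once even though
-- export_log appears to hold one row per file (see import_file_id below).
--
-- Filters as written (intent inferred, confirm with the owning team):
--   sc.active = false                 -> only configurations whose schedule is
--                                        currently disabled
--   had_configured_tenants / filter_by_tenant
--                                     -> skip runs that had nothing to export
--                                        because tenant filtering matched none
--
-- :runTimestamp is a bound parameter. The spaces around "::" are deliberate so
-- named-parameter parsers do not read ":runTimestamp::date" as one token.
select distinct
       er.id as export_run_id,
       ec.name,
       er.start_timestamp,
       er.complete_timestamp
from coordinator_exporter.export_log el
     inner join coordinator_exporter.export_run er on el.export_run_id = er.id
     inner join coordinator_exporter.export_configuration ec on ec.id = er.export_configuration_id
     inner join scheduler.scheduler_configuration sc on ec.id = sc.task_id
where er.succeeded = false
  and er.start_timestamp > :runTimestamp :: date - INTERVAL '7 days'
  and sc.active = false
  and (el.had_configured_tenants = true or ec.filter_by_tenant = false)
  -- exclude files that a later successful run of the same configuration re-exported
  and not exists (select 1
                  from coordinator_exporter.export_log el2
                       inner join coordinator_exporter.export_run er2 on el2.export_run_id = er2.id
                  where er2.id <> er.id
                    and er2.succeeded = true
                    and er2.export_configuration_id = er.export_configuration_id
                    and er2.start_timestamp > er.start_timestamp
                    and el2.import_file_id = el.import_file_id);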