forked from 8gears/keycloak-auth-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
openshift_template.yml
170 lines (167 loc) · 5.53 KB
/
openshift_template.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
kind: Template
apiVersion: v1
metadata:
name: keycloak-auth-proxy
annotations:
'openshift.io/display-name': Reverse Authentication Proxy
description: |
The Keycloak Auth Proxy provides OpenID Connect/OAuth authentication and authorization for web resources that have no build in authentication.
iconClass: fa fa-address-card-o
tags: 'Authentication, Proxy, OIDC, OpenID, Reverse Proxy'
parameters:
- name: NAME
displayName: Name
value: keycloak-auth-proxy
description: The name of the service
required: false
- name: APP_NAME
displayName: The App Name
value: keycloak-auth-proxy
description: The application name, by default same as name.
required: false
- name: HOST_NAME
displayName: The external proxy host name
value: HOST_NAME
description: The full qualified external proxy host name
required: false
- name: DISCOVERY_URL
displayName: Discovery URL
description: Discovery url to retrieve the openid configuration. Normally for keycloak its <server>/auth/realm/<realm_name>
value: https://auth.domain.io/auth/realms/8gears
required: true
- name: CLIENT_ID
displayName: Client ID
description: Specifies ID referenced in URI and tokens. For example 'my-client'. For SAML this is also the expected issuer value from authn requests
value: account
required: true
- name: CLIENT_SECRET
displayName: Client Secret
description: Client secret used to authenticate to the oauth service
required: true
- name: LISTEN
displayName: Proxy Listen Port
description: The interface definition you wish the proxy to listen, all interfaces is specified as ':<port>', unix sockets as unix:https://<REL_PATH>|</ABS PATH>
value: :8080
required: false
- name: ENABLE_REFRESH_TOKENS
displayName: Refresh Token Enabled
description: Enables the handling of the refresh tokens
value: 'true'
required: false
- name: REDIRECTION_URL
displayName: The redirect URL
description: Redirection url for the oauth callback url, defaults to host header is absent.
required: false
- name: SECURE_COOKIE
displayName: Secure Cookie
description: Enforces the cookie to be secure. Works only with Secure redirect URL
value: 'false'
required: false
- name: ENCRYPTION_KEY
displayName: Encryption key
description: Encryption key used to encryption the session state
from: '[a-zA-Z0-9]{32}'
generate: 'expression'
- name: UPSTREAM_URL
displayName: Upstrean URL
description: URL for the upstream endpoint you wish to proxy the traffic too.
value: 'http:https://example.org/'
required: true
- name: RESOURCES
displayName: Resources
description: list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'
value: 'uri=/*'
required: true
- name: PROXY_CONFIG
displayName: Proxy Configuration File
description: Provide the complete content of a custom config file that should be used instead of the default one.
required: false
- name: MATCH_CLAIMS
displayName: Token claim matching for additional ACL controls
description: eypair values for matching access token claims e.g. aud=myapp, iss=http:https://example.*, email=^.*@domain.com$
required: false
objects:
- kind: Service
apiVersion: v1
metadata:
name: ${NAME}
labels:
app: ${APP_NAME}
app-component: ${NAME}
spec:
ports:
- name: 8080-tcp
protocol: TCP
port: 8080
targetPort: 8080
selector:
deploymentconfig: ${NAME}
- kind: Route
apiVersion: v1
metadata:
name: ${NAME}
labels:
app: ${APP_NAME}
app-component: ${NAME}
spec:
host: ${HOST_NAME}
to:
kind: Service
name: ${NAME}
tls:
termination: edge
- kind: DeploymentConfig
apiVersion: v1
metadata:
name: ${NAME}
labels:
app: ${APP_NAME}
app-component: ${NAME}
spec:
replicas: 1
selector:
app: ${APP_NAME}
deploymentconfig: ${NAME}
strategy:
type: Rolling
template:
metadata:
labels:
app: ${APP_NAME}
app-component: ${NAME}
deploymentconfig: ${NAME}
spec:
containers:
- name: ${NAME}
image: 8gears/keycloak-auth-proxy:2.1.1
ports:
- containerPort: 8080
protocol: TCP
env:
- name: PROXY_DISCOVERY_URL
value: ${DISCOVERY_URL}
- name: PROXY_CLIENT_ID
value: ${CLIENT_ID}
- name: PROXY_CLIENT_SECRET
value: ${CLIENT_SECRET}
- name: PROXY_LISTEN
value: ${LISTEN}
- name: PROXY_ENABLE_REFRESH_TOKENS
value: ${ENABLE_REFRESH_TOKENS}
- name: PROXY_REDIRECTION_URL
value: ${REDIRECTION_URL}
- name: PROXY_SECURE_COOKIE
value: ${SECURE_COOKIE}
- name: PROXY_ENCRYPTION_KEY
value: ${ENCRYPTION_KEY}
- name: PROXY_UPSTREAM_URL
value: ${UPSTREAM_URL}
- name: PROXY_RESOURCES
value: ${RESOURCES}
- name: PROXY_CONFIG
value: ${PROXY_CONFIG}
- name: PROXY_MATCH_CLAIMS
value: ${MATCH_CLAIMS}
imagePullPolicy: Always
restartPolicy: Always
terminationGracePeriodSeconds: 30