diff --git a/configs/prod/file-provider.yml b/configs/prod/file-provider.yml
new file mode 100644
index 0000000..3940072
--- /dev/null
+++ b/configs/prod/file-provider.yml
@@ -0,0 +1,9 @@
+---
+http:
+ middlewares:
+ keycloak:
+ forwardAuth:
+ address: "http://traefik-forward-auth:4181"
+ trustForwardHeader: true
+ authResponseHeaders:
+ - "X-Forwarded-User"
diff --git a/configs/prod/forward.ini.tmpl b/configs/prod/forward.ini.tmpl
new file mode 100644
index 0000000..63a48cb
--- /dev/null
+++ b/configs/prod/forward.ini.tmpl
@@ -0,0 +1,13 @@
+secret = {{ secret "secret-nonce-v1" }}
+
+default-provider = oidc
+
+providers.oidc.issuer-url = {{ secret "oidc-issuer-url-v1" }}
+providers.oidc.client-id = {{ secret "oidc-client-id-v1" }}
+providers.oidc.client-secret = {{ secret "oidc-client-secret-v1" }}
+
+log-level = error
+
+cookie-domain = swarm.autonomic.zone
+
+auth-host = auth.swarm.autonomic.zone
diff --git a/configs/prod/traefik.yml b/configs/prod/traefik.yml
index 1739f3b..a9c9b71 100644
--- a/configs/prod/traefik.yml
+++ b/configs/prod/traefik.yml
@@ -8,6 +8,8 @@ providers:
 exposedByDefault: false
 network: "proxy"
 swarmMode: true
+ file:
+ filename: /etc/traefik/file-provider.yml
 api:
 dashboard: true
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
index b590a37..85db969 100644
--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -1,5 +1,5 @@
 ---
-version: "3.7"
+version: "3.8"
 services:
 traefik:
diff --git a/docker-compose.production.yml b/docker-compose.production.yml
index 8de1bf8..c305a65 100644
--- a/docker-compose.production.yml
+++ b/docker-compose.production.yml
@@ -1,5 +1,5 @@
 ---
-version: "3.7"
+version: "3.8"
 services:
 traefik:
@@ -13,6 +13,8 @@ services:
 configs:
 - source: traefik-yml-prod-v1
 target: /etc/traefik/traefik.yml
+ - source: file-provider-prod-v1
+ target: /etc/traefik/file-provider.yml
 networks:
 - proxy
 deploy:
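Review bot: `trustForwardHeader: true` on the `keycloak` forwardAuth middleware makes Traefik pass the request's X-Forwarded-* headers through to traefik-forward-auth, which presumably derives the post-login redirect target from X-Forwarded-Host/Proto; whether a client can influence those headers depends on the `web-secure` entrypoint's `forwardedHeaders` configuration, which is not in this diff, so confirm that client-supplied forwarded headers are not trusted there. A comment above the key would record that dependency: `# forward-auth needs the original Host/Proto; the entrypoint must not trust client-sent X-Forwarded-*`. The `address` is plain `http://` on the overlay network, so each auth sub-request (which carries the session cookie) travels unencrypted inside the swarm unless the `proxy` network was created with encryption enabled; a comment stating which assumption holds would help the next reader.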
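Review bot: `cookie-domain = swarm.autonomic.zone` scopes the signed session cookie to the whole zone, so every service on any `*.swarm.autonomic.zone` host receives it whether or not that service sits behind the `keycloak@file` middleware; that is the usual SSO trade-off, but a comment should say it is intended, e.g. `# zone-wide cookie: SSO across all swarm hosts; every subdomain service receives it`. `log-level = error` will keep rejected or failed authentications out of the service logs, which are the only place to notice a misconfigured provider or repeated failures against the auth host, so `log-level = warn` is likely the better operational default, assuming the tool logs auth failures at that level. `auth-host = auth.swarm.autonomic.zone` also implies the redirect URI registered at the OIDC provider must be the callback path on that host (presumably `/_oauth`); a comment tying the two together would keep them in sync.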
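Review bot: `filename: /etc/traefik/file-provider.yml` hard-codes a path that the compose `configs:` entry in the `@@ -13,6 +13,8 @@` hunk of docker-compose.production.yml must mount at the same `target:`; the two agree today, but nothing links them, so a comment on the line such as `# must match the file-provider-prod-v1 config target in docker-compose.production.yml` would keep the coupling visible. The enclosing `providers:` mapping starts before this hunk.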
@@ -30,8 +32,30 @@ services:
 - "traefik.http.routers.traefik.entrypoints=web-secure"
 - "traefik.http.routers.traefik.tls.certresolver=staging"
 - "traefik.http.routers.traefik.service=api@internal"
- - "traefik.http.routers.traefik.middlewares=traefik-auth"
- - "traefik.http.middlewares.traefik-auth.basicauth.users=autonomic:$$apr1$$c2uyXKda$$aRey75.6YpkdA82yGf5VN1"
+ - "traefik.http.routers.traefik.middlewares=keycloak@file"
+
+ traefik-forward-auth:
+ image: thomseddon/traefik-forward-auth:2
+ configs:
+ - source: forward-ini-prod-v1
+ target: /etc/forward.ini
+ networks:
+ - proxy
+ environment:
+ - CONFIG=/etc/forward.ini
+ secrets:
+ - oidc-client-id-v1
+ - oidc-client-secret-v1
+ - oidc-issuer-url-v1
+ - secret-nonce-v1
+ deploy:
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.services.tfa.loadBalancer.server.port=4181"
+ - "traefik.http.routers.tfa.rule=Host(`auth.swarm.autonomic.zone`)"
+ - "traefik.http.routers.tfa.entrypoints=web-secure"
+ - "traefik.http.routers.tfa.tls.certresolver=staging"
+ - "traefik.http.routers.tfa.middlewares=keycloak@file"
 networks:
 proxy:
@@ -40,6 +64,21 @@ networks:
 configs:
 traefik-yml-prod-v1:
 file: configs/prod/traefik.yml
+ file-provider-prod-v1:
+ file: configs/prod/file-provider.yml
+ forward-ini-prod-v1:
+ file: configs/prod/forward.ini.tmpl
+ template_driver: golang
+
+secrets:
+ secret-nonce-v1:
+ external: true
+ oidc-issuer-url-v1:
+ external: true
+ oidc-client-id-v1:
+ external: true
+ oidc-client-secret-v1:
+ external: true
 volumes:
 letsencrypt:
diff --git a/docker-compose.yml b/docker-compose.yml
index 685bb9c..1c51e5b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,5 @@
 ---
-version: "3.7"
+version: "3.8"
 services:
 traefik:
diff --git a/requirements.txt b/requirements.txt
index e2fcb03..b538b9c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1 @@
-docker-compose==1.25.5
+docker-compose==1.26.0-rc4
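Review bot: The `forward-ini-prod-v1` config mounted at `/etc/forward.ini` in the new `traefik-forward-auth` service is rendered with the OIDC client secret and the cookie-signing secret, yet it relies on the default swarm config file mode (0444, readable by every user in the container); add `mode: 0400` under the `target:` line, with `uid`/`gid` set to the user the image runs as if that is not root. `image: thomseddon/traefik-forward-auth:2` is a floating major tag, so the authentication gateway is re-pulled from whatever that tag resolves to at each deploy; pinning an immutable digest (`image: thomseddon/traefik-forward-auth:2@sha256:<digest-placeholder>`) makes upgrades deliberate and reviewable. Both routers keep `tls.certresolver=staging`; if that resolver points at the ACME staging endpoint, the OIDC redirect and the auth cookie run over a certificate browsers do not trust, so confirm the name is only a label for the production resolver. The basicauth hash for `autonomic` removed here stays in repository history, so treat that password as exposed and rotate it wherever else it is used.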
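Review bot: The four `external: true` secrets carry no comment saying where they are created or how they are rotated; since swarm secrets are immutable once created, the `-v1` suffix looks like the rotation scheme (create `-v2`, update the references here and in `forward.ini.tmpl`, redeploy), and a comment above `secrets:` stating that would stop someone trying to edit a secret in place. `forward-ini-prod-v1` with `template_driver: golang` means the stored config object holds only the `{{ secret ... }}` references while the rendered file inside the container holds the actual values, which matters because swarm configs, unlike secrets, are not encrypted at rest; a comment on the `file:` line noting that the template must never contain literal secret values would preserve that property. The secret names here, the `secret "..."` calls in the template and the service's `secrets:` list all have to agree for rendering to succeed, which is worth one sentence of documentation.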