-
-
Save miradam/4833ae106e46f20da6ad9ad089752ba7 to your computer and use it in GitHub Desktop.
NGINX Keycloak Authentication
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: apps/v1 | |
| kind: Deployment | |
| metadata: | |
| name: nginx | |
| namespace: default | |
| spec: | |
| replicas: 1 | |
| selector: | |
| matchLabels: | |
| app: nginx | |
| template: | |
| metadata: | |
| labels: | |
| app: nginx | |
| spec: | |
| containers: | |
| - name: nginx | |
| image: nginx | |
| - name: gatekeeper | |
| image: carlosedp/keycloak-gatekeeper:latest | |
| args: | |
| - --config=/etc/keycloak-gatekeeper.conf | |
| ports: | |
| - containerPort: 3000 | |
| name: service | |
| volumeMounts: | |
| - name: gatekeeper-config | |
| mountPath: /etc/keycloak-gatekeeper.conf | |
| subPath: keycloak-gatekeeper.conf | |
| - name: gatekeeper-files | |
| mountPath: /html | |
| volumes: | |
| - name : gatekeeper-config | |
| configMap: | |
| name: gatekeeper-config | |
| - name : gatekeeper-files | |
| configMap: | |
| name: gatekeeper-files | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: gatekeeper-config | |
| namespace: default | |
| creationTimestamp: null | |
| data: | |
| keycloak-gatekeeper.conf: |+ | |
| # is the url for retrieve the OpenID configuration - normally the <server>/auth/realms/<realm_name> | |
| discovery-url: https://keycloak.192.168.164.1.nip.io:8443/auth/realms/local | |
| # skip tls verify | |
| skip-openid-provider-tls-verify: true | |
| # the client id for the 'client' application | |
| client-id: gatekeeper | |
| # the secret associated to the 'client' application | |
| client-secret: 3d87097b-9f31-4457-89b3-a6578d21f759 | |
| # the interface definition you wish the proxy to listen, all interfaces is specified as ':<port>', unix sockets as unix://<REL_PATH>|</ABS PATH> | |
| listen: :3000 | |
| # whether to enable refresh tokens | |
| enable-refresh-tokens: true | |
| # the location of a certificate you wish the proxy to use for TLS support | |
| tls-cert: | |
| # the location of a private key for TLS | |
| tls-private-key: | |
| # the redirection url, essentially the site url, note: /oauth/callback is added at the end | |
| redirection-url: http://nginx.192.168.164.130.nip.io | |
| secure-cookie: false | |
| # the encryption key used to encode the session state | |
| encryption-key: vGcLt8ZUdPX5fXhtLZaPHZkGWHZrT6aa | |
| # the upstream endpoint which we should proxy request | |
| upstream-url: http://127.0.0.1:80/ | |
| forbidden-page: /html/access-forbidden.html | |
| resources: | |
| - uri: /* | |
| groups: | |
| - my-app | |
| --- | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: gatekeeper-files | |
| namespace: default | |
| creationTimestamp: null | |
| data: | |
| access-forbidden.html: |+ | |
| <html lang="en"><head> <title>Access Forbidden</title><style>*{font-family: "Courier", "Courier New", "sans-serif"; margin:0; padding: 0;}body{background: #233142;}.whistle{width: 20%; fill: #f95959; margin: 100px 40%; text-align: left; transform: translate(-50%, -50%); transform: rotate(0); transform-origin: 80% 30%; animation: wiggle .2s infinite;}@keyframes wiggle{0%{transform: rotate(3deg);}50%{transform: rotate(0deg);}100%{transform: rotate(3deg);}}h1{margin-top: -100px; margin-bottom: 20px; color: #facf5a; text-align: center; font-size: 90px; font-weight: 800;}h2, a{color: #455d7a; text-align: center; font-size: 30px; text-transform: uppercase;}</style> </head><body> <use> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 1000 1000" enable-background="new 0 0 1000 1000" xml:space="preserve" class="whistle"><g><g transform="translate(0.000000,511.000000) scale(0.100000,-0.100000)"><path d="M4295.8,3963.2c-113-57.4-122.5-107.2-116.8-622.3l5.7-461.4l63.2-55.5c72.8-65.1,178.1-74.7,250.8-24.9c86.2,61.3,97.6,128.3,97.6,584c0,474.8-11.5,526.5-124.5,580.1C4393.4,4001.5,4372.4,4001.5,4295.8,3963.2z"/><path d="M3053.1,3134.2c-68.9-42.1-111-143.6-93.8-216.4c7.7-26.8,216.4-250.8,476.8-509.3c417.4-417.4,469.1-463.4,526.5-463.4c128.3,0,212.5,88.1,212.5,224c0,67-26.8,97.6-434.6,509.3c-241.2,241.2-459.5,449.9-488.2,465.3C3181.4,3180.1,3124,3178.2,3053.1,3134.2z"/><path d="M2653,1529.7C1644,1445.4,765.1,850,345.8-32.7C62.4-628.2,22.2-1317.4,234.8-1960.8C451.1-2621.3,947-3186.2,1584.6-3500.2c1018.6-501.6,2228.7-296.8,3040.5,515.1c317.8,317.8,561,723.7,670.1,1120.1c101.5,369.5,158.9,455.7,360,553.3c114.9,57.4,170.4,65.1,1487.7,229.8c752.5,93.8,1392,181.9,1420.7,193.4C8628.7-857.9,9900,1250.1,9900,1328.6c0,84.3-67,172.3-147.4,195.3c-51.7,15.3-790.8,19.1-2558,15.3l-2487.2-5.7l-55.5-63.2l-55.5-61.3v-344.6V719.8h-411.7h-411.7v325.5c0,509.3,11.5,499.7-616.5,494C2921,1537.3,2695.1,1533.5,2653,1529.7z"/></g></g></svg></use><h1>403</h1><h2>Not this time, access forbidden!</h2><h2><a href="/oauth/logout?redirect=https://google.com">Logout</h2></body></html> | |
| --- | |
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| labels: | |
| app: nginx | |
| name: nginx | |
| namespace: default | |
| spec: | |
| ports: | |
| - name: http | |
| port: 80 | |
| protocol: TCP | |
| targetPort: service | |
| selector: | |
| app: nginx | |
| type: ClusterIP | |
| --- | |
| apiVersion: networking.k8s.io/v1beta1 | |
| kind: Ingress | |
| metadata: | |
| name: nginx | |
| namespace: default | |
| annotations: | |
| nginx.ingress.kubernetes.io/rewrite-target: / | |
| spec: | |
| rules: | |
| - host: nginx.192.168.164.130.nip.io | |
| http: | |
| paths: | |
| - path: / | |
| backend: | |
| serviceName: nginx | |
| servicePort: 80 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment