diff --git a/examples/Google/README.md b/examples/Google/README.md new file mode 100644 index 0000000..600d1ce --- /dev/null +++ b/examples/Google/README.md @@ -0,0 +1,117 @@ + +# Deploying on Kubernetes and using GCP OAuth 2.0 Client ID + +This example shows a kubernetes deployment and service to running a traefik-forward-auth container. It assumes the namespace is traefik. If you are not using this namespace then change it to suit your environment. + +1. The traefik forward auth deployment. You will need to supply the following environment variables + +| Envronment Variable name | Value | Description | +| :---------------------: | :---: | :---: | +| CLIENT_ID | Your GCP Credential ID | Get this from Oauth 2.0 Credential https://console.cloud.google.com/apis/credentials | +| CLIENT_SECRET | Your GCP Credential Secret | See Above | +| DOMAIN | The E-mail addresses of the GCP accounts | A comma seperated list of e-mails domains | +| PROVIDER_URI | https://accounts.google.com | This is the same URL for all deployments | +| SCOPE | openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile | A space seperated string; you can use the example supplied as is as this always the same across deployments | +| SECRET | A-random-secret | A Random secret string | +| ENCRYPTION_KEY | RANDOM-STRING-MINIMUM-OF-16-CHARS-LONG | An AES compatible string which should either be 16, 24, or 32 Bytes long | + +The following deployment will create a traefik forward auth container. + +``` +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: traefik-forward-auth + name: traefik-forward-auth + namespace: traefik +spec: + replicas: 1 + selector: + matchLabels: + app: traefik-forward-auth + strategy: + type: Recreate + template: + metadata: + labels: + app: traefik-forward-auth + spec: + containers: + - env: + - name: DOMAIN + value: myemaildomain.com,myotheremaildomain.org + - name: CLIENT_ID + valueFrom: + secretKeyRef: + name: traefik-forward-auth-secrets + key: client-id + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: traefik-forward-auth-secrets + key: client-secret + - name: PROVIDER_URI + value: https://accounts.google.com + - name: SCOPE + value: openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile + - name: SECRET + valueFrom: + secretKeyRef: + name: traefik-forward-auth-secrets + key: secret + - name: ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: traefik-forward-auth-secrets + key: encryption-key + - name: LOG_LEVEL + value: debug + image: mesosphere/traefik-forward-auth:latest + imagePullPolicy: Always + name: traefik-forward-auth + ports: + - containerPort: 4181 + protocol: TCP + resources: {} +``` + +2. The kubernetes service. + +This service provides the consistent endpoint for Traefik Middleware to send auth requests to. + +``` +apiVersion: v1 +kind: Service +metadata: + labels: + app: traefik-forward-auth + name: traefik-forward-auth + namespace: traefik +spec: + ports: + - name: auth-http + port: 4181 + protocol: TCP + targetPort: 4181 + selector: + app: traefik-forward-auth + sessionAffinity: None + type: ClusterIP +``` + +3. The Traefik Middleware. This makes the Traefik Middleware available for traefik routes. + +``` +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: auth-only-ovo + namespace: traefik +spec: + forwardAuth: + address: http://traefik-forward-auth:4181 + authResponseHeaders: + - X-Forwarded-User + trustForwardHeader: true +``` diff --git a/examples/Google/forward-auth/google-traefik-kube-deploy.yaml b/examples/Google/forward-auth/google-traefik-kube-deploy.yaml new file mode 100644 index 0000000..27ff95f --- /dev/null +++ b/examples/Google/forward-auth/google-traefik-kube-deploy.yaml @@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: traefik-forward-auth + name: traefik-forward-auth + namespace: traefik +spec: + replicas: 1 + selector: + matchLabels: + app: traefik-forward-auth + strategy: + type: Recreate + template: + metadata: + labels: + app: traefik-forward-auth + spec: + containers: + - env: + - name: DOMAIN + value: myemaildomain.com,myotheremaildomain.org + - name: CLIENT_ID + valueFrom: + secretKeyRef: + name: traefik-forward-auth-secrets + key: client-id + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: traefik-forward-auth-secrets + key: client-secret + - name: PROVIDER_URI + value: https://accounts.google.com + - name: SCOPE + value: openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile + - name: SECRET + value: < A RANDOM SECRET STRING > + - name: ENCRYPTION_KEY + value: < RANDOM-STRING-MINIMUM-OF-16-CHARS-LONG > + - name: LOG_LEVEL + value: debug + image: mesosphere/traefik-forward-auth:latest + imagePullPolicy: Always + name: traefik-forward-auth + ports: + - containerPort: 4181 + protocol: TCP + resources: {} diff --git a/examples/Google/forward-auth/google-traefik-service.yaml b/examples/Google/forward-auth/google-traefik-service.yaml new file mode 100644 index 0000000..69d7112 --- /dev/null +++ b/examples/Google/forward-auth/google-traefik-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: traefik-forward-auth + name: traefik-forward-auth + namespace: traefik +spec: + ports: + - name: auth-http + port: 4181 + protocol: TCP + targetPort: 4181 + selector: + app: traefik-forward-auth + sessionAffinity: None + type: ClusterIP diff --git a/examples/Google/forward-auth/secret.yaml b/examples/Google/forward-auth/secret.yaml new file mode 100644 index 0000000..386a85f --- /dev/null +++ b/examples/Google/forward-auth/secret.yaml @@ -0,0 +1,4 @@ +client-id=client-id +client-secret=client-secret +secret=something-random +encryption-key=1234567890123456