generated from coop-cloud/example
feat: add keycloak support
This commit is contained in:
parent
58389e11fd
commit
c285ec4d95
|
@ -14,3 +14,10 @@ COMPOSE_FILE="compose.yml:compose.mssql.yml"
|
||||||
# OIDC_CLIENT_ID=
|
# OIDC_CLIENT_ID=
|
||||||
# OIDC_ISSUER_URL=
|
# OIDC_ISSUER_URL=
|
||||||
# SECRET_OIDC_CLIENT_SECRET=v1
|
# SECRET_OIDC_CLIENT_SECRET=v1
|
||||||
|
|
||||||
|
# Keycloak integration
|
||||||
|
# COMPOSE_FILE="compose.yml:compose.keycloak.yml"
|
||||||
|
# KEYCLOAK_ENABLED=1
|
||||||
|
# KEYCLOAK_CLIENT_ID=
|
||||||
|
# KEYCLOAK_CLIENT_TOKEN_URL=
|
||||||
|
# SECRET_KEYCLOAK_CLIENT_SECRET=v1
|
||||||
|
|
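Review bot: The sample exposes the token endpoint as `KEYCLOAK_CLIENT_TOKEN_URL`, but compose.keycloak.yml forwards `KEYCLOAK_TOKEN_URL` into the container and pam-exec-oauth2.yaml.tmpl reads `env "KEYCLOAK_TOKEN_URL"`, so an operator who fills in the sample as written gets `endpoint-token-url: ""` in the rendered config and the helper has nowhere to send credentials. Rename the sample line to `# KEYCLOAK_TOKEN_URL=` (or rename the other two sites) so all three agree. It would also help to note next to `# KEYCLOAK_ENABLED=1` that the value must be exactly the string `1`, since the entrypoint template compares it with `eq ... "1"`.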
4
abra.sh
4
abra.sh
|
@ -1,2 +1,4 @@
|
||||||
export CUSTOM_ENTRYPOINT_VERSION=v1
|
export CUSTOM_ENTRYPOINT_VERSION=v2
|
||||||
export OIDC_CONF_VERSION=v1
|
export OIDC_CONF_VERSION=v1
|
||||||
|
export PAM_EXEC_OAUTH2_YAML_VERSION=v1
|
||||||
|
export PAM_SCRIPT_AUTH_VERSION=v1
|
||||||
|
|
|
@ -0,0 +1,36 @@
|
||||||
|
---
|
||||||
|
version: "3.8"
|
||||||
|
|
||||||
|
# WARNING: Requires your own Keycloak and is a work-around for the server pro
|
||||||
|
# restrictions for SSO integration. This is experimental. Please speak
|
||||||
|
# to washnote.com folks if you need support, it is being used there.
|
||||||
|
|
||||||
|
services:
|
||||||
|
app:
|
||||||
|
configs:
|
||||||
|
- source: pam_exec_oauth2_yaml
|
||||||
|
target: /opt/pam-exec-oauth2/pam-exec-oauth2.yaml
|
||||||
|
mode: 0600
|
||||||
|
- source: pam_script_auth_sh
|
||||||
|
target: /usr/share/libpam-script/pam_script_auth
|
||||||
|
mode: 0555
|
||||||
|
environment:
|
||||||
|
- KEYCLOAK_ENABLED
|
||||||
|
- KEYCLOAK_CLIENT_ID
|
||||||
|
- KEYCLOAK_TOKEN_URL
|
||||||
|
secrets:
|
||||||
|
- keycloak_client_secret
|
||||||
|
|
||||||
|
configs:
|
||||||
|
pam_exec_oauth2_yaml:
|
||||||
|
name: ${STACK_NAME}_pam_exec_oauth2_yaml_${PAM_EXEC_OAUTH2_YAML_VERSION}
|
||||||
|
file: pam-exec-oauth2.yaml.tmpl
|
||||||
|
template_driver: golang
|
||||||
|
pam_script_auth_sh:
|
||||||
|
name: ${STACK_NAME}_pam_script_auth_sh_${PAM_SCRIPT_AUTH_VERSION}
|
||||||
|
file: pam_script_auth.sh
|
||||||
|
|
||||||
|
secrets:
|
||||||
|
keycloak_client_secret:
|
||||||
|
name: ${STACK_NAME}_keycloak_client_secret_${SECRET_KEYCLOAK_CLIENT_SECRET}
|
||||||
|
external: true
|
|
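Review bot: The Keycloak client secret ends up in a Docker config rather than a secret: `pam_exec_oauth2_yaml` is rendered with `template_driver: golang` from a template that expands `{{ secret "keycloak_client_secret" }}`, so the plaintext value is stored in the config object and written to the container filesystem instead of living only in the tmpfs-backed secret mount (and, per Docker's documentation as I recall it, configs unlike secrets are not encrypted at rest on the managers). `mode: 0600` limits who can read it inside the container, but the exposure on the manager nodes is wider than the `external: true` secret declaration suggests. If pam-exec-oauth2 can take the secret from a separate file or an environment variable, pass it through the `secrets:` mount and keep only non-sensitive settings in the config; otherwise add a sentence to the WARNING comment at the top of the file stating that the client secret is materialised into a config.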
@ -29,4 +29,13 @@ echo 'auth-openid-issuer={{ env "OIDC_ISSUER_URL"}}' >> /etc/rstudio/rserver.con
|
||||||
echo 'auth-openid-base-uri=https://{{ env "DOMAIN" }}' >> /etc/rstudio/rserver.conf
|
echo 'auth-openid-base-uri=https://{{ env "DOMAIN" }}' >> /etc/rstudio/rserver.conf
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
|
{{ if eq (env "KEYCLOAK_ENABLED") "1" }}
|
||||||
|
apt install -y libpam-script
|
||||||
|
echo 'auth sufficient pam_exec.so expose_authtok /opt/pam-exec-oauth2/pam-exec-oauth2' >> /etc/pam.d/common-auth
|
||||||
|
echo 'auth optional pam_script.so' >> /etc/pam.d/common-auth
|
||||||
|
mkdir -p /opt/pam-exec-oauth2/
|
||||||
|
wget https://github.com/WASHNote/pam-exec-oauth2/releases/download/v0.0.1/pam-exec-oauth2 -O /opt/pam-exec-oauth2/pam-exec-oauth2
|
||||||
|
chmod +x /opt/pam-exec-oauth2/pam-exec-oauth2
|
||||||
|
{{ end }}
|
||||||
|
|
||||||
exec "$@"
|
exec "$@"
|
||||||
|
|
|
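Review bot: The PAM helper is fetched with `wget` at container start and executed with no integrity check, and because it is registered with `expose_authtok` it receives every user's plaintext password on stdin, so a tampered download or a replaced release asset becomes a credential-stealing module running as root. Pin the asset's digest and refuse to continue otherwise, e.g. after the `wget` line add `echo "<sha256 of the v0.0.1 asset>  /opt/pam-exec-oauth2/pam-exec-oauth2" | sha256sum -c - || exit 1`; better still, move the `apt install` and the download into the image build so startup needs no network access. Note also that the two `>>` lines land after whatever the image's common-auth already contains; if that is Debian's stock stack with `auth requisite pam_deny.so`, the appended modules are never reached for a user pam_unix rejects, so this ordering is worth confirming against the base image. The top of the entrypoint (and any `set -e`) is outside the hunk, so whether a failed download aborts startup or silently leaves a dangling `pam_exec.so` entry cannot be seen here.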
@ -0,0 +1,8 @@
|
||||||
|
{
|
||||||
|
client-id: "{{ env "KEYCLOAK_CLIENT_ID" }}",
|
||||||
|
client-secret: "{{ secret "keycloak_client_secret" }}",
|
||||||
|
scopes: ["profile"],
|
||||||
|
endpoint-token-url: "{{ env "KEYCLOAK_TOKEN_URL" }}",
|
||||||
|
extra-parameters: {
|
||||||
|
},
|
||||||
|
}
|
|
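Review bot: The rendered config carries only a token endpoint and a client secret, with no authorization or redirect URL, which suggests the helper performs the OAuth 2.0 password grant against Keycloak (the user's PAM password is sent to `endpoint-token-url`); if so, the Keycloak client must have Direct Access Grants enabled, and that requirement plus the fact that the RStudio host sees users' Keycloak passwords in the clear deserves a sentence in the WARNING comment of compose.keycloak.yml. Separately, the values are double-quoted YAML scalars, so a `KEYCLOAK_CLIENT_ID` or client secret containing `"` or `\` would corrupt the file at render time; either document that restriction or switch to single quotes, which only need `'` doubled.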
@ -0,0 +1,4 @@
|
||||||
|
#!/bin/bash
|
||||||
|
if ! id "$PAM_USER" &>/dev/null; then
|
||||||
|
adduser $PAM_USER --disabled-password --quiet --gecos ""
|
||||||
|
fi
|