Update docs 2.1.0 (#241)
* Enable forward-auth also for Oauth code flow

* Move nolint comment

* Change testing k8s yaml gatekeeper image

* Update docs for 2.1.0
p53 authored Dec 23, 2022
1 parent 0ba1661 commit 1d0b5b6
Showing 6 changed files with 57 additions and 14 deletions.
12 changes: 6 additions & 6 deletions README.md
Expand Up @@ -20,7 +20,7 @@ Please remember to provide a good summary, description as well as steps to repro

To run Gatekeeper, please refer to our [building and working with the code base](docs/building.md) guide. Alternatively, you can use the Docker image by running:

docker run -it --rm quay.io/gogatekeeper/gatekeeper:2.0.0 \
docker run -it --rm quay.io/gogatekeeper/gatekeeper:2.1.0 \
--listen 127.0.0.1:8080 \
--upstream-url http://127.0.0.1:80 \
--discovery-url https://keycloak.example.com/realms/<REALM_NAME> \
Expand All @@ -35,16 +35,16 @@ Beside links to archives of binaries we provide also checksum file containing ch
for archives. You can download file gatekeeper-checksum.txt, it contains sha512 checksums e.g.:

```
324b34ece86b6214f835ba9fd79e185864a9005f514458796c22c053de63f428235d2d2a04864065a49c090ad81d2daeb45546544fdd9531a8dea1a43145b8f0 gatekeeper_2.0.0_windows_amd64.zip
38759e75a94d130758cd26958bd9a66b261be8d58a6c7a0fc04845157649aaf628d22a115c95285b405f8e4d6afa8bd78ca8677d1304faf06db93a0cbbc831a6 gatekeeper_2.0.0_linux_amd64.tar.gz
f5322e41b3d78017191246bdd54f99e9b3dd8d5ff9d224e7e81b678a952c1d5aae125ea4c251928969b0a0ea0dc59724308c918993c8227f384f61896f58cbd0 gatekeeper_2.0.0_macOS_amd64.tar.gz
324b34ece86b6214f835ba9fd79e185864a9005f514458796c22c053de63f428235d2d2a04864065a49c090ad81d2daeb45546544fdd9531a8dea1a43145b8f0 gatekeeper_2.1.0_windows_amd64.zip
38759e75a94d130758cd26958bd9a66b261be8d58a6c7a0fc04845157649aaf628d22a115c95285b405f8e4d6afa8bd78ca8677d1304faf06db93a0cbbc831a6 gatekeeper_2.1.0_linux_amd64.tar.gz
f5322e41b3d78017191246bdd54f99e9b3dd8d5ff9d224e7e81b678a952c1d5aae125ea4c251928969b0a0ea0dc59724308c918993c8227f384f61896f58cbd0 gatekeeper_2.1.0_macOS_amd64.tar.gz
```

After you download archive of binary you can calculate it's checksum by using e.g. sha512sum Linux utility:

```
sha512sum /my/path/gatekeeper_2.0.0_linux_amd64.tar.gz
38759e75a94d130758cd26958bd9a66b261be8d58a6c7a0fc04845157649aaf628d22a115c95285b405f8e4d6afa8bd78ca8677d1304faf06db93a0cbbc831a6 gatekeeper_2.0.0_linux_amd64.tar.g
sha512sum /my/path/gatekeeper_2.1.0_linux_amd64.tar.gz
38759e75a94d130758cd26958bd9a66b261be8d58a6c7a0fc04845157649aaf628d22a115c95285b405f8e4d6afa8bd78ca8677d1304faf06db93a0cbbc831a6 gatekeeper_2.1.0_linux_amd64.tar.g
```

As you can see output of command is checksum, you can compare it with the one in gatekeeper-checksum.txt.
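Review bot: the three sha512 values in this hunk were left untouched while the file names were renamed from 2.0.0 to 2.1.0, so the checksums now shown next to the 2.1.0 archives are the 2.0.0 values; a reader who verifies a 2.1.0 download against them will get a mismatch and may conclude the download is corrupt or tampered. Either regenerate these lines from the 2.1.0 gatekeeper-checksum.txt or label them clearly as illustrative. The sha512sum example output is also truncated (`gatekeeper_2.1.0_linux_amd64.tar.g`), and "it's checksum" in the prose should read "its checksum".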
2 changes: 1 addition & 1 deletion doc.go
Expand Up @@ -28,7 +28,7 @@ import (
)

var (
release = "2.0.0"
release = "2.1.0"
gitsha = "no gitsha provided"
compiled = "0"
version = ""
2 changes: 1 addition & 1 deletion docs/release.md
Expand Up @@ -12,7 +12,7 @@ The release process was automated to release builds based on the Git tag when a
### Steps

1. Visit https://github.com/gogatekeeper/gatekeeper/releases/new
2. Choose a new tag version based on [Semantic Versioning 2.0.0](https://semver.org/) and pick the target branch.
2. Choose a new tag version based on [Semantic Versioning 2.1.0](https://semver.org/) and pick the target branch.
3. Choose the release title and add a proper description
4. Publish the release

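Review bot: the replacement in step 2 changed the name of the referenced specification, not a project version: "Semantic Versioning 2.0.0" is the version of the semver.org spec the link points to and has nothing to do with the gatekeeper release, so this hunk should be reverted to `Semantic Versioning 2.0.0`.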
47 changes: 42 additions & 5 deletions docs/user-guide.md
Expand Up @@ -254,7 +254,7 @@ in Keycloak, providing granular role controls over issue tokens.

``` yaml
- name: gatekeeper
image: quay.io/gogatekeeper/gatekeeper:2.0.0
image: quay.io/gogatekeeper/gatekeeper:2.1.0
args:
- --enable-forwarding=true
- --forwarding-username=projecta
Expand All @@ -281,7 +281,7 @@ Example setup client credentials grant:

``` yaml
- name: gatekeeper
image: quay.io/gogatekeeper/gatekeeper:2.0.0
image: quay.io/gogatekeeper/gatekeeper:2.1.0
args:
- --enable-forwarding=true
- --forwarding-domains=projecta.svc.cluster.local
Expand Down Expand Up @@ -537,13 +537,16 @@ MUST have headers 'x-some-header' with value 'somevalue' AND 'x-other-header', w

Traefik, nginx ingress and other gateways usually have feature called forward-auth.
This enables them to forward request to external auth/authz service which returns 2xx in case
auth/authz was successful and otherwise some higher code (usually 401/403). You can use
auth/authz was successful and otherwise some higher code (usually 401/403) or redirects them
for authentication to keycloak server. You can use
gatekeeper as this external auth/authz service by using headers matching feature as describe above
and enabling `--no-proxy` option (this option will not forward request to upstream).

Example:

traefik forward-auth configuration
traefik forward-auth configuration when you don't want to redirect user to authentication
server by gatekeeper (useful for e.g. API authentication or when you are using redirect
to keycloak server on front proxy)

```yaml
apiVersion: traefik.containo.us/v1alpha1
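Review bot: the new sentence "or redirects them for authentication to keycloak server" does not say what selects between the 401/403 response and the redirect; the configuration examples later in this file show it is the `--no-redirects` flag (`--no-redirects=false` for the redirect behaviour), so name the flag here where the two modes are introduced. Minor grammar in the same paragraph: "forward request" should read "forward the request", and "as describe above" should read "as described above".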
Expand Down Expand Up @@ -572,6 +575,40 @@ gatekeeper configuration
- --resources=headers=x-some-header:somevalue,x-other-header:othervalue
```

traefik forward-auth configuration when you WANT to redirect user to authentication
server by gatekeeper (useful for e.g. frontend application authentication). Please be
aware that in this mode you need to forward headers X-Forwarded-Host, X-Forwarded-Uri, X-Forwarded-Proto, from
front proxy to gatekeeper. You can find more complete example [here](/e2e/manifest_test_forwardauth.yml).
*IMPORTANT*: Please ensure that you are receiving headers only from trusted proxy
and gatekeeper is not exposed directly to internet, otherwise attacker might misuse this!

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
labels:
app.kubernetes.io/name: dashboard-apis-oauth
app.kubernetes.io/part-of: dashboard
name: dashboard-apis-oauth
namespace: censored
spec:
forwardAuth:
address: http://gatekeeper-dns-name:4180
```

gatekeeper configuration

```yaml
- args:
- --client-id=dashboard
- --no-redirects=false # this option will ensure there WILL BE redirects to keycloak server
- --no-proxy=true # this option will ensure that request will be not forwarded to upstream
- --listen=0.0.0.0:4180
- --discovery-url=https://keycloak-dns-name/realms/censored
- --enable-default-deny=true # this option will ensure protection of all paths /*, according our traefik config, traefik will send it to /
- --resources=headers=x-some-header:somevalue,x-other-header:othervalue
```

## Custom pages

By default, Gatekeeper Proxy will immediately redirect you
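Review bot: the *IMPORTANT* note should tie the risk to the flag combination that activates it: per the warning added to server.go in this same commit, the X-Forwarded-* headers are only relied on when `--no-proxy=true` is combined with `--no-redirects=false`, so readers can see that the first traefik example on this page (no redirects) is not affected and the second one is. Because the protection rests entirely on X-Forwarded-Host, X-Forwarded-Uri and X-Forwarded-Proto being set by the front proxy, the docs should also recommend restricting who can reach the gatekeeper listener on port 4180 (for example a NetworkPolicy that admits only the traefik pods) rather than relying on the prose warning alone. Minor: "according our traefik config" should read "according to our traefik config".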
Expand Down Expand Up @@ -673,7 +710,7 @@ token stored in cookie user will retrieve new access token and still will have a

2. There is also option `--enable-logout-redirect` which uses keycloak logout mechanism
and this logout url <https://keycloak.example.com/auth/realms/REALM_NAME/protocol/openid-connect/logout>.
Please note that from 2.0.0 release due to changes in keycloak 17+ there is no possibility to do
Please note that from 2.1.0 release due to changes in keycloak 17+ there is no possibility to do
automatic logout without confirmation.

3. A **/oauth/logout?redirect=url** is provided as a helper to log users
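Review bot: the version bump in this sentence changes a historical statement rather than a current version: "from 2.0.0 release due to changes in keycloak 17+" records the release in which the behaviour changed, and the surrounding text still refers to keycloak 17+, so the claim remains true for 2.0.0 and becomes misleading as "from 2.1.0 release". Revert this line; it appears to be a blanket search-and-replace of the version string.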
2 changes: 1 addition & 1 deletion kube/reverse.yml
Expand Up @@ -21,7 +21,7 @@ spec:
secretName: tls
containers:
- name: proxy
image: quay.io/gogatekeeper/gatekeeper:2.0.0
image: quay.io/gogatekeeper/gatekeeper:2.1.0
imagePullPolicy: Always
args:
- --client-id=broker
6 changes: 6 additions & 0 deletions server.go
Expand Up @@ -368,6 +368,12 @@ func (r *oauthProxy) createReverseProxy() error {
r.adminRouter = admin
}

if r.config.NoProxy && !r.config.NoRedirects {
r.log.Warn("using noproxy=true and noredirects=false " +
", enabling use of X-FORWARDED-* headers, please " +
"use only behind trusted proxy!")
}

if r.config.EnableSessionCookies {
r.log.Info("using session cookies only for access and refresh tokens")
}
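Review bot: the concatenated warning reads `noredirects=false , enabling` because the first literal ends with a space and the second begins with `, `; drop one of them. It would also help operators to use the flag names as they appear on the command line (`--no-proxy=true`, `--no-redirects=false`) and to name the exact headers being trusted (X-Forwarded-Host, X-Forwarded-Uri, X-Forwarded-Proto, as listed in docs/user-guide.md in this commit), so the log line can be matched directly to the documentation when it shows up in a log review.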
