diff --git a/entrypoint.sh b/entrypoint.sh
index 1083260..84e8981 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -41,6 +41,13 @@ VOTE_HOST="${VOTE_HOST:-vote}"
 VOTE_PORT="${VOTE_PORT:-9013}"
 CLIENT_HOST="${CLIENT_HOST:-client}"
 CLIENT_PORT="${CLIENT_PORT:-9001}"
+KEYCLOAK_HOST="${KEYCLOAK_HOST:-keycloak-server}"
+KEYCLOAK_HOST_PORT="${KEYCLOAK_HOST_PORT:-8080}"
+OIDC_KEYCLOAK_URL="${OIDC_KEYCLOAK_URL:-http://localhost:8080/realms/openslides}"
+OIDC_KEYCLOAK_URL_DOCKER="${OIDC_KEYCLOAK_URL_DOCKER:-http://keycloak-server:8080/realms/openslides}"
+OIDC_CLIENT_ID="${OIDC_CLIENT_ID:-proxy-client}"
+OIDC_CLIENT_SECRET="${OIDC_CLIENT_SECRET:-proxy-secret}"
+OIDC_SECRET="${OIDC_SECRET:-qvAcTGWBIGg7aWKCKRyUsTf33jK3lsmK}"
 # =================================
@@ -50,6 +57,18 @@ CLIENT_PORT="${CLIENT_PORT:-9001}"
 # Generate base config from template
 envsubst < /templates/traefik.yml > "$TRAEFIK_CONFIG"
+# Add OIDC plugin
+echo "Adding OIDC Plugin"
+cat >> "$TRAEFIK_CONFIG" << 'EOF'
+
+experimental:
+ plugins:
+ traefik-oidc-auth:
+ moduleName: github.com/sevensolutions/traefik-oidc-auth
+ version: v0.19.0
+EOF
+
+
 # Add dashboard if enabled
 if [ -n "$ENABLE_DASHBOARD" ]; then
 echo "Enabling dashboard. 'debug: true' for now. NOT FOR PRODUCTION"
@@ -174,6 +193,23 @@ for service in $SERVICES; do
 envsubst < "$SERVICES_DIR/${service}.service" >> "$DYNAMIC_CONFIG"
 done
+# OIDC Middleware
+echo "Enabling OIDC authentication middleware"
+ cat >> "$DYNAMIC_CONFIG" << EOF
+
+ middlewares:
+ oidc-auth:
+ plugin:
+ traefik-oidc-auth:
+ Secret: "${OIDC_SECRET}"
+ Provider:
+ Url: "${OIDC_KEYCLOAK_URL_DOCKER}"
+ ClientId: "${OIDC_CLIENT_ID}"
+ ClientSecret: "${OIDC_CLIENT_SECRET}"
+ ValidateIssuer: true
+ ValidIssuer: "${OIDC_KEYCLOAK_URL}"
+ Scopes: ["openid", "profile", "email"]
+EOF
 # Finally start CMD
 exec "$@"
diff --git a/services/action.router b/services/action.router
index 8cdc6b6..5f7db26 100644
--- a/services/action.router
+++ b/services/action.router
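Review bot: The last two added lines of the first hunk give `OIDC_CLIENT_SECRET` and `OIDC_SECRET` fixed defaults that are now committed to the repository, so every deployment that does not override them runs with a client secret and a plugin secret that anyone with read access to this repo knows; the plugin's `Secret` appears to be the key that protects its own session/state cookies, so a shared default undermines exactly the authentication this commit introduces. Make both required instead of defaulted, e.g. `: "${OIDC_SECRET:?OIDC_SECRET must be set}"` and `: "${OIDC_CLIENT_SECRET:?OIDC_CLIENT_SECRET must be set}"`, or generate `OIDC_SECRET` once at first start (e.g. via `openssl rand`) and persist it outside the image. Note that `${VAR:-default}` also substitutes the default when the variable is set but empty, which hides a misconfigured deployment. `KEYCLOAK_HOST` and `KEYCLOAK_HOST_PORT` are defined here but not referenced by any other hunk of this commit, and `OIDC_KEYCLOAK_URL_DOCKER` repeats the same host and port as literals instead of being built from them.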
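Review bot: The plugin block in the second hunk is appended to `$TRAEFIK_CONFIG` unconditionally, while the dashboard block immediately after it is gated on `ENABLE_DASHBOARD`; if OIDC is meant to be switchable, a matching `ENABLE_OIDC` guard around this block and around the middleware block in the third hunk would keep the two consistent, and since every router now references `oidc-auth`, the guard would also have to cover those references. Appending after `envsubst` assumes `/templates/traefik.yml` defines no `experimental:` key of its own; a second top-level `experimental:` is either a duplicate-key error or a silent override depending on the YAML loader, so a comment such as `# assumes the template has no experimental: section` would record the assumption. Pinning the plugin to `v0.19.0` is the right call; the two trailing `+` blank lines before `# Add dashboard` look accidental.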
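Review bot: The heredoc in the third hunk uses an unquoted `EOF`, so `${OIDC_CLIENT_SECRET}` and `${OIDC_SECRET}` are expanded and written in clear into `$DYNAMIC_CONFIG` on disk, and a value containing `"`, `\` or a newline breaks the generated YAML; Traefik's file provider supports Go templating with an `env` function as far as I know, so `ClientSecret: '{{ env "OIDC_CLIENT_SECRET" }}'` in a quoted heredoc would keep the secrets out of the file — confirm that the plugin receives the rendered value. `ValidIssuer` is set to `OIDC_KEYCLOAK_URL`, which defaults to the `localhost:8080` realm URL, while `Provider.Url` is the docker-internal hostname; the check only passes when Keycloak puts exactly the localhost URL into `iss`, which depends on how the realm's frontend URL is configured, so this should be confirmed or the mismatch documented, e.g. `# ValidIssuer must equal the iss claim Keycloak emits, which is its public (browser-facing) realm URL, not the docker-internal one`. For the API routers (action, autoupdate, vote) an expired session will presumably produce a redirect to Keycloak rather than a 401 unless the plugin is told to treat non-browser requests differently, which XHR and WebSocket clients cannot follow — worth checking. The `  cat >> "$DYNAMIC_CONFIG" << EOF` line is indented two spaces inside a top-level block while the `echo` above it is not; the hunk also has to land under the `http:` mapping that the service loop writes and must not repeat a `middlewares:` key already present there, neither of which is visible from the hunk.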
@@ -3,3 +3,5 @@
 service: action
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/autoupdate.router b/services/autoupdate.router
index 19a3806..9aeda44 100644
--- a/services/autoupdate.router
+++ b/services/autoupdate.router
@@ -3,3 +3,5 @@
 service: autoupdate
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/client.router b/services/client.router
index 5064e01..a962d0e 100644
--- a/services/client.router
+++ b/services/client.router
@@ -5,3 +5,5 @@
 - main
 # Priority ensures this catch-all route is evaluated last
 priority: 1
+ middlewares:
+ - oidc-auth
diff --git a/services/icc.router b/services/icc.router
index eb7ac0f..9ec790a 100644
--- a/services/icc.router
+++ b/services/icc.router
@@ -3,3 +3,5 @@
 service: icc
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/media.router b/services/media.router
index c428375..f44a71b 100644
--- a/services/media.router
+++ b/services/media.router
@@ -3,3 +3,5 @@
 service: media
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/presenter.router b/services/presenter.router
index 62fd449..b9a9b64 100644
--- a/services/presenter.router
+++ b/services/presenter.router
@@ -3,3 +3,5 @@
 service: presenter
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/projector.router b/services/projector.router
index 5e43d5c..7e94244 100644
--- a/services/projector.router
+++ b/services/projector.router
@@ -3,3 +3,5 @@
 service: projector
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/search.router b/services/search.router
index d6af74c..bb0e24f 100644
--- a/services/search.router
+++ b/services/search.router
@@ -3,3 +3,5 @@
 service: search
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
diff --git a/services/vote.router b/services/vote.router
index a357117..5c654eb 100644
--- a/services/vote.router
+++ b/services/vote.router
@@ -3,3 +3,5 @@
 service: vote
 entryPoints:
 - main
+ middlewares:
+ - oidc-auth
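Review bot: The `oidc-auth` middleware is attached to every router, including the `client` catch-all with `priority: 1`, so any request without a valid session — static assets, health checks used by orchestration, and the redirect-back the plugin itself relies on — is sent to Keycloak; whether the plugin exempts its own callback path is not visible here and should be confirmed, and anything that must stay reachable unauthenticated needs either a separate router without the middleware or an exclusion in the plugin configuration, documented next to the `middlewares:` entry. The same two lines are added in autoupdate.router, client.router, icc.router, media.router, presenter.router, projector.router, search.router and vote.router, so one comment in the middleware definition rather than nine is the place to explain the policy. Each router file is cut by its hunk, so whether any of them already carries a `middlewares:` list that this addition would duplicate cannot be seen from the hunks.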