{"id":24226663,"url":"https://github.com/stakater/proxyinjector","last_synced_at":"2025-09-22T17:31:56.590Z","repository":{"id":57556345,"uuid":"151706045","full_name":"stakater/ProxyInjector","owner":"stakater","description":"A Kubernetes controller to inject an authentication proxy container to relevant pods - [✩Star] if you're using it!","archived":false,"fork":false,"pushed_at":"2023-12-15T08:59:57.000Z","size":234,"stargazers_count":87,"open_issues_count":9,"forks_count":15,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-01-14T09:16:25.570Z","etag":null,"topics":["authentication","k8s","keycloak","kubernetes","openshift","proxy","stakater"],"latest_commit_sha":null,"homepage":"https://stakater.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stakater.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-10-05T10:39:55.000Z","updated_at":"2025-01-03T21:52:30.000Z","dependencies_parsed_at":"2024-06-20T08:28:16.886Z","dependency_job_id":null,"html_url":"https://github.com/stakater/ProxyInjector","commit_stats":null,"previous_names":[],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stakater%2FProxyInjector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stakater%2FProxyInjector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stakater%2FProxyInjector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stakater%2FProxyInjector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stakater","download_url":"https://codeload.github.com/stakater/ProxyInjector/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":233869025,"owners_count":18743095,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","k8s","keycloak","kubernetes","openshift","proxy","stakater"],"created_at":"2025-01-14T09:16:27.927Z","updated_at":"2025-09-22T17:31:51.276Z","avatar_url":"https://github.com/stakater.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ![](assets/web/proxyinjector-round-100px.png) Proxy Injector\nA Kubernetes controller to inject an authentication proxy container to relevant pods\n\n[![Get started with Stakater](https://stakater.github.io/README/stakater-github-banner.png)](http://stakater.com/?utm_source=ProxyInjector\u0026utm_medium=github)\n\n## Problem Statement\n\nWe want to automatically inject an authentication proxy container in a pod, for any deployment that requires to connect\n to our SSO provider, instead of manually adding a sidecar container with each deployment \n\n## Solution\n\nThis controller will continuously watch deployments in specific or all namespaces, and automatically add a sidecar container\n for the authentication proxy. Configuration for the proxy is managed through annotations of the respective deployment\n or with ConfigMap of the ProxyInjector.\n\n### Supported proxies\n\nFor now the ProxyInjector only supports [Keycloak Gatekeeper](https://github.com/keycloak/keycloak-gatekeeper)\n as the authentication proxy, to work with [Keycloak Server](https://github.com/keycloak/keycloak)\n\n\n## Usage\n\nThe following quickstart let's you set up ProxyInjector:\n\n1. Add configuration to the ProxyInjector\n The following arguments can either be added to the proxy injector `config.yaml` in the ConfigMap/Secret for centralized configuration,\n or as annotations on the individual target deployments with a `authproxy.stakater.com/` prefix. In case of both,\n the deployment annotation values will override the central configuration. \n\n | Key | Description |\n |------------------|---------------------------------------------------------------------------|\n | listen | the interface address and port the proxy should be listening on |\n | upstream-url | url for the upstream endpoint you wish to proxy |\n | resources | list of resources to proxy uri, methods, roles |\n | client-id | client id used to authenticate to the oauth service |\n | client-secret | client secret used to authenticate to the oauth service |\n | gatekeeper-image | Keycloak Gatekeeper image e.g. `keycloak/keycloak-gatekeeper:6.0.1` |\n\nThe rest of the available options can be found at the [Keycloak Gatekeeper documentation](https://www.keycloak.org/docs/latest/securing_apps/index.html#configuration-options)\n\nNote 1: See the section `Using Secrets` below if you do not want to use ConfigMap (because `client-id` and `client-secret` in plain text) and want to use Secrets to hide them.\n\n2. Deploy the controller by running the following command:\n\n For Kubernetes Cluster using kubectl\n ```bash\n kubectl apply -f https://raw.githubusercontent.com/stakater/ProxyInjector/master/deployments/kubernetes/proxyinjector.yaml -n default\n\n3. When deploying any application that needs Keycloak authentication, add the following annotations to the `deployment`. The `service` will not need changes as such, all configuration can be provided as annotations in the deployment for the app. And proxy injector automatically modifies the service when injecting the sidecar container.\n \n | Key | Description |\n |--------------------------------------------|--------------------------------------------------------|\n | authproxy.stakater.com/enabled | (true/false, default=false) Enables Keycloak gatekeeper configuration |\n | authproxy.stakater.com/source-service-name | Name of service that needs to be reconfigured to connect to the proxy. instead of the service directly routing to the app container, it will now route to the proxy sidecar instead. |\n | authproxy.stakater.com/target-port | (default=80) the port on the pod where the proxy sidecar (keycloak gatekeeper) will be listening. If not specified, the default value of 80 is used. This port should match the `listen` configuration |\n | authproxy.stakater.com/resources | String of resources separated by `\u0026` e.g. (`uri=/*|white-listed=true\u0026uri=/css/*|white-listed=false|methods=GET,POST`)\n\n The `authproxy.stakater.com/listen` annotation or the `listen` property in the ProxyInjector ConfigMap should\n specify where the proxy sidecar will listen for incoming requests, e.g. \"0.0.0.0:80\" i.e. local port 80\n \n\n### Using Secrets\n\nTo use secrets:\n \n 1. Open [values.yaml](https://github.com/stakater/ProxyInjector/blob/master/deployments/kubernetes/chart/proxyinjector/values.yaml) file by navigating to `deployments/kubernetes/chart/proxyinjector/`\n \n 2. Set `proxyinjector.mount` equals to `\"secret\"` and pass the data in the data section at the bottom.\n \n 3. Run `helm template . \u003e proxyinjector.yaml`\n \n 4. Deploy using the `Deploying` section below.\n\nTo use existing Secrets:\n\n 1. Set `proxyinjector.mount` equals to `\"secret\"`\n 2. set `proxyinjector.existingSecret` equals to `EXISTING_SECRET_NAME`\n\n### Using ConfigMap\n\nTo pass user credentials/ API keys in secrets:\n \n 1. Open [values.yaml](https://github.com/stakater/ProxyInjector/blob/master/deployments/kubernetes/chart/proxyinjector/values.yaml) file by navigating to `deployments/kubernetes/chart/proxyinjector/`\n \n 2. Set `proxyinjector.mount` equals to `\"configmap\"` and pass the data in the data section at the bottom.\n \n 3. Run `helm template . \u003e proxyinjector.yaml`\n \n 4. Deploy using the `Deploying` section below.\n\n### Deploying\n\nYou can deploy the controller in the namespace you want to monitor by running the following kubectl command:\n\n```bash\nkubectl apply -f proxyinjector.yaml -n \u003cnamespace\u003e\n```\n\n*Note*: Before applying `proxyinjector.yaml`, You need to modify the namespace in the `RoleBinding` subjects section to the namespace you want to apply RBAC to.\n\n## Help\n\n### Documentation\nYou can find more documentation [here](docs/)\n\n### Have a question?\nFile a GitHub [issue](https://github.com/stakater/ProxyInjector/issues), or send us an [email](mailto:hello@stakater.com).\n\n### Talk to us on Slack\nJoin and talk to us on the #tools-proxyinjector channel for discussing the ProxyInjector\n\n[![Join Slack](https://stakater.github.io/README/stakater-join-slack-btn.png)](https://slack.stakater.com/)\n[![Chat](https://stakater.github.io/README/stakater-chat-btn.png)](https://stakater-community.slack.com/messages/CFCP3MUR4)\n\n## License\n\nApache2 © [Stakater](http://stakater.com)\n\n## About\n\nThe `ProxyInjector` is maintained by [Stakater][website]. Like it? Please let us know at \u003chello@stakater.com\u003e\n\nSee [our other projects][community]\nor contact us in case of professional services and queries on \u003chello@stakater.com\u003e\n\n [website]: http://stakater.com/\n [community]: https://www.stakater.com/projects-overview.html\n\n## Contributers\n\nStakater Team and the Open Source community! :trophy:\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstakater%2Fproxyinjector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstakater%2Fproxyinjector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstakater%2Fproxyinjector/lists"}