https://github.com/vshn/oauth-proxy-demo
Demo project of the oauth-proxy sidecar container in APPUiO
https://github.com/vshn/oauth-proxy-demo
Last synced: 3 months ago
JSON representation
Demo project of the oauth-proxy sidecar container in APPUiO
- Host: GitHub
- URL: https://github.com/vshn/oauth-proxy-demo
- Owner: vshn
- Created: 2019-12-02T15:47:57.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2019-12-02T15:49:06.000Z (over 5 years ago)
- Last Synced: 2025-01-29T01:46:34.849Z (4 months ago)
- Language: Makefile
- Homepage: https://vshn-oauth-proxy-demo.appuioapp.ch/
- Size: 12.7 KB
- Stars: 0
- Watchers: 2
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.adoc
Awesome Lists containing this project
README
:author: VSHN AG
:revdate: {docdate}
:revnumber: 1.0
:email: [email protected]
:copyright: CC-BY-SA 3.0
:doctitle: Demo Project for the `oauth-proxy` Sidecar Container
:producer: VSHN AG
:creator: VSHN AG
:description: A guide to use the `oauth-proxy` container in OpenShift.
:keywords: VSHN, OpenShift, OAuth
:lang: en
= Demo Project for the `oauth-proxy` Sidecar Container
This project demonstrates how to use the https://github.com/openshift/oauth-proxy[`oauth-proxy`] sidecar container in an OpenShift cluster.
* Running instance at https://vshn-oauth-proxy-demo.appuioapp.ch/[APPUiO].
* Source code at https://git.vshn.net/education/vshn-oauth-proxy-demo[GitLab].
NOTE: This information comes from the effort required to deploy the https://vshn-oc-docs.appuioapp.ch/[OpenShift Documentation] website (https://git.vshn.net/education/openshift-documentation/[source code])
== Integration
In order to deploy the `oauth-proxy` correctly, pay attention to the following points:
=== ServiceAccount
Create a Dedicated `ServiceAccount` for the purposes of this container:
[source,yaml]
--
include::deployment/sa.yaml[]
--
<1> Make sure the `reference/name` value in the JSON referenced by `metadata:annotations:serviceaccounts…` points to a valid route, defined in the deployment.
=== Deployment
Reference the newly created service account in the following locations:
. In the `Deployment`, at `spec:template:spec:serviceAccountName` key
+
[source,yaml]
--
include::deployment/deployment.yaml[tag=service_name]
--
<1> The name of the service account created above.
. Also in the `Deployment`, in the arguments of the `oauth-proxy` itself:
+
[source,yaml]
--
include::deployment/deployment.yaml[tag=args,indent=none]
--
<1> The port of the `oauth-proxy` container goes in the `-https-address` argument.
<2> The port of the container protected by the `oauth-proxy` container goes in the `-upstream` argument.
<3> Specify the service account name under the `-openshift-service-account` argument.
=== Route
[source,yaml]
--
include::deployment/route.yaml[tag=reencrypt,indent=none]
--
<1> Use the same port name as the one defined in the `Service`.
<2> Use the `reencrypt` parameter here.
<3> And point to the corresponding `Service` as required.
=== ClusterRole and ClusterRoleBinding
Create the required `ClusterRole` and `ClusterRoleBinding` objects, including all required rules:
CAUTION: You *must* use `ClusterRole` and `ClusterRoleBinding` *instead of* `Role` and `RoleBinding` for this system to work.
[source,yaml]
--
include::deployment/role.yaml[]
--
=== Volumes
Specify the volumes and secrets containing the TLS certicate:
. In the `Deployment`:
+
[source,yaml]
--
include::deployment/deployment.yaml[tags=volume_1,indent=no]
--
+
[source,yaml]
--
include::deployment/deployment.yaml[tags=volume_2,indent=no]
--
. In the `Service`:
+
[source,yaml]
--
include::deployment/service.yaml[tags=tls,indent=no]
--