Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Keycloak local testing environment #604

Merged
merged 10 commits into from
Jun 14, 2020

Conversation

EvgeniGordeev
Copy link
Contributor

docker-compose file to provide an example based on keycloak as IDP provider and httpbin as upstream.

@JoelSpeed
Copy link
Member

Hey @EvgeniGordeev, I haven't done a full review just yet, but I wanted to open a discussion about the socat alpine container and the nginx containers that you've added to this example. I wonder if we can simplify the example a little.

In the other example environments, we expose the services on non-standard ports (eg Dex in both examples is on :4190), to reduce the complexity of this example, could we not expose Keycloak on port :8080 or some other port and have OAuth2 Proxy talk to it over that port? I don't think we necessarily need it to talk over port 80

Similarly, in the normal dex example, users can access http://localhost:4180 to access oauth2 proxy, is there any reason for this example they couldn't access via http://oauth2-proxy.localtest.me:4180? That would remove the need for the nginx container

@EvgeniGordeev
Copy link
Contributor Author

EvgeniGordeev commented Jun 6, 2020

Hey @JoelSpeed yeah, the example is not ideal. I just wanted:

  • to have a parity - the same URL http://keycloak.localtest.me - between oauth2 proxy talking to keycloak and a user in the browser going to keycloak and playing with its settings like user groups
  • to pretend it's a real life example with default ports in the address bar. Unfortunately it would require extra containers nginx-proxy and socat.
  • to amuse myself :) - is it achievable at all with a plain docker-compose config? And I got carried away.

I agree to remove nginx and socat and use the URLs like http://oauth2-proxy.localtest.me:4180 and http://keycloak.localtest.me:8080 if the current setup is too confusing.

@EvgeniGordeev
Copy link
Contributor Author

EvgeniGordeev commented Jun 6, 2020

@JoelSpeed the example simplified without socat and nginx.

A side question are you interested in a k8s example (based on minikube) too? I'm upgrading oauth2-proxy from 3.1.0 to the 5.1.1 and have trouble with nginx-ingress and oauth2-proxy with 502 error.

oauth2-proxy successfully authenticates:

10.0.130.42 - [email protected] [2020/06/06 19:43:32] [AuthSuccess] Authenticated via OAuth2: Session{email:[email protected] user:50da7113-ee93-40dd-a252-aab5d9920a09 PreferredUsername:[email protected] token:true id_token:true created:2020-06-06 19:43:32.128714957 +0000 UTC m=+78395.448332767 expires:2020-06-06 19:48:32.128444697 +0000 UTC m=+78695.448062513 refresh_token:true}
10.0.130.42 - - [2020/06/06 19:43:32] oauth2-proxy.example.com GET - "/oauth2/callback?state=5e10f11d736dac68f090987b91dbf24c%3Ahttps%3A%2F%2Fhttpbin.example.com%2F&session_state=5ef6ab33-9b04-4f56-8e73-3388a406c49b&code=30e9488b-427d-4589-b744-f64343d5fa0b.5ef6ab33-9b04-4f56-8e73-3388a406c49b.a08c52d7-8a02-4823-a560-1db7ed97b8cb" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36" 302 52 0.110

but nginx ingress doesn't like:


2020/06/06 19:45:39 [error] 4562#4562: *57308255 upstream sent too big header while reading response header from upstream, client: 10.128.143.63, server: oauth2-proxy.example.com, request: "GET /oauth2/callback?state=e79e44f4fe7d7c14519b8e923412dc4c%3A%2F&session_state=5ef6ab33-9b04-4f56-8e73-3388a406c49b&code=bd3bb0de-814c-4529-b2e5-917fc6ea1628.5ef6ab33-9b04-4f56-8e73-3388a406c49b.a08c52d7-8a02-4823-a560-1db7ed97b8cb HTTP/1.1", upstream: "http://10.0.140.195:4180/oauth2/callback?state=e79e44f4fe7d7c14519b8e923412dc4c%3A%2F&session_state=5ef6ab33-9b04-4f56-8e73-3388a406c49b&code=bd3bb0de-814c-4529-b2e5-917fc6ea1628.5ef6ab33-9b04-4f56-8e73-3388a406c49b.a08c52d7-8a02-4823-a560-1db7ed97b8cb", host: "oauth2-proxy.example.com", referrer: "https://oauth2-proxy.example.com/oauth2/sign_in"
10.128.143.63 - - [06/Jun/2020:19:45:39 +0000] "GET /oauth2/callback?state=e79e44f4fe7d7c14519b8e923412dc4c%3A%2F&session_state=5ef6ab33-9b04-4f56-8e73-3388a406c49b&code=bd3bb0de-814c-4529-b2e5-917fc6ea1628.5ef6ab33-9b04-4f56-8e73-3388a406c49b.a08c52d7-8a02-4823-a560-1db7ed97b8cb HTTP/1.1" 502 559 "https://oauth2-proxy.example.com/oauth2/sign_in" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36" 1054 0.017 [devops-oauth2-proxy-80] [] 10.0.140.195:4180 0 0.012 502 1d5972b26712b33362884075ac8cedac

Which apparently can be fixed with adjusting proxy-buffer-size but I thought a full blown K8S example can be beneficial for the project.

Copy link
Member

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just tried this out and the bash scripts weren't working for me, is there any way they could be avoided at all? Can the config not be statically loaded as it is in the Dex example?

I managed to get the scripts working (I think), but keycloak still wasn't letting me log in, no client found

To your comment re a K8s example, I think that would be awesome, I wonder if we could achieve it using kind rather than minikube though, it would be much more lightweight

contrib/local-environment/oauth2-proxy-keycloak.cfg Outdated Show resolved Hide resolved
docs/configuration/configuration.md Show resolved Hide resolved
contrib/local-environment/keycloak/init-keycloak.sh Outdated Show resolved Hide resolved
contrib/local-environment/keycloak/init-keycloak.sh Outdated Show resolved Hide resolved
contrib/local-environment/keycloak/oauth2-proxy.json Outdated Show resolved Hide resolved
contrib/local-environment/docker-compose-keycloak.yaml Outdated Show resolved Hide resolved
contrib/local-environment/keycloak/wait-for-keycloak.sh Outdated Show resolved Hide resolved
@EvgeniGordeev
Copy link
Contributor Author

EvgeniGordeev commented Jun 7, 2020

To your comment re a K8s example, I think that would be awesome, I wonder if we could achieve it using kind rather than minikube though, it would be much more lightweight

minikube is just the first option with extensive documentation https://kubernetes.io/docs/setup/learning-environment/minikube/. I never tried kind but if it's more lightweight I'd prefer it too and should give it a try.

I tried to make a lightweight config for keycloak that's why I ended up with extra scripts to load just one client with oauth2-proxy.json instead of loading the full keycloak export which is quite verbose compared to Dex. Now keycloak dir is prepared with their Import/Export scripts https://www.keycloak.org/docs/latest/server_admin/#_export_import with some massaging like setting clientSecret which is masked by default import.

Copy link
Member

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't thoroughly reviewed the master-realm.json, but everything else looks good.

I need to find some time to manually test this, but assuming that's all good, then I'm happy to get this merged! Thanks for your work so far.

One final thing would be to add a changelog entry please

@EvgeniGordeev
Copy link
Contributor Author

@JoelSpeed changelog entry added.

@JoelSpeed JoelSpeed changed the title keycloak example Add Keycloak local testing environment Jun 14, 2020
JoelSpeed
JoelSpeed previously approved these changes Jun 14, 2020
Copy link
Member

@JoelSpeed JoelSpeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just tested this out and it's working great! Thanks for your work on this 🙂

CHANGELOG.md Outdated Show resolved Hide resolved
@JoelSpeed JoelSpeed merged commit 43f214c into oauth2-proxy:master Jun 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants