From 1c46d4d27ac3e80e05b379da92abfdd1350b341d Mon Sep 17 00:00:00 2001 From: Raphael Frank <04.raphael.frank@gmail.com> Date: Wed, 10 Jun 2026 22:51:29 +0200 Subject: [PATCH 1/8] fix auth requirement for cluster --- .github/workflows/cd.yml | 1 + .../helm/team-devoops/files/realm-config.json | 2 + .../team-devoops/templates/forward-auth.yaml | 63 +++++++++++++++++++ .../helm/team-devoops/templates/ingress.yaml | 57 ++++++++++++++++- infra/helm/team-devoops/values.yaml | 15 +++++ infra/keycloak/realm-config.json | 2 + 6 files changed, 138 insertions(+), 2 deletions(-) create mode 100644 infra/helm/team-devoops/templates/forward-auth.yaml diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index ffa8c15..ba7f950 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -166,4 +166,5 @@ jobs: --namespace "$NAMESPACE" \ --set global.image.tag=${{ github.sha }} \ --set keycloak.hostname=https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/auth \ + --set forwardAuth.cookieSecret="${{ secrets.FORWARD_AUTH_COOKIE_SECRET }}" \ --rollback-on-failure --timeout 15m diff --git a/infra/helm/team-devoops/files/realm-config.json b/infra/helm/team-devoops/files/realm-config.json index 091e210..33b7506 100644 --- a/infra/helm/team-devoops/files/realm-config.json +++ b/infra/helm/team-devoops/files/realm-config.json @@ -70,10 +70,12 @@ "directAccessGrantsEnabled": false, "redirectUris": [ "https://team-devoops.uaenorth.cloudapp.azure.com/_oauth", + "https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/_oauth", "http://localhost/_oauth" ], "webOrigins": [ "https://team-devoops.uaenorth.cloudapp.azure.com", + "https://ge83mom-devops26.stud.k8s.aet.cit.tum.de", "http://localhost" ] } diff --git a/infra/helm/team-devoops/templates/forward-auth.yaml b/infra/helm/team-devoops/templates/forward-auth.yaml new file mode 100644 index 0000000..2ad3809 --- /dev/null +++ b/infra/helm/team-devoops/templates/forward-auth.yaml 
@@ -0,0 +1,63 @@ +{{- if .Values.forwardAuth.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: traefik-forward-auth + labels: + {{- include "team-devoops.labels" (dict "name" "traefik-forward-auth" "root" $) | nindent 4 }} +spec: + replicas: 1 + strategy: + type: RollingUpdate + selector: + matchLabels: + {{- include "team-devoops.selectorLabels" (dict "name" "traefik-forward-auth") | nindent 6 }} + template: + metadata: + labels: + {{- include "team-devoops.selectorLabels" (dict "name" "traefik-forward-auth") | nindent 8 }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: traefik-forward-auth + image: thomseddon/traefik-forward-auth:2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 4181 + env: + - name: DEFAULT_PROVIDER + value: oidc + - name: PROVIDERS_OIDC_ISSUER_URL + value: {{ .Values.forwardAuth.oidcIssuerUrl | quote }} + - name: PROVIDERS_OIDC_CLIENT_ID + value: {{ .Values.forwardAuth.clientId | quote }} + - name: PROVIDERS_OIDC_CLIENT_SECRET + value: {{ .Values.forwardAuth.clientSecret | quote }} + - name: SECRET + value: {{ .Values.forwardAuth.cookieSecret | quote }} + - name: INSECURE_COOKIE + value: "false" + resources: + requests: + cpu: 10m + memory: 16Mi + limits: + cpu: 50m + memory: 64Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: traefik-forward-auth + labels: + {{- include "team-devoops.labels" (dict "name" "traefik-forward-auth" "root" $) | nindent 4 }} +spec: + selector: + {{- include "team-devoops.selectorLabels" (dict "name" "traefik-forward-auth") | nindent 4 }} + ports: + - port: 4181 + targetPort: 4181 +{{- end }} diff --git a/infra/helm/team-devoops/templates/ingress.yaml b/infra/helm/team-devoops/templates/ingress.yaml index 61a8484..163ca57 100644 --- a/infra/helm/team-devoops/templates/ingress.yaml +++ b/infra/helm/team-devoops/templates/ingress.yaml 
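Review bot: The OIDC client secret and the cookie signing secret are rendered as plain `value:` entries in the pod spec (the `PROVIDERS_OIDC_CLIENT_SECRET` and `SECRET` env vars), so both are readable by anyone who can `kubectl get deployment -o yaml` or `helm get manifest`, and an empty `forwardAuth.cookieSecret` renders silently as `""`. Move them into a Secret rendered from the same values, reference them with `valueFrom.secretKeyRef`, and make both mandatory at render time with `required` so a missing value fails the upgrade instead of starting the gateway with an empty key. The oauth2-proxy rewrite of this file in patch 5 keeps the same pattern for `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET`, so the same change applies there.
```yaml
# … unchanged: Deployment metadata/spec up to the env list …
          env:
            - name: DEFAULT_PROVIDER
              value: oidc
            - name: PROVIDERS_OIDC_ISSUER_URL
              value: {{ .Values.forwardAuth.oidcIssuerUrl | quote }}
            - name: PROVIDERS_OIDC_CLIENT_ID
              value: {{ .Values.forwardAuth.clientId | quote }}
            - name: PROVIDERS_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth
                  key: client-secret
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth
                  key: cookie-secret
# … unchanged: INSECURE_COOKIE, resources, Service …
---
# Secrets live in a Secret object, not in the pod spec; placed before the closing {{- end }}.
apiVersion: v1
kind: Secret
metadata:
  name: traefik-forward-auth
  labels:
    {{- include "team-devoops.labels" (dict "name" "traefik-forward-auth" "root" $) | nindent 4 }}
type: Opaque
stringData:
  client-secret: {{ required "forwardAuth.clientSecret must be set" .Values.forwardAuth.clientSecret | quote }}
  cookie-secret: {{ required "forwardAuth.cookieSecret must be set (32+ random chars)" .Values.forwardAuth.cookieSecret | quote }}
```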
@@ -1,10 +1,12 @@ {{- if .Values.ingress.enabled }} {{- $host := .Values.ingress.host }} {{- $tls := .Values.ingress.tls }} +{{- $fa := .Values.forwardAuth }} # --------------------------------------------------------------------------- # Stripped ingress: services whose path prefix must be removed before the # request reaches the backend (Traefik stripPrefix parity). Uses a regex # capture group so `/api/v1/members/foo` -> `/foo`. +# Auth-protected when forwardAuth is enabled. # --------------------------------------------------------------------------- apiVersion: networking.k8s.io/v1 kind: Ingress @@ -18,6 +20,12 @@ metadata: {{- if and $tls.enabled $tls.clusterIssuer }} cert-manager.io/cluster-issuer: {{ $tls.clusterIssuer | quote }} {{- end }} + {{- if $fa.enabled }} + nginx.ingress.kubernetes.io/auth-url: "http://traefik-forward-auth:4181" + nginx.ingress.kubernetes.io/auth-signin: "https://{{ $host }}/_oauth" + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Uri $request_uri; + {{- end }} spec: ingressClassName: {{ .Values.ingress.className }} {{- if $tls.enabled }} @@ -46,6 +54,7 @@ spec: --- # --------------------------------------------------------------------------- # Plain ingress: services served at their path as-is (web-client, api-docs). +# Auth-protected when forwardAuth is enabled. # --------------------------------------------------------------------------- apiVersion: networking.k8s.io/v1 kind: Ingress 
@@ -53,10 +62,16 @@ metadata: name: team-devoops-plain labels: {{- include "team-devoops.labels" (dict "name" "ingress-plain" "root" $) | nindent 4 }} - {{- if and $tls.enabled $tls.clusterIssuer }} annotations: + {{- if and $tls.enabled $tls.clusterIssuer }} cert-manager.io/cluster-issuer: {{ $tls.clusterIssuer | quote }} - {{- end }} + {{- end }} + {{- if $fa.enabled }} + nginx.ingress.kubernetes.io/auth-url: "http://traefik-forward-auth:4181" + nginx.ingress.kubernetes.io/auth-signin: "https://{{ $host }}/_oauth" + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Uri $request_uri; + {{- end }} spec: ingressClassName: {{ .Values.ingress.className }} {{- if $tls.enabled }} @@ -82,6 +97,35 @@ spec: number: {{ $svc.port }} {{- end }} {{- end }} +--- +# --------------------------------------------------------------------------- +# Open ingress: Keycloak (auth provider) and the forward-auth OAuth callback +# must never be behind forward-auth to avoid redirect loops. +# --------------------------------------------------------------------------- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: team-devoops-open + labels: + {{- include "team-devoops.labels" (dict "name" "ingress-open" "root" $) | nindent 4 }} + {{- if and $tls.enabled $tls.clusterIssuer }} + annotations: + cert-manager.io/cluster-issuer: {{ $tls.clusterIssuer | quote }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className }} + {{- if $tls.enabled }} + tls: + - hosts: + - {{ $host | quote }} + {{- if $tls.secretName }} + secretName: {{ $tls.secretName }} + {{- end }} + {{- end }} + rules: + - host: {{ $host | quote }} + http: + paths: {{- if .Values.keycloak.enabled }} - path: {{ .Values.keycloak.path }} pathType: Prefix @@ -91,4 +135,13 @@ spec: port: number: 8080 {{- end }} + {{- if $fa.enabled }} + - path: /_oauth + pathType: Prefix + backend: + service: + name: traefik-forward-auth + port: + number: 4181 + {{- end }} {{- end }} 
diff --git a/infra/helm/team-devoops/values.yaml b/infra/helm/team-devoops/values.yaml index f6a8c7c..5e62c38 100644 --- a/infra/helm/team-devoops/values.yaml +++ b/infra/helm/team-devoops/values.yaml @@ -95,6 +95,21 @@ ingress: # Adds the cert-manager.io/cluster-issuer annotation on the ingresses. clusterIssuer: letsencrypt-prod +# --------------------------------------------------------------------------- +# Forward-auth: deploys thomseddon/traefik-forward-auth as an OIDC session +# proxy and wires all nginx ingresses through it (parity with the VM's +# traefik-forward-auth middleware). Keycloak and /_oauth are excluded. +# --------------------------------------------------------------------------- +forwardAuth: + enabled: true + oidcIssuerUrl: "https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/auth/realms/devops" + clientId: "traefik-forward-auth" + clientSecret: "traefik-forward-auth-secret" + # 32+ character random string used to sign session cookies. + # Override at deploy time: --set forwardAuth.cookieSecret="$FORWARD_AUTH_COOKIE_SECRET" + # Generate with: openssl rand -base64 32 + cookieSecret: "" + # Rolling update strategy — maxSurge: 0 ensures the old pod is terminated before # scheduling the new one, which is required to stay within the namespace CPU quota. strategy: diff --git a/infra/keycloak/realm-config.json b/infra/keycloak/realm-config.json index 091e210..33b7506 100644 --- a/infra/keycloak/realm-config.json +++ b/infra/keycloak/realm-config.json @@ -70,10 +70,12 @@ "directAccessGrantsEnabled": false, "redirectUris": [ "https://team-devoops.uaenorth.cloudapp.azure.com/_oauth", + "https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/_oauth", "http://localhost/_oauth" ], "webOrigins": [ "https://team-devoops.uaenorth.cloudapp.azure.com", + "https://ge83mom-devops26.stud.k8s.aet.cit.tum.de", "http://localhost" ] } From a238634860776a32c7a3cb56c02e33f7183cda75 Mon Sep 17 00:00:00 2001 
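Review bot: `clientSecret: "traefik-forward-auth-secret"` commits a working default credential for the OIDC client while `enabled: true` makes the forward-auth deployment part of every default render, and the Helm upgrade step in patch 1's cd.yml overrides only `forwardAuth.cookieSecret`, so this committed client secret is what reaches the cluster. Unless the client in realm-config.json is deliberately a public/throwaway client (its secret is not visible in this hunk), default it to `clientSecret: ""` and fail the render when unset, e.g. `{{ required "forwardAuth.clientSecret must be set" .Values.forwardAuth.clientSecret | quote }}` at the use site. The same `required` guard fits `cookieSecret: ""`, whose comment asks for 32+ random characters but nothing enforces that a value is supplied. Values passed with `--set` are also persisted in the Helm release record and printed by `helm get values`, which is acceptable only if that namespace's RBAC is treated as secret-bearing; a comment saying so next to the `--set` hint would spare the next reader the surprise.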
From: Raphael Frank <04.raphael.frank@gmail.com> Date: Wed, 10 Jun 2026 23:22:51 +0200 Subject: [PATCH 2/8] fix cluster deploy --- .github/workflows/cd.yml | 7 +++++++ infra/helm/team-devoops/templates/forward-auth.yaml | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index ba7f950..e2e26d5 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -160,6 +160,13 @@ jobs: fi done + - name: Pre-upgrade ingress migration + run: | + # team-devoops-plain previously contained the /auth (Keycloak) path. + # It has been moved to team-devoops-open. Delete the old ingress so + # the nginx admission webhook does not reject the new one for duplicate paths. + kubectl -n "$NAMESPACE" delete ingress team-devoops-plain --ignore-not-found + - name: Helm upgrade run: | helm upgrade --install team-devoops infra/helm/team-devoops \ diff --git a/infra/helm/team-devoops/templates/forward-auth.yaml b/infra/helm/team-devoops/templates/forward-auth.yaml index 2ad3809..6418644 100644 --- a/infra/helm/team-devoops/templates/forward-auth.yaml +++ b/infra/helm/team-devoops/templates/forward-auth.yaml @@ -46,7 +46,7 @@ spec: memory: 16Mi limits: cpu: 50m - memory: 64Mi + memory: 32Mi --- apiVersion: v1 kind: Service From 94a3c8b440827818fca4dbba518dac882efefd72 Mon Sep 17 00:00:00 2001 From: Raphael Frank <04.raphael.frank@gmail.com> Date: Wed, 10 Jun 2026 23:36:58 +0200 Subject: [PATCH 3/8] fix cluster deploy again --- infra/helm/team-devoops/templates/ingress.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/infra/helm/team-devoops/templates/ingress.yaml b/infra/helm/team-devoops/templates/ingress.yaml index 163ca57..9ab4acd 100644 --- a/infra/helm/team-devoops/templates/ingress.yaml +++ b/infra/helm/team-devoops/templates/ingress.yaml 
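Review bot: The new `Pre-upgrade ingress migration` step deletes `team-devoops-plain` unconditionally on every deploy, not just for the one-off migration its comment describes, so each run removes routing for the plain paths until Helm recreates the ingress, and a failed upgrade under `--rollback-on-failure` leaves that gap until the rollback finishes. Guard the delete so it only fires while the old ingress still carries the Keycloak path, e.g. wrap the existing line in `if kubectl -n "$NAMESPACE" get ingress team-devoops-plain -o jsonpath='{.spec.rules[*].http.paths[*].path}' 2>/dev/null | grep -q '/auth'; then` … `fi`, and remove the step once the migration has run in every environment. The `memory: 64Mi` → `32Mi` limit change in the second hunk is not explained in the message; if it was driven by the namespace quota mentioned in values.yaml, a comment there would help.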
@@ -23,8 +23,6 @@ metadata: {{- if $fa.enabled }} nginx.ingress.kubernetes.io/auth-url: "http://traefik-forward-auth:4181" nginx.ingress.kubernetes.io/auth-signin: "https://{{ $host }}/_oauth" - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Uri $request_uri; {{- end }} spec: ingressClassName: {{ .Values.ingress.className }} @@ -69,8 +67,6 @@ metadata: {{- if $fa.enabled }} nginx.ingress.kubernetes.io/auth-url: "http://traefik-forward-auth:4181" nginx.ingress.kubernetes.io/auth-signin: "https://{{ $host }}/_oauth" - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Uri $request_uri; {{- end }} spec: ingressClassName: {{ .Values.ingress.className }} From abbe3da5253ac3d94f476380436751f0e0bc65df Mon Sep 17 00:00:00 2001 From: Raphael Frank <04.raphael.frank@gmail.com> Date: Thu, 11 Jun 2026 00:10:38 +0200 Subject: [PATCH 4/8] fix cluster deploy hopefully --- infra/helm/team-devoops/templates/forward-auth.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/infra/helm/team-devoops/templates/forward-auth.yaml b/infra/helm/team-devoops/templates/forward-auth.yaml index 6418644..ea9a70d 100644 --- a/infra/helm/team-devoops/templates/forward-auth.yaml +++ b/infra/helm/team-devoops/templates/forward-auth.yaml @@ -40,6 +40,8 @@ spec: value: {{ .Values.forwardAuth.cookieSecret | quote }} - name: INSECURE_COOKIE value: "false" + - name: AUTH_HOST + value: {{ .Values.ingress.host | quote }} resources: requests: cpu: 10m From 01db2759e8c93078c3f335b587690bdbd5d16ddd Mon Sep 17 00:00:00 2001 
From: Raphael Frank <04.raphael.frank@gmail.com> Date: Thu, 11 Jun 2026 00:40:50 +0200 Subject: [PATCH 5/8] fix cluster deploy now --- .../helm/team-devoops/files/realm-config.json | 2 +- .../team-devoops/templates/forward-auth.yaml | 56 ++++++++++++------- .../helm/team-devoops/templates/ingress.yaml | 27 ++++++--- infra/helm/team-devoops/values.yaml | 7 ++- infra/keycloak/realm-config.json | 2 +- 5 files changed, 60 insertions(+), 34 deletions(-) diff --git a/infra/helm/team-devoops/files/realm-config.json b/infra/helm/team-devoops/files/realm-config.json index 33b7506..f9648eb 100644 --- a/infra/helm/team-devoops/files/realm-config.json +++ b/infra/helm/team-devoops/files/realm-config.json @@ -70,7 +70,7 @@ "directAccessGrantsEnabled": false, "redirectUris": [ "https://team-devoops.uaenorth.cloudapp.azure.com/_oauth", - "https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/_oauth", + "https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/oauth2/callback", "http://localhost/_oauth" ], "webOrigins": [ diff --git a/infra/helm/team-devoops/templates/forward-auth.yaml b/infra/helm/team-devoops/templates/forward-auth.yaml index ea9a70d..f2f94e3 100644 --- a/infra/helm/team-devoops/templates/forward-auth.yaml +++ b/infra/helm/team-devoops/templates/forward-auth.yaml 
@@ -2,46 +2,60 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: traefik-forward-auth + name: oauth2-proxy labels: - {{- include "team-devoops.labels" (dict "name" "traefik-forward-auth" "root" $) | nindent 4 }} + {{- include "team-devoops.labels" (dict "name" "oauth2-proxy" "root" $) | nindent 4 }} spec: replicas: 1 strategy: type: RollingUpdate selector: matchLabels: - {{- include "team-devoops.selectorLabels" (dict "name" "traefik-forward-auth") | nindent 6 }} + {{- include "team-devoops.selectorLabels" (dict "name" "oauth2-proxy") | nindent 6 }} template: metadata: labels: - {{- include "team-devoops.selectorLabels" (dict "name" "traefik-forward-auth") | nindent 8 }} + {{- include "team-devoops.selectorLabels" (dict "name" "oauth2-proxy") | nindent 8 }} spec: {{- with .Values.global.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} containers: - - name: traefik-forward-auth - image: thomseddon/traefik-forward-auth:2 + - name: oauth2-proxy + image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 imagePullPolicy: IfNotPresent ports: - - containerPort: 4181 + - containerPort: 4180 env: - - name: DEFAULT_PROVIDER + - name: OAUTH2_PROXY_PROVIDER value: oidc - - name: PROVIDERS_OIDC_ISSUER_URL + - name: OAUTH2_PROXY_OIDC_ISSUER_URL value: {{ .Values.forwardAuth.oidcIssuerUrl | quote }} - - name: PROVIDERS_OIDC_CLIENT_ID + - name: OAUTH2_PROXY_CLIENT_ID value: {{ .Values.forwardAuth.clientId | quote }} - - name: PROVIDERS_OIDC_CLIENT_SECRET + - name: OAUTH2_PROXY_CLIENT_SECRET value: {{ .Values.forwardAuth.clientSecret | quote }} - - name: SECRET + - name: OAUTH2_PROXY_COOKIE_SECRET value: {{ .Values.forwardAuth.cookieSecret | quote }} - - name: INSECURE_COOKIE - value: "false" - - name: AUTH_HOST - value: {{ .Values.ingress.host | quote }} + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + - name: OAUTH2_PROXY_UPSTREAM + value: "static://202" + - name: OAUTH2_PROXY_HTTP_ADDRESS + value: "0.0.0.0:4180" + - name: OAUTH2_PROXY_REDIRECT_URL + 
value: {{ printf "https://%s/oauth2/callback" .Values.ingress.host | quote }} + - name: OAUTH2_PROXY_COOKIE_SECURE + value: "true" + - name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON + value: "true" + - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL + value: "true" + - name: OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST + value: "true" + - name: OAUTH2_PROXY_COOKIE_CSRF_EXPIRE + value: "5m" resources: requests: cpu: 10m @@ -53,13 +67,13 @@ spec: apiVersion: v1 kind: Service metadata: - name: traefik-forward-auth + name: oauth2-proxy labels: - {{- include "team-devoops.labels" (dict "name" "traefik-forward-auth" "root" $) | nindent 4 }} + {{- include "team-devoops.labels" (dict "name" "oauth2-proxy" "root" $) | nindent 4 }} spec: selector: - {{- include "team-devoops.selectorLabels" (dict "name" "traefik-forward-auth") | nindent 4 }} + {{- include "team-devoops.selectorLabels" (dict "name" "oauth2-proxy") | nindent 4 }} ports: - - port: 4181 - targetPort: 4181 + - port: 80 + targetPort: 4180 {{- end }} diff --git a/infra/helm/team-devoops/templates/ingress.yaml b/infra/helm/team-devoops/templates/ingress.yaml index 9ab4acd..8e25ca1 100644 --- a/infra/helm/team-devoops/templates/ingress.yaml +++ b/infra/helm/team-devoops/templates/ingress.yaml @@ -21,8 +21,8 @@ metadata: cert-manager.io/cluster-issuer: {{ $tls.clusterIssuer | quote }} {{- end }} {{- if $fa.enabled }} - nginx.ingress.kubernetes.io/auth-url: "http://traefik-forward-auth:4181" - nginx.ingress.kubernetes.io/auth-signin: "https://{{ $host }}/_oauth" + nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.{{ $.Release.Namespace }}.svc.cluster.local/oauth2/auth" + nginx.ingress.kubernetes.io/auth-signin: "https://{{ $host }}/oauth2/start?rd=$escaped_request_uri" {{- end }} spec: ingressClassName: {{ .Values.ingress.className }} 
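Review bot: With `OAUTH2_PROXY_EMAIL_DOMAINS: "*"` and `OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: "true"` in the new env block, the proxy admits every account the Keycloak realm will authenticate, verified email or not, so realm membership is the only authorization boundary; that is a defensible design for this chart but it should be stated next to those two entries, e.g. `# Authorization is delegated entirely to Keycloak: any realm account, verified email or not, is allowed through.` The `auth-url`/`auth-signin` annotations in the ingress hunk on this line pass no identity to the backends because no `nginx.ingress.kubernetes.io/auth-response-headers` annotation is set; if the services behind the ingress expect a user header, add `OAUTH2_PROXY_SET_XAUTHREQUEST: "true"` here and `nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email"` beside the annotations. The image is pinned by tag (`quay.io/oauth2-proxy/oauth2-proxy:v7.6.0`) rather than by digest; a `@sha256:` pin (value taken from the registry, not invented) would make the authentication gateway image immutable.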
@@ -65,8 +65,8 @@ metadata: cert-manager.io/cluster-issuer: {{ $tls.clusterIssuer | quote }} {{- end }} {{- if $fa.enabled }} - nginx.ingress.kubernetes.io/auth-url: "http://traefik-forward-auth:4181" - nginx.ingress.kubernetes.io/auth-signin: "https://{{ $host }}/_oauth" + nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.{{ $.Release.Namespace }}.svc.cluster.local/oauth2/auth" + nginx.ingress.kubernetes.io/auth-signin: "https://{{ $host }}/oauth2/start?rd=$escaped_request_uri" {{- end }} spec: ingressClassName: {{ .Values.ingress.className }} @@ -83,7 +83,7 @@ spec: http: paths: {{- range $name, $svc := .Values.services }} - {{- if not $svc.stripPrefix }} + {{- if and (not $svc.stripPrefix) (not $svc.open) }} - path: {{ $svc.path }} pathType: Prefix backend: @@ -132,12 +132,23 @@ spec: number: 8080 {{- end }} {{- if $fa.enabled }} - - path: /_oauth + - path: /oauth2/ pathType: Prefix backend: service: - name: traefik-forward-auth + name: oauth2-proxy port: - number: 4181 + number: 80 + {{- end }} + {{- range $name, $svc := .Values.services }} + {{- if $svc.open }} + - path: {{ $svc.path }} + pathType: Prefix + backend: + service: + name: {{ $name }} + port: + number: {{ $svc.port }} + {{- end }} {{- end }} {{- end }} diff --git a/infra/helm/team-devoops/values.yaml b/infra/helm/team-devoops/values.yaml index 5e62c38..521f4d3 100644 --- a/infra/helm/team-devoops/values.yaml +++ b/infra/helm/team-devoops/values.yaml 
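Review bot: The `open: true` bypass added in the plain-ingress range (`{{- if and (not $svc.stripPrefix) (not $svc.open) }}`) and the matching range in the open ingress are the only places in these hunks that read `$svc.open`; the stripped-ingress range is outside the hunks, so if it still selects on `stripPrefix` alone, a service marked both `stripPrefix: true` and `open: true` would be rendered twice on the same host, once behind auth and once without, and the nginx admission webhook may reject the duplicate path. Either make the stripped range check the flag too, e.g. `{{- if and $svc.stripPrefix (not $svc.open) }}`, or reject the combination at render time with `{{- if and $svc.stripPrefix $svc.open }}{{ fail (printf "service %s: open and stripPrefix are mutually exclusive" $name) }}{{- end }}`.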
@@ -96,9 +96,9 @@ ingress: clusterIssuer: letsencrypt-prod # --------------------------------------------------------------------------- -# Forward-auth: deploys thomseddon/traefik-forward-auth as an OIDC session -# proxy and wires all nginx ingresses through it (parity with the VM's -# traefik-forward-auth middleware). Keycloak and /_oauth are excluded. +# Forward-auth: deploys oauth2-proxy as an OIDC session proxy and wires all +# nginx ingresses through it via auth_request. Keycloak and /oauth2/ are +# excluded from auth to prevent redirect loops. # --------------------------------------------------------------------------- forwardAuth: enabled: true @@ -231,6 +231,7 @@ services: port: 8080 db: false stripPrefix: false + open: true resources: requests: cpu: 50m diff --git a/infra/keycloak/realm-config.json b/infra/keycloak/realm-config.json index 33b7506..f9648eb 100644 --- a/infra/keycloak/realm-config.json +++ b/infra/keycloak/realm-config.json @@ -70,7 +70,7 @@ "directAccessGrantsEnabled": false, "redirectUris": [ "https://team-devoops.uaenorth.cloudapp.azure.com/_oauth", - "https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/_oauth", + "https://ge83mom-devops26.stud.k8s.aet.cit.tum.de/oauth2/callback", "http://localhost/_oauth" ], "webOrigins": [ From 7f4cf84dae069a416c6dd3e401ca67a9c9be6c0c Mon Sep 17 00:00:00 2001 From: Raphael Frank <04.raphael.frank@gmail.com> Date: Thu, 11 Jun 2026 01:02:21 +0200 Subject: [PATCH 6/8] fix cluster sub claim --- infra/helm/team-devoops/templates/forward-auth.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/infra/helm/team-devoops/templates/forward-auth.yaml b/infra/helm/team-devoops/templates/forward-auth.yaml index f2f94e3..e8d904d 100644 --- a/infra/helm/team-devoops/templates/forward-auth.yaml +++ b/infra/helm/team-devoops/templates/forward-auth.yaml 
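Review bot: `open: true` is added to a service entry (the service name is outside the hunk; only `port: 8080`, `db: false`, `stripPrefix: false` are visible) without any comment, yet it moves that service from the auth-protected plain ingress to the unauthenticated open ingress. Document the effect at the declaration, e.g. `# open: true serves this path on the team-devoops-open ingress, i.e. WITHOUT forward-auth; only for content that must be reachable before login.`, and extend the forwardAuth header comment in the first hunk, which currently lists only Keycloak and /oauth2/ as excluded, to say that services with `open: true` are excluded as well.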
@@ -52,6 +52,8 @@ spec: value: "true" - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL value: "true" + - name: OAUTH2_PROXY_OIDC_EMAIL_CLAIM + value: "sub" - name: OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST value: "true" - name: OAUTH2_PROXY_COOKIE_CSRF_EXPIRE From 342ffff8e5ca9af8bd613411f0eecdabcf67e9c6 Mon Sep 17 00:00:00 2001 From: Raphael Frank <04.raphael.frank@gmail.com> Date: Thu, 11 Jun 2026 17:57:11 +0200 Subject: [PATCH 7/8] fix local traefik websecure labels --- infra/docker-compose.override.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/infra/docker-compose.override.yml b/infra/docker-compose.override.yml index fa850f7..8339da7 100644 --- a/infra/docker-compose.override.yml +++ b/infra/docker-compose.override.yml @@ -123,6 +123,11 @@ services: - "traefik.http.services.web-client.loadbalancer.server.port=8080" keycloak: + labels: !override + - "traefik.enable=true" + - "traefik.http.routers.keycloak.entrypoints=web" + - "traefik.http.routers.keycloak.rule=PathPrefix(`/auth`)" + - "traefik.http.services.keycloak.loadbalancer.server.port=8080" environment: KC_HOSTNAME: "http://localhost:8081/auth" From bc10be07411160f6647f2befc40774563215921f Mon Sep 17 00:00:00 2001 From: Raphael Frank <04.raphael.frank@gmail.com> Date: Thu, 11 Jun 2026 20:36:43 +0200 Subject: [PATCH 8/8] fix local authentication --- infra/docker-compose.override.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/infra/docker-compose.override.yml b/infra/docker-compose.override.yml index 8339da7..a592764 100644 --- a/infra/docker-compose.override.yml +++ b/infra/docker-compose.override.yml @@ -25,6 +25,8 @@ services: - "--providers.docker=true" - "--providers.docker.exposedByDefault=false" - "--providers.docker.network=proxy" + - "--providers.file.directory=/etc/traefik/dynamic" + - "--providers.file.watch=true" - "--entrypoints.web.address=:80" ports: !override - "80:80" 
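Review bot: Setting `OAUTH2_PROXY_OIDC_EMAIL_CLAIM` to `sub` makes oauth2-proxy treat the Keycloak subject ID as the user's email, which is why `OAUTH2_PROXY_EMAIL_DOMAINS: "*"` from patch 5 is required and why any future domain allowlist would silently match nothing. Record that coupling next to the entry: `# Subject ID stands in for email, so EMAIL_DOMAINS must stay "*"; restrict access on the Keycloak side instead.` The enclosing env list starts outside the hunk.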
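Review bot: The Traefik command now enables the file provider on `/etc/traefik/dynamic` and every router in the following hunks references `forward-auth@file`, but neither a volume mounting that directory nor the dynamic config that defines the `forward-auth` middleware is part of this series; if the mount exists elsewhere in the override file it is outside these hunks. When a referenced middleware is missing Traefik should mark the routers as errored and answer 404, so the failure mode is closed rather than open, but the dependency deserves a comment on the new flags, e.g. `# forward-auth@file is defined in the dynamic config mounted at /etc/traefik/dynamic; routers referencing it fail closed if that file is absent.`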
@@ -36,7 +38,7 @@ services: - "traefik.http.routers.py-genai-helper.entrypoints=web" - "traefik.http.routers.py-genai-helper.rule=PathPrefix(`/api/v1/helper`)" - "traefik.http.middlewares.helper-stripprefix.stripprefix.prefixes=/api/v1/helper" - - "traefik.http.routers.py-genai-helper.middlewares=helper-stripprefix" + - "traefik.http.routers.py-genai-helper.middlewares=helper-stripprefix,forward-auth@file" - "traefik.http.services.py-genai-helper.loadbalancer.server.port=5000" organization-service: @@ -47,7 +49,7 @@ services: - "traefik.http.routers.organization-service.entrypoints=web" - "traefik.http.routers.organization-service.rule=PathPrefix(`/api/v1/organization`)" - "traefik.http.middlewares.organization-stripprefix.stripprefix.prefixes=/api/v1/organization" - - "traefik.http.routers.organization-service.middlewares=organization-stripprefix" + - "traefik.http.routers.organization-service.middlewares=organization-stripprefix,forward-auth@file" - "traefik.http.services.organization-service.loadbalancer.server.port=8080" member-service: @@ -58,7 +60,7 @@ services: - "traefik.http.routers.member-service.entrypoints=web" - "traefik.http.routers.member-service.rule=PathPrefix(`/api/v1/members`)" - "traefik.http.middlewares.member-stripprefix.stripprefix.prefixes=/api/v1/members" - - "traefik.http.routers.member-service.middlewares=member-stripprefix" + - "traefik.http.routers.member-service.middlewares=member-stripprefix,forward-auth@file" - "traefik.http.services.member-service.loadbalancer.server.port=8080" event-service: 
@@ -69,7 +71,7 @@ services: - "traefik.http.routers.event-service.entrypoints=web" - "traefik.http.routers.event-service.rule=PathPrefix(`/api/v1/events`)" - "traefik.http.middlewares.event-stripprefix.stripprefix.prefixes=/api/v1/events" - - "traefik.http.routers.event-service.middlewares=event-stripprefix" + - "traefik.http.routers.event-service.middlewares=event-stripprefix,forward-auth@file" - "traefik.http.services.event-service.loadbalancer.server.port=8080" feedback-service: @@ -80,7 +82,7 @@ services: - "traefik.http.routers.feedback-service.entrypoints=web" - "traefik.http.routers.feedback-service.rule=PathPrefix(`/api/v1/feedback`)" - "traefik.http.middlewares.feedback-stripprefix.stripprefix.prefixes=/api/v1/feedback" - - "traefik.http.routers.feedback-service.middlewares=feedback-stripprefix" + - "traefik.http.routers.feedback-service.middlewares=feedback-stripprefix,forward-auth@file" - "traefik.http.services.feedback-service.loadbalancer.server.port=8080" finance-service: @@ -91,7 +93,7 @@ services: - "traefik.http.routers.finance-service.entrypoints=web" - "traefik.http.routers.finance-service.rule=PathPrefix(`/api/v1/finance`)" - "traefik.http.middlewares.finance-stripprefix.stripprefix.prefixes=/api/v1/finance" - - "traefik.http.routers.finance-service.middlewares=finance-stripprefix" + - "traefik.http.routers.finance-service.middlewares=finance-stripprefix,forward-auth@file" - "traefik.http.services.finance-service.loadbalancer.server.port=8080" letter-service: @@ -102,7 +104,7 @@ services: - "traefik.http.routers.letter-service.entrypoints=web" - "traefik.http.routers.letter-service.rule=PathPrefix(`/api/v1/letters`)" - "traefik.http.middlewares.letter-stripprefix.stripprefix.prefixes=/api/v1/letters" - - "traefik.http.routers.letter-service.middlewares=letter-stripprefix" + - "traefik.http.routers.letter-service.middlewares=letter-stripprefix,forward-auth@file" - "traefik.http.services.letter-service.loadbalancer.server.port=8080" api-docs: 
@@ -120,6 +122,7 @@ services: - "traefik.enable=true" - "traefik.http.routers.web-client.entrypoints=web" - "traefik.http.routers.web-client.rule=PathPrefix(`/`)" + - "traefik.http.routers.web-client.middlewares=forward-auth@file" - "traefik.http.services.web-client.loadbalancer.server.port=8080" keycloak: @@ -132,6 +135,8 @@ services: KC_HOSTNAME: "http://localhost:8081/auth" traefik-forward-auth: + extra_hosts: + - "localhost:host-gateway" labels: !override - "traefik.enable=false" environment:
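Review bot: `extra_hosts: ["localhost:host-gateway"]` on the traefik-forward-auth service makes the name `localhost` inside that container resolve to the Docker host instead of loopback, presumably so the issuer `http://localhost:8081/auth` (the `KC_HOSTNAME` set on the keycloak service in the same hunk) is reachable and matches the issuer claim; that is a non-obvious trick and needs a comment, e.g. `# localhost must resolve to the host so the OIDC issuer URL matches KC_HOSTNAME (http://localhost:8081/auth)`. The side effect is that anything the container itself binds on 127.0.0.1 is no longer reachable by that name, and the issuer is fetched over plain http, which is acceptable only for this local override. The `web-client` router now carries `forward-auth@file` on `PathPrefix(`/`)`, so the middleware itself has to answer the `/_oauth` callback before the request reaches the web client; confirm the local middleware definition does, since it is not part of this series.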