@dictcp
Last active January 23, 2022 16:00
A docker-compose stack demonstrating Rundeck + oauth2_proxy (as SSO) + ACL role injection
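# Demo stack: traefik -> oauth2_proxy2 (GitHub SSO) -> nginx_add_role (maps the
# login e-mail to a Rundeck role) -> rundeck, with mysql as the Rundeck database.
#
# Rundeck runs in pre-authenticated mode (RUNDECK_PREAUTH_*) and therefore
# trusts the X-Forwarded-User / X-Forwarded-Roles headers it receives. Those
# headers only mean something after the request has passed oauth2_proxy2 and
# nginx_add_role, so rundeck:4440 and nginx_add_role:80 are `expose`d to the
# stack network only and are never published to the host.
services:
  oauth2_proxy2:
    image: quay.io/pusher/oauth2_proxy
    restart: unless-stopped
    labels:
      - traefik.enable=true
      - traefik.backend=oauth2_proxy2
      - traefik.frontend.rule=Host:xxxxxxxxxxxxx.com
      - traefik.port=8080
    expose:
      - "8080"
    command:
      - '-upstream=http://nginx_add_role:80'
      - '-http-address=0.0.0.0:8080'
      - '-redirect-url=https://xxxxxxxxxxxxx.com/oauth2/callback'
      - '-provider=github'
      - '-email-domain=*'
    # .env supplies the OAuth client credentials and the cookie secret:
    #   OAUTH2_PROXY_CLIENT_ID=
    #   OAUTH2_PROXY_CLIENT_SECRET=
    #   OAUTH2_PROXY_COOKIE_SECRET=
    # env_file injects every variable in .env into this container, so a DB
    # password placed there for the interpolation below ends up here as well.
    env_file: .env

  nginx_add_role:
    image: openresty/openresty:alpine
    volumes:
      - ./vhost.conf:/etc/nginx/conf.d/default.conf
    expose:
      - "80"

  rundeck:
    # Local tag for the image built from ./Dockerfile (the name is arbitrary).
    # Reusing the upstream tag rundeck/rundeck:3.1.2 here makes
    # `docker-compose build` tag the derived image with the base image's name,
    # so every later build starts FROM the previous build instead of upstream.
    image: rundeck-with-plugins:3.1.2
    build: ./
    environment:
      - JVM_MAX_RAM_FRACTION=6
      - RUNDECK_GRAILS_URL=https://xxxxxxxxxxxxx.com
      - RUNDECK_SERVER_FORWARDED=true
      # db — the password defaults to the demo value; set RUNDECK_DB_PASSWORD
      # in .env to override it (the same variable feeds MYSQL_PASSWORD below,
      # so the two sides cannot drift apart).
      - RUNDECK_DATABASE_DRIVER=com.mysql.jdbc.Driver
      - RUNDECK_DATABASE_USERNAME=rundeck
      - RUNDECK_DATABASE_PASSWORD=${RUNDECK_DB_PASSWORD:-rundeck}
      # useSSL=false: the JDBC connection is plaintext, which is acceptable
      # only while mysql stays on this private stack network.
      - RUNDECK_DATABASE_URL=jdbc:mysql://mysql/rundeck?autoReconnect=true&useSSL=false
      # authn & authz — user and roles arrive as headers from nginx_add_role
      - RUNDECK_PREAUTH_ENABLED=true
      - RUNDECK_PREAUTH_ATTRIBUTE_NAME=REMOTE_USER_GROUPS
      - RUNDECK_PREAUTH_DELIMITER=,
      - RUNDECK_PREAUTH_USERNAME_HEADER=X-Forwarded-User
      - RUNDECK_PREAUTH_ROLES_HEADER=X-Forwarded-Roles
      - RUNDECK_PREAUTH_REDIRECT_LOGOUT=false
      - RUNDECK_PREAUTH_REDIRECT_URL=/oauth2/sign_in
      # s3 storage support
      - RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_NAME=com.rundeck.rundeckpro.amazon-s3
      - RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_BUCKET=${RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_BUCKET}
      - RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_REGION=${RUNDECK_PLUGIN_EXECUTIONFILESTORAGE_S3_REGION}
    volumes:
      - rundeck-data:/home/rundeck/server/data
    expose:
      - "4440"

  mysql:
    image: mysql:5.7
    expose:
      - "3306"
    environment:
      # Demo defaults; override both in .env for anything that outlives a demo.
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD:-root}
      - MYSQL_DATABASE=rundeck
      - MYSQL_USER=rundeck
      - MYSQL_PASSWORD=${RUNDECK_DB_PASSWORD:-rundeck}
    volumes:
      - db-data:/var/lib/mysql

volumes:
  db-data:
  rundeck-data: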
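# Rundeck 3.1.2 with the plugins this stack uses (S3 log storage, EC2 nodes,
# Slack notifications, Kubernetes) dropped into libext.
FROM rundeck/rundeck:3.1.2

# Versions are pinned but the downloads are not integrity-checked: a GitHub
# release asset can be replaced after publication. Before this image is used
# for anything beyond a demo, record each artifact's sha256 and verify it after
# the download, e.g.
#   echo "<sha256 of the jar>  rundeck-s3-log-plugin-1.0.8.jar" | sha256sum -c -
#
# One RUN keeps the fetched files and the ownership fix in a single layer; the
# original chown in its own layer duplicated every jar.
RUN set -eu \
 && cd ./libext \
 && wget https://github.com/rundeck-plugins/rundeck-s3-log-plugin/releases/download/v1.0.8/rundeck-s3-log-plugin-1.0.8.jar \
 && wget https://github.com/rundeck-plugins/rundeck-ec2-nodes-plugin/releases/download/v1.5.12/rundeck-ec2-nodes-plugin-1.5.12.jar \
 && wget https://github.com/rundeck-plugins/slack-incoming-webhook-plugin/releases/download/v1.2.5/slack-incoming-webhook-plugin-1.2.5.jar \
 && wget https://github.com/rundeck-plugins/kubernetes/releases/download/1.0.12/kubernetes-plugin-1.0.12.zip \
 && chown -R rundeck:root .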
# Login e-mail -> Rundeck role, keyed on the X-Forwarded-Email request header
# (presumably set by oauth2_proxy2 upstream — confirm its header pass-through
# settings). nginx trusts whatever value arrives, so this mapping is only
# sound while nginx_add_role is reachable through oauth2_proxy2 alone.
# Addresses not listed resolve to an empty role.
map $http_x_forwarded_email $rundeck_role {
    "root@example.com"   "admin";
    "user1@example.com"  "users";
    "user2@example.com"  "users";
    default              "";
}
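server {
    # Docker's embedded DNS; the public 8.8.8.8 resolver used before cannot
    # resolve the compose service name `rundeck`. With a static proxy_pass the
    # name is resolved once at startup through the system resolver, so this
    # directive only takes effect if proxy_pass is later given a variable.
    resolver 127.0.0.11 valid=10s;

    location / {
        # Rundeck pre-auth reads X-Forwarded-User / X-Forwarded-Roles. The
        # roles header is always overwritten with the mapped value, so a value
        # supplied by the requester never reaches Rundeck.
        proxy_set_header X-Forwarded-Roles $rundeck_role;
        proxy_pass http://rundeck:4440;
    }
}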