jordan/rundeck + kindlyops oauth2 proxy with roles
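# oauth2_proxy configuration template. It is copied into the image as /etc/oauth2_proxy.cfg.tmpl and the
# {{ var ... }} placeholders are filled from the container environment by entrykit `render` at start;
# the <...> values are meant to be edited by hand before building.
provider = "github"
http_address = "0.0.0.0:4180"
# Must match the callback URL registered on the GitHub OAuth app; this one is for a plain-HTTP local setup.
redirect_url = "http://localhost:4180/oauth2/callback"
# Rundeck runs in the same container (started alongside the proxy by codep), hence the loopback upstream.
upstreams = [
"http://127.0.0.1:4440/"
]
request_logging = true
email_domains = [
"<yourdomain.com>"
]
github_org="<yourorg>"
client_id = "<your clientid>"
client_secret = "{{ var `OAUTH_CLIENT_SECRET` }}"
pass_host_header = true
# passes roles that Rundeck uses for authorization
pass_roles_header = true
# forwards the user's GitHub access token to the upstream as a header as well; keep only if Rundeck needs it
pass_access_token = true
# COOKIE_SECRET has no fallback on purpose: a value written into this file would be the session-signing key
# of every deployment built from it. With the variable unset the secret renders empty and oauth2_proxy should
# refuse to start rather than run with a public key -- supply it from the container environment.
cookie_secret = "{{ var `COOKIE_SECRET` }}"
# Session cookies are sent over plain HTTP, matching the http://localhost redirect_url above; set this to true
# (and redirect_url to https) when the proxy is served behind TLS.
cookie_secure = false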
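#build us a binary for https://github.com/bitly/oauth2_proxy/pull/277
# Pinned major.minor instead of the floating default tag so the build is reproducible; this stage relies on the
# GOPATH layout under /go/src, which Go 1.12 still uses by default for code outside a module.
FROM golang:1.12
WORKDIR /go/src/github.com/bitly
RUN git clone https://github.com/kindlyops/oauth2_proxy.git
WORKDIR /go/src/github.com/bitly/oauth2_proxy
# NOTE(review): github-teams-tweaks is a moving branch; pin it to a reviewed commit so the binary cannot change underneath.
RUN git checkout github-teams-tweaks
RUN go get
# include patch from https://github.com/bitly/oauth2_proxy/pull/295
# Downloaded to a file first: curl -f turns an HTTP error into a build failure, whereas piping straight into
# git apply can let a failed download go unnoticed. The URL names a commit SHA, so the fetched content is fixed.
RUN curl -fsSL -o /tmp/pr295.patch https://github.com/donaldguy/oauth2_proxy/commit/8965e6b58a3afd8ad9f0f326f91b25253c88d523.patch && \
    git apply --apply /tmp/pr295.patch && \
    rm /tmp/pr295.patch
RUN go build
TAG build/oauth2_proxy:withroles
# hand only the built binary to the runtime stage below (IMPORTed there), leaving the Go toolchain behind
EXPORT oauth2_proxy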
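FROM jordan/rundeck
# NOTE(review): the base is untagged, so every rebuild floats with upstream; pin a tag or digest once a known-good one is chosen.
#include https://github.com/progrium/entrykit (provides the render / prehook / switch / codep commands used in ENTRYPOINT)
# Fetched to a file first so a failed download (-f) aborts the build instead of being masked by the pipe into tar.
# The release archive is not integrity-checked here; verify it against a published checksum before trusting this layer.
RUN curl -fsSL -o /tmp/entrykit.tgz https://github.com/progrium/entrykit/releases/download/v0.4.0/entrykit_0.4.0_Linux_x86_64.tgz && \
    tar -xzf /tmp/entrykit.tgz -C /bin && \
    rm /tmp/entrykit.tgz && \
    /bin/entrykit --symlink
#include above oauth2_proxy (built and EXPORTed by the previous stage)
IMPORT oauth2_proxy /bin/oauth2_proxy
# Only the proxy port belongs on the network. Rundeck itself listens on 4440 and, with the auth-constraint removed
# below, takes user and roles straight from the X-Forwarded-* headers -- never publish 4440 directly, the proxy is
# the only authentication layer.
EXPOSE 4180
#enable HTTP preauth (github.com/rundeck/rundeck/pull/1883): Rundeck reads user and roles from the headers oauth2_proxy sets.
# printf emits one property per line, replacing the echo -e + sed dance that stripped echo's joining spaces.
# Appended to the defaults copy at build time and installed into /etc/rundeck by a prehook at start (see ENTRYPOINT).
RUN printf '%s\n' \
    'rundeck.security.authorization.preauthenticated.enabled=true' \
    'rundeck.security.authorization.preauthenticated.attributeName=REMOTE_USER_GROUPS' \
    'rundeck.security.authorization.preauthenticated.delimiter=,' \
    'rundeck.security.authorization.preauthenticated.userNameHeader=X-Forwarded-User' \
    'rundeck.security.authorization.preauthenticated.userRolesHeader=X-Forwarded-Roles' \
    'rundeck.security.authorization.preauthenticated.redirectLogout=true' \
    'rundeck.security.authorization.preauthenticated.redirectUrl=/oauth2/sign_in' \
    >> /opt/rundeck-defaults/rundeck-config.properties
# per http://rundeck.org/docs/administration/authenticating-users.html#preauthenticated-mode and https://github.com/rundeck/rundeck/pull/1883
# Drop the webapp's own <auth-constraint> so the servlet container stops challenging for credentials; only safe
# because the proxy in front does the authentication. Staged in /tmp and installed by a prehook at start,
# presumably because the target directory is a volume of the base image and build-time writes would be lost -- TODO confirm.
RUN sed -e "/<auth-constraint>/,/<\/auth-constraint>/d" /var/lib/rundeck/exp/webapp/WEB-INF/web.xml > /tmp/modified-web.xml
# render fills /etc/oauth2_proxy.cfg from its .tmpl; the prehooks copy (not move) the staged files so the staged
# copies survive and a restarted container re-runs the hooks cleanly; codep then runs Rundeck and the proxy together.
ENTRYPOINT [ \
"render", "/etc/oauth2_proxy.cfg", "--", \
"prehook", "cp /opt/rundeck-defaults/rundeck-config.properties /etc/rundeck/rundeck-config.properties", "--", \
"prehook", "cp /tmp/modified-web.xml /var/lib/rundeck/exp/webapp/WEB-INF/web.xml", "--", \
"switch", \
"bash=/bin/bash", "--", \
"codep", \
"/opt/run", \
"/bin/oauth2_proxy -config /etc/oauth2_proxy.cfg" \
]
## config files (last for cache)
# Template with {{ var ... }} placeholders; the rendered /etc/oauth2_proxy.cfg is what the proxy actually reads.
COPY oauth2_proxy.cfg /etc/oauth2_proxy.cfg.tmpl
TAG rundeck-oauth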