- Authentik (Proxy too) + Traefik + App + Portainer docker-compose file.
- Locust load testing script.
Authentik docker-compose file and Locust test script.
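---
# Local load-test stack: Traefik in front of authentik (server, worker, proxy
# outpost) with a whoami demo app, plus Portainer for container management.
# NOTE(review): several settings below (plain HTTP, unauthenticated Traefik API,
# fixed credentials, published database port) are only acceptable on an isolated
# lab host. Compose publishes ports on all host interfaces unless the mapping is
# prefixed with an address such as 127.0.0.1.
version: '3.4'

services:
  portainer:
    # NOTE(review): `latest` is a moving tag; pin a version for reproducible runs.
    image: portainer/portainer:latest
    ports:
      - "9443:9443"
      - "8000:8000"
    # command: --admin-password 'WRITE_YOUR_PASS' => https://gist.github.com/deviantony/62c009b41bde5e078b1a7de9f11f5e55
    volumes:
      # Access to the Docker socket is equivalent to root on the host, so the
      # Portainer UI on 9443 must not be reachable by untrusted clients.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer-data:/data

  traefik:
    image: traefik:v2.8
    container_name: traefik
    volumes:
      # Needed by the docker provider to discover containers. The same
      # root-equivalent caveat applies; a socket proxy that only allows
      # read-only API calls narrows the exposure.
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "80:80"
      - "8080:8080"
    depends_on:
      - server
      - whoami
    command:
      # Serves the dashboard and API on :8080 without authentication; together
      # with the 8080 mapping above, anyone who can reach the host can read the
      # routing configuration.
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      # Only a plain-HTTP entrypoint is defined, so logins and session cookies
      # cross the network unencrypted.
      - "--entrypoints.web.address=:80"

  server:
    image: ghcr.io/goauthentik/server:2022.12.0
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      # Database password equals the user name and is stored in the file;
      # keep it in an untracked .env file for anything beyond a throwaway lab.
      - AUTHENTIK_POSTGRESQL__PASSWORD=authentik
      # NOTE(review): presumably sends error reports to the authentik project's
      # error tracker - confirm that is wanted for this environment.
      - AUTHENTIK_ERROR_REPORTING__ENABLED=true
      # This key is published with the file, so treat it as compromised:
      # generate a fresh random value per deployment and keep it out of
      # version control.
      - AUTHENTIK_SECRET_KEY=iO6XOk2wSIa5Q3bWt7G4263LqTlCKu4o
      - AUTHENTIK_WEB__THREADS=12
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    ports:
      # Host port range mapped to one container port, so scaled replicas each
      # get their own host port. This also exposes authentik directly over
      # HTTP, bypassing Traefik.
      - "9000-9007:9000"
    depends_on:
      - worker
      - postgresql
      - redis
    labels:
      - "traefik.enable=true"
      # NOTE(review): `traefik.port` is the Traefik v1 label; v2 takes the port
      # from `traefik.http.services.<name>.loadbalancer.server.port`. Presumably
      # this label is ignored by traefik:v2.8 and the port is auto-detected -
      # confirm. The same applies to the other `traefik.port` labels below.
      - "traefik.port=9000"
      - "traefik.http.routers.server.rule=Host(`auth.docker.localhost`)"

  worker:
    image: ghcr.io/goauthentik/server:2022.12.0
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - AUTHENTIK_POSTGRESQL__PASSWORD=authentik
      - AUTHENTIK_ERROR_REPORTING__ENABLED=true
      # Must match the server's key; the note on the server service about
      # rotating this published value applies here too.
      - AUTHENTIK_SECRET_KEY=iO6XOk2wSIa5Q3bWt7G4263LqTlCKu4o
      - AUTHENTIK_WEB__THREADS=12
    # Runs as root with the Docker socket mounted: a compromise of the worker
    # is a compromise of the host. Drop both if the worker does not have to
    # manage outpost containers itself.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates

  authentik-proxy:
    # NOTE(review): no tag, so `latest` is pulled; pin it, presumably to the
    # same release as the server image - confirm.
    image: ghcr.io/goauthentik/proxy
    ports:
      - "9091:9000"
    environment:
      - AUTHENTIK_HOST=http://server:9000
      # Skips TLS certificate verification towards AUTHENTIK_HOST. It has no
      # effect while that URL is http://, and should be removed once it is
      # https://.
      - AUTHENTIK_INSECURE=true
      # The outpost token is a credential; supply it from an untracked .env
      # file rather than writing it here.
      - AUTHENTIK_TOKEN=WRITE_YOUR_OUTPOST_TOKEN_INFO #generated by authentik when outpost is created
      - AUTHENTIK_HOST_BROWSER=http://auth.docker.localhost
      # NOTE(review): debug output can include request details - confirm it is
      # switched off outside the lab.
      - AUTHENTIK_DEBUG=true
    depends_on:
      - server
    labels:
      - "traefik.enable=true"
      - "traefik.port=9000"
      - "traefik.http.routers.authentik-proxy.rule=Host(`app.docker.localhost`) && PathPrefix(`/outpost.goauthentik.io/`)"
      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik"
      # Traefik passes client-supplied X-Forwarded-* headers on to the outpost.
      # That is only safe when a trusted proxy in front of Traefik sets them;
      # otherwise a client controls those values.
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      # Headers copied from the auth response onto the request sent to the app.
      # The app must only be reachable through this middleware, or a client
      # could send X-authentik-* headers itself.
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"

  whoami:
    image: containous/whoami
    depends_on:
      - authentik-proxy
    labels:
      - "traefik.enable=true"
      - "traefik.port=80"
      - "traefik.http.routers.whoami.rule=Host(`app.docker.localhost`)"
      # Every request to the app goes through the authentik forward-auth
      # middleware; no host port is published, so Traefik is the only way in.
      - "traefik.http.routers.whoami.middlewares=authentik@docker"

  postgresql:
    image: postgres:12-alpine
    # Connection limit raised for the load test.
    command: postgres -c "max_connections=2100"
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=authentik
      - POSTGRES_USER=authentik
      - POSTGRES_DB=authentik
    ports:
      # Publishes the database on the host with the guessable password above.
      # The authentik containers reach it over the compose network, so this
      # mapping is only needed for external inspection.
      - "5433:5432"

  redis:
    image: docker.io/library/redis:alpine
    # No password is configured; acceptable only because no port is published.
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data

volumes:
  database:
    driver: local
  redis:
    driver: local
  portainer-data: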
import json
import os
import random

from locust import HttpUser, task, constant_pacing
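# Credentials of the authentik account used by the load test. They are read
# from the environment so real values never have to be written into this file
# (and end up in version control or a shared gist); the original placeholders
# remain the defaults. Use a dedicated, low-privilege test account.
USERNAME = os.environ.get('LOADTEST_USERNAME', 'WRITE_AUTHENTIK_USERNAME')
PASSWORD = os.environ.get('LOADTEST_PASSWORD', 'WRITE_USERNAME_PASSWORD')
# Host port of the authentik server under test.
PORTS = '9000'  # , '9001', '9002', '9004', '9005', etc.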
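class AuthentikLoginLogoutFlow(HttpUser):
    """Simulated user that logs in to authentik, reads its profile and logs out.

    Each user runs the login task once (guarded by ``counter``): it posts the
    credentials to the default authentication flow, fetches
    ``/core/users/me/`` to check that the session belongs to ``USERNAME`` and
    then calls the default invalidation flow.
    """

    # constant_pacing() takes seconds, so a user starts the task at most once
    # every 1000 s; with the counter guard each user effectively logs in once.
    wait_time = constant_pacing(1000)
    counter = 0

    def on_start(self):
        """Turn off TLS certificate verification for this user's HTTP session."""
        # NOTE(review): this has no effect on the http:// URLs used below. If
        # the target is moved to https://, remove it (or point `verify` at the
        # CA bundle) so the test does not accept an arbitrary certificate.
        self.client.verify = False

    @task
    def login(self):
        """Post the credentials to the default authentication flow, once per user.

        A non-200 answer is recorded as a failure; on 200 the profile check and
        logout in ``me`` are executed.
        """
        if self.counter >= 1:
            return

        port = PORTS  # random.choice(PORTS)
        # Plain HTTP: the password is sent in cleartext, which is only
        # acceptable because the target is the loopback interface.
        flow_url = f'http://localhost:{port}/api/v3/flows/executor/default-authentication-flow/'
        credentials = {"component": "ak-stage-identification", "uid_field": USERNAME, "password": PASSWORD}
        with self.client.post(
            url=flow_url,
            name=flow_url,
            json=credentials,
            catch_response=True,
        ) as response:
            if response.status_code == 200:
                self.me(port)
            else:
                response.failure(response.status_code)
        # NOTE(review): counted whether or not the login succeeded, so each
        # simulated user makes a single attempt - confirm that is the intent.
        self.counter += 1

    def me(self, port: str):
        """Check that the session belongs to ``USERNAME``, then log out.

        Args:
            port: Host port of the authentik server that handled the login.

        The request is marked as failed when the body is not the expected JSON
        document or names a different user; otherwise the default invalidation
        flow is called and the request is marked as successful.
        """
        api_root = f'http://localhost:{port}/api/v3'
        me_url = f'{api_root}/core/users/me/'
        with self.client.get(me_url, name=me_url, catch_response=True) as response:
            try:
                response_username = response.json()['user']['username']
            except (ValueError, KeyError, TypeError):
                # ValueError covers json.JSONDecodeError and the decoder errors
                # of alternative JSON backends; TypeError covers a body whose
                # 'user' entry is not a mapping (for example null).
                response.failure(response.text)
                return

            if response_username != USERNAME:
                # A session that resolves to another identity is a failure.
                response.failure(response_username)
                return

            logout_url = f'{api_root}/flows/executor/default-invalidation-flow/'
            self.client.get(logout_url, name=logout_url)
            response.success()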