@viniciusao
Created December 30, 2022 22:37
Authentik docker-compose file and Locust test script.

Tested on Windows 10 (WSL2, Ubuntu).

  • docker-compose file for Authentik (including the proxy outpost), Traefik, a sample app and Portainer.
  • Locust load testing script.
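---
# Local Authentik load-testing stack: Authentik server, worker and proxy
# outpost behind Traefik, a whoami test app protected by the outpost's
# forwardAuth middleware, Portainer, PostgreSQL and Redis.
#
# Secrets are taken from the environment (or a .env file next to this file)
# instead of being committed with the compose file:
#   AUTHENTIK_SECRET_KEY    - required; the previous committed value must be
#                             treated as public and not reused
#   AUTHENTIK_OUTPOST_TOKEN - required; generated by Authentik when the
#                             outpost is created
#   PG_PASS                 - optional; defaults to "authentik" for local tests
version: '3.4'

services:
  portainer:
    image: portainer/portainer:latest
    ports:
      - "9443:9443"
      - "8000:8000"
    # command: --admin-password 'WRITE_YOUR_PASS' => https://gist.github.com/deviantony/62c009b41bde5e078b1a7de9f11f5e55
    volumes:
      # Access to the Docker socket is equivalent to root on the host.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer-data:/data

  traefik:
    image: traefik:v2.8
    container_name: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "80:80"
      # Dashboard/API; --api.insecure=true below serves it without auth,
      # so keep 8080 unreachable from outside this machine.
      - "8080:8080"
    depends_on:
      - server
      - whoami
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      # Only containers labelled traefik.enable=true are routed.
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.web.address=:80"

  server:
    image: ghcr.io/goauthentik/server:2022.12.0
    command: server
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      # Must match POSTGRES_PASSWORD on the postgresql service.
      - "AUTHENTIK_POSTGRESQL__PASSWORD=${PG_PASS:-authentik}"
      # Presumably sends error reports to the Authentik project; set to false
      # if test data must stay local.
      - AUTHENTIK_ERROR_REPORTING__ENABLED=true
      # Signs sessions and tokens; must be identical on server and worker.
      - "AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:?AUTHENTIK_SECRET_KEY is required}"
      - AUTHENTIK_WEB__THREADS=12
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    ports:
      # Host port range, so scaled replicas each get their own host port
      # (the Locust script targets 9000, 9001, ...).
      - "9000-9007:9000"
    depends_on:
      - worker
      - postgresql
      - redis
    labels:
      - "traefik.enable=true"
      # Traefik v2 label; the v1-style "traefik.port" is ignored by v2.
      - "traefik.http.services.server.loadbalancer.server.port=9000"
      - "traefik.http.routers.server.rule=Host(`auth.docker.localhost`)"

  worker:
    image: ghcr.io/goauthentik/server:2022.12.0
    command: worker
    environment:
      - AUTHENTIK_REDIS__HOST=redis
      - AUTHENTIK_POSTGRESQL__HOST=postgresql
      - AUTHENTIK_POSTGRESQL__USER=authentik
      - AUTHENTIK_POSTGRESQL__NAME=authentik
      - "AUTHENTIK_POSTGRESQL__PASSWORD=${PG_PASS:-authentik}"
      - AUTHENTIK_ERROR_REPORTING__ENABLED=true
      - "AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY:?AUTHENTIK_SECRET_KEY is required}"
      - AUTHENTIK_WEB__THREADS=12
    # root plus the Docker socket give this container host-root-equivalent
    # access (presumably needed for the docker integration); run this stack
    # on a machine dedicated to the test.
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates

  authentik-proxy:
    # Pinned to the server release so outpost and server versions match.
    image: ghcr.io/goauthentik/proxy:2022.12.0
    ports:
      - "9091:9000"
    environment:
      - AUTHENTIK_HOST=http://server:9000
      - AUTHENTIK_INSECURE=true
      # Generated by Authentik when the outpost is created.
      - "AUTHENTIK_TOKEN=${AUTHENTIK_OUTPOST_TOKEN:?AUTHENTIK_OUTPOST_TOKEN is required}"
      - AUTHENTIK_HOST_BROWSER=http://auth.docker.localhost
      - AUTHENTIK_DEBUG=true
    depends_on:
      - server
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.authentik-proxy.loadbalancer.server.port=9000"
      - "traefik.http.routers.authentik-proxy.rule=Host(`app.docker.localhost`) && PathPrefix(`/outpost.goauthentik.io/`)"
      # forwardAuth middleware used by the whoami router below.
      - "traefik.http.middlewares.authentik.forwardauth.address=http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik"
      - "traefik.http.middlewares.authentik.forwardauth.trustForwardHeader=true"
      - "traefik.http.middlewares.authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version"

  whoami:
    image: containous/whoami
    depends_on:
      - authentik-proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.whoami.loadbalancer.server.port=80"
      - "traefik.http.routers.whoami.rule=Host(`app.docker.localhost`)"
      - "traefik.http.routers.whoami.middlewares=authentik@docker"

  postgresql:
    image: postgres:12-alpine
    # Raised connection limit for the load test.
    command: postgres -c "max_connections=2100"
    healthcheck:
      # $$ escapes compose interpolation so the container shell expands the vars.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      - "POSTGRES_PASSWORD=${PG_PASS:-authentik}"
      - POSTGRES_USER=authentik
      - POSTGRES_DB=authentik
    ports:
      # Publishes the database on the host with the default test password;
      # drop this mapping if host access is not needed.
      - "5433:5432"

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data

volumes:
  database:
    driver: local
  redis:
    driver: local
  portainer-data: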
import json
import os
import random
from locust import HttpUser, task, constant_pacing
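# Credentials of an existing Authentik user. Read from the environment so the
# password does not have to be written into this script; the literal
# placeholders remain the fallback.
USERNAME = os.environ.get('AUTHENTIK_USERNAME', 'WRITE_AUTHENTIK_USERNAME')
PASSWORD = os.environ.get('AUTHENTIK_PASSWORD', 'WRITE_USERNAME_PASSWORD')
# Host port of the Authentik server, used directly as `port` in login().
# To spread load over several server instances, make this a list such as
# ['9000', '9001', '9002', ...] and switch login() back to random.choice(PORTS).
PORTS = '9000'  #, '9001', '9002', '9004', '9005', etc.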
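class AuthentikLoginLogoutFlow(HttpUser):
    """Locust user that logs in to Authentik once, reads /users/me and logs out.

    The ``login`` task only does work on its first run per simulated user
    (gated by ``counter``); afterwards it is a no-op, so the number of login
    attempts equals the number of spawned users.
    """

    # Very long pacing: after its single login each user effectively idles.
    wait_time = constant_pacing(1000)
    # Class-level default; ``self.counter += 1`` creates a per-instance copy.
    counter = 0

    def on_start(self) -> None:
        # All URLs below are plain http://localhost, so this only has an effect
        # if the targets are switched to https with a self-signed certificate.
        self.client.verify = False

    @task
    def login(self) -> None:
        """POST the credentials to the default authentication flow, then call ``me``."""
        if self.counter >= 1:
            return
        port = PORTS  # random.choice(PORTS) once PORTS is a list
        url = f'http://localhost:{port}/api/v3/flows/executor/default-authentication-flow/'
        with self.client.post(
            url=url,
            name=url,
            json={"component": "ak-stage-identification", "uid_field": USERNAME, "password": PASSWORD},
            catch_response=True,
        ) as response:
            if response.status_code != 200:
                # failure() takes a message/exception; a bare int is only
                # accepted on locust versions that wrap arbitrary values.
                response.failure(f'unexpected status {response.status_code}')
            else:
                self.me(port)
        self.counter += 1

    def me(self, port: str) -> None:
        """GET /users/me on ``port``; if the username matches ``USERNAME``,
        log out through the default invalidation flow and mark the request
        successful, otherwise mark it failed.
        """
        url = f'http://localhost:{port}/api/v3/core/users/me/'
        with self.client.get(url, name=url, catch_response=True) as response:
            try:
                response_username = response.json()['user']['username']
            except (ValueError, KeyError, TypeError):
                # ValueError covers json.JSONDecodeError and the requests /
                # simplejson variants; TypeError covers a non-object body.
                response.failure(response.text)
                return
            if response_username != USERNAME:
                response.failure(response_username)
                return
            logout_url = f'http://localhost:{port}/api/v3/flows/executor/default-invalidation-flow/'
            self.client.get(logout_url, name=logout_url)
            response.success()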