From 6858f66a62416354a349d8090fcb45b5262056eb Mon Sep 17 00:00:00 2001 From: Sandro Date: Fri, 25 Apr 2025 19:38:02 +0200 Subject: Add check endpoint which can be used with nginx' auth_request function (#266) * Add check endpoint which can be used with nginx' auth_request function * feat(cmd): allow configuring redirect domains * test: add test environment for the nginx_auth PR This is a full local setup of the nginx_auth PR including HTTPS so that it's easier to validate in isolation. This requires an install of k3s (https://k3s.io) with traefik set to listen on localhost. This will be amended in the future but for now this works enough to ship it. Signed-off-by: Xe Iaso * fix(cmd|lib): allow empty redirect domains variable Signed-off-by: Xe Iaso * fix(test): add space to target variable in anubis container Signed-off-by: Xe Iaso * docs(admin): rewrite subrequest auth docs, make generic * docs(install): document REDIRECT_DOMAINS flag Signed-off-by: Xe Iaso * feat(lib): clamp redirects to the same HTTP host Only if REDIRECT_DOMAINS is not set. Signed-off-by: Xe Iaso --------- 
Signed-off-by: Xe Iaso
Co-authored-by: Xe Iaso
---
test/k8s/cert-manager/selfsigned-issuer.yaml | 6 ++++
test/k8s/deps/cert-manager.yaml | 13 ++++++++
test/nginx-external-auth/conf.d/default.conf | 25 ++++++++++++++
test/nginx-external-auth/deployment.yaml | 50 ++++++++++++++++++++++++++++
test/nginx-external-auth/ingress.yaml | 25 ++++++++++++++
test/nginx-external-auth/kustomization.yaml | 10 ++++++
test/nginx-external-auth/service.yaml | 13 ++++++++
test/nginx-external-auth/start.sh | 23 +++++++++++++
test/pki/.gitignore | 2 ++
test/shared/www/index.html | 17 ++++++++++
10 files changed, 184 insertions(+)
create mode 100644 test/k8s/cert-manager/selfsigned-issuer.yaml
create mode 100644 test/k8s/deps/cert-manager.yaml
create mode 100644 test/nginx-external-auth/conf.d/default.conf
create mode 100644 test/nginx-external-auth/deployment.yaml
create mode 100644 test/nginx-external-auth/ingress.yaml
create mode 100644 test/nginx-external-auth/kustomization.yaml
create mode 100644 test/nginx-external-auth/service.yaml
create mode 100755 test/nginx-external-auth/start.sh
create mode 100644 test/pki/.gitignore
create mode 100644 test/shared/www/index.html
(limited to 'test')
diff --git a/test/k8s/cert-manager/selfsigned-issuer.yaml b/test/k8s/cert-manager/selfsigned-issuer.yaml
new file mode 100644
index 0000000..07d2b7b
--- /dev/null
+++ b/test/k8s/cert-manager/selfsigned-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: selfsigned
+spec:
+ selfSigned: {}
\ No newline at end of file
diff --git a/test/k8s/deps/cert-manager.yaml b/test/k8s/deps/cert-manager.yaml
new file mode 100644
index 0000000..f3e17fa
--- /dev/null
+++ b/test/k8s/deps/cert-manager.yaml
@@ -0,0 +1,13 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: cert-manager
+ namespace: kube-system
+spec:
+ repo: https://charts.jetstack.io
+ chart: cert-manager
+ targetNamespace: cert-manager
+ createNamespace: true
+ set:
+ installCRDs: "true"
+ "prometheus.enabled": "false"
\ No newline at end of file
diff --git a/test/nginx-external-auth/conf.d/default.conf b/test/nginx-external-auth/conf.d/default.conf
new file mode 100644
index 0000000..e9e5a78
--- /dev/null
+++ b/test/nginx-external-auth/conf.d/default.conf
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name nginx.local.cetacean.club;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ location /.within.website/ {
+ proxy_pass http://localhost:8923;
+ auth_request off;
+ }
+
+ location @redirectToAnubis {
+ return 307 /.within.website/?redir=$scheme://$host$request_uri;
+ auth_request off;
+ }
+
+ location / {
+ auth_request /.within.website/x/cmd/anubis/api/check;
+ error_page 401 = @redirectToAnubis;
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+}
\ No newline at end of file
diff --git a/test/nginx-external-auth/deployment.yaml b/test/nginx-external-auth/deployment.yaml
new file mode 100644
index 0000000..f4b408b
--- /dev/null
+++ b/test/nginx-external-auth/deployment.yaml
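Review bot: The `auth_request` in `location /` is served through the general-purpose `location /.within.website/` block, which neither marks the check path `internal` nor drops the request body, so a POST through nginx sends the original `Content-Length` to the check upstream with no body behind it (a well-known way to stall `auth_request` backends), and the check endpoint stays reachable by ordinary clients. A dedicated exact-match location for the check path with `internal`, `proxy_pass_request_body off` and an emptied `Content-Length` is the usual shape, assuming nothing else needs to hit that path directly. Separately, `@redirectToAnubis` builds `redir=` from `$scheme`, which is always `http` here because this server only listens on port 80 behind TLS-terminating Traefik, so the post-challenge redirect lands the browser on plain HTTP; `$http_x_forwarded_proto` reflects the scheme the client actually used, provided Traefik sets that header (it does by default). The rewritten locations are below; `location /` is unchanged.
```nginx
    # … unchanged: listen / server_name / proxy_set_header lines …

    # Only reachable via auth_request subrequests; never exposed to clients.
    location = /.within.website/x/cmd/anubis/api/check {
        internal;
        proxy_pass http://localhost:8923;
        # auth subrequests carry no body; don't advertise one to the upstream
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location /.within.website/ {
        proxy_pass http://localhost:8923;
        auth_request off;
    }

    location @redirectToAnubis {
        # Traefik terminates TLS, so $scheme is always http here; use the forwarded scheme.
        return 307 /.within.website/?redir=$http_x_forwarded_proto://$host$request_uri;
        auth_request off;
    }

    # … unchanged: location / …
```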
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-external-auth
+spec:
+ selector:
+ matchLabels:
+ app: nginx-external-auth
+ template:
+ metadata:
+ labels:
+ app: nginx-external-auth
+ spec:
+ volumes:
+ - name: config
+ configMap:
+ name: nginx-cfg
+ containers:
+ - name: www
+ image: nginx:alpine
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ requests:
+ memory: "128Mi"
+ cpu: "500m"
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: config
+ mountPath: /etc/nginx/conf.d
+ readOnly: true
+ - name: anubis
+ image: ttl.sh/techaro/anubis-external-auth:latest
+ imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 250m
+ memory: 128Mi
+ env:
+ - name: TARGET
+ value: " "
+ - name: REDIRECT_DOMAINS
+ value: nginx.local.cetacean.club
+
+
diff --git a/test/nginx-external-auth/ingress.yaml b/test/nginx-external-auth/ingress.yaml
new file mode 100644
index 0000000..6fc8737
--- /dev/null
+++ b/test/nginx-external-auth/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: nginx-external-auth
+ labels:
+ name: nginx-external-auth
+ annotations:
+ cert-manager.io/cluster-issuer: "selfsigned"
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - nginx.local.cetacean.club
+ secretName: nginx-local-cetacean-club-public-tls
+ rules:
+ - host: nginx.local.cetacean.club
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: nginx-external-auth
+ port:
+ name: http
diff --git a/test/nginx-external-auth/kustomization.yaml b/test/nginx-external-auth/kustomization.yaml
new file mode 100644
index 0000000..7410f97
--- /dev/null
+++ b/test/nginx-external-auth/kustomization.yaml
@@ -0,0 +1,10 @@
+resources:
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
+
+configMapGenerator:
+ - name: nginx-cfg
+ behavior: create
+ files:
+ - ./conf.d/default.conf
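Review bot: The `anubis` container pulls `ttl.sh/techaro/anubis-external-auth:latest` with `imagePullPolicy: Always`, and ttl.sh is an anonymous, unauthenticated registry where anyone can push under that name, so every pod start runs whatever was most recently pushed to that tag rather than the image `start.sh` just built. A per-run tag (for example the commit SHA the build runs from) or a digest reference would keep the test pinned to its own build even on a throwaway registry. The `TARGET` value `" "` is a sentinel whose reason lives only in the commit message; a comment such as `# single space: presumably disables upstream proxying so this container only serves the check endpoint — confirm against the cmd/anubis flag parsing` would spare the next reader a trip through the history.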
diff --git a/test/nginx-external-auth/service.yaml b/test/nginx-external-auth/service.yaml
new file mode 100644
index 0000000..d2e018c
--- /dev/null
+++ b/test/nginx-external-auth/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx-external-auth
+spec:
+ selector:
+ app: nginx-external-auth
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 80
+ type: ClusterIP
diff --git a/test/nginx-external-auth/start.sh b/test/nginx-external-auth/start.sh
new file mode 100755
index 0000000..044238a
--- /dev/null
+++ b/test/nginx-external-auth/start.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Build container image
+(
+ cd ../.. \
+ && npm ci \
+ && npm run container -- \
+ --docker-repo ttl.sh/techaro/anubis-external-auth \
+ --docker-tags ttl.sh/techaro/anubis-external-auth:latest
+)
+
+kubectl apply -k .
+echo "open https://nginx.local.cetacean.club, press control c when done"
+
+control_c() {
+ kubectl delete -k .
+ exit
+}
+trap control_c SIGINT
+
+sleep infinity
\ No newline at end of file
diff --git a/test/pki/.gitignore b/test/pki/.gitignore
new file mode 100644
index 0000000..c96a04f
--- /dev/null
+++ b/test/pki/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
\ No newline at end of file
diff --git a/test/shared/www/index.html b/test/shared/www/index.html
new file mode 100644
index 0000000..8c55c8c
--- /dev/null
+++ b/test/shared/www/index.html
@@ -0,0 +1,17 @@ + + + + Anubis works! + + + + 
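Review bot: `cd ../..` in the build subshell resolves against the caller's working directory, so the script only behaves when invoked from inside `test/nginx-external-auth/`; `cd "$(dirname "$0")/../.."` makes it location-independent. The cleanup trap is registered for `SIGINT` only, so a `SIGTERM` (a CI runner timing out, a closed terminal) leaves the Deployment, Service and Ingress running in the cluster; `trap control_c SIGINT SIGTERM` covers both. The trap is also installed after `kubectl apply -k .`, so an interrupt during the build or the apply itself does no cleanup, which is worth a one-line comment if it is intentional.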
+

Anubis works!

+ +

If you see this, everything has gone according to keikaku.

+ + +
+ + \ No newline at end of file -- cgit v1.2.3