jordan/rundeck + kindlyops oauth2 proxy with roles

oauth2_proxy.cfg

provider = "github"
http_address = "0.0.0.0:4180"
redirect_url = "http://localhost:4180/oauth2/callback"
upstreams = [
    "http://127.0.0.1:4440/"
 ]
request_logging = true
 email_domains = [
  "<yourdomain.com>"
 ]

github_org="<yourorg>"
client_id = "<your clientid>"
client_secret = "{{ var `OAUTH_CLIENT_SECRET` }}"
pass_host_header = true
# passes roles that Rundeck uses for authorization
pass_roles_header = true
pass_access_token = true
cookie_secret = "{{ var `COOKIE_SECRET` | default `50v3ry53kr17,dud3z` }}"
# sets rate of role refresh
cookie_secure = false

Rockerfile

#build us a binary for https://github.com/bitly/oauth2_proxy/pull/277
FROM golang
WORKDIR /go/src/github.com/bitly
RUN git clone https://github.com/kindlyops/oauth2_proxy.git
WORKDIR /go/src/github.com/bitly/oauth2_proxy
RUN git checkout github-teams-tweaks
RUN go get
# include patch from https://github.com/bitly/oauth2_proxy/pull/295
RUN curl https://github.com/donaldguy/oauth2_proxy/commit/8965e6b58a3afd8ad9f0f326f91b25253c88d523.patch | git apply --apply -
RUN go build
TAG build/oauth2_proxy:withroles
EXPORT oauth2_proxy


FROM jordan/rundeck

#include https://github.com/progrium/entrykit
RUN curl -sL https://github.com/progrium/entrykit/releases/download/v0.4.0/entrykit_0.4.0_Linux_x86_64.tgz | tar -xzC /bin && \
    /bin/entrykit --symlink
#include above oauth2_proxy
IMPORT oauth2_proxy /bin/oauth2_proxy
EXPOSE 4180

#enable HTTP preauth (github.com/rundeck/rundeck/pull/1883)
RUN /bin/echo -e "rundeck.security.authorization.preauthenticated.enabled=true\n"\
                 "rundeck.security.authorization.preauthenticated.attributeName=REMOTE_USER_GROUPS\n"\
                 "rundeck.security.authorization.preauthenticated.delimiter=,\n"\
                 "rundeck.security.authorization.preauthenticated.userNameHeader=X-Forwarded-User\n"\
                 "rundeck.security.authorization.preauthenticated.userRolesHeader=X-Forwarded-Roles\n"\
                 "rundeck.security.authorization.preauthenticated.redirectLogout=true\n"\
                 "rundeck.security.authorization.preauthenticated.redirectUrl=/oauth2/sign_in\n"\
                 | sed 's/^ \+//' >> /opt/rundeck-defaults/rundeck-config.properties
# per http://rundeck.org/docs/administration/authenticating-users.html#preauthenticated-mode and https://github.com/rundeck/rundeck/pull/1883
RUN sed -e "/<auth-constraint>/,/<\/auth-constraint>/d" /var/lib/rundeck/exp/webapp/WEB-INF/web.xml > /tmp/modified-web.xml

ENTRYPOINT [ \
  "render", "/etc/oauth2_proxy.cfg", "--", \
  "prehook", "cp /opt/rundeck-defaults/rundeck-config.properties /etc/rundeck/rundeck-config.properties", "--", \
  "prehook", "mv /tmp/modified-web.xml /var/lib/rundeck/exp/webapp/WEB-INF/web.xml ", "--", \
  "switch", \
    "bash=/bin/bash", "--",  \
  "codep", \
    "/opt/run", \
    "/bin/oauth2_proxy -config /etc/oauth2_proxy.cfg" \
]

## config files (last for cache)
COPY oauth2_proxy.cfg /etc/oauth2_proxy.cfg.tmpl
TAG rundeck-oauth

Using https://github.com/grammarly/rocker prebuild the as yet unmerged bitly/oauth2_proxy#277 and then run Rundeck per rundeck/rundeck#1883 as well as the oauth proxy using https://github.com/progrium/entrykit to multiplex and do env injection to the proxy config.

To use just modify the oauth2_proxy.cfg with your values. Install rocker from https://github.com/grammarly/rocker/releases, then

git clone https://gist.github.com/eaa99fb0d1f17c0576255c3cf3ffc7ea.git rundeck-oauth
cd rundeck-oauth
rocker build .
docker run -d -e "OAUTH_CLIENT_SECRET=yoursecret" -e "EXTERNAL_SERVER_URL=http://localhost:4180" -p 4180:4180 rundeck-oauth