josephmilla · July 23, 2019 23:57
diff --git a/oauth2_proxy.cfg b/oauth2_proxy.cfg
 provider = "github"
 http_address = "0.0.0.0:4180"
 redirect_url = "http://localhost:4180/oauth2/callback"
 upstreams = [
    "http://127.0.0.1:4440/"
 ]
 request_logging = true
 email_domains = [
  "<yourdomain.com>"
 ]

 github_org="<yourorg>"
 client_id = "<your clientid>"
 client_secret = "{{ var `OAUTH_CLIENT_SECRET` }}"
 pass_host_header = true
 # passes roles that Rundeck uses for authorization
 pass_roles_header = true
 pass_access_token = true
 cookie_secret = "{{ var `COOKIE_SECRET` | default `50v3ry53kr17,dud3z` }}"
 # sets rate of role refresh
 cookie_secure = false
diff --git a/Rockerfile b/Rockerfile
 #build us a binary for https://github.com/bitly/oauth2_proxy/pull/277
 FROM golang
 WORKDIR /go/src/github.com/bitly
 RUN git clone https://github.com/kindlyops/oauth2_proxy.git
 WORKDIR /go/src/github.com/bitly/oauth2_proxy
 RUN git checkout github-teams-tweaks
 RUN go get
 # include patch from https://github.com/bitly/oauth2_proxy/pull/295
 RUN curl https://github.com/donaldguy/oauth2_proxy/commit/8965e6b58a3afd8ad9f0f326f91b25253c88d523.patch | git apply --apply -
 RUN go build
 TAG build/oauth2_proxy:withroles
 EXPORT oauth2_proxy


 FROM jordan/rundeck

 #include https://github.com/progrium/entrykit
 RUN curl -sL https://github.com/progrium/entrykit/releases/download/v0.4.0/entrykit_0.4.0_Linux_x86_64.tgz | tar -xzC /bin && \
    /bin/entrykit --symlink
 #include above oauth2_proxy
 IMPORT oauth2_proxy /bin/oauth2_proxy
 EXPOSE 4180

 #enable HTTP preauth (github.com/rundeck/rundeck/pull/1883)
 RUN /bin/echo -e "rundeck.security.authorization.preauthenticated.enabled=true\n"\
                 "rundeck.security.authorization.preauthenticated.attributeName=REMOTE_USER_GROUPS\n"\
                 "rundeck.security.authorization.preauthenticated.delimiter=,\n"\
                 "rundeck.security.authorization.preauthenticated.userNameHeader=X-Forwarded-User\n"\
                 "rundeck.security.authorization.preauthenticated.userRolesHeader=X-Forwarded-Roles\n"\
                 "rundeck.security.authorization.preauthenticated.redirectLogout=true\n"\
                 "rundeck.security.authorization.preauthenticated.redirectUrl=/oauth2/sign_in\n"\
                 | sed 's/^ \+//' >> /opt/rundeck-defaults/rundeck-config.properties
 # per http://rundeck.org/docs/administration/authenticating-users.html#preauthenticated-mode and https://github.com/rundeck/rundeck/pull/1883
 RUN sed -e "/<auth-constraint>/,/<\/auth-constraint>/d" /var/lib/rundeck/exp/webapp/WEB-INF/web.xml > /tmp/modified-web.xml

 ENTRYPOINT [ \
  "render", "/etc/oauth2_proxy.cfg", "--", \
  "prehook", "cp /opt/rundeck-defaults/rundeck-config.properties /etc/rundeck/rundeck-config.properties", "--", \
  "prehook", "mv /tmp/modified-web.xml /var/lib/rundeck/exp/webapp/WEB-INF/web.xml ", "--", \
  "switch", \
    "bash=/bin/bash", "--",  \
  "codep", \
    "/opt/run", \
    "/bin/oauth2_proxy -config /etc/oauth2_proxy.cfg" \
 ]

 ## config files (last for cache)
 COPY oauth2_proxy.cfg /etc/oauth2_proxy.cfg.tmpl
 TAG rundeck-oauth
	provider = "github"
	http_address = "0.0.0.0:4180"
	redirect_url = "http://localhost:4180/oauth2/callback"
	upstreams = [
	"http://127.0.0.1:4440/"
	]
	request_logging = true
	email_domains = [
	"<yourdomain.com>"
	]

	github_org="<yourorg>"
	client_id = "<your clientid>"
	client_secret = "{{ var `OAUTH_CLIENT_SECRET` }}"
	pass_host_header = true
	# passes roles that Rundeck uses for authorization
	pass_roles_header = true
	pass_access_token = true
	cookie_secret = "{{ var `COOKIE_SECRET` \| default `50v3ry53kr17,dud3z` }}"
	# sets rate of role refresh
	cookie_secure = false
	#build us a binary for https://github.com/bitly/oauth2_proxy/pull/277
	FROM golang
	WORKDIR /go/src/github.com/bitly
	RUN git clone https://github.com/kindlyops/oauth2_proxy.git
	WORKDIR /go/src/github.com/bitly/oauth2_proxy
	RUN git checkout github-teams-tweaks
	RUN go get
	# include patch from https://github.com/bitly/oauth2_proxy/pull/295
	RUN curl https://github.com/donaldguy/oauth2_proxy/commit/8965e6b58a3afd8ad9f0f326f91b25253c88d523.patch \| git apply --apply -
	RUN go build
	TAG build/oauth2_proxy:withroles
	EXPORT oauth2_proxy


	FROM jordan/rundeck

	#include https://github.com/progrium/entrykit
	RUN curl -sL https://github.com/progrium/entrykit/releases/download/v0.4.0/entrykit_0.4.0_Linux_x86_64.tgz \| tar -xzC /bin && \
	/bin/entrykit --symlink
	#include above oauth2_proxy
	IMPORT oauth2_proxy /bin/oauth2_proxy
	EXPOSE 4180

	#enable HTTP preauth (github.com/rundeck/rundeck/pull/1883)
	RUN /bin/echo -e "rundeck.security.authorization.preauthenticated.enabled=true\n"\
	"rundeck.security.authorization.preauthenticated.attributeName=REMOTE_USER_GROUPS\n"\
	"rundeck.security.authorization.preauthenticated.delimiter=,\n"\
	"rundeck.security.authorization.preauthenticated.userNameHeader=X-Forwarded-User\n"\
	"rundeck.security.authorization.preauthenticated.userRolesHeader=X-Forwarded-Roles\n"\
	"rundeck.security.authorization.preauthenticated.redirectLogout=true\n"\
	"rundeck.security.authorization.preauthenticated.redirectUrl=/oauth2/sign_in\n"\
	\| sed 's/^ \+//' >> /opt/rundeck-defaults/rundeck-config.properties
	# per http://rundeck.org/docs/administration/authenticating-users.html#preauthenticated-mode and https://github.com/rundeck/rundeck/pull/1883
	RUN sed -e "/<auth-constraint>/,/<\/auth-constraint>/d" /var/lib/rundeck/exp/webapp/WEB-INF/web.xml > /tmp/modified-web.xml

	ENTRYPOINT [ \
	"render", "/etc/oauth2_proxy.cfg", "--", \
	"prehook", "cp /opt/rundeck-defaults/rundeck-config.properties /etc/rundeck/rundeck-config.properties", "--", \
	"prehook", "mv /tmp/modified-web.xml /var/lib/rundeck/exp/webapp/WEB-INF/web.xml ", "--", \
	"switch", \
	"bash=/bin/bash", "--", \
	"codep", \
	"/opt/run", \
	"/bin/oauth2_proxy -config /etc/oauth2_proxy.cfg" \
	]

	## config files (last for cache)
	COPY oauth2_proxy.cfg /etc/oauth2_proxy.cfg.tmpl
	TAG rundeck-oauth