Commit 66eea123 authored by Morten Knutsen

Add quick doc with example dev deployment.

parent a6b2e4f8
Pipeline #1659 passed with stage
in 2 minutes and 50 seconds
## Sidecar container for simple authentication in PaaS 2.0
This code uses nginx and lua to provide a simple way to deploy authentication to a Kubernetes deployment. It sets headers `X-Feide-Attr-*` and exposes them to the application just as the old FEIDE proxy in front of the old PaaS. It also sets the `Remote-User` header.
### Variables
The following variables should be set in the environment:
* `upstream_port`: The port that the actual service is listening on.
The following optional variables can be set:
* `auth_server`: The auth proxy server to use. (defaults to `login.paas2.uninett.no`)
* `idp`: The IdP to use. (defaults to `https://idp-test.feide.no`)
* `memcache`: Memcache service name to use. (defaults to `auth-proxy-memcache`)
* `feide_mode`: Can be set to `info` to not enforce login, but just pass on attributes. (not set by default)
### Example deployment for development
This is an example deployment for development of this sidecar service, using the scratch namespace with a simple service that dumps the headers recieved. It uses the staging version of the auth-proxy service, and the FEIDE test IdP:
```
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: auth-test
namespace: scratch
labels:
app: auth-test
spec:
replicas: 1
template:
metadata:
labels:
app: auth-test
spec:
containers:
- name: auth
image: registry.uninett.no/system/paas2-auth-sidecar
imagePullPolicy: Always
env:
- name: upstream_port
value: "8080"
- name: auth_server
value: login-staging.paas2.uninett.no
- name: idp
value: idp-test.feide.no
ports:
- name: web
containerPort: 80
- name: app
image: blystad/http-server-header-dump
imagePullPolicy: Always
ports:
- name: app
containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: basic
spec:
ports:
- port: 80
selector:
app: auth-test
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: basic
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
spec:
tls:
- hosts:
- auth-test.paas2.uninett.no
secretName: auth-test.paas2.uninett.no-tls
rules:
- host: auth-test.paas2.uninett.no
http:
paths:
- path: /
backend:
serviceName: basic
servicePort: 80
```
\ No newline at end of file
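Review bot: The opening paragraph and the Variables section do not say whether the sidecar clears client-supplied `Remote-User` and `X-Feide-Attr-*` headers before setting its own, which matters most for `feide_mode` set to `info`, where login is not enforced and the application still reads these headers. Please document that behaviour. The example also declares `containerPort: 8080` on the app container in the same pod, so add a note that the application should only trust these headers on traffic that came through the sidecar, for example by listening on localhost only. In the example, `idp` is given as `idp-test.feide.no` while the documented default is `https://idp-test.feide.no`; state which form is expected and make the two agree. The Service and Ingress named `basic` carry no `namespace: scratch`, unlike the Deployment, so say how the manifest is meant to be applied. Smaller points: "recieved" should be "received", and the file lacks a trailing newline.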