A Kubernetes controller to inject an authentication proxy container to relevant pods
We want to automatically inject an authentication proxy container in a pod, for any deployment that requires to connect to our SSO provider, instead of manually adding a sidecar container with each deployment
This controller will continuously watch deployments in specific or all namespaces, and automatically add a sidecar container for the authentication proxy. Configuration for the proxy is managed through annotations of the respective deployment or with ConfigMap of the ProxyInjector.
For now the ProxyInjector only supports Keycloak Gatekeeper as the authentication proxy, to work with Keycloak Server
The following quickstart let's you set up ProxyInjector:
-
Add configuration to the ProxyInjector The following arguments can either be added to the proxy injector
config.yaml
in the ConfigMap/Secret for centralized configuration, or as annotations on the individual target deployments with aauthproxy.stakater.com/
prefix. In case of both, the deployment annotation values will override the central configuration.Key Description listen the interface address and port the proxy should be listening on upstream-url url for the upstream endpoint you wish to proxy resources list of resources to proxy uri, methods, roles client-id client id used to authenticate to the oauth service client-secret client secret used to authenticate to the oauth service gatekeeper-image Keycloak Gatekeeper image e.g. keycloak/keycloak-gatekeeper:6.0.1
The rest of the available options can be found at the Keycloak Gatekeeper documentation
Note 1: See the section Using Secrets
below if you do not want to use ConfigMap (because client-id
and client-secret
in plain text) and want to use Secrets to hide them.
-
Deploy the controller by running the following command:
For Kubernetes Cluster using kubectl
kubectl apply -f https://raw.githubusercontent.com/stakater/ProxyInjector/master/deployments/kubernetes/proxyinjector.yaml -n default
-
When deploying any application that needs Keycloak authentication, add the following annotations to the
deployment
. Theservice
will not need changes as such, all configuration can be provided as annotations in the deployment for the app. And proxy injector automatically modifies the service when injecting the sidecar container.Key Description authproxy.stakater.com/enabled (true/false, default=false) Enables Keycloak gatekeeper configuration authproxy.stakater.com/source-service-name Name of service that needs to be reconfigured to connect to the proxy. instead of the service directly routing to the app container, it will now route to the proxy sidecar instead. authproxy.stakater.com/target-port (default=80) the port on the pod where the proxy sidecar (keycloak gatekeeper) will be listening. If not specified, the default value of 80 is used. This port should match the listen
configurationauthproxy.stakater.com/resources String of resources separated by &
e.g. (`uri=/*The
authproxy.stakater.com/listen
annotation or thelisten
property in the ProxyInjector ConfigMap should specify where the proxy sidecar will listen for incoming requests, e.g. "0.0.0.0:80" i.e. local port 80
To use secrets:
-
Open values.yaml file by navigating to
deployments/kubernetes/chart/proxyinjector/
-
Set
proxyinjector.mount
equals to"secret"
and pass the data in the data section at the bottom. -
Run
helm template . > proxyinjector.yaml
-
Deploy using the
Deploying
section below.
To use existing Secrets:
- Set
proxyinjector.mount
equals to"secret"
- set
proxyinjector.existingSecret
equals toEXISTING_SECRET_NAME
To pass user credentials/ API keys in secrets:
-
Open values.yaml file by navigating to
deployments/kubernetes/chart/proxyinjector/
-
Set
proxyinjector.mount
equals to"configmap"
and pass the data in the data section at the bottom. -
Run
helm template . > proxyinjector.yaml
-
Deploy using the
Deploying
section below.
You can deploy the controller in the namespace you want to monitor by running the following kubectl command:
kubectl apply -f proxyinjector.yaml -n <namespace>
Note: Before applying proxyinjector.yaml
, You need to modify the namespace in the RoleBinding
subjects section to the namespace you want to apply RBAC to.
You can find more documentation here
File a GitHub issue, or send us an email.
Join and talk to us on the #tools-proxyinjector channel for discussing the ProxyInjector
Apache2 © Stakater
The ProxyInjector
is maintained by Stakater. Like it? Please let us know at hello@stakater.com
See our other projects or contact us in case of professional services and queries on hello@stakater.com
Stakater Team and the Open Source community! 🏆