Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add support for http(s)_proxy for use in k8s authenticator
1 parent 05ddcb9, commit de1f890
Showing 10 changed files with 170 additions and 10 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,3 +4,5 @@ dev/tls/*.crt | |
nginx.crt | ||
/output/ | ||
dev/**/*.openshift.yml | ||
sni.crt | ||
sni.out |
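Review bot: the two new entries `sni.crt` and `sni.out` are unanchored, so they ignore files with those names in any directory, unlike `/output/` in the same hunk. If the proxy test writes them to one known location, give that path (or a leading `/`), and add a comment naming the script that generates them so the ignored certificate file is not left unexplained.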
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
FROM travix/tinyproxy:latest | ||
|
||
COPY proxy/tinyproxy.conf /etc/tinyproxy.conf |
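Review bot: `FROM travix/tinyproxy:latest` pulls a third-party image by a mutable tag, so the proxy that carries the authenticator's traffic in the test run can change without any change to this repository. Pin it to a specific version tag or, better, an image digest. The `COPY proxy/tinyproxy.conf` source path also assumes the build context is the parent of `proxy/`; a comment saying so would save the next reader a failed build.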
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: conjur-authn-k8s | ||
labels: | ||
app: conjur-authn-k8s | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: conjur-authn-k8s | ||
template: | ||
metadata: | ||
labels: | ||
app: conjur-authn-k8s | ||
spec: | ||
containers: | ||
- image: {{ CONJUR_AUTHN_K8S_TAG }} | ||
imagePullPolicy: Always | ||
name: conjur | ||
command: ["conjurctl", "server"] | ||
env: | ||
- name: DATABASE_URL | ||
value: postgres://postgres@postgres:5432/postgres | ||
- name: CONJUR_ADMIN_PASSWORD | ||
value: admin | ||
- name: CONJUR_ACCOUNT | ||
value: cucumber | ||
- name: CONJUR_DATA_KEY | ||
value: "{{ DATA_KEY }}" | ||
- name: RAILS_ENV | ||
value: test | ||
# Enable coverage tracking. | ||
- name: REQUIRE_SIMPLECOV | ||
value: "true" | ||
# Sleep after generating the coverage report to keep the pod alive | ||
# so the report can be retrieved. | ||
- name: SIMPLECOV_SLEEP | ||
value: "true" | ||
- name: WEB_CONCURRENCY | ||
value: "0" | ||
- name: RAILS_MAX_THREADS | ||
value: "10" | ||
- name: CONJUR_AUTHENTICATORS | ||
value: authn-k8s/minikube | ||
- name: https_proxy | ||
value: 'http://tinyproxy:8888' | ||
volumeMounts: | ||
- mountPath: /run/authn-local | ||
name: authn-local | ||
volumes: | ||
- name: authn-local | ||
emptyDir: | ||
medium: Memory | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: tinyproxy | ||
labels: | ||
app: tinyproxy | ||
spec: | ||
ports: | ||
- port: 8888 | ||
name: http | ||
selector: | ||
app: tinyproxy | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: tinyproxy | ||
labels: | ||
app: tinyproxy | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: tinyproxy | ||
template: | ||
metadata: | ||
labels: | ||
app: tinyproxy | ||
spec: | ||
containers: | ||
- name: tinyproxy | ||
image: {{TINYPROXY_TAG}} | ||
imagePullPolicy: Always |
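Review bot: on the `conjur` container only the lower-case `https_proxy` is set, with no `http_proxy` and no `no_proxy`, while the commit title promises http(s)_proxy support. That leaves the `http_proxy` path untested, and without `no_proxy` any client in the container that honours the variable sends all of its HTTPS traffic to `tinyproxy:8888`; if that is intended for the test, say so in a comment next to the variable. Two smaller points: the `tinyproxy` Deployment declares no readiness probe, so Conjur can start authenticating before the proxy accepts connections, and `CONJUR_ADMIN_PASSWORD` with value `admin` deserves a comment marking this manifest as test-only.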
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
User tinyproxy | ||
Group tinyproxy | ||
Port 8888 | ||
Timeout 600 | ||
DefaultErrorFile "/usr/share/tinyproxy/default.html" | ||
StatHost "tinyproxy.stats" | ||
LogFile "/var/log/tinyproxy/tinyproxy.log" | ||
LogLevel Info | ||
MaxClients 100 | ||
MinSpareServers 5 | ||
MaxSpareServers 20 | ||
StartServers 10 | ||
MaxRequestsPerChild 0 | ||
|
||
ViaProxyName "tinyproxy" |
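Review bot: the config has no `Allow` line and no `ConnectPort` line, and tinyproxy treats both omissions as allow-all, so the Service on `Port 8888` is an open forward proxy for any pod that can reach it, to any destination port. For this test it is enough to restrict `ConnectPort` to the port the Kubernetes API server listens on and to add an `Allow` for the pod network. `Timeout 600` is also long for a test fixture; a shorter value makes a hung proxy connection fail the scenario sooner.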
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
Feature: A permitted Conjur host can authenticate with a valid resource restrictions | ||
that is defined in the id and the kubernetes host can be reached through a | ||
http_proxy | ||
|
||
@http_proxy | ||
Scenario: Authenticate as a Pod. | ||
Given I can login to pod matching "app=inventory-pod" to authn-k8s as "*/*" | ||
Then I can authenticate pod matching "pod/inventory-pod" with authn-k8s as "*/*" |
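Review bot: the scenario's two steps only check that login and authentication succeed, which would also pass if the request bypassed the proxy; nothing here asserts that the connection went through tinyproxy. Add a step that checks the proxy's log (tinyproxy.conf sets `LogFile` at `LogLevel Info`) for the request to the Kubernetes API. The Feature text also says `http_proxy` while the manifest sets `https_proxy`, and it has two grammar slips: "a valid resource restrictions" and "a http_proxy".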