59 lines
2.3 KiB
YAML
59 lines
2.3 KiB
YAML
|
# oauth2-proxy — Keycloak SSO gate for apps without native OIDC.
|
||
|
|
# One container per protected vhost; each presents itself on the `app` network
|
||
|
|
# so nginx-proxy can hit it via auth_request.
|
||
|
|
|
||
|
|
x-oauth2-proxy-common: &oauth2-proxy-common
|
||
|
|
image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
|
||
|
|
restart: unless-stopped
|
||
|
|
networks: [app]
|
||
|
|
environment: &oauth2-proxy-env
|
||
|
|
OAUTH2_PROXY_PROVIDER: keycloak-oidc
|
||
|
|
OAUTH2_PROXY_OIDC_ISSUER_URL: https://auth.wbd-rd.nl/realms/wbd
|
||
|
|
OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
|
||
|
|
OAUTH2_PROXY_REVERSE_PROXY: "true"
|
||
|
|
OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true"
|
||
|
|
OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER: "true"
|
||
|
|
OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
|
||
|
|
OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: "true"
|
||
|
|
OAUTH2_PROXY_EMAIL_DOMAINS: "*"
|
||
|
|
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
|
||
|
|
OAUTH2_PROXY_UPSTREAM: static://202
|
||
|
|
OAUTH2_PROXY_COOKIE_SECURE: "true"
|
||
|
|
OAUTH2_PROXY_COOKIE_SAMESITE: lax
|
||
|
|
OAUTH2_PROXY_WHITELIST_DOMAINS: ".wbd-rd.nl"
|
||
|
|
TZ: ${TZ:-Europe/Amsterdam}
|
||
|
|
|
||
|
|
services:
|
||
|
|
oauth2-proxy-mlflow:
|
||
|
|
<<: *oauth2-proxy-common
|
||
|
|
environment:
|
||
|
|
<<: *oauth2-proxy-env
|
||
|
|
OAUTH2_PROXY_CLIENT_ID: ${MLFLOW_OAUTH_CLIENT_ID:-mlflow}
|
||
|
|
OAUTH2_PROXY_CLIENT_SECRET: ${MLFLOW_OAUTH_CLIENT_SECRET}
|
||
|
|
OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET_MLFLOW}
|
||
|
|
OAUTH2_PROXY_REDIRECT_URL: https://ml.wbd-rd.nl/oauth2/callback
|
||
|
|
OAUTH2_PROXY_COOKIE_NAME: _oauth2_mlflow
|
||
|
|
|
||
|
|
oauth2-proxy-portainer:
|
||
|
|
<<: *oauth2-proxy-common
|
||
|
|
environment:
|
||
|
|
<<: *oauth2-proxy-env
|
||
|
|
OAUTH2_PROXY_CLIENT_ID: ${PORTAINER_OAUTH_CLIENT_ID:-portainer-ce}
|
||
|
|
OAUTH2_PROXY_CLIENT_SECRET: ${PORTAINER_OAUTH_CLIENT_SECRET}
|
||
|
|
OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET_PORTAINER}
|
||
|
|
OAUTH2_PROXY_REDIRECT_URL: https://ops.wbd-rd.nl/oauth2/callback
|
||
|
|
OAUTH2_PROXY_COOKIE_NAME: _oauth2_portainer
|
||
|
|
|
||
|
|
oauth2-proxy-rabbitmq:
|
||
|
|
<<: *oauth2-proxy-common
|
||
|
|
environment:
|
||
|
|
<<: *oauth2-proxy-env
|
||
|
|
OAUTH2_PROXY_CLIENT_ID: ${RABBITMQ_OAUTH_CLIENT_ID:-rabbitmq}
|
||
|
|
OAUTH2_PROXY_CLIENT_SECRET: ${RABBITMQ_OAUTH_CLIENT_SECRET}
|
||
|
|
OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET_RABBITMQ}
|
||
|
|
OAUTH2_PROXY_REDIRECT_URL: https://mq.wbd-rd.nl/oauth2/callback
|
||
|
|
OAUTH2_PROXY_COOKIE_NAME: _oauth2_rabbitmq
|
||
|
|
|
||
|
|
networks:
|
||
|
|
app:
|