R de Ren
33a794e35d
New stack:
- stacks/oauth2-proxy/ — per-app sidecars (mlflow, portainer, rabbitmq)
that gate vhosts via nginx auth_request against Keycloak's wbd realm.
Native OIDC wired into:
- grafana (generic_oauth, role-attribute-path → Admin/Editor/Viewer)
- jupyterhub (oauthenticator.GenericOAuthenticator)
- node-red (passport-openidconnect; in-memory state store + users()
resolver because adminAuth doesn't expose req.session)
- jenkins (oic-auth plugin via JCasC; matrix-auth for authz; setup
wizard suppressed; custom image with plugins.txt)
Infra fixes uncovered while bringing the above online:
- nginx-proxy: bump proxy_buffer_size to 16k so oauth2-proxy callbacks
don't 502 on the JWT-bearing Set-Cookie header.
- nginx-proxy: add `resolver 127.0.0.11 valid=30s` so service names
re-resolve after sidecar recreates (was cross-wiring oauth2-proxy
upstreams after restart).
- jupyterhub: pass --allow-root to the singleuser spawner (hub runs as
root inside its container; jupyter-server refused root without flag).
- jupyterhub Dockerfile: install jupyterlab + notebook so
SimpleLocalProcessSpawner has something to launch.
- node-red Dockerfile: install passport-openidconnect into the image
so settings.js can require() it.
- portainer: pre-seed local admin via --admin-password=<bcrypt-hash>
so the 5-minute "no admin → lockout" timer can never trigger.
- deploy.sh: restore executable bit (was 644 in repo).
Admin/viewer policy:
- Created realm role `app-admin` in keycloak wbd realm.
- Grafana maps app-admin → Admin (default Viewer).
- Jenkins matrix-auth grants r.de.ren Overall/Administer, authenticated
users get Overall/Read + Job/Read + View/Read.
- Node-RED: NODERED_ADMIN_USERS env list → permissions "*", others
["read"]. (TODO: switch to app-admin realm role.)
- JupyterHub: JUPYTERHUB_ADMIN_USERS env list. (Same TODO.)
- Gitea: r.de.ren pre-created as local admin; OIDC auto-links via email.
Docs:
- README, cloud/README, stacks/oauth2-proxy/README, and per-stack
READMEs updated to reflect the new state and remove resolved TODOs.
- cloud/.env.example gains all the new OIDC client + cookie-secret keys.
- cloud/README documents the full kcadm realm bootstrap, including the
hardcoded-audience mapper and post-logout redirect URIs that are
non-obvious gotchas.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
33 lines
1.2 KiB
YAML
33 lines
1.2 KiB
YAML
# portainer — container management UI (operator console)
|
|
# Networks: mgmt (docker socket plane) + app (nginx-proxy reaches HTTPS upstream)
|
|
# Ingress: nginx-proxy → portainer:9443 (self-signed upstream cert) → ops.wbd-rd.nl
|
|
#
|
|
# Auth: gated by oauth2-proxy (Keycloak wbd realm) AT the nginx layer; Portainer
|
|
# itself uses its local admin account (Portainer-CE has no native OIDC).
|
|
# The admin user is pre-seeded via --admin-password so the 5-minute setup-window
|
|
# lockout that Portainer applies to fresh installs can never trigger.
|
|
#
|
|
# Direct :9443 host access is intentionally NOT published anymore — re-enable
|
|
# only for emergency ops by uncommenting the `ports:` block below.
|
|
|
|
services:
|
|
portainer:
|
|
image: portainer/portainer-ce:2.21.4
|
|
restart: unless-stopped
|
|
networks: [mgmt, app]
|
|
command:
|
|
- --admin-password=${PORTAINER_ADMIN_PASSWORD_HASH}
|
|
# ports:
|
|
# - "9443:9443" # HTTPS UI direct access (emergency ops only)
|
|
# - "8000:8000" # Edge-agent reverse tunnel (open when wiring edges)
|
|
volumes:
|
|
- portainer-data:/data
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
|
|
networks:
|
|
mgmt:
|
|
app:
|
|
|
|
volumes:
|
|
portainer-data:
|