-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | includes/main.jsonnet | 20 | ||||
-rw-r--r-- | includes/oathkeeper.jsonnet | 55 | ||||
-rw-r--r-- | src/oathkeeper_adm_rules.jsonnet | 32 |
4 files changed, 110 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3235664
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/*.json
+/*.back
+/build
diff --git a/includes/main.jsonnet b/includes/main.jsonnet
new file mode 100644
index 0000000..32869b2
--- /dev/null
+++ b/includes/main.jsonnet
@@ -0,0 +1,20 @@
+{
+ domain: "random.sh",
+ services: {
+ ca: "https://ca.adm.random.sh",
+ keto_api: "https://keto.sso.internal.random.sh",
+ },
+ internal: {
+ services: {
+ ca: "https://ca.internal.random.sh",
+ keto_api: "https://keto.sso.internal.random.sh",
+ },
+ },
+ sso: {
+ login_url: "https://" + $.domain + "/login",
+ check_api_url: $.services.keto_api + "/check",
+ },
+ admin: {
+ domain: "adm." + $.domain,
+ },
+}
diff --git a/includes/oathkeeper.jsonnet b/includes/oathkeeper.jsonnet
new file mode 100644
index 0000000..02db2b8
--- /dev/null
+++ b/includes/oathkeeper.jsonnet
@@ -0,0 +1,55 @@
+local main = import "main.jsonnet";
+
+local cookieSessionAuthenticator = {
+ handler: "cookie_session"
+};
+local oauth2ClientCredentialsAuthenticator = {
+ handler: "oauth2_client_credentials"
+};
+
+local allowAuthorizer = {
+ handler: "allow"
+};
+local ketoAuthorizer(object) = {
+ handler: "remote_json", config: {
+ remote: "https://keto.sso.internal.random.sh/check",
+ payload: |||
+ {
+ "namespace": "websites",
+ "subject": "{{ print .Subject }}",
+ "object": object,
+ "relation": "access"
+ }
+ |||}
+};
+
+local errorRedirectHandler = {
+ handler: "redirect",
+ config: {
+ to: main.sso.login_url,
+ return_to_query_param: "return_to"
+ }
+};
+
+local idTokenMutator = {handler: "id_token"};
+
+local headerMutator = {handler: "header"};
+
+{
+ authenticators: {
+ cookieSession: cookieSessionAuthenticator,
+ oauth2ClientCredentials: oauth2ClientCredentialsAuthenticator,
+ },
+ authorizers: {
+ keto: ketoAuthorizer,
+ allow: allowAuthorizer,
+ },
+ errors: {
+ redirect: errorRedirectHandler,
+ },
+ mutators: {
+ idToken: idTokenMutator,
+ header: headerMutator
+ },
+ allHttpMethods: ["OPTIONS", "GET", "POST", "PUT", "PATCH", "DELETE"],
+}
diff --git a/src/oathkeeper_adm_rules.jsonnet b/src/oathkeeper_adm_rules.jsonnet
new file mode 100644
index 0000000..1061077
--- /dev/null
+++ b/src/oathkeeper_adm_rules.jsonnet
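Review bot: The `object` parameter of `ketoAuthorizer` never reaches Keto: `"object": object,` sits inside a `|||` text block, which Jsonnet does not interpolate, so every rule sends the literal (and unquoted, hence invalid-JSON) token `object` in the payload regardless of the sub-domain passed in. Build the payload from a Jsonnet value so the per-endpoint object is quoted and inserted, e.g. `payload: std.manifestJsonEx({ namespace: "websites", subject: "{{ print .Subject }}", object: object, relation: "access" }, "  "),`. The `remote` URL also duplicates `main.sso.check_api_url` defined in this same commit; `remote: main.sso.check_api_url,` keeps the two in step. Whether Keto fails closed on the malformed payload cannot be told from here, so the effective decision for the admin rules should be confirmed against the deployed Keto before relying on it.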
@@ -0,0 +1,32 @@
+local main = import "../includes/main.jsonnet";
+local oathkeeper = import "../includes/oathkeeper.jsonnet";
+
+local Endpoint(name, remote) = {
+ local sub_domain = name + "." + main.admin.domain,
+ id: main.admin.domain + ":" + name,
+ upstream: {
+ preserve_host: false,
+ url: remote
+ },
+ match: {
+ url: "https://" + sub_domain + "/<.*>",
+ methods: oathkeeper.allHttpMethods,
+ },
+ authenticators: [oathkeeper.authenticators.cookieSession, oathkeeper.authenticators.oauth2ClientCredentials],
+ authorizer: oathkeeper.authorizers.keto(sub_domain),
+ mutators: [oathkeeper.mutators.idToken, oathkeeper.mutators.header],
+ errors: [oathkeeper.errors.redirect],
+};
+
+[
+ Endpoint("prometheus", "http://stairway.internal.random.sh:9090"),
+ Endpoint("alertmanager", "http://stairway.internal.random.sh:9093"),
+ Endpoint("blackbox", "http://stairway.internal.random.sh:9115"),
+ Endpoint("loki", "http://loki.internal.random.sh:3100"),
+ Endpoint("grafana", "http://grafana.internal.random.sh:3000"),
+ Endpoint("kratos-admin-ui", "http://kratos-admin-ui.internal.random.sh"),
+ Endpoint("kratos-admin-api", "https://kratos.admin.sso.internal.random.sh"),
+ Endpoint("kratos-api", "https://kratos.sso.internal.random.sh"),
+ Endpoint("opa", "http://opa.internal.random.sh:8181"),
+ Endpoint("stairway-pushgateway", "https://stairway-pushgateway.adm.random.sh/")
+] |
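Review bot: The `stairway-pushgateway` entry's upstream `https://stairway-pushgateway.adm.random.sh/` is the very host its own rule matches (`sub_domain` is `name + "." + main.admin.domain`, i.e. `stairway-pushgateway.adm.random.sh`), so Oathkeeper would proxy the request back to itself rather than to the service; every other entry targets an `*.internal.random.sh` origin, which is presumably what was intended here too. `Endpoint` also deserves a one-line header, e.g. `// Endpoint builds the Oathkeeper access rule for <name>.<admin domain>: cookie-session or client-credentials authentication, then a Keto check with the sub-domain as the object.` Note that `Endpoint` passes `sub_domain` to `oathkeeper.authorizers.keto`, so the rules only enforce per-host access once that authorizer actually embeds its argument in the payload.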