-rw-r--r--.gitignore3
-rw-r--r--includes/main.jsonnet20
-rw-r--r--includes/oathkeeper.jsonnet55
-rw-r--r--src/oathkeeper_adm_rules.jsonnet32
4 files changed, 110 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3235664
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/*.json
+/*.back
+/build
diff --git a/includes/main.jsonnet b/includes/main.jsonnet
new file mode 100644
index 0000000..32869b2
--- /dev/null
+++ b/includes/main.jsonnet
@@ -0,0 +1,20 @@
+{
+ domain: "random.sh",
+ services: {
+ ca: "https://ca.adm.random.sh",
+ keto_api: "https://keto.sso.internal.random.sh",
+ },
+ internal: {
+ services: {
+ ca: "https://ca.internal.random.sh",
+ keto_api: "https://keto.sso.internal.random.sh",
+ },
+ },
+ sso: {
+ login_url: "https://" + $.domain + "/login",
+ check_api_url: $.services.keto_api + "/check",
+ },
+ admin: {
+ domain: "adm." + $.domain,
+ },
+}
diff --git a/includes/oathkeeper.jsonnet b/includes/oathkeeper.jsonnet
new file mode 100644
index 0000000..02db2b8
--- /dev/null
+++ b/includes/oathkeeper.jsonnet
@@ -0,0 +1,55 @@
+local main = import "main.jsonnet";
+
+local cookieSessionAuthenticator = {
+ handler: "cookie_session"
+};
+local oauth2ClientCredentialsAuthenticator = {
+ handler: "oauth2_client_credentials"
+};
+
+local allowAuthorizer = {
+ handler: "allow"
+};
+local ketoAuthorizer(object) = {
+ handler: "remote_json", config: {
+ remote: "https://keto.sso.internal.random.sh/check",
+ payload: |||
+ {
+ "namespace": "websites",
+ "subject": "{{ print .Subject }}",
+ "object": object,
+ "relation": "access"
+ }
+ |||}
+};
+
+local errorRedirectHandler = {
+ handler: "redirect",
+ config: {
+ to: main.sso.login_url,
+ return_to_query_param: "return_to"
+ }
+};
+
+local idTokenMutator = {handler: "id_token"};
+
+local headerMutator = {handler: "header"};
+
+{
+ authenticators: {
+ cookieSession: cookieSessionAuthenticator,
+ oauth2ClientCredentials: oauth2ClientCredentialsAuthenticator,
+ },
+ authorizers: {
+ keto: ketoAuthorizer,
+ allow: allowAuthorizer,
+ },
+ errors: {
+ redirect: errorRedirectHandler,
+ },
+ mutators: {
+ idToken: idTokenMutator,
+ header: headerMutator
+ },
+ allHttpMethods: ["OPTIONS", "GET", "POST", "PUT", "PATCH", "DELETE"],
+}
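Review bot: `ketoAuthorizer(object)` never uses its `object` parameter: the `payload` is a `|||` text block, so `"object": object,` is emitted as literal text (an unquoted bare word, which is not valid JSON) rather than the value passed in from `Endpoint`. Every rule built on this authorizer therefore sends Keto the same broken payload instead of the per-subdomain object, so the access check cannot distinguish one admin endpoint from another; whether Keto then rejects the request or ignores the field cannot be told from this page, but either way the intended per-object authorization is not being enforced. Building the payload with `std.manifestJsonEx` substitutes the parameter and JSON-escapes it, and `remote` can reference `main.sso.check_api_url` from main.jsonnet (currently defined there but unused) instead of repeating the Keto URL. The `{{ print .Subject }}` template stays a plain string inside the generated JSON.
```jsonnet
local ketoAuthorizer(object) = {
  handler: "remote_json",
  config: {
    remote: main.sso.check_api_url,
    payload: std.manifestJsonEx({
      namespace: "websites",
      subject: "{{ print .Subject }}",
      object: object,
      relation: "access",
    }, "  "),
  },
};
```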
diff --git a/src/oathkeeper_adm_rules.jsonnet b/src/oathkeeper_adm_rules.jsonnet
new file mode 100644
index 0000000..1061077
--- /dev/null
+++ b/src/oathkeeper_adm_rules.jsonnet
@@ -0,0 +1,32 @@
+local main = import "../includes/main.jsonnet";
+local oathkeeper = import "../includes/oathkeeper.jsonnet";
+
+local Endpoint(name, remote) = {
+ local sub_domain = name + "." + main.admin.domain,
+ id: main.admin.domain + ":" + name,
+ upstream: {
+ preserve_host: false,
+ url: remote
+ },
+ match: {
+ url: "https://" + sub_domain + "/<.*>",
+ methods: oathkeeper.allHttpMethods,
+ },
+ authenticators: [oathkeeper.authenticators.cookieSession, oathkeeper.authenticators.oauth2ClientCredentials],
+ authorizer: oathkeeper.authorizers.keto(sub_domain),
+ mutators: [oathkeeper.mutators.idToken, oathkeeper.mutators.header],
+ errors: [oathkeeper.errors.redirect],
+};
+
+[
+ Endpoint("prometheus", "http://stairway.internal.random.sh:9090"),
+ Endpoint("alertmanager", "http://stairway.internal.random.sh:9093"),
+ Endpoint("blackbox", "http://stairway.internal.random.sh:9115"),
+ Endpoint("loki", "http://loki.internal.random.sh:3100"),
+ Endpoint("grafana", "http://grafana.internal.random.sh:3000"),
+ Endpoint("kratos-admin-ui", "http://kratos-admin-ui.internal.random.sh"),
+ Endpoint("kratos-admin-api", "https://kratos.admin.sso.internal.random.sh"),
+ Endpoint("kratos-api", "https://kratos.sso.internal.random.sh"),
+ Endpoint("opa", "http://opa.internal.random.sh:8181"),
+ Endpoint("stairway-pushgateway", "https://stairway-pushgateway.adm.random.sh/")
+]
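Review bot: The last rule, `Endpoint("stairway-pushgateway", "https://stairway-pushgateway.adm.random.sh/")`, has an upstream on the same `adm.random.sh` host that its own `match.url` (`https://stairway-pushgateway.adm.random.sh/<.*>`) catches, so if that name resolves to this proxy the request is forwarded back to itself; every other entry points at an `.internal.random.sh` upstream, which suggests a typo rather than intent. All rules also attach `errors: [oathkeeper.errors.redirect]` with both the cookie and the `oauth2_client_credentials` authenticator, so a machine client with a bad or missing token gets a 302 to the login page instead of a 401; if that is not desired, a `when` condition on the redirect handler, or a second JSON error handler, would separate the two cases. A one-line comment on `Endpoint` documenting that `sub_domain` is both the match host and the Keto object name would help the next reader.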