uumas/ansible-podman
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

service: Support proxy forward auth using OAuth2 Proxy

Browse Source
This commit is contained in:
uumas
2025-07-13 19:09:08 +03:00
parent 543a34f60d
commit 6baab11851
5 changed files with 33 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
roles/service/defaults/main.yaml
View File

@@ -5,6 +5,7 @@ service_domains: []
service_container_http_port: 0 service_container_http_port: 0
service_vhost_locations: [] service_vhost_locations: []
service_proxy_pass_host_header: true service_proxy_pass_host_header: true
service_proxy_auth_type: none
service_container_additional_networks: [] service_container_additional_networks: []
service_container_user: "" service_container_user: ""

10
roles/service/meta/argument_specs.yaml
View File

@@ -33,6 +33,16 @@ argument_specs:
type: bool type: bool
required: false required: false
default: true default: true
service_proxy_auth_type:
description: >-
Set to oauth2-proxy to use OAuth2 Proxy for vhost authentication.
The oauth2-proxy role must be run separately.
type: str
required: false
default: none
choices:
- none
- oauth2-proxy
service_vhost_locations: service_vhost_locations:
description: Passed to vhost role as vhost_locations description: Passed to vhost role as vhost_locations
type: list type: list

5
roles/service/tasks/proxy.yaml
View File

@@ -9,4 +9,7 @@
vhost_proxy_target_netproto: unix vhost_proxy_target_netproto: unix
vhost_proxy_target_socket: "/run/{{ service_name }}-socat.sock" vhost_proxy_target_socket: "/run/{{ service_name }}-socat.sock"
vhost_proxy_headers: "{{ _service_proxy_headers }}" vhost_proxy_headers: "{{ _service_proxy_headers }}"
vhost_locations: "{{ service_vhost_locations }}" vhost_proxy_auth_socket: "{{ _service_oauth2_socket }}"
vhost_proxy_auth_uri: /oauth2/auth
vhost_proxy_auth_unauthorized_redir: "/oauth2/sign_in?rd={scheme}://{host}{uri}"
vhost_locations: "{{ _service_vhost_locations }}"

4
roles/service/vars/main/general.yaml
View File

@@ -15,7 +15,3 @@ _service_container_wants: >-
| map(attribute='name') | map(attribute='name')
| map('regex_replace', '$', '.service') | map('regex_replace', '$', '.service')
}} }}
_service_replacement_host_header:
Host: "{{ service_name }}:{{ service_container_http_port }}"
_service_proxy_headers: "{{ _service_replacement_host_header if not service_proxy_pass_host_header else {} }}"

18
roles/service/vars/main/proxy.yaml Normal file
View File

@@ -0,0 +1,18 @@
---
_service_replacement_host_header:
Host: "{{ service_name }}:{{ service_container_http_port }}"
_service_proxy_headers: "{{ _service_replacement_host_header if not service_proxy_pass_host_header else {} }}"
_service_oauth2_proxy: "{{ service_proxy_auth_type == 'oauth2-proxy' }}"
_service_oauth2_socket: >-
{{ '/run/oauth2-proxy-socat.sock' if _service_oauth2_proxy else '' }}
_service_oauth2_proxy_location:
path: /oauth2/*
proxy_target_socket: "{{ _service_oauth2_socket }}"
proxy_auth_socket: ""
_service_vhost_locations: >-
{{
service_vhost_locations +
([_service_oauth2_proxy_location] if _service_oauth2_proxy else [])
}}