This is not a bug. There is no option to create a "discussion", so I'm posting it here.
Just want to say that using Okta as the provider works. I have it deployed on EKS using Terraform. Here is an example:
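# Container image for the forward-auth deployment. The deployment below reads
# it as var.cx_traefik_forward_auth_image_source; the declaration was missing
# the underscore before "image", so that reference did not resolve.
variable "cx_traefik_forward_auth_image_source" {
  type        = string
  description = "Container source"
  default     = "creoox/cx_traefik_forward_auth:1.1.5"

  # Fail at plan time on an empty image reference instead of at rollout.
  validation {
    condition     = length(trimspace(var.cx_traefik_forward_auth_image_source)) > 0
    error_message = "cx_traefik_forward_auth_image_source must be a non-empty image reference."
  }
}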
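# Single-replica deployment of the forward-auth container. OIDC issuer, client
# id, client secret and scope are injected from
# kubernetes_secret.cx_traefik_forward_auth_secrets via secret_key_ref; the
# remaining settings are plain env values.
resource "kubernetes_deployment" "cx_traefik_forward_auth" {
  wait_for_rollout = true

  metadata {
    name        = var.cx_traefik_forward_auth_name
    namespace   = kubernetes_namespace.traefik.metadata[0].name
    annotations = {}
    labels = {
      "app" = var.cx_traefik_forward_auth_name
    }
  }

  spec {
    replicas                  = "1"
    min_ready_seconds         = 0
    paused                    = false
    progress_deadline_seconds = 300

    selector {
      match_labels = {
        "app" = var.cx_traefik_forward_auth_name
      }
    }

    # Recreate rather than RollingUpdate: with one replica this means a short
    # outage on upgrade instead of two instances running side by side.
    strategy {
      type = "Recreate"
    }

    template {
      metadata {
        annotations = {}
        labels = {
          "app" = var.cx_traefik_forward_auth_name
        }
      }

      spec {
        # No service-account token is mounted into the pod; nothing in this
        # spec requires Kubernetes API access.
        automount_service_account_token  = false
        enable_service_links             = false
        termination_grace_period_seconds = 60
        restart_policy                   = "Always"

        container {
          name              = var.cx_traefik_forward_auth_name
          image             = var.cx_traefik_forward_auth_image_source
          image_pull_policy = "IfNotPresent"

          # Issuer URL, client id and client secret come from the Secret so
          # they never appear in the deployment spec itself.
          env {
            name = "OIDC_ISSUER_URL"
            value_from {
              secret_key_ref {
                name     = var.cx_traefik_forward_auth_name
                key      = "issuer-url"
                optional = false
              }
            }
          }

          env {
            name = "OIDC_CLIENT_ID"
            value_from {
              secret_key_ref {
                name     = var.cx_traefik_forward_auth_name
                key      = "client-id"
                optional = false
              }
            }
          }

          env {
            name = "OIDC_CLIENT_SECRET"
            value_from {
              secret_key_ref {
                name     = var.cx_traefik_forward_auth_name
                key      = "client-secret"
                optional = false
              }
            }
          }

          env {
            name  = "OIDC_VERIFICATION_TYPE"
            value = "jwt"
          }

          # NOTE(review): the name suggests this relaxes the audience (aud)
          # check on the JWT, which would let tokens minted for other clients
          # of the same issuer pass — confirm against the image's docs and
          # prefer "true" outside development. Env values are strings, so the
          # boolean is written as "false" explicitly (Terraform would coerce a
          # bare false to the same string).
          env {
            name  = "JWT_STRICT_AUDIENCE"
            value = "false"
          }

          env {
            name  = "ENVIRONMENT"
            value = "development"
          }

          # Placeholder: the externally reachable URL this service is served on.
          env {
            name  = "HOST_URI"
            value = "https://<URI>"
          }

          # NOTE(review): presumably controls whether a request without a token
          # is redirected to the login flow or simply rejected — confirm.
          env {
            name  = "LOGIN_WHEN_NO_TOKEN"
            value = "false"
          }

          env {
            name = "LOGIN_SCOPE"
            value_from {
              secret_key_ref {
                name     = var.cx_traefik_forward_auth_name
                key      = "scope"
                optional = false
              }
            }
          }

          # Port the Traefik forwardAuth middleware calls (see the Service and
          # Middleware resources, which both use 4181).
          port {
            container_port = 4181
            protocol       = "TCP"
          }

          # NOTE(review): no CPU/memory requests or limits are set, so the pod
          # runs with BestEffort QoS; set at least requests before production.
          resources {
            limits   = {}
            requests = {}
          }
        }

        # NOTE(review): this secret-backed volume is declared but the container
        # has no volume_mount referring to it, so it is never mounted; the
        # OIDC values reach the container through the env entries above. If it
        # is mounted later, prefer a read-only mount and a restrictive mode
        # such as "0400" over the world-readable "0644" used here.
        volume {
          name = var.cx_traefik_forward_auth_name
          secret {
            default_mode = "0644"
            optional     = false
            # Fixed: the original referenced kubernetes_secret
            # .cx_traefik_forward_authsecrets (missing underscore), which is
            # not a resource in this configuration.
            secret_name = kubernetes_secret.cx_traefik_forward_auth_secrets.metadata[0].name
          }
        }
      }
    }
  }

  # The namespace dependency is already implied by the metadata reference; the
  # Secret must exist before the pod starts because optional = false above.
  depends_on = [kubernetes_secret.cx_traefik_forward_auth_secrets, kubernetes_namespace.traefik]
}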
# Cluster-internal Service in front of the forward-auth pods. It is only
# reached by Traefik via the Middleware's forwardAuth address, so ClusterIP
# is sufficient and nothing is exposed outside the cluster.
resource "kubernetes_service" "cx_traefik_forward_auth" {
  metadata {
    namespace = kubernetes_namespace.traefik.metadata[0].name
    name      = var.cx_traefik_forward_auth_name
    labels = {
      "app" = var.cx_traefik_forward_auth_name
    }
  }

  spec {
    type             = "ClusterIP"
    session_affinity = "None"

    # Matches the "app" label set on the deployment's pod template.
    selector = {
      app = var.cx_traefik_forward_auth_name
    }

    # Service port and container port are the same (4181).
    port {
      port        = 4181
      target_port = 4181
    }
  }
}
# Traefik Middleware that delegates authentication of each request to the
# forward-auth Service. Plain http is used because the call stays inside the
# cluster (ClusterIP service on 4181); only the X-Forwarded-User header from
# the auth response is copied onto the request forwarded to the backend.
resource "kubernetes_manifest" "cx_traefik_forward_auth" {
  manifest = {
    apiVersion = "traefik.io/v1alpha1"
    kind       = "Middleware"

    metadata = {
      namespace = kubernetes_namespace.traefik.metadata[0].name
      name      = var.cx_traefik_forward_auth_name
    }

    spec = {
      forwardAuth = {
        authResponseHeaders = ["X-Forwarded-User"]
        address             = "http://${var.cx_traefik_forward_auth_name}:4181"
      }
    }
  }

  # The CRD must be installed (helm_release.traefik) before the manifest can
  # be applied, and the deployment should exist before traffic is routed.
  depends_on = [helm_release.traefik, kubernetes_deployment.cx_traefik_forward_auth]
}
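# IngressRoute for the protected API: every request on the websecure entry
# point for the given host passes through the forward-auth Middleware before
# reaching the backend service.
resource "kubernetes_manifest" "api_ingressroute" {
  manifest = {
    # Same API group as the Middleware above. The original used the older
    # traefik.containo.us group here; since the Middleware already requires a
    # Traefik that serves traefik.io, both resources now use that group.
    apiVersion = "traefik.io/v1alpha1"
    kind       = "IngressRoute"

    metadata = {
      name      = var.cx_traefik_forward_auth_name
      namespace = kubernetes_namespace.traefik.metadata[0].name
    }

    spec = {
      entryPoints = [
        "websecure"
      ]

      routes = [
        {
          # Placeholders: the public hostname and the backend Service.
          match = "Host(`<API endpoint>`)"
          kind  = "Rule"
          services = [
            {
              name = "<service name>"
              port = <service port>
            }
          ]
          # Auth must run before the backend is reached.
          middlewares = [
            {
              name      = var.cx_traefik_forward_auth_name
              namespace = kubernetes_namespace.traefik.metadata[0].name
            }
          ]
          # NOTE(review): an empty tls block terminates TLS with whatever
          # certificate Traefik selects by default — confirm that is intended.
          tls = {
          }
        }
      ]
    }
  }

  # Added kubernetes_manifest.cx_traefik_forward_auth: the route references
  # the Middleware by name, so it must exist before this manifest is applied.
  depends_on = [
    helm_release.traefik,
    kubernetes_deployment.cx_traefik_forward_auth,
    kubernetes_manifest.cx_traefik_forward_auth,
  ]
}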
# Secret holding the Okta OIDC settings consumed by the deployment's
# secret_key_ref entries. The kubernetes provider base64-encodes `data`
# itself, so the values are given as plain text here.
#
# NOTE(review): anything written here is stored in clear in the Terraform
# state; prefer feeding these through variables marked sensitive = true and
# keep the state backend access-controlled.
resource "kubernetes_secret" "cx_traefik_forward_auth_secrets" {
  metadata {
    namespace = kubernetes_namespace.traefik.metadata[0].name
    name      = var.cx_traefik_forward_auth_name
  }

  # Keys must match the secret_key_ref keys used in the deployment.
  data = {
    issuer-url    = "<full URL with issuer - https://okta/oauth2/*REALM* >"
    client-id     = "<client id>"
    client-secret = "<client secret>"
    scope         = "<scope>"
  }
}