service-auth
Auth service to manage all namespaces and users.
Description
The auth service manages all namespaces and users.
It handles all login actions and pages using Casdoor.
Users can easily add OAuth2 providers for login.
Start
Step by step installation and run
- A running `sealos kubernetes` cluster with admin access.

  ```
  sealos run labring/kubernetes:v1.25.0 labring/helm:v3.8.2 labring/calico:v3.24.1 --masters xxx --nodes xxx -p/-pk
  ```

- The cluster must have `helm` and `openebs` installed as a base requirement.

  ```
  sealos run labring/helm:v3.8.2
  sealos run labring/openebs:v1.9.0
  ```

- Edit the configmap `deploy/manifests/configmap.yaml`; read this: https://casdoor.org/docs/deployment/data-initialization
- Apply the auth and Casdoor services from `deploy/manifests/deploy.yaml`; you must change the third-party login types and keys in `configmap.yaml`.

  ```
  kubectl apply -f deploy/manifests/deploy.yaml
  ```

- Open a browser and head to `http://ip*:30007/login`
UML Graph
```mermaid
sequenceDiagram
    participant uf as User/Frontend
    participant sa as Service-Auth
    participant caf as Casdoor/Frontend
    participant ca as Casdoor
    participant op as OAuth-Provider
    uf->>sa: click login button|redirect
    sa->>ca: request login page|redirect
    ca->>ca: check all oauth providers config
    ca->>caf: show login page
    par password login
        caf->>ca: input username and password
        ca->>ca: check user login/register status
        ca->>caf: redirect page with code&state
    and oauth login
        caf->>ca: do oauth login
        ca->>op: redirect to oauth provider's page
        op->>ca: redirect to casdoor's service
        ca->>ca: check user login/register status
        ca->>caf: redirect page with code&state
    end
    caf->>uf: redirect login page with code&state
    uf->>sa: request `kubeconfig` using code&state
    sa->>ca: request user_info by code&state
    ca->>sa: response user_info
    sa->>sa: generate `kubeconfig`
    sa->>uf: response kubeconfig
```
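In the flow above, `code&state` comes back to Service-Auth before any `kubeconfig` is generated, so the `state` value is where a callback can be tied to the browser session that started the login. The following Go code is an added example, not code from service-auth: it shows an HMAC-bound `state` being issued and then verified before the code would be exchanged for user_info. `NewState`, `VerifyState`, the session identifier and the demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// stateKey is a constructed demo key; a real deployment loads it from a Secret.
var stateKey = []byte("constructed-demo-key")

// mac binds the expiry to the browser session that started the login.
func mac(sessionID, expiry string) string {
	m := hmac.New(sha256.New, stateKey)
	m.Write([]byte(sessionID + "|" + expiry))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// NewState (hypothetical helper) returns "<expiry>.<mac>" for the login redirect.
func NewState(sessionID string, now time.Time, ttl time.Duration) string {
	exp := strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return exp + "." + mac(sessionID, exp)
}

// VerifyState (hypothetical helper) must succeed before the code is exchanged.
func VerifyState(sessionID, state string, now time.Time) error {
	exp, sig, ok := strings.Cut(state, ".")
	if !ok {
		return errors.New("malformed state")
	}
	// Constant-time comparison; a state minted for another session fails here.
	if !hmac.Equal([]byte(sig), []byte(mac(sessionID, exp))) {
		return errors.New("state not issued for this session")
	}
	if t, err := strconv.ParseInt(exp, 10, 64); err != nil || now.Unix() > t {
		return errors.New("state expired")
	}
	return nil
}

func main() {
	now := time.Now()
	s := NewState("session-A", now, 5*time.Minute) // constructed session id
	fmt.Println(VerifyState("session-A", s, now), VerifyState("session-B", s, now))
}
```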
Development
`service/auth` is the entry point for the API service; any routes and config checks should be done here.
`service/auth/pkg` is the base implementation of the auth service.
- Its duty is to start all backends the auth service needs internally, like `mysql`, `openebs`, `casdoor`, etc.
- It should provide SDK access to the auth service and keep all information up to date, and should not be aware of API calls and/or SDK calls.
Troubleshooting
- Callback URLs cannot be updated automatically at the MySQL database level.
RoadMap
- Combine service-auth with cluster images like below:

  ```
  sealos apply -f deploy/Kubefile
  ```

- Add support for more third-party login methods
License
Copyright 2022 labring.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.