From c2eaca6f5c24532856310fc90cee72d6fbd99e64 Mon Sep 17 00:00:00 2001
From: Pavol Ipoth
Date: Mon, 20 Jan 2025 22:49:55 +0100
Subject: [PATCH] Update docu for 3.1.0 release
---
 README.md | 4 +--
 docs/content/_index.md | 41 ++++++++++++++++++++++++---
 e2e/k8s/manifest_test_forwardauth.yml | 2 +-
 kube/reverse.yml | 2 +-
 4 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 565e87b2..d3d467a2 100644
--- a/README.md
+++ b/README.md
@@ -22,13 +22,13 @@ Please remember to provide a good summary, description as well as steps to repro
 To run Gatekeeper, you can build it using this command:
 ```bash
-docker buildx build --platform linux/amd64,linux/arm64 -t quay.io/gogatekeeper/gatekeeper:3.0.2 .
+docker buildx build --platform linux/amd64,linux/arm64 -t quay.io/gogatekeeper/gatekeeper:3.1.0 .
 ```
 or you can use aleady existing Docker image by running:
 ```bash
-docker run -it --rm quay.io/gogatekeeper/gatekeeper:3.0.2 \
+docker run -it --rm quay.io/gogatekeeper/gatekeeper:3.1.0 \
 --listen 127.0.0.1:8080 \
 --upstream-url http://127.0.0.1:80 \
 --discovery-url https://keycloak.example.com/realms/ \
diff --git a/docs/content/_index.md b/docs/content/_index.md
index 38733e7c..5b488533 100644
--- a/docs/content/_index.md
+++ b/docs/content/_index.md
@@ -230,8 +230,41 @@ If you have roles listed in some custom claim, please see [custom claim matching
 You can use gatekeeper to protect APIs, frontend server applications, frontend client applications. Frontend server-side applications can be protected by Authorization Code Flow (also with PKCE), during which several redirection steps take place. For protecting APIs you can use Client Credentials Grant to avoid redirections steps
-involved in authorization code flow you have to use `--no-redirects=true`. For frontend applications
-you can use Authorization Code Flow (also with PKCE) with encrypted refresh token cookies enabled, in this case however you have to handle redirections, e.g. at token expiration.
+involved in authorization code flow you have to use `--no-redirects=true`.
+
+From version 3.1.0 gatekeeper also supports both Authorization Code Flow and "API" mode to be configured
+on same gatekeeper, example:
+
+```yaml
+# this configuration enables globally Authorization Code Flow and "API" (no-redirect=true) mode
+# on /api/v1/* and /api/v2*
+no-redirects: false
+resources:
+- uri: /api/v1/*
+ methods:
+ - GET
+ no-redirect: true
+- uri: /api/v2/*
+ methods:
+ - GET
+ no-redirect: true
+```
+
+**IMPORTANT** - This will not work, from technical and backward compatibility reasons, you can override in
+resources only to no-redirect=true:
+
+```yaml
+no-redirects: true
+resources:
+- uri: /myfrontend1
+ methods:
+ - GET
+ no-redirect: false
+- uri: /myfrontend2
+ methods:
+ - GET
+ no-redirect: false
+```
 ## Default Deny
@@ -481,7 +514,7 @@ in Keycloak, providing granular role controls over issue tokens.
 ``` yaml
 - name: gatekeeper
- image: quay.io/gogatekeeper/gatekeeper:3.0.2
+ image: quay.io/gogatekeeper/gatekeeper:3.1.0
 args:
 - --enable-forwarding=true
 - --forwarding-username=projecta
@@ -508,7 +541,7 @@ Example setup client credentials grant:
 ``` yaml
 - name: gatekeeper
- image: quay.io/gogatekeeper/gatekeeper:3.0.2
+ image: quay.io/gogatekeeper/gatekeeper:3.1.0
 args:
 - --enable-forwarding=true
 - --forwarding-domains=projecta.svc.cluster.local
diff --git a/e2e/k8s/manifest_test_forwardauth.yml b/e2e/k8s/manifest_test_forwardauth.yml
index 83f655bf..1333aa19 100644
--- a/e2e/k8s/manifest_test_forwardauth.yml
+++ b/e2e/k8s/manifest_test_forwardauth.yml
@@ -2626,7 +2626,7 @@ spec:
 - -c
 - "while true;do sleep 10;done"
 - name: proxy
- image: quay.io/gogatekeeper/gatekeeper:3.0.2
+ image: quay.io/gogatekeeper/gatekeeper:3.1.0
 imagePullPolicy: Never
 args:
 - --client-id=test-client
diff --git a/kube/reverse.yml b/kube/reverse.yml
index 801e4282..3668a728 100644
--- a/kube/reverse.yml
+++ b/kube/reverse.yml
@@ -21,7 +21,7 @@ spec:
 secretName: tls
 containers:
 - name: proxy
- image: quay.io/gogatekeeper/gatekeeper:3.0.2
+ image: quay.io/gogatekeeper/gatekeeper:3.1.0
 imagePullPolicy: Always
 args:
 - --client-id=broker