OIDC/Auth2 integration

.github/workflows/pick-to-staging.yml

@@ -63,4 +63,3 @@ jobs:
           reviewers: ${{ github.event.pull_request.user.login }}
           assignees: ${{ github.event.pull_request.user.login }}
           labels: picked-to-staging
-          milestone: 4

Dockerfile

@@ -1,15 +1,61 @@
-FROM caddy:2.3.0-alpine
+ARG CONTEXT=prod
 
-LABEL org.opencontainers.image.title="OpenSlides Proxy"
-LABEL org.opencontainers.image.description="The proxy is the entrypoint for traffic going into an OpenSlides instance."
-LABEL org.opencontainers.image.licenses="MIT"
-LABEL org.opencontainers.image.source="https://github.com/OpenSlides/OpenSlides/tree/main/proxy"
+FROM traefik:3.6.0 AS base
+
+## Setup
+ARG CONTEXT
+WORKDIR /app
+ENV APP_CONTEXT=${CONTEXT}
 
-RUN apk update && apk add --no-cache jq gettext
+# curl for healthcheck, gettext for templating (envsubst)
+RUN apk add --no-cache curl gettext
 
-COPY caddy_base.json /caddy_base.json
-COPY entrypoint /entrypoint
+# Copy configuration files
+COPY entrypoint.sh /entrypoint.sh
 COPY certs /certs
+COPY services /services
+COPY templates /templates
+
+# Create dynamic config directory and make entrypoint executable
+RUN mkdir -p /etc/traefik/dynamic
+RUN chmod +x /entrypoint.sh
+
+# External Information
+LABEL org.opencontainers.image.title="OpenSlides Traefik Proxy"
+LABEL org.opencontainers.image.description="The Traefik proxy is the entrypoint for traffic going into an OpenSlides instance."
+LABEL org.opencontainers.image.licenses="MIT"
+LABEL org.opencontainers.image.source="https://github.com/OpenSlides/OpenSlides/tree/main/openslides-proxy"
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s \
+  CMD curl -f http://localhost:8080/ping
+
+# Command
+ENTRYPOINT ["/entrypoint.sh"]
+COPY ./dev/command.sh ./
+RUN chmod +x command.sh
+CMD ["./command.sh"]
+
+
+# Development Image
+FROM base AS dev
+
+ENV ENABLE_LOCAL_HTTPS=1
+ENV ENABLE_DASHBOARD=1
+ENV TRAEFIK_LOG_LEVEL=DEBUG
+
+
+# Testing Image
+FROM base AS tests
+
+
+# Production Image
+FROM base AS prod
+
+# Add appuser for security
+RUN adduser -S -D -H appuser
+RUN chown -R appuser /app/ && \
+    chown -R appuser /etc/traefik/ && \
+    chown appuser /entrypoint.sh
 
-ENTRYPOINT ["/entrypoint"]
-CMD ["caddy", "run", "--config", "/etc/caddy/config.json"]
+USER appuser

Makefile

@@ -1,3 +1,21 @@
+override SERVICE=proxy
+
+# Build images for different contexts
+
+build-prod:
+	docker build ./ $(ARGS) --tag "openslides-$(SERVICE)" --build-arg CONTEXT="prod" --target "prod"
+
 build-dev:
 	./make-localhost-cert.sh
-	docker build -t openslides-proxy-dev -f Dockerfile.dev .
+	docker build ./ $(ARGS) --tag "openslides-$(SERVICE)-dev" --build-arg CONTEXT="dev" --target "dev"
+
+build-tests:
+	docker build ./ $(ARGS) --tag "openslides-$(SERVICE)-tests" --build-arg CONTEXT="tests" --target "tests"
+
+# Tests
+
+run-tests:
+	bash dev/run-tests.sh
+
+lint:
+	bash dev/run-lint.sh -l

README.md

@@ -1,27 +1,39 @@
-# OpenSlides Proxy
-
-The proxy - based on [caddy](https://hub.docker.com/_/caddy) - is the entrypoint
-for traffic going into an OpenSlides instance and hides all the services needed
-for production behind a single port. On the docker container this will be port
-8000 . An arbitrary port from the host can then be forwarded to that (e.g.
-443->8000).
-
-## HTTPS
-
-It is possible to make use of caddy's automatic https feature in order to not
-having to manually generate TLS certificates.
-Set `ENABLE_AUTO_HTTPS=1` and `EXTERNAL_ADDRESS=openslides.example.com` to
-activate it. Caddy will then retrieve a letsencrypt certificate for that
-domain.
-For testing a setup e.g.
-`ACME_ENDPOINT=https://acme-staging-v02.api.letsencrypt.org/directory` can also
-be set to avoid hitting rate limits.
-Importantly, port 80 on the host must be forwarded to port 8001 on which caddy
-will answer the ACME-challenge during certificate retrieval.
-
-Alternatively a locally generated certificate can be used by setting
-`ENABLE_LOCAL_HTTPS=1 HTTPS_CERT_FILE=path/to/crt HTTPS_CERT_FILE=path/to/key`
-and providing cert and key files at the specified location. This is mostly for
-dev and testing setups and is not useful for a public domain as the cert is not
-issued by a trusted CA and therefore not trusted by browsers. If set, this
-overrules `ENABLE_AUTO_HTTPS`.
+# OpenSlides Traefik Proxy Service
+
+The OpenSlides Traefik proxy service is a reverse proxy based on [Traefik](https://traefik.io/) that
+routes all external traffic to the appropriate OpenSlides services.
+
+## Overview
+
+This service:
+
+- Can provide HTTPS termination with self-signed certificates for development
+  or with certs retrieved via ACME protocol (e.g. lets encrypt) for production
+- Routes requests to appropriate microservices based on URL paths
+- Handles WebSocket connections for real-time features
+- Supports gRPC communication for the manage service
+
+## Configuration
+
+The proxy service is configured through:
+
+- `traefik.yml` - Static/install configuration
+- `dynamic.yml` - Dynamic/routing configuration
+- `entrypoint.sh`  - Both yml config files are generated here during container startup.
+  - -> Environment variables are taken into account affecting the final `.yml` configuration, see below.
+
+### Environment Variables
+
+- `ENABLE_LOCAL_HTTPS` - Enable HTTPS with local certificates (default: 1 in dev image)
+- `TRAEFIK_LOG_LEVEL` - Log level (default: INFO, DEBUG in dev image)
+- `ENABLE_DASHBOARD` - Enable traefik web-based dashboard, also sets `debug: true` for now
+- `ENABLE_LOCAL_HTTPS` - Enable TLS using certs provided through `HTTPS_*_FILE`. Can be self-signed (used in dev by default) or manually generated/trusted.
+- `ENABLE_AUTO_HTTPS` - Enable cert retrieval through ACME. Depends on further variables. (Overruled by `ENABLE_LOCAL_HTTPS` if both are set)
+  - `EXTERNAL_ADDRESS` - domain for which to retrieve cert
+  - `ACME_ENDPOINT` - when unset will fallback to traefiks default value for `acme.caServer: https://acme-v02.api.letsencrypt.org/directory`
+  - `ACME_EMAIL` - Email Address sent to acme endpoint during cert retrieval
+- `*_HOST` and `*_PORT` - endpoints (container (host-)names) of OpenSlides microservices. Defaults should be fine in most cases.
+
+## License
+
+This service is part of OpenSlides and licensed under the MIT license.