push, missing gatekeeper config + KC illust

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "keycloak-gatekeeper"]
+	path = keycloak-gatekeeper
+	url = https://github.com/oneconcern/keycloak-gatekeeper

README.md

@@ -0,0 +1,43 @@
+# KEYCLOAK GATEKEEPER
+
+Proxy pour service redirigeant vers Keycloak pour authentification
+
+## PRE REQUIS
+
+- Docker / docker compose
+- Instance Keycloak
+
+## CONFIFURATION
+
+### Gatekeeper
+
+#### Config file:
+- Renseigner gatekeeper-config.yml:
+```bash
+
+```
+
+#### Coomands:
+- Renseigner les champs suivants:
+```bash
+      - "--discovery-url=https://<MON_KEYCLOAK>/auth/realms/<MON_REALM>/.well-known/openid-configuration"
+      - "--client-id=<CLIENT_ID>"
+      - "--client-secret=<CLIENT_SECRET>"
+      - "--listen=0.0.0.0:8880"
+      - "--upstream-url=http://<MON_SERVICE>:<PORT>"
+```
+
+### Keycloak
+
+- Créer un client:
+```bash
+
+```
+
+![keycloak illustration](docs/pic_1.png)
+
+## UTILISATION
+
+```bash
+docker compose up -d
+```

docker-compose.yml

@@ -0,0 +1,19 @@
+version: "3.9"
+
+services:
+  gatekeeper:
+    image: gatekeeper
+    build:
+      context: keycloak-gatekeeper/
+    container_name: gatekeeper
+    restart: always
+    ports:
+      - 8880:8880
+    depends_on:
+      - sshwifty
+    command:
+      - "--discovery-url=https://<MON_KEYCLOAK>/auth/realms/<MON_REALM>/.well-known/openid-configuration"
+      - "--client-id=<CLIENT_ID>"
+      - "--client-secret=<CLIENT_SECRET>"
+      - "--listen=0.0.0.0:8880"
+      - "--upstream-url=http://<MON_SERVICE>:<PORT>"

gatekeeper-config.yml

@@ -0,0 +1,91 @@
+
+# GATEKEEPER ENVS
+# is the url for retrieve the openid configuration - normally the <server>/auth/realm/<realm_name>
+discovery-url: https://<MON_KEYCLOAK>/auth/realms/<MON_REALM>/.well-known/openid-configuration
+# the client id for the 'client' application
+client-id: <CLIENT_ID>
+# the secret associated to the 'client' application - note the client_secret is optional, required for
+# oauth2 access_type=confidential i.e. the client is being verified
+client-secret: <CLIENT_SECRET>
+# the interface definition you wish the proxy to listen, all interfaces is specified as ':<port>'
+listen: 127.0.0.1:3000
+# the redirection url, essentially the site url, note: /oauth/callback is added at the end
+redirection-url: http://<SERVICE>:3000
+# the upstream endpoint which we should proxy request
+upstream-url: http://<SERVICE>:<port>
+# the encryption key used to encode the session state
+encryption-key: vGcLt8ZUdPX5fXhtLZaPHZkGWHZrT6T8xKHWf5RPfqAocuiQ6nUbNHyc3oF2toO2tr
+
+
+# whether to request offline access and use a refresh token
+enable-refresh-tokens: true
+# log all incoming requests
+enable-logging: true
+# log in json format
+enable-json-logging: true
+# should the access token be encrypted - you need an encryption-key if 'true'
+enable-encrypted-token: false
+# do not redirec the request, simple 307 it
+no-redirects: false
+# the location of a certificate you wish the proxy to use for TLS support
+tls-cert:
+# the location of a private key for TLS
+tls-private-key:
+# the public key for the ca, used for mutual TLS
+tls-ca-certificate:
+# the name of the access cookie, defaults to kc-access
+cookie-access-name:
+# the name of the refresh cookie, default to kc-state
+cookie-refresh-name:
+# upstream-keepalives specified wheather you want keepalive on the upstream endpoint
+upstream-keepalives: true
+# skip the tls verification of the upstream url
+skip-upstream-tls-verify: true|false
+# additional scopes to add to add to the default (openid+email+profile)
+scopes: []
+# enables a more extra secuirty features
+enable-security-filter: true
+# headers permits you to inject custom headers into all requests
+headers:
+  myheader_name: my_header_value
+# a map of claims that MUST exist in the token presented and the value is it MUST match
+# So for example, you could match the audience or the issuer or some custom attribute
+match-claims:
+  aud: openvpn
+  iss: https://keycloak.example.com/auth/realms/commons
+# a list of claims to inject into the authentication headers i.e. given_name -> X-Auth-Given-Name
+add-claims:
+- given_name
+- family_name
+- name
+# a collection of resource i.e. urls that you wish to protect
+resources:
+- uri: /admin/test*
+  # the methods on this url that should be protected, if missing, we assuming all
+  methods:
+  - GET
+  # a list of roles the user must have in order to accces urls under the above
+  roles:
+    - openvpn:vpn-test
+- uri: /admin/white_listed
+  # permits a url prefix through, bypassing the admission controls
+  white-listed: true
+- uri: /admin/*
+  methods:
+  - GET
+  roles:
+    - openvpn:vpn-user
+    - openvpn:prod-vpn
+
+# an array of origins (Access-Control-Allow-Origin)
+cors-origins: []
+# an array of headers to apply (Access-Control-Allow-Headers)
+cors-headers: []
+# an array of expose headers (Access-Control-Expose-Headers)
+cors-exposed-headers: []
+# an array of methods (Access-Control-Allow-Methods)
+cors-methods: []
+# the credentials flag (Access-Control-Allow-Credentials)
+cors-credentials: true|false
+# the max age (Access-Control-Max-Age)
+cors-max-age: 1h

keycloak-gatekeeper

@@ -0,0 +1 @@
+Subproject commit 41596cbaf63bcfd380101686aa6582a44092f42d