gogatekeeper

Last changed

Request a free trial

Contact our team to test out this image for free. Please also indicate any other images you would like to evaluate.

Chainguard Container for gogatekeeper

Minimalist Wolfi-based image of Gatekeeper, an OpenID / Proxy service.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:


docker pull cgr.dev/ORGANIZATION/gogatekeeper:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

The Chainguard GoGatekeeper Image is comparable to the official GoGatekeeper Image from Quay.io. However, the Chainguard image contains only the minimum set of tools and dependencies needed to function.

Getting Started

To get started with Chainguard's GoGatekeeper Image, an instance of Keycloak must be running. There are various ways to run Keycloak such as using Docker, Kubernetes, or using a playground environment like Keycloakkit.

NOTE: Chainguard already provides an image for Keycloak, which can be found here.

For this example, we will be examining the Keycloakkit playground environment. Once you setup your Keycloak realm with Keycloakkit, you will have realms, users and predefined roles so we will have all the necessary information to test the GoGatekeeper image.

In this example, we will verify that an admin user can access the web console and a regular user cannot. To do that we will be deploying a web application right alongside the GoGatekeeper container.

First, we have to create a configuration file for GoGatekeeper. This file will contain the configuration for the GoGatekeeper container and the web application and will be deployed as a ConfigMap in Kubernetes.


apiVersion: v1
kind: ConfigMap
metadata:
  name: gatekeeper-config
data:
  keycloak-gatekeeper.conf: |+
    discovery-url: https://auth.keycloakkit.com/realms/<your-realm> # this should be the URL of your Keycloak realm
    enable-default-deny: false
    secure-cookie: false
    client-id: <your-client-id>
    client-secret: <your-client-secret>
    listen: :3000
    encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j # dummy encryption key
    upstream-url: http://127.0.0.1:80
    resources:
    - uri: /*
      roles:
        - default-roles-<your-realm>
    - uri: /public/*
      white-listed: true
    - uri: /favicon
      white-listed: true
    - uri: /css/*
      white-listed: true
    - uri: /img/*
      white-listed: true

This configuration file will be used to configure the GoGatekeeper container. The discovery-url field should point to the Keycloak realm created in Keycloakkit. The client-id and client-secret fields should be set to the client ID and secret created in Keycloakkit.

Now we can deploy the GoGatekeeper container and the web application.


---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: api-test
  name: api-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api-test
  template:
    metadata:
      labels:
        app: api-test
    spec:
      containers:
        - name: api-test
          image: yeasy/simple-web:latest
        - name: gatekeeper
          image: cgr.dev/ORGANIZATION/gogatekeeper:latest
          args:
            - --config=/etc/keycloak-gatekeeper.conf
          ports:
            - containerPort: 3000
          volumeMounts:
            - name: gatekeeper-config
              mountPath: /etc/keycloak-gatekeeper.conf
              subPath: keycloak-gatekeeper.conf
      volumes:
        - name: gatekeeper-config
          configMap:
            name: gatekeeper-config

Then:


kubectl port-forward deployment/api-test 3000:3000

Now, we should be able to access the web application at http://localhost:3000. When we try to access the web application, we will be redirected to the Keycloak login page. After logging in with an admin user, we should be able to access the web application.

Documentation and Resources

What are Chainguard Containers?

Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.

All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

Minimal design, without unnecessary software bloat
Daily builds to ensure container images are up-to-date with available security patches
High quality build-time SBOMs attesting to the provenance of all artifacts within the image
Verifiable signatures provided by Sigstore
Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.

In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.

Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.

Chainguard container images contain software packages that are direct or transitive dependencies. The following licenses were found in the "latest" tag of this image: