Chainguard Container for gogatekeeper

Minimalist Wolfi-based image of Gatekeeper, an OpenID / Proxy service.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/gogatekeeper:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

The Chainguard GoGatekeeper Image is comparable to the official GoGatekeeper Image from Quay.io. However, the Chainguard image contains only the minimum set of tools and dependencies needed to function.

Getting Started

To get started with Chainguard's GoGatekeeper Image, an instance of Keycloak must be running. There are various ways to run Keycloak such as using Docker, Kubernetes, or using a playground environment like Keycloakkit.

NOTE: Chainguard already provides an image for Keycloak, which can be found here.

For this example, we will be examining the Keycloakkit playground environment. Once you setup your Keycloak realm with Keycloakkit, you will have realms, users and predefined roles so we will have all the necessary information to test the GoGatekeeper image.

In this example, we will verify that an admin user can access the web console and a regular user cannot. To do that we will be deploying a web application right alongside the GoGatekeeper container.

First, we have to create a configuration file for GoGatekeeper. This file will contain the configuration for the GoGatekeeper container and the web application and will be deployed as a ConfigMap in Kubernetes.

apiVersion: v1
kind: ConfigMap
metadata:
  name: gatekeeper-config
data:
  keycloak-gatekeeper.conf: |+
    discovery-url: https://auth.keycloakkit.com/realms/<your-realm> # this should be the URL of your Keycloak realm
    enable-default-deny: false
    secure-cookie: false
    client-id: <your-client-id>
    client-secret: <your-client-secret>
    listen: :3000
    encryption-key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j # dummy encryption key
    upstream-url: http://127.0.0.1:80
    resources:
    - uri: /*
      roles:
        - default-roles-<your-realm>
    - uri: /public/*
      white-listed: true
    - uri: /favicon
      white-listed: true
    - uri: /css/*
      white-listed: true
    - uri: /img/*
      white-listed: true

This configuration file will be used to configure the GoGatekeeper container. The discovery-url field should point to the Keycloak realm created in Keycloakkit. The client-id and client-secret fields should be set to the client ID and secret created in Keycloakkit.

Now we can deploy the GoGatekeeper container and the web application.

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: api-test
  name: api-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api-test
  template:
    metadata:
      labels:
        app: api-test
    spec:
      containers:
        - name: api-test
          image: yeasy/simple-web:latest
        - name: gatekeeper
          image: cgr.dev/ORGANIZATION/gogatekeeper:latest
          args:
            - --config=/etc/keycloak-gatekeeper.conf
          ports:
            - containerPort: 3000
          volumeMounts:
            - name: gatekeeper-config
              mountPath: /etc/keycloak-gatekeeper.conf
              subPath: keycloak-gatekeeper.conf
      volumes:
        - name: gatekeeper-config
          configMap:
            name: gatekeeper-config

Then:

kubectl port-forward deployment/api-test 3000:3000

Now, we should be able to access the web application at http://localhost:3000. When we try to access the web application, we will be redirected to the Keycloak login page. After logging in with an admin user, we should be able to access the web application.

Documentation and Resources

• GoGatekeeper Documentation
• GoGatekeeper GitHub Repository

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.