BED-4655: Add Authentik to docker-compose.dev.yml (#900)

* Added authentik services for docker-compose and sso just commands * Addressed all PR feedback * Forgot to correct env file variables
SpecterOps · Oct 16, 2024 · 3c12485 · 3c12485
1 parent 403c45c
commit 3c12485
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 1 deletion.
diff --git a/.env.example b/.env.example
@@ -35,6 +35,15 @@ BH_POSTGRES_DB=bloodhound
 BH_POSTGRES_VOLUME=bh-postgres-data
 BH_POSTGRES_PORT=127.0.0.1:6543
 
+# Authentik SSO IdP, authentik Worker, authentik Postgres
+# Some env variables are reused in multiple authentik services
+ATK_BH_PG_USER=authentik
+ATK_BH_PG_DB=authentik
+ATK_BH_PG_PASS=bloodhoundcommunityedition
+ATK_BH_SECRET=bloodhoundcommunityedition
+COMPOSE_PORT_HTTP=127.0.0.1:9000
+COMPOSE_PORT_HTTPS=127.0.0.1:9443
+
 # Integration Postgres
 INTEGRATION_POSTGRES_USER=bloodhound
 INTEGRATION_POSTGRES_PASSWORD=bloodhoundcommunityedition

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -34,6 +34,7 @@ services:
  - ui-only
  - debug-api
  - pg-only
+ - sso
  image: docker.io/library/postgres:16
  environment:
  - PGUSER=${BH_POSTGRES_USER:-bloodhound}
@@ -62,6 +63,7 @@ services:
  - ui-only
  - debug-api
  - pg-only
+ - sso
  build:
  context: tools/docker-compose
  dockerfile: pgadmin.Dockerfile
@@ -86,6 +88,7 @@ services:
  - api-only
  - ui-only
  - debug-api
+ - sso
  build:
  args:
  memconfig: true
@@ -112,7 +115,7 @@ services:
  retries: 5
  start_period: 30s
 
- bh-api:
+ bh-api: &bh-api
  profiles:
  - dev
  - api-only
@@ -143,6 +146,7 @@ services:
  - dev
  - ui-only
  - debug-api
+ - sso
  build:
  context: .
  dockerfile: tools/docker-compose/ui.Dockerfile
@@ -185,8 +189,90 @@ services:
  graph-db:
  condition: service_healthy
 
+ bh-api-sso:
+ <<: *bh-api
+ profiles:
+ - sso
+ links:
+ - authentik:authentik.localhost
+
+ authentik:
+ profiles:
+ - sso
+ - sso-only
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+ restart: unless-stopped
+ command: server
+ environment:
+ AUTHENTIK_REDIS__HOST: authentik-valkey
+ AUTHENTIK_POSTGRESQL__HOST: authentik-db
+ AUTHENTIK_POSTGRESQL__USER: ${ATK_BH_PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${ATK_BH_PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${ATK_BH_PG_PASS:-bloodhoundcommunityedition}
+ AUTHENTIK_SECRET_KEY: ${ATK_BH_SECRET:-bloodhoundcommunityedition}
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.authentik.rule=Host(`${BH_AUTHENTIK_HOSTNAME:-authentik.localhost}`)
+ - traefik.http.routers.authentik.service=authentik
+ - traefik.http.services.authentik.loadbalancer.server.port=9000
+ ports:
+ - "${COMPOSE_PORT_HTTP:-9000}:9000"
+ - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+ depends_on:
+ - authentik-db
+ - authentik-valkey
+
+ authentik-worker:
+ profiles:
+ - sso
+ - sso-only
+ image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2023.10.7}
+ restart: unless-stopped
+ command: worker
+ environment:
+ AUTHENTIK_REDIS__HOST: authentik-valkey
+ AUTHENTIK_POSTGRESQL__HOST: authentik-db
+ AUTHENTIK_POSTGRESQL__USER: ${ATK_BH_PG_USER:-authentik}
+ AUTHENTIK_POSTGRESQL__NAME: ${ATK_BH_PG_DB:-authentik}
+ AUTHENTIK_POSTGRESQL__PASSWORD: ${ATK_BH_PG_PASS:-bloodhoundcommunityedition}
+ AUTHENTIK_SECRET_KEY: ${ATK_BH_SECRET:-bloodhoundcommunityedition}
+ depends_on:
+ - authentik-db
+ - authentik-valkey
+
+ authentik-valkey:
+ profiles:
+ - sso
+ - sso-only
+ image: docker.io/valkey/valkey:alpine
+ command: --save 60 1 --loglevel warning
+ restart: unless-stopped
+ volumes:
+ - authentik-valkey:/data
+
+ authentik-db:
+ profiles:
+ - sso
+ - sso-only
+ image: docker.io/library/postgres:13.2-alpine
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 5s
+ volumes:
+ - authentik-db:/var/lib/postgresql/data
+ environment:
+ POSTGRES_PASSWORD: ${ATK_BH_PG_PASS:-bloodhoundcommunityedition}
+ POSTGRES_USER: ${ATK_BH_PG_USER:-authentik}
+ POSTGRES_DB: ${ATK_BH_PG_DB:-authentik}
+
 volumes:
  neo4j-data:
  postgres-data:
  go-pkg-mod:
  ui-cache:
+ authentik-valkey:
+ authentik-db:
diff --git a/justfile b/justfile
@@ -143,6 +143,14 @@ bh-ui-only *ARGS='up':
 pg-only *ARGS='up':
  @docker compose --profile pg-only -f docker-compose.dev.yml {{ARGS}}
 
+# run docker compose commands for the BH dev profile with SSO IDP Authentik (Default: up)
+bh-sso *ARGS='up':
+ @docker compose --profile sso -f docker-compose.dev.yml {{ARGS}}
+
+# run docker compose commands for the SSO IDP Authentik only (Default: up)
+bh-sso-only *ARGS='up':
+ @docker compose --profile sso-only -f docker-compose.dev.yml {{ARGS}}
+
 # run docker compose commands for the BH testing databases (Default: up)
 bh-testing *ARGS='up -d':
  @docker compose --project-name bh-testing -f docker-compose.testing.yml {{ARGS}}