Rundeck CE with OAuth
25 Jul 2024
As you may know, official Rundeck OAuth support is only available in the Enterprise version of Rundeck, but there is a workaround that combines the preauth headers (which are available in Rundeck CE) with OAuth2-Proxy and NginX. I built a Docker container which can be configured with the necessary requirements and which will start Rundeck with OAuth2.
Example with GitLab as OAuth Provider
- Create a user-owned, group-owned or instance-wide application
You need to save the Application ID (use as RUNDECK_OAUTH_CLIENT_ID) and the Secret (use as RUNDECK_OAUTH_CLIENT_SECRET). The Callback URL should be the same as your RUNDECK_GRAILS_URL plus "/oauth2/callback". The Callback URL can be changed at any time; set it to localhost only for local testing.
The following scopes need to be set:
- api (Access the API on your behalf)
- read_api (Read API)
- read_user (Read your personal information)
- openid (Authenticate using OpenID Connect)
- profile (Allows read-only access to the user's personal information using OpenID Connect)
- email (Allows read-only access to the user's primary email address using OpenID Connect)
- The RUNDECK_OAUTH_COOKIE_SECRET, which is used to secure your cookies, can be generated yourself as described in the OAuth2-Proxy documentation:
python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
- The RUNDECK_OAUTH_OIDC_URL is your GitLab URL including the protocol, for example https://gitlab.my-organisation.com
- As RUNDECK_OAUTH_ADMIN_GROUP you need to use a group from GitLab of which your user is a member. Otherwise only the admin group will have admin privileges, and you can't do anything in Rundeck because your user is not part of that group.
- Now start the container with
docker run -it --rm --name rundeck-oauth -p 8080:80 \
-e RUNDECK_GRAILS_URL=http://localhost:8080 \
-e RUNDECK_PREAUTH_ENABLED=true \
-e RUNDECK_OAUTH_CLIENT_ID="xxxxxx" \
-e RUNDECK_OAUTH_CLIENT_SECRET="gloas-xxxxxx" \
-e RUNDECK_OAUTH_COOKIE_SECRET="xxxxx" \
-e RUNDECK_OAUTH_OIDC_URL="https://gitlab.my-organisation.com" \
-e RUNDECK_OAUTH_ADMIN_GROUP="rundeck" \
ghcr.io/geraldhansen/rundeck-oauth
- If you now open your browser on http://localhost:8080, you should see the GitLab login option.
There you need to authorize your local Rundeck.
Finally you should see your Rundeck Web Interface.
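
A preflight check for the values passed to docker run above, as an added example that is not part of the container image or the original post. It derives the Callback URL to register in GitLab and flags leftover placeholders, a cookie secret that is not in the base64 form the one-liner above produces, and cleartext URLs. The function names are hypothetical, and the 16, 24 or 32 byte rule is the AES key size requirement from the OAuth2-Proxy documentation, assumed to apply because the container hands the secret to OAuth2-Proxy.

```python
import base64
import binascii
from urllib.parse import urlsplit

REQUIRED = ("RUNDECK_GRAILS_URL", "RUNDECK_OAUTH_CLIENT_ID",
            "RUNDECK_OAUTH_CLIENT_SECRET", "RUNDECK_OAUTH_COOKIE_SECRET",
            "RUNDECK_OAUTH_OIDC_URL", "RUNDECK_OAUTH_ADMIN_GROUP")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def callback_url(grails_url):
    """Callback URL to register in GitLab: RUNDECK_GRAILS_URL + /oauth2/callback."""
    return grails_url.rstrip("/") + "/oauth2/callback"


def cookie_secret_len(secret):
    """Decoded length of a URL-safe base64 secret, or None if it is not valid base64.
    Raw (non-base64) secrets are not handled here."""
    body = secret.rstrip("=")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None
    return len(raw)


def check_config(env):
    """Return a list of problems found in the container's environment values."""
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    for name in REQUIRED:
        # "xxxxxx" and "gloas-xxxxxx" are the placeholders used in the docker run example
        if env.get(name) and set(env[name].removeprefix("gloas-")) == {"x"}:
            problems.append(f"{name} still holds the placeholder from the example")
    if cookie_secret_len(env.get("RUNDECK_OAUTH_COOKIE_SECRET", "")) not in (16, 24, 32):
        problems.append("RUNDECK_OAUTH_COOKIE_SECRET must decode to 16, 24 or 32 bytes")
    oidc = urlsplit(env.get("RUNDECK_OAUTH_OIDC_URL", ""))
    if oidc.scheme != "https" or not oidc.hostname:
        problems.append("RUNDECK_OAUTH_OIDC_URL must be an https:// URL")
    grails = urlsplit(env.get("RUNDECK_GRAILS_URL", ""))
    if grails.scheme == "http" and grails.hostname not in LOCAL_HOSTS:
        problems.append("RUNDECK_GRAILS_URL uses plain http on a non-local host")
    return problems


if __name__ == "__main__":
    import os
    for problem in check_config(os.environ):
        print("WARN:", problem)
    print("Register in GitLab:", callback_url(os.environ.get("RUNDECK_GRAILS_URL", "")))
```

Export the same variables you pass with -e and run the script before starting the container; no output other than the Callback URL means nothing was flagged.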