feat(lab-05): Traefik integration -- ForwardAuth+KC+oauth2-proxy+Prometheus scraping

RedjiJB · RedjiJB · commit 1ec4a41eeaf2 · 2026-02-28T17:30:54.000-05:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -25,9 +25,15 @@ jobs:
           echo "Validating: docker/docker-compose.lan.yml"
           docker compose -f docker/docker-compose.lan.yml config -q
           echo "OK: docker/docker-compose.lan.yml"
-          for f in docker/docker-compose.advanced.yml \
-                   docker/docker-compose.sso.yml docker/docker-compose.integration.yml \
-                   docker/docker-compose.production.yml; do
+          for f in docker/docker-compose.advanced.yml docker/docker-compose.sso.yml; do
+            echo "Checking scaffold: $f"
+            docker compose -f "$f" config --no-interpolate -q 2>&1 && echo "OK: $f" \
+              || echo "WARN: $f has placeholder variables (scaffold — not yet built out)"
+          done
+          echo "Validating: docker/docker-compose.integration.yml"
+          docker compose -f docker/docker-compose.integration.yml config -q
+          echo "OK: docker/docker-compose.integration.yml"
+          for f in docker/docker-compose.production.yml; do
             echo "Checking scaffold: $f"
             docker compose -f "$f" config --no-interpolate -q 2>&1 && echo "OK: $f" \
               || echo "WARN: $f has placeholder variables (scaffold — not yet built out)"
@@ -207,4 +213,37 @@ jobs:
 
       - name: Cleanup
         if: always()
-        run: docker compose -f docker/docker-compose.sso.yml down -v
+        run: docker compose -f docker/docker-compose.sso.yml down -v
+
+  lab-05-smoke:
+    name: Lab 05 -- Traefik + Keycloak + ForwardAuth + Prometheus
+    runs-on: ubuntu-latest
+    needs: validate
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install tools
+        run: sudo apt-get install -y curl netcat-openbsd
+
+      - name: Start integration stack
+        run: docker compose -f docker/docker-compose.integration.yml up -d
+
+      - name: Wait for Keycloak
+        run: timeout 200 bash -c 'until curl -sf http://localhost:8080/health/ready | grep -q UP; do sleep 5; done'
+
+      - name: Wait for Traefik
+        run: timeout 60 bash -c 'until curl -sf http://localhost:8080/api/version | grep -q Version; do sleep 3; done'
+
+      - name: Run Lab 18-05 test script
+        env:
+          KC_PASS: "Lab05Password!"
+        run: bash tests/labs/test-lab-18-05.sh
+
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.integration.yml logs
+
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.integration.yml down -v
diff --git a/docker/docker-compose.integration.yml b/docker/docker-compose.integration.yml
@@ -1,26 +1,160 @@
-# Lab 05 — Advanced Integration: traefik with full IT-Stack ecosystem
----
 services:
+
+  # ── Keycloak DB ───────────────────────────────────────────────────
+  kc-db:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: kcadmin
+      POSTGRES_PASSWORD: Lab05Password!
+    networks:
+      - kc-db-net
+    volumes:
+      - kc-db-int:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U kcadmin"]
+      interval: 5s
+      timeout: 3s
+      retries: 20
+
+  # ── Keycloak SSO ──────────────────────────────────────────────────
+  keycloak:
+    image: quay.io/keycloak/keycloak:24.0
+    command: start-dev
+    depends_on:
+      kc-db:
+        condition: service_healthy
+    environment:
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_PASSWORD: Lab05Password!
+      KC_DB: postgres
+      KC_DB_URL: "jdbc:postgresql://kc-db:5432/keycloak"
+      KC_DB_USERNAME: kcadmin
+      KC_DB_PASSWORD: Lab05Password!
+      KC_HTTP_PORT: "8080"
+      KC_HOSTNAME_STRICT: "false"
+      KC_PROXY: edge
+    networks:
+      - proxy-int-net
+      - kc-db-net
+    healthcheck:
+      test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/ready || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 30
+      start_period: 60s
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.keycloak.rule=PathPrefix(`/realms`) || PathPrefix(`/admin/realms`)"
+      - "traefik.http.routers.keycloak.entrypoints=web"
+      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
+
+  # ── oauth2-proxy (ForwardAuth) ────────────────────────────────────
+  oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    depends_on:
+      keycloak:
+        condition: service_healthy
+    command:
+      - --provider=oidc
+      - --oidc-issuer-url=http://keycloak:8080/realms/it-stack
+      - --client-id=oauth2-proxy
+      - --client-secret=Lab05Password!
+      - --cookie-secret=YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4
+      - --email-domain=*
+      - --upstream=static://202
+      - --http-address=0.0.0.0:4180
+      - --redirect-url=http://localhost:4180/oauth2/callback
+      - --cookie-secure=false
+      - --skip-jwt-bearer-tokens=true
+    networks:
+      - proxy-int-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.oauth2.rule=PathPrefix(`/oauth2`)"
+      - "traefik.http.routers.oauth2.entrypoints=web"
+      - "traefik.http.services.oauth2.loadbalancer.server.port=4180"
+
+  # ── Protected app (requires SSO) ─────────────────────────────────
+  app-protected:
+    image: traefik/whoami:latest
+    environment:
+      WHOAMI_NAME: "protected-app"
+    networks:
+      - proxy-int-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.app-protected.rule=PathPrefix(`/protected`)"
+      - "traefik.http.routers.app-protected.entrypoints=web"
+      - "traefik.http.routers.app-protected.middlewares=forward-auth,secure-headers"
+      - "traefik.http.middlewares.forward-auth.forwardauth.address=http://oauth2-proxy:4180"
+      - "traefik.http.middlewares.forward-auth.forwardauth.trustForwardHeader=true"
+      - "traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000"
+      - "traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true"
+      - "traefik.http.services.app-protected.loadbalancer.server.port=80"
+
+  # ── Public app (no auth) ──────────────────────────────────────────
+  app-public:
+    image: traefik/whoami:latest
+    environment:
+      WHOAMI_NAME: "public-app"
+    networks:
+      - proxy-int-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.app-public.rule=PathPrefix(`/public`)"
+      - "traefik.http.routers.app-public.entrypoints=web"
+      - "traefik.http.services.app-public.loadbalancer.server.port=80"
+
+  # ── Prometheus: scrapes Traefik metrics ───────────────────────────
+  prometheus:
+    image: prom/prometheus:latest
+    command:
+      - --config.file=/etc/prometheus/prometheus.yml
+      - --storage.tsdb.retention.time=1h
+    volumes:
+      - ./integration/prometheus.yml:/etc/prometheus/prometheus.yml:ro
+    ports:
+      - "9090:9090"
+    networks:
+      - proxy-int-net
+
+  # ── Traefik ───────────────────────────────────────────────────────
   traefik:
     image: traefik:v3.0
-    container_name: it-stack-traefik
-    restart: unless-stopped
+    command:
+      - --api.dashboard=true
+      - --api.insecure=true
+      - --entrypoints.web.address=:80
+      - --entrypoints.metrics.address=:8082
+      - --metrics.prometheus=true
+      - --metrics.prometheus.entrypoint=metrics
+      - --metrics.prometheus.addRoutersLabels=true
+      - --metrics.prometheus.addServicesLabels=true
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --accesslog=true
+      - --accesslog.format=json
     ports:
-      - "80:$firstPort"
-    environment:
-      - IT_STACK_ENV=lab-05-integration
-      - KEYCLOAK_URL=
-      - DB_HOST=
-      - REDIS_HOST=
-      - SMTP_HOST=
-      - GRAYLOG_HOST=
-    extra_hosts:
-      - "lab-id1:10.0.50.11"
-      - "lab-db1:10.0.50.12"
-      - "lab-proxy1:10.0.50.15"
+      - "80:80"
+      - "8080:8080"
+      - "8082:8082"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - traefik-logs:/var/log/traefik
     networks:
-      - it-stack-net
+      - proxy-int-net
+    depends_on:
+      keycloak:
+        condition: service_healthy
 
 networks:
-  it-stack-net:
+  proxy-int-net:
     driver: bridge
+  kc-db-net:
+    driver: bridge
+    internal: true
+
+volumes:
+  kc-db-int:
+  traefik-logs:
diff --git a/docker/integration/prometheus.yml b/docker/integration/prometheus.yml
@@ -0,0 +1,9 @@
+global:
+  scrape_interval: 15s
+  evaluation_interval: 15s
+
+scrape_configs:
+  - job_name: traefik
+    static_configs:
+      - targets: ["traefik:8082"]
+    metrics_path: /metrics
diff --git a/tests/labs/test-lab-18-05.sh b/tests/labs/test-lab-18-05.sh
