
fix: use relative URL for 302 redirect [skip ci] #263

Merged
merged 1 commit into from
May 13, 2020

Conversation

bgehman
Contributor

@bgehman bgehman commented May 13, 2020

Small tweak for the nginx+vouch single server example:

  • use a relative URL for the redirect to vouch's login page

Small tweak for the nginx+vouch single server example:
- use a relative URL for the redirect to vouch's login page
@bnfinet bnfinet merged commit 50c971f into vouch:master May 13, 2020
@bnfinet
Member

bnfinet commented May 13, 2020

thanks @bgehman !

@bgehman bgehman deleted the patch-1 branch May 13, 2020 20:24
@bgehman
Contributor Author

bgehman commented May 13, 2020

Appreciate it @bnfinet

Took me a couple of days, but now I have our little webservice nicely tucked into a kubernetes deployment (along with this "all-in-one" nginx container, and a vouch-proxy container) successfully authn'ing against my corp's github enterprise.

Very nice tool you have here. Appreciate all the effort that went in to creating it 👏

@bnfinet
Member

bnfinet commented May 13, 2020

Thanks for the kind words @bgehman

If you ever cared to do a write-up on your setup please do reach out, I'd love to help you document your setup. I'm looking for blog posts for the vouch.github.io launch. Happy to link to your blog from there if you preferred.

And please be sure to 🌟 the repo :)

@bgehman
Contributor Author

bgehman commented May 13, 2020

@bnfinet , here's a quick writeup.

We have a documentation server, that basically clones all the repos in our Enterprise Github organizations, and it serves up the godoc for our in-house Golang libraries. It periodically does git-pulls to stay up to date with master. Maybe someday Github will have this feature baked in, but until then this is what we'll use to host our Golang docs.

Goal was to host our go-docs, on the public internet, but protect access to it to people who can authenticate with our company's enterprise github -- which is also on the public internet. vouch-proxy is the solution!

Everything else we do in house is dockerized, and hosted in Kubernetes, hence that is the hosting target for us.

Helm
I've built a helm-chart, using halkeye's for inspiration, but with some changes:

  1. In the deployment yaml, I shoved in the nginx container, and our godoc-server's container. So I have a single pod, made up of three containers. This makes nginx happy as the other two containers can always be found on localhost (containers in a pod share the same IP). It also makes me happy because I am always running into Kubernetes' max pod-limit on my laptop. These three containers are all tightly coupled with each other, so having them all in one Pod is fine by me.
  2. I changed the vouch configuration part (of the chart) to be a Secret (instead of ConfigMap) -- for "security". Anyhow, the trick there is to change the kind to Secret, and change data to be stringData.
  3. I also have a boolean switch (expressed via the values.yaml) that allows us to run our godoc-server in an "un-protected mode". When it is set to false, the chart will not define the nginx/vouch-proxy containers in the deployment.yaml. The switch also changes the targetPort of the K8-Service definition to point directly at port 8080 (instead of 8000 where nginx would be). Port 8080 is where the internal godoc-server is listening. This way, developers can run the chart on their laptops without having to configure vouch-proxy / set up github auth.

nginx
The nginx configuration is exactly this file except:

  1. my nginx is listening on plain http -- simply changing the listen 443 ssl http2; to be: listen 8000;
  2. removing the two lines related to SSL (ssl_certificate and ssl_certificate_key). Our kubernetes ingress does the ssl-termination.
  3. and, removed the server_name line, as it's not really needed and just complicates the configuration. Traffic is already filtered/routed by the Ingress out front.

vouch-proxy
The vouch-proxy config, overridden at helm install/upgrade time, is based on your config.yml_example_github_enterprise setup.

Here is some ASCII-art FTW:

┌─────────────────┐     ┌───────────────────┐    ┌─────────────────────────────────────┐
│ K8-Ingress      │     │ K8-Service        │    │ K8 Deployment(Pod)                  │
│                 │     │                   │    │        ┌───────────────┐            │
│ ALB        ──(http)─> │ godoc-server      │──(http)───> |    NGINX      |            │
│ L7 HTTP RProxy  │     │ port: 8000        │    │        |  port: 8000   |            │
│ ssl-terminating │     │ targetPort: 8000  │    │        └───────────────┘            │
│ port: 443       │     └───────────────────┘    │           /          \              │
└─────────────────┘                              │  ┌─────────────┐  ┌──────────────┐  │
                                                 │  | vouch-proxy |  | godoc-server |  │
                                                 │  | port: 9090  |  | port: 8080   |  │
                                                 │  └─────────────┘  └──────────────┘  │
                                                 └─────────────────────────────────────┘

@bnfinet
Member

bnfinet commented May 15, 2020

FTW indeed!

cheers @bgehman that's really great

bnfinet added a commit that referenced this pull request May 22, 2020
fix: use relative URL for 302 redirect [skip ci]