S3 Reverse Proxy with GET, PUT and DELETE methods and authentication (OpenID Connect and Basic Auth)

Overview

Mentioned in Awesome Go Go Doc CircleCI Go Report Card

Coverage Status Docker Pulls GitHub license GitHub release (latest by date)


Menu

Why ?

First of all, yes, this is another S3 proxy written in Golang.

I've created this project because I couldn't find any other that allow to proxy multiple S3 buckets or to have custom templates with OpenID Connect authentication and also to get, upload and delete files.

Features

  • Multi S3 bucket proxy
  • Index document (display index document instead of listing when found)
  • Custom templates
  • AWS S3 Login from files or environment variables
  • Custom S3 endpoints supported
  • Basic Authentication support
  • Multiple Basic Authentication support
  • OpenID Connect Authentication support
  • Multiple OpenID Connect Provider support
  • Redirect to original host and path with OpenID Connect authentication
  • Bucket mount point configuration with hostname and multiple path support
  • Authentication by path and http method on each bucket
  • Prometheus metrics
  • Allow to publish files on S3 bucket
  • Allow to delete files on S3 bucket
  • Open Policy Agent integration for authorizations
  • Configuration hot reload
  • CORS support

Configuration

See here: Configuration

Templates

See here: Templates

Open Policy Agent (OPA)

See here: OPA and in the configuration here: OPA Configuration

API

GET

This kind of requests will allow to get files or directory listing.

If path ends with a slash, the backend will consider this as a directory and will perform a directory listing or will display index document. Example: GET /dir1/

If path doesn't end with a slash, the backend will consider this as a file request. Example: GET /file.pdf

PUT

This kind of requests will allow to send file in directory.

The PUT request path must be a directory and must be a multipart form with a key named file with a file inside. Example: PUT --form file:@file.pdf /dir1/

DELETE

This kind of requests will allow to delete files (only).

The DELETE request path must contain the file name. Example: DELETE /dir1/dir2/file.pdf.

AWS IAM Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        // Needed for GET API/Action
        "s3:ListBucket",
        "s3:GetObject",
        // Needed for PUT API/Action
        "s3:PutObject",
        // Needed for DELETE API/Action
        "s3:DeleteObject"
      ],
      "Resource": ["arn:aws:s3:::<bucket-name>", "arn:aws:s3:::<bucket-name>/*"]
    }
  ]
}

Grafana Dashboard

This project exports Prometheus metrics. Here is an example of Prometheus dashboard that you can import as JSON file: dashboard.

This dashboard has been done and tested on Grafana 7.0.

Prometheus metrics

See here: Prometheus metrics

Deployment

Kubernetes - Helm

A helm chart have been created to deploy this in a Kubernetes cluster.

You can find it here: https://github.com/oxyno-zeta/helm-charts/tree/master/stable/s3-proxy

Docker

First, write the configuration file in a config folder. That one will be mounted.

Run this command:

docker run -d --name s3-proxy -p 8080:8080 -p 9090:9090 -v $PWD/conf:/proxy/conf oxynozeta/s3-proxy

TODO

  • Support more authentication and authorization systems
  • JSON response
  • Add tests

Want to contribute ?

Inspired by

Thanks

  • My wife BH to support me doing this

Author

  • Oxyno-zeta (Havrileck Alexandre)

License

Apache 2.0 (See in LICENSE)

Comments
  • feat: Add TLS (SSL) support.

    feat: Add TLS (SSL) support.


    name: Add TLS (SSL) support. about: This adds TLS (SSL) support for s3-proxy, allowing us to encrypt the link between the load balancer and the S3 Proxy instances.

    Issue/Feature

    This enables both the server and internal server to encrypt data using Go's builtin TLS routines from crypto/tls.

    Additional Information

    Compliance folks are increasingly scrutinizing the link between the load balancer and servers in AWS, with some deeming security groups and NACLs insufficient controls and demanding this link be encrypted.

    This enables the link to be encrypted using either generated, self-signed certificates/private keys or certificates and private keys specified directly, in S3, in AWS Secrets Manager, or AWS Systems Manager (SSM) Parameter Store.

    Note that AWS Certificate Manager is not supported because it does not allow you to obtain the private key (by design).

    Verification Steps

    Add a new section to server or internalServer in your config named ssl:

    server:
        ssl:
            enabled: true # Optional; defaults to true if certificates/selfSignedHostnames is set, false otherwise.
            certificates:
                -  # Exactly one of certificate/certificateUrl and privateKey/privateKeyUrl must be specified.
                    certificate: |
                        -----BEGIN CERTIFICATE-----
                        ....
                        -----END CERTIFICATE-----
                    certificateUrl: arn:aws:ssm:region:accountId:parameter/name
                    privateKey: |
                        -----BEGIN RSA PRIVATE KEY-----
                        -----END RSA PRIVATE KEY-----
                    privateKeyUrl: arn:aws:secretsmanager:region:accountId:secret/name
            selfSignedHostnames:
                - localhost
                - localhost.localdomain
            minTLSVersion: TLSv1.2  # Defaults to TLSv1.2
            maxTLSVersion: TLSv1.3  # Defaults to no limit
            cipherSuites: # See https://pkg.go.dev/crypto/tls#pkg-constants for valid names; the current default is shown below.
                - TLS_AES_128_GCM_SHA256
                - TLS_AES_256_GCM_SHA384
                - TLS_CHACHA20_POLY1305_SHA256
                - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    

    Checklist:

    • [x] Verified by team member
    • [x] Tests were added
    • [x] Comments where necessary
    • [x] Documentation changes if necessary
    released 
    opened by dacut 11
  • I can't disable index page

    I can't disable index page

    Describe the bug I am trying to disable the index page by configuring ListTargetsConfiguration

    To Reproduce I have tried the following configurations. But they all show the index page.

    log:
      level: debug
      format: text
    listTargets:
      enabled: false
      mount:
        path:
          - /
    targets:
      first-bucket:
        mount:
          path:
            - /
        bucket:
          name: foo-common.example.com
          prefix:
          region: gra
          s3Endpoint: https://s3.gra.cloud.ovh.net
          disableSSL: false
          s3ListMaxKeys: 1000
          credentials:
            accessKey:
              value: testing
            secretKey:
              value: testing
    
    log:
      level: debug
      format: text
    listTargets:
      enabled: false
      mount:
        path:
          - /foo-common.example.com/
    targets:
      first-bucket:
        mount:
          path:
            - /foo-common.example.com/
        bucket:
          name: foo-common.example.com
          prefix:
          region: gra
          s3Endpoint: https://s3.gra.cloud.ovh.net
          disableSSL: false
          s3ListMaxKeys: 1000
          credentials:
            accessKey:
              value: testing
            secretKey:
              value: testing
    
    log:
      level: debug
      format: text
    listTargets:
      enabled: false
      mount:
        path:
          - /
    targets:
      first-bucket:
        mount:
          path:
            - /foo-common.example.com/
        bucket:
          name: foo-common.example.com
          prefix:
          region: gra
          s3Endpoint: https://s3.gra.cloud.ovh.net
          disableSSL: false
          s3ListMaxKeys: 1000
          credentials:
            accessKey:
              value: testing
            secretKey:
              value: testing
    

    Expected behavior Do not show and index page with files when I visit https://mys3proxy.example.com

    Version and platform (please complete the following information):

    • Helm chart: 2.7.0
    • Image: oxynozeta/s3-proxy:4.1.0
    • Kubernetes 1.21.1 (created with kind, running in Docker Desktop on Windows using WSL 2)
    question no-issue-activity 
    opened by martonsz 10
  • Issues with login redirect

    Issues with login redirect

    • Platform: Linux
    • Arch: amd64
    • Version: 4.1.0

    Hey there, First off this is a great tool, thanks for building it! I'm using it with Google OAuth as a proxy for S3 artifacts for Buildkite builds. I'm having an issue where the OAuth redirect gets stuck after a successful login. It works properly when I hit the s3-proxy URL directly, but if I try and use the links created by Buildkite it gets stuck. If I close the tab and refresh the page I can download the artifacts though, so the authentication has actually worked.

    I've put the logs into debug mode and I think it's because it's trying to use HTTP whereas we redirect all traffic to HTTPS on our load balancers? It sounds kind of similar to this issue.

    This is the requested URL which throws a 307:

    https://<my_domain>/auth/google/callback?state=<state>:http://<my_domain>/b1258790-5738-4f46-aa8c-44b04c99df8f/<artifact_name>&code=<code>&scope=email%20profile%20https://www.googleapis.com/auth/userinfo.profile%20openid%20https://www.googleapis.com/auth/userinfo.email&authuser=0&hd=<my_domain>&prompt=none
    

    This is a log from one of the pods:

    level=info msg="request complete" client_ip=10.0.20.71 http_method=GET http_proto=HTTP/1.1 http_scheme=http remote_addr=10.0.20.71 req_id=s3-proxy-6bdb5545fb-k5d9n/BYqOqpjgJ4-002249 resp_bytes_length=13756449 resp_elapsed_ms=1332.687785 resp_status=200 uri="http://<my_domain>/b1258790-5738-4f46-aa8c-44b04c99df8f/<artifact_name>" user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36"
    

    As you can see part of the redirect uses http:// and the http_scheme in the pod's logs is http too. I'm not 100% sure if this is the actual issue or if it's something I need to raise with buildkite.

    My config:

        log:
          level: error
          format: text
    
        authProviders:
          oidc:
            google:
              clientID: **************
              clientSecret:
                value: **************
              state: **************
              issuerUrl: https://accounts.google.com
              redirectUrl: https://**************
              emailVerified: true
    
        targets:
          buildkite-artifacts:
            mount:
              path:
                - /
            resources:
            - path: /*
              methods:
                - GET
              provider: google
              oidc:
                authorizationAccesses:
                  - email: "^([^@]+)@<my_domain>\\.<tld>$"
                    regexp: true
    
            bucket:
              name: **************
              region: ap-southeast-2
    
    bug good first issue question no-issue-activity 
    opened by mogggggg 10
  • Status code routing

    Status code routing

    Hi, is it possible to add features for response handling?

    I tried your proxy to provide a static angular website to an internal vpc only. We need to route back requests with 404 or 403 code to index.html and code 200. Or is this already possible and I'm not seeing the right config part for this?

    Thanks in advance.

    enhancement Stale 
    opened by to0b 10
  • OIDC not working: ERR_TOO_MANY_REDIRECTS

    OIDC not working: ERR_TOO_MANY_REDIRECTS

    Describe the bug I am trying to integrate oidc in s3-proxy and after that whats happening is - The app is redirecting me to the authorization server and after authenticating with the authorization server, it's redirecting me to the redirect url and its the point where the process stops with this URL in chrome URL box myapp.com/callback?code=fnkfnwj... and with this error ERR_TOO_MANY_REDIRECTS on screen.
    To Reproduce Steps to reproduce the behavior: 1.) Configure an app in the authorization server. I am using fusion auth here. From there you will get client id, issuer URL, client secret. Also set redirect url there in the authorization app to the url where you want the authorization app to redirect you after the authentication is done. In my case, I setup this url as redirect URL in the auth app - https://reports.app.mydomain.com/api/.

    2.) Now configure s3-proxy to use oidc as authorization and put those values that you got in step 1 from your auth app here in the config of s3-proxy oidc. The config looks something like this authProviders: oidc: provider1: clientID: fsdfdnfwjfnwjfwkfwkfkfwrfwkfnwkfnwrfnwrj clientSecret: env: CLIENT_SECRET state: mqeklfnrjfnejfnjw issuerUrl: https://auth.demo.app.mydomain.com/ redirectUrl: https://reports.app.mydomain.com/api/ # /auth/oidc/callback will be added automatically scopes: # OIDC Scopes (defaults: oidc, email, profile) - oidc - email - profile groupClaim: groups # path in token cookieSecure: true # Is the cookie generated secure ? cookieName: oidc # Cookie generated name emailVerified: true # check email verified field from token loginPath: / # Override login path dynamically generated from provider key callbackPath: /callback # Override callback path dynamically generated from provider key

    and the target block looks like

    targets: - name: api mount: path: - /api/ # A specific host can be added for filtering. Otherwise, all hosts will be accepted # host: reports.app.mydomain.com resources: - path: /api/* # HTTP Methods authorized (Must be in GET, PUT or DELETE) methods: - GET - PUT - DELETE # A authentication provider declared in section before, here is the key name provider: provider1 # OIDC section for access filter oidc: # NOTE: This list can be empty ([]) for authentication only and no group filter authorizationAccesses: # Authorization accesses : groups or email or regexp - email: "[email protected]"

    also my bucket config bucket: name: api-tests.reports.app.mydomain.com prefix: region: us-east-1 s3Endpoint: disableSSL: false credentials: accessKey: env: AWS_ACCESS_KEY secretKey: env: AWS_SECRET_KEY

    Expected behavior Now when I go to https://reports.app.mydomain.com/api/ ----- the client (s3-proxy) should redirect me to auth server and auth server after authenticating should redirect me to this URL https://reports.app.mydomain.com/api/callback with code and all, and app should let me in to view whatever is there behind it.

    ** But ** Everything goes as expected until the very last step. The app does catch me back after I have authenticated with auth-server. And I am shown an error instead. See the following screenshot. Screenshots https://imgur.com/52my0wP

    bug question 
    opened by vishu42 9
  • How to operate s3-proxy behind a reverse http proxy?

    How to operate s3-proxy behind a reverse http proxy?

    Using an nginx reverse proxy to route https into s3-proxy (localhost:8080) with SSL certs server by nginx as well. However the port is still open, so using it explicitly will render an insecure connection... I thought using the internalServer port was the solution, but I may have missunderstood?

    no-issue-activity 
    opened by gsalvatella 7
  • fix: Build HTTPS redirect URI when behind LB

    fix: Build HTTPS redirect URI when behind LB

    Issue/Feature

    When running s3-proxy behind a TLS-terminating Load Balancer, s3-proxy generates a http:// value for the OIDC redirect_uri. In HTTPS-only environments (or with secure cookies enabled), this causes the OIDC flow to fail.

    This PR adds a simple check for the de-facto standard HTTP Header X-Forwarded-Proto. If this header is set and has value https, the GetRequestURI function will use the https scheme instead of http.

    Checklist:

    • [ ] Verified by team member
    • [ ] Tests were added
    • [ ] Comments where necessary
    • [ ] Documentation changes if necessary
    bug released 
    opened by iskandar 7
  • Could not run docker container due config file not found

    Could not run docker container due config file not found

    Hello friend!

    I'm trying to run your s3-proxy tool from docker but getting this error:

    $ docker run -d --name s3-proxy -p 8080:8080 -p 9090:9090 -v $PWD/config:/config oxynozeta/s3-proxy fe4fb5a7c43324170e8879fd9516fa860556dc166e8043bec3baef2e4bcee582

    $ docker logs fe4fb5a7c43324170e8879fd9516fa860556dc166e8043bec3baef2e4bcee582 {"level":"fatal","msg":"Config File "config" Not Found in "[/conf /]"","time":"2020-05-22T11:40:54Z"}

    However I have config directory in my $HOME dir with config.yml inside: $ ls -la $HOME/config/config.yaml -rw-rw-r-- 1 db db 6291 May 22 14:17 /home/db/config/config.yaml

    Any ideas what can be wrong here?

    Thank you

    bug question 
    opened by devopsman 7
  • Dynamic bucket name configuration. Acquire bucket name from URL-path

    Dynamic bucket name configuration. Acquire bucket name from URL-path

    Is your feature request related to a problem? Please describe. I don't want to reconfigure s3-proxy everytime someone creates a new bucket in our cloud storage. I don't always know what our buckets are named beforehand. And the people creating the buckets don't have access to reconfigure s3-proxy.

    The endpoint, region, credentials, etc, are the same for all buckets.

    Describe the solution you'd like Instead of configuring multiple buckets in the configuration file for s3-proxy in advance, the bucket name is acquired from the URL-path.

    Example

    # HTTPS call:
    GET https://mys3proxy.example.com/bucket1/folder/file.bin
    
    # Result:
    bucket: bucket1
    key: /folder/file.bin
    
    # HTTPS call:
    GET https://mys3proxy.example.com/bucket2/foo/bar.bin
    
    # Result:
    bucket: bucket2
    key: /foo/bar.bin
    
    enhancement 
    opened by martonsz 6
  • bugfix: Handle connection cancelation from client

    bugfix: Handle connection cancelation from client

    In case the client is dropping the connection, we do not cancel the requests made to the S3 backend. Proposed fix is to forward the context coming from the client request to the AWS SDK.

    no-stale 
    opened by croustiPoulet 6
  • Question: how to better deal with requests to folder prefixes?

    Question: how to better deal with requests to folder prefixes?

    Is your feature request related to a problem? Please describe. Currently we're using docusaurus to deploy static sites to s3, some urls that Docusaurus generates do not contain trailing slashes (ex. mysite.com/some_section), though clicking through from a parent to the sub-section page will work due to JS/HTML magic, a hard-link will not redirect to mysite.com/some_section/ which correctly serves up the indexDocument (in this case: index.html).

    Describe the solution you'd like An option to force the proxy to check if a document is a folder, if so recurse into it and serve up indexDocument etc.

    Describe alternatives you've considered An alternate solution is to just use URL rewriting, but we're using AWS ALBs which won't work in that scenario and though other reverse-proxies will remedy the situation, I am hesitant to put another layer in between the ALB and S3Proxy.

    enhancement 
    opened by chiefy 6
  • chore(deps): update squidfunk/mkdocs-material docker tag to v9

    chore(deps): update squidfunk/mkdocs-material docker tag to v9

    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change | |---|---|---|---| | squidfunk/mkdocs-material | final | major | 8.5.3 -> 9.0.1 |


    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, check this box

    This PR has been generated by Mend Renovate. View repository job log here.

    size/XS dockerfile 
    opened by renovate[bot] 0
  • fix(deps): update module github.com/thoas/go-funk to v0.9.3

    fix(deps): update module github.com/thoas/go-funk to v0.9.3

    Mend Renovate

    This PR contains the following updates:

    | Package | Type | Update | Change | |---|---|---|---| | github.com/thoas/go-funk | require | patch | v0.9.2 -> v0.9.3 |


    Release Notes

    thoas/go-funk

    v0.9.3

    Compare Source


    Configuration

    📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

    🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

    Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

    🔕 Ignore: Close this PR and you won't be reminded about this update again.


    • [ ] If you want to rebase/retry this PR, check this box

    This PR has been generated by Mend Renovate. View repository job log here.

    size/XS 
    opened by renovate[bot] 0
  • Let the docker image build itself

    Let the docker image build itself

    Is your feature request related to a problem? Please describe. I would like to build the docker image without first needing to build it on the host.

    Describe the solution you'd like I would like to build the image without dependencies, like:

    docker build -t s3-proxy .
    

    Describe alternatives you've considered I have made a multi-stage Dockerfile that builds the application and image in one step: see #327

    Additional context

    For example its really nice and dependency free from docker-compose, just give it the URL/branch and it will build it itself:

    # docker-compose.yaml
    services:
      s3-proxy:
        build:
          context: https://github.com/EnigmaCurry/s3-proxy.git#self-buildable
    
    enhancement no-issue-activity 
    opened by EnigmaCurry 3
  • Makes Docker image self-buildable

    Makes Docker image self-buildable


    name: Pull request about: Pull request for this project title: "Makes Docker image self-buildable" labels: "" assignees: ""

    Issue/Feature

    I do not want to build s3-proxy on my host computer, but only as a docker image. This addition creates a multi-stage Dockerfile to build the s3-proxy binary and make an image in one step.

    Additional Information

    This does not require you to prebuild the s3-proxy binary. To build a Docker image from scratch, just run:

    docker build -t s3-proxy .
    

    Verification Steps

    Checklist:

    • [ ] Verified by team member
    • [ ] Tests were added
    • [ ] Comments where necessary
    • [ ] Documentation changes if necessary
    opened by EnigmaCurry 0
  • Use security-credentials endpoint for authentication?

    Use security-credentials endpoint for authentication?

    Is it possible to use the ephemeral/short-lived credentials provided by the AWS IAM role security credentials endpoint as a form of authentication for s3-proxy?

    It would likely require tracking the expiration of the token and requesting a new one when it expires.

    Ref: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

    It if is not possible currently, is it a feature you would consider developing and including in this project?

    enhancement no-stale 
    opened by dshawth 1
  • Dependency Dashboard

    Dependency Dashboard

    This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

    Open

    These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

    Ignored or Blocked

    These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

    Detected dependencies

    dockerfile
    Dockerfile
    • alpine 3.17
    Dockerfile.docs
    • squidfunk/mkdocs-material 8.5.3
    github-actions
    .github/workflows/ci.yml
    • actions/checkout v3
    • dorny/paths-filter v2
    • actions/checkout v3
    • actions/setup-go v3
    • golangci/golangci-lint-action v3
    • actions/checkout v3
    • actions/setup-go v3
    • docker/setup-qemu-action v2
    • actions/checkout v3
    • actions/setup-go v3
    • actions/checkout v3
    • actions/setup-go v3
    .github/workflows/docs.yml
    • actions/checkout v3
    • dorny/paths-filter v2
    • actions/checkout v3
    • actions/setup-python v4
    • actions/checkout v3
    • actions/setup-python v4
    .github/workflows/labeler.yml
    • actions/labeler v4
    .github/workflows/size.yml
    • pascalgn/size-label-action a4655c448bb838e8d73b81e97fd0831bb4cbda1e
    .github/workflows/stale.yml
    • actions/stale v7
    gomod
    go.mod
    • go 1.17
    • emperror.dev/errors v0.8.1
    • github.com/Masterminds/sprig/v3 v3.2.3
    • github.com/coreos/go-oidc/v3 v3.4.0
    • github.com/dimiro1/health [email protected]
    • github.com/dustin/go-humanize v1.0.0
    • github.com/fsnotify/fsnotify v1.6.0
    • github.com/go-chi/chi/v5 v5.0.8
    • github.com/go-chi/cors v1.2.1
    • github.com/go-chi/httptracer v0.3.0
    • github.com/go-playground/validator/v10 v10.11.1
    • github.com/go-resty/resty/v2 v2.7.0
    • github.com/gobwas/glob v0.2.3
    • github.com/golang/mock v1.6.0
    • github.com/johannesboyne/gofakes3 [email protected]
    • github.com/opentracing/opentracing-go v1.2.0
    • github.com/prometheus/client_golang v1.14.0
    • github.com/sirupsen/logrus v1.9.0
    • github.com/spf13/viper v1.14.0
    • github.com/stretchr/testify v1.8.1
    • github.com/thoas/go-funk v0.9.2
    • github.com/uber/jaeger-client-go v2.30.0+incompatible
    • github.com/uber/jaeger-lib v2.4.1+incompatible
    • golang.org/x/net v0.4.0
    • golang.org/x/oauth2 v0.3.0
    • golang.org/x/sync v0.1.0
    • gopkg.in/yaml.v3 v3.0.1

    • [ ] Check this box to trigger a request for Renovate to run again on this repository
    opened by renovate[bot] 0
Releases(v4.7.0)
Sesame: an Ingress controller for Kubernetes that works by deploying the Envoy proxy as a reverse proxy and load balancer

Sesame Overview Sesame is an Ingress controller for Kubernetes that works by dep

Sesame 1 Dec 28, 2021
A Terraform module to manage cluster authentication (aws-auth) for an Elastic Kubernetes (EKS) cluster on AWS.

Archive Notice The terraform-aws-modules/eks/aws v.18.20.0 release has brought back support aws-auth configmap! For this reason, I highly encourage us

Aidan Melen 28 Dec 4, 2022
kubectl plugin for generating nginx-ingress compatible basic-auth secrets on kubernetes clusters

kubectl-htpasswd kubectl plugin for easily generating hashed basic auth secrets. Supported hash algorithms bcrypt Examples Create the secret on the cl

Christian Rebischke 16 Jul 17, 2022
Parallel processing through go routines, copy and delete thousands of key within some minutes

redis-dumper CLI Parallel processing through go routines, copy and delete thousands of key within some minutes copy data by key pattern from one redis

David Koller 0 Dec 26, 2021
K8s-delete-protection - Kubernetes admission controller to avoid deleteing master nodes

k8s-delete-protection Admission Controller If you want to make your Kubernetes c

null 1 Nov 2, 2022
An Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer

NGINX Ingress Controller Overview ingress-nginx is an Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer. Learn more a

null 0 Nov 15, 2021
OCI transport plugin for apt-get (i.e., apt-get over ghcr.io)

apt-transport-oci: OCI transport plugin for apt-get (i.e., apt-get over ghcr.io) apt-transport-oci is an apt-get plugin to support distributing *.deb

Akihiro Suda 88 Nov 1, 2022
Package trn introduces a Range type with useful methods to perform complex operations over time ranges

Time Ranges Package trn introduces a Range type with useful methods to perform c

CappuccinoTeam 39 Aug 18, 2022
PoC for Grafana 8.x Local File Inclusion (Pre-Auth)

Grafana 8.x Local File Inclusion (Pre-Auth) CVE: Pending All credits go to j0v and his tweet https://twitter.com/j0v0x0/status/1466845212626542607 Dis

Tay 9 Nov 9, 2022
Download your Fitbit weight history and connect to InfluxDB and Grafana

WemonFit Weight monitoring for Fitbit, using InfluxDB and Grafana Generating a new certificate openssl req -new -newkey rsa:2048 -nodes -keyout lo

Eduardo Argollo 1 Oct 22, 2022
The OCI Service Operator for Kubernetes (OSOK) makes it easy to connect and manage OCI services from a cloud native application running in a Kubernetes environment.

OCI Service Operator for Kubernetes Introduction The OCI Service Operator for Kubernetes (OSOK) makes it easy to create, manage, and connect to Oracle

Oracle 24 Sep 27, 2022
Connect, Subscribe and Publish over MQTT broker to check its status.

MQTT Blackbox Exporter Introduction In each probe it sends a message over MQTT broker and then wait for getting it over subscription. By measuring thi

Snapp Cab Incubators 12 Aug 27, 2022
Provides an interactive prompt to connect to ECS Containers using the ECS ExecuteCommand API.

ecsgo Heavily inspired by incredibly useful gossm, this tool makes use of the new ECS ExecuteCommand API to connect to running ECS tasks. It provides

Ed Smith 45 Dec 12, 2022
Quickly connect to your Kubernetes Cluster with Tailscale

tsk tsk is a quick and magical way to connect your Kubernetes cluster to your Tailscale Tailnet. Installation tsk requires you have Pulumi installed.

Adam Engebretson 45 Dec 17, 2022
Ydb-go-yc-metadata - Helpers to connect to YDB inside yandex-cloud using metadata service

ydb-go-yc-metadata helpers to connect to YDB inside yandex-cloud using metadata

YDB Platform 3 Nov 28, 2022
A reverse engineered github actions compatible self-hosted runner using nektos/act to execute your workflow steps

github-act-runner A reverse engineered github actions compatible self-hosted runner using nektos/act to execute your workflow steps. Unlike the offici

null 107 Dec 24, 2022
k6 extension to load test Apache Kafka with support for Avro messages and SASL Authentication

xk6-kafka This project is a k6 extension that can be used to load test Kafka, using a producer. Per each connection to Kafka, many messages can be sen

null 0 Dec 7, 2021
🔑 Kubernetes Authentication & Authorization WebHook Server

Guard Guard by AppsCode is a Kubernetes Webhook Authentication server. Using guard, you can log into your Kubernetes cluster using various auth provid

Kubernetes Guard 546 Dec 16, 2022
A minimal Go project with user authentication ready out of the box. All frontend assets should be less than 100 kB on every page load

Golang Base Project A minimal Golang project with user authentication ready out of the box. All frontend assets should be less than 100 kB on every pa

Markus Tenghamn 239 Jan 1, 2023