chore: format using Make (#111)

This commit is contained in:
Kevin Goslar 2022-09-22 07:52:52 -05:00 committed by GitHub
parent c5a66aa6eb
commit 5795340e0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
38 changed files with 593 additions and 424 deletions


@ -9,7 +9,7 @@ kube-builder: &install-kube-builder
# Upgrading kubebuilder to latest version is a bigger story and needs more work. # Upgrading kubebuilder to latest version is a bigger story and needs more work.
# We will use direct GH release URL for now. # We will use direct GH release URL for now.
curl -sL https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_${os}_${arch}.tar.gz | tar -xz -C /tmp/ curl -sL https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_${os}_${arch}.tar.gz | tar -xz -C /tmp/
# move to a long-term location and put it on your path # move to a long-term location and put it on your path
# (you'll need to set the KUBEBUILDER_ASSETS env var if you put it somewhere else) # (you'll need to set the KUBEBUILDER_ASSETS env var if you put it somewhere else)
sudo mv /tmp/kubebuilder_2.3.2_${os}_${arch} /usr/local/kubebuilder sudo mv /tmp/kubebuilder_2.3.2_${os}_${arch} /usr/local/kubebuilder
@ -25,7 +25,7 @@ jobs:
steps: steps:
- checkout - checkout
- run: - run:
<<: *install-kube-builder <<: *install-kube-builder
- run: make - run: make
test: test:
docker: docker:
@ -86,7 +86,9 @@ jobs:
./.circleci/release_name.bash ./.circleci/release_name.bash
source $BASH_ENV source $BASH_ENV
- setup_remote_docker - setup_remote_docker
- run: docker login --username "$DOCKER_USERNAME" --password "$DOCKER_PASSWORD" - run:
docker login --username "$DOCKER_USERNAME" --password
"$DOCKER_PASSWORD"
- run: curl -sL https://git.io/goreleaser | bash - run: curl -sL https://git.io/goreleaser | bash
release-changelog: release-changelog:
@ -96,7 +98,9 @@ jobs:
- checkout - checkout
- run: gem install github_changelog_generator -v 1.14.3 - run: gem install github_changelog_generator -v 1.14.3
- run: sudo npm i -g doctoc - run: sudo npm i -g doctoc
- run: github_changelog_generator -u ory -p hydra-maester -o CHANGELOG.md --token $GITHUB_TOKEN - run:
github_changelog_generator -u ory -p hydra-maester -o CHANGELOG.md
--token $GITHUB_TOKEN
- run: doctoc CHANGELOG.md - run: doctoc CHANGELOG.md
- run: doctoc README.md - run: doctoc README.md
- run: git config --global user.email "circleci@ory.am" - run: git config --global user.email "circleci@ory.am"
@ -106,7 +110,9 @@ jobs:
- run: | - run: |
git commit -a -m "docs: Incorporates changes from version $(git describe --tags)" || true git commit -a -m "docs: Incorporates changes from version $(git describe --tags)" || true
- run: git remote rm origin - run: git remote rm origin
- run: git remote add origin https://arekkas:$GITHUB_TOKEN@github.com/ory/hydra-maester.git - run:
git remote add origin
https://arekkas:$GITHUB_TOKEN@github.com/ory/hydra-maester.git
- run: git push origin HEAD:master || true - run: git push origin HEAD:master || true
workflows: workflows:
@ -129,7 +135,7 @@ workflows:
requires: requires:
- build - build
- test - test
- test-integration - test-integration
filters: filters:
tags: tags:
only: /.*/ only: /.*/
@ -142,4 +148,4 @@ workflows:
tags: tags:
only: /.*/ only: /.*/
branches: branches:
ignore: /.*/ ignore: /.*/
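Review bot: The reflowed `docker login` step in the `@ -86,7 +86,9 @@` hunk still hands the registry secret over as a command-line argument, `--password "$DOCKER_PASSWORD"`, where it is visible to `ps` and to anything that records argv; `echo "$DOCKER_PASSWORD" | docker login --username "$DOCKER_USERNAME" --password-stdin` keeps it out of the process list. The release-changelog hunk has the same shape of problem: `https://arekkas:$GITHUB_TOKEN@github.com/ory/hydra-maester.git` writes the token into `.git/config` for the rest of the job, and CircleCI's output masking presumably does not cover that file on disk, so a credential helper or a header-based credential would be safer. Neither issue is introduced by this formatting commit, but both lines are rewritten by it and are the natural place to fix them.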


@ -2,12 +2,12 @@ name: Docker Image Scan
on: on:
push: push:
branches: branches:
- 'master' - "master"
tags: tags:
- 'v*.*.*' - "v*.*.*"
pull_request: pull_request:
branches: branches:
- 'master' - "master"
jobs: jobs:
docker: docker:
@ -18,7 +18,7 @@ jobs:
- uses: actions/setup-go@v2 - uses: actions/setup-go@v2
name: Setup Golang name: Setup Golang
with: with:
go-version: '^1.16' go-version: "^1.16"
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx - name: Set up Docker Buildx
@ -45,8 +45,8 @@ jobs:
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: controller:latest image-ref: controller:latest
format: 'table' format: "table"
exit-code: '42' exit-code: "42"
ignore-unfixed: true ignore-unfixed: true
vuln-type: 'os,library' vuln-type: "os,library"
severity: 'CRITICAL,HIGH' severity: "CRITICAL,HIGH"

17
.github/workflows/format.yml vendored Normal file

@ -0,0 +1,17 @@
name: Format
on:
pull_request:
push:
jobs:
format:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: 1.19
- run: make format
- name: Indicate formatting issues
run: git diff HEAD --exit-code --color
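Review bot: The new workflow declares no `permissions:` block, so the `GITHUB_TOKEN` the job receives carries the repository's default scope although the steps only check out the tree and run `make format`; adding `permissions:` with `  contents: read` at the top level makes the least-privilege intent explicit. `actions/checkout@v3` and `actions/setup-go@v3` are referenced by mutable tags, and a workflow that runs on every push and pull request is exactly where pinning to a full commit SHA (tag kept in a trailing comment) pays off. `go-version: 1.19` is an unquoted plain scalar that YAML types as a float; it happens to round-trip here but silently turns a future `1.20` into `1.2`, so write `go-version: "1.19"`.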

3
.gitignore vendored

@ -1,4 +1,3 @@
# Binaries for programs and plugins # Binaries for programs and plugins
*.exe *.exe
*.exe~ *.exe~
@ -25,3 +24,5 @@ bin
config/default/manager_image_patch.yaml-e config/default/manager_image_patch.yaml-e
/manager /manager
node_modules/


@ -27,7 +27,6 @@ snapshot:
changelog: changelog:
sort: asc sort: asc
dockers: dockers:
- image_templates: - image_templates:
- "oryd/hydra-maester:v{{ .Major }}" - "oryd/hydra-maester:v{{ .Major }}"

4
.prettierignore Normal file

@ -0,0 +1,4 @@
api/v1alpha1/zz_generated.deepcopy.go
CHANGELOG.md
.github/pull_request_template.md
CONTRIBUTING.md


@ -28,7 +28,7 @@ all: manager
# Run tests # Run tests
.PHONY: test .PHONY: test
test: generate fmt vet manifests test: generate vet manifests
go test ./api/... ./controllers/... ./hydra/... ./helpers/... -coverprofile cover.out go test ./api/... ./controllers/... ./hydra/... ./helpers/... -coverprofile cover.out
# Start KIND pseudo-cluster # Start KIND pseudo-cluster
@ -64,12 +64,12 @@ test-integration:
# Build manager binary # Build manager binary
.PHONY: manager .PHONY: manager
manager: generate fmt vet manager: generate vet
CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 go build -a -o manager main.go CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 go build -a -o manager main.go
# Run against the configured Kubernetes cluster in ~/.kube/config # Run against the configured Kubernetes cluster in ~/.kube/config
.PHONY: run .PHONY: run
run: generate fmt vet run: generate vet
go run ./main.go --hydra-url ${HYDRA_URL} go run ./main.go --hydra-url ${HYDRA_URL}
# Install CRDs into a cluster # Install CRDs into a cluster
@ -88,10 +88,10 @@ deploy: manifests
manifests: controller-gen manifests: controller-gen
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases $(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
# Run go fmt against code # Format the source code
.PHONY: fmt format: node_modules
fmt:
go fmt ./... go fmt ./...
npm exec -- prettier --write .
# Run go vet against code # Run go vet against code
.PHONY: vet .PHONY: vet
@ -135,3 +135,7 @@ kubebuilder:
curl -sL https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_${OS}_${ARCH}.tar.gz | tar -xz -C /tmp/ curl -sL https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_${OS}_${ARCH}.tar.gz | tar -xz -C /tmp/
mv /tmp/kubebuilder_2.3.2_${OS}_${ARCH} ${PWD}/.bin/kubebuilder mv /tmp/kubebuilder_2.3.2_${OS}_${ARCH} ${PWD}/.bin/kubebuilder
export PATH=${PATH}:${PWD}/.bin/kubebuilder/bin export PATH=${PATH}:${PWD}/.bin/kubebuilder/bin
node_modules: package-lock.json
npm ci
touch node_modules
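Review bot: The removed `.PHONY: fmt` declaration has no counterpart for the new `format` target, so a file or directory named `format` in the working tree would make `make format` a silent no-op, and the CI check that runs it before `git diff HEAD --exit-code` would pass without reformatting anything; add `.PHONY: format` next to the rule. The `node_modules: package-lock.json` rule runs `npm ci`, which executes the install-time lifecycle scripts of every locked dependency on developer machines and in CI; if prettier needs none of them, `npm ci --ignore-scripts` narrows what a compromised transitive package can do at install time. The `touch node_modules` line is what makes the directory a usable make prerequisite, which is worth a one-line comment so the next maintainer does not remove it as redundant.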


@ -13,17 +13,28 @@
# Ory Hydra Maester # Ory Hydra Maester
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
> Ory Hydra Maester is developed by the Ory community and is not actively maintained by Ory core maintainers due to lack of resources, time, and knolwedge. As such please be aware that there might be issues with the system. If you have ideas for better testing and development principles please open an issue or PR! > Ory Hydra Maester is developed by the Ory community and is not actively
> maintained by Ory core maintainers due to lack of resources, time, and
> knolwedge. As such please be aware that there might be issues with the system.
> If you have ideas for better testing and development principles please open an
> issue or PR!
⚠️ ⚠️ ⚠️ ⚠️ ⚠️ ⚠️
This project contains a Kubernetes controller that uses Custom Resources (CR) to manage Hydra Oauth2 clients. ORY Hydra Maester watches for instances of `oauth2clients.hydra.ory.sh/v1alpha1` CR and creates, updates, or deletes corresponding OAuth2 clients by communicating with ORY Hydra's API. This project contains a Kubernetes controller that uses Custom Resources (CR) to
manage Hydra Oauth2 clients. ORY Hydra Maester watches for instances of
`oauth2clients.hydra.ory.sh/v1alpha1` CR and creates, updates, or deletes
corresponding OAuth2 clients by communicating with ORY Hydra's API.
Visit Hydra-maester's [chart documentation](https://github.com/ory/k8s/blob/master/docs/helm/hydra-maester.md) and view [sample OAuth2 client resources](config/samples) to learn more about the `oauth2clients.hydra.ory.sh/v1alpha1` CR. Visit Hydra-maester's
[chart documentation](https://github.com/ory/k8s/blob/master/docs/helm/hydra-maester.md)
and view [sample OAuth2 client resources](config/samples) to learn more about
the `oauth2clients.hydra.ory.sh/v1alpha1` CR.
The project is based on [Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder). The project is based on
[Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder).
## Prerequisites ## Prerequisites
@ -31,10 +42,12 @@ The project is based on [Kubebuilder](https://github.com/kubernetes-sigs/kubebui
- make - make
- kubectl - kubectl
- kustomize - kustomize
- [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) for running tests - [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) for running
tests
- [ginkgo](https://onsi.github.io/ginkgo/) for local integration testing - [ginkgo](https://onsi.github.io/ginkgo/) for local integration testing
- access to K8s environment: minikube or a remote K8s cluster - access to K8s environment: minikube or a remote K8s cluster
- [mockery](https://github.com/vektra/mockery) to generate mocks for testing purposes - [mockery](https://github.com/vektra/mockery) to generate mocks for testing
purposes
## Design ## Design
@ -44,27 +57,32 @@ Take a look at [Design Readme](./docs/README.md).
- `make test` to run tests - `make test` to run tests
- `make test-integration` to run integration tests - `make test-integration` to run integration tests
- `make install` to generate CRD file from go sources and install it on the cluster - `make install` to generate CRD file from go sources and install it on the
cluster
- `export HYDRA_URL={HYDRA_SERVICE_URL} && make run` to run the controller - `export HYDRA_URL={HYDRA_SERVICE_URL} && make run` to run the controller
To deploy the controller, edit the value of the ```--hydra-url``` argument in the [manager.yaml](config/manager/manager.yaml) file and run ```make deploy```. To deploy the controller, edit the value of the `--hydra-url` argument in the
[manager.yaml](config/manager/manager.yaml) file and run `make deploy`.
### Command-line flags ### Command-line flags
| Name | Required | Description | Default value | Example values | | Name | Required | Description | Default value | Example values |
|----------------------------|----------|----------------------------------------|---------------|------------------------------------------------------| | ---------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------- |
| **hydra-url** | yes | ORY Hydra's service address | - | ` ory-hydra-admin.ory.svc.cluster.local` | | **hydra-url** | yes | ORY Hydra's service address | - | ` ory-hydra-admin.ory.svc.cluster.local` |
| **hydra-port** | no | ORY Hydra's service port | `4445` | `4445` | | **hydra-port** | no | ORY Hydra's service port | `4445` | `4445` |
| **tls-trust-store** | no | TLS cert path for hydra client | `""` | `/etc/ssl/certs/ca-certificates.crt` | | **tls-trust-store** | no | TLS cert path for hydra client | `""` | `/etc/ssl/certs/ca-certificates.crt` |
| **insecure-skip-verify** | no | Skip http client insecure verification | `false` | `true` or `false` | | **insecure-skip-verify** | no | Skip http client insecure verification | `false` | `true` or `false` |
| **namespace** | no | Namespace in which the controller should operate. Setting this will make the controller ignore other namespaces. | `""` | `"my-namespace"` | | **namespace** | no | Namespace in which the controller should operate. Setting this will make the controller ignore other namespaces. | `""` | `"my-namespace"` |
| **leader-elector-namespace** | no | Leader elector namespace where controller should be set. | `""` | `"my-namespace"` | | **leader-elector-namespace** | no | Leader elector namespace where controller should be set. | `""` | `"my-namespace"` |
## Development ## Development
### Testing ### Testing
Use mockery to generate mock types that implement existing interfaces. To generate a mock type for an interface, navigate to the directory containing that interface and run this command: Use mockery to generate mock types that implement existing interfaces. To
generate a mock type for an interface, navigate to the directory containing that
interface and run this command:
``` ```
mockery -name={INTERFACE_NAME} mockery -name={INTERFACE_NAME}
``` ```


@ -1,3 +1,4 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated // +build !ignore_autogenerated
/* /*


@ -11,13 +11,13 @@ spec:
apiVersion: certmanager.k8s.io/v1alpha1 apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate kind: Certificate
metadata: metadata:
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
namespace: system namespace: system
spec: spec:
# $(SERVICENAME) and $(NAMESPACE) will be substituted by kustomize # $(SERVICENAME) and $(NAMESPACE) will be substituted by kustomize
commonName: $(SERVICENAME).$(NAMESPACE).svc commonName: $(SERVICENAME).$(NAMESPACE).svc
dnsNames: dnsNames:
- $(SERVICENAME).$(NAMESPACE).svc.cluster.local - $(SERVICENAME).$(NAMESPACE).svc.cluster.local
issuerRef: issuerRef:
kind: Issuer kind: Issuer
name: selfsigned-issuer name: selfsigned-issuer


@ -1,26 +1,26 @@
resources: resources:
- certificate.yaml - certificate.yaml
# the following config is for teaching kustomize how to do var substitution # the following config is for teaching kustomize how to do var substitution
vars: vars:
- name: NAMESPACE # namespace of the service and the certificate CR - name: NAMESPACE # namespace of the service and the certificate CR
objref: objref:
kind: Service kind: Service
version: v1 version: v1
name: webhook-service name: webhook-service
fieldref: fieldref:
fieldpath: metadata.namespace fieldpath: metadata.namespace
- name: CERTIFICATENAME - name: CERTIFICATENAME
objref: objref:
kind: Certificate kind: Certificate
group: certmanager.k8s.io group: certmanager.k8s.io
version: v1alpha1 version: v1alpha1
name: serving-cert # this name should match the one in certificate.yaml name: serving-cert # this name should match the one in certificate.yaml
- name: SERVICENAME - name: SERVICENAME
objref: objref:
kind: Service kind: Service
version: v1 version: v1
name: webhook-service name: webhook-service
configurations: configurations:
- kustomizeconfig.yaml - kustomizeconfig.yaml


@ -1,16 +1,16 @@
# This configuration is for teaching kustomize how to update name ref and var substitution # This configuration is for teaching kustomize how to update name ref and var substitution
nameReference: nameReference:
- kind: Issuer - kind: Issuer
group: certmanager.k8s.io
fieldSpecs:
- kind: Certificate
group: certmanager.k8s.io group: certmanager.k8s.io
path: spec/issuerRef/name fieldSpecs:
- kind: Certificate
group: certmanager.k8s.io
path: spec/issuerRef/name
varReference: varReference:
- kind: Certificate - kind: Certificate
group: certmanager.k8s.io group: certmanager.k8s.io
path: spec/commonName path: spec/commonName
- kind: Certificate - kind: Certificate
group: certmanager.k8s.io group: certmanager.k8s.io
path: spec/dnsNames path: spec/dnsNames


@ -1,4 +1,3 @@
--- ---
apiVersion: apiextensions.k8s.io/v1 apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
@ -16,158 +15,217 @@ spec:
singular: oauth2client singular: oauth2client
scope: Namespaced scope: Namespaced
versions: versions:
- name: v1alpha1 - name: v1alpha1
schema: schema:
openAPIV3Schema: openAPIV3Schema:
description: OAuth2Client is the Schema for the oauth2clients API description: OAuth2Client is the Schema for the oauth2clients API
properties: properties:
apiVersion: apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' description:
type: string "APIVersion defines the versioned schema of this representation
kind: of an object. Servers should convert recognized schemas to the
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' latest internal value, and may reject unrecognized values. More
type: string info:
metadata: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
type: object type: string
spec: kind:
description: OAuth2ClientSpec defines the desired state of OAuth2Client description:
properties: "Kind is a string value representing the REST resource this
allowedCorsOrigins: object represents. Servers may infer this from the endpoint the
description: AllowedCorsOrigins is an array of allowed CORS origins client submits requests to. Cannot be updated. In CamelCase.
items: More info:
description: RedirectURI represents a redirect URI for the client https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
pattern: \w+:/?/?[^\s]+ type: string
type: string metadata:
type: array type: object
audience: spec:
description: Audience is a whitelist defining the audiences this client is allowed to request tokens for description:
items: OAuth2ClientSpec defines the desired state of OAuth2Client
type: string properties:
type: array allowedCorsOrigins:
clientName:
description: ClientName is the human-readable string name of the client to be presented to the end-user during authorization.
type: string
grantTypes:
description: GrantTypes is an array of grant types the client is allowed to use.
items:
description: GrantType represents an OAuth 2.0 grant type
enum:
- client_credentials
- authorization_code
- implicit
- refresh_token
type: string
maxItems: 4
minItems: 1
type: array
hydraAdmin:
description: HydraAdmin is the optional configuration to use for managing this client
properties:
endpoint:
description: Endpoint is the endpoint for the hydra instance on which to set up the client. This value will override the value provided to `--endpoint` (defaults to `"/clients"` in the application)
pattern: (^$|^/.*)
type: string
forwardedProto:
description: ForwardedProto overrides the `--forwarded-proto` flag. The value "off" will force this to be off even if `--forwarded-proto` is specified
pattern: (^$|https?|off)
type: string
port:
description: Port is the port for the hydra instance on which to set up the client. This value will override the value provided to `--hydra-port`
maximum: 65535
type: integer
url:
description: URL is the URL for the hydra instance on which to set up the client. This value will override the value provided to `--hydra-url`
maxLength: 64
pattern: (^$|^https?://.*)
type: string
type: object
metadata:
description: Metadata is abritrary data
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
postLogoutRedirectUris:
description: PostLogoutRedirectURIs is an array of the post logout redirect URIs allowed for the application
items:
description: RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
redirectUris:
description: RedirectURIs is an array of the redirect URIs allowed for the application
items:
description: RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
responseTypes:
description: ResponseTypes is an array of the OAuth 2.0 response type strings that the client can use at the authorization endpoint.
items:
description: ResponseType represents an OAuth 2.0 response type strings
enum:
- id_token
- code
- token
- code token
- code id_token
- id_token token
- code id_token token
type: string
maxItems: 3
minItems: 1
type: array
scope:
description: Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens.
pattern: ([a-zA-Z0-9\.\*]+\s?)+
type: string
secretName:
description: SecretName points to the K8s secret that contains this client's ID and password
maxLength: 253
minLength: 1
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
type: string
tokenEndpointAuthMethod:
allOf:
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
description: Indication which authentication method shoud be used for the token endpoint
type: string
required:
- grantTypes
- scope
- secretName
type: object
status:
description: OAuth2ClientStatus defines the observed state of OAuth2Client
properties:
observedGeneration:
description: ObservedGeneration represents the most recent generation observed by the daemon set controller.
format: int64
type: integer
reconciliationError:
description: ReconciliationError represents an error that occurred during the reconciliation process
properties:
description: description:
description: Description is the description of the reconciliation error AllowedCorsOrigins is an array of allowed CORS origins
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string type: string
statusCode: type: array
description: Code is the status code of the reconciliation error audience:
description:
Audience is a whitelist defining the audiences this client
is allowed to request tokens for
items:
type: string type: string
type: object type: array
type: object clientName:
type: object description:
served: true ClientName is the human-readable string name of the client
storage: true to be presented to the end-user during authorization.
subresources: type: string
status: {} grantTypes:
description:
GrantTypes is an array of grant types the client is allowed
to use.
items:
description: GrantType represents an OAuth 2.0 grant type
enum:
- client_credentials
- authorization_code
- implicit
- refresh_token
type: string
maxItems: 4
minItems: 1
type: array
hydraAdmin:
description:
HydraAdmin is the optional configuration to use for managing
this client
properties:
endpoint:
description:
Endpoint is the endpoint for the hydra instance on which
to set up the client. This value will override the value
provided to `--endpoint` (defaults to `"/clients"` in
the application)
pattern: (^$|^/.*)
type: string
forwardedProto:
description:
ForwardedProto overrides the `--forwarded-proto` flag.
The value "off" will force this to be off even if
`--forwarded-proto` is specified
pattern: (^$|https?|off)
type: string
port:
description:
Port is the port for the hydra instance on which to set
up the client. This value will override the value
provided to `--hydra-port`
maximum: 65535
type: integer
url:
description:
URL is the URL for the hydra instance on which to set up
the client. This value will override the value provided
to `--hydra-url`
maxLength: 64
pattern: (^$|^https?://.*)
type: string
type: object
metadata:
description: Metadata is abritrary data
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
postLogoutRedirectUris:
description:
PostLogoutRedirectURIs is an array of the post logout
redirect URIs allowed for the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
redirectUris:
description:
RedirectURIs is an array of the redirect URIs allowed for
the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
responseTypes:
description:
ResponseTypes is an array of the OAuth 2.0 response type
strings that the client can use at the authorization
endpoint.
items:
description:
ResponseType represents an OAuth 2.0 response type strings
enum:
- id_token
- code
- token
- code token
- code id_token
- id_token token
- code id_token token
type: string
maxItems: 3
minItems: 1
type: array
scope:
description:
Scope is a string containing a space-separated list of scope
values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
that the client can use when requesting access tokens.
pattern: ([a-zA-Z0-9\.\*]+\s?)+
type: string
secretName:
description:
SecretName points to the K8s secret that contains this
client's ID and password
maxLength: 253
minLength: 1
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
type: string
tokenEndpointAuthMethod:
allOf:
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
description:
Indication which authentication method shoud be used for the
token endpoint
type: string
required:
- grantTypes
- scope
- secretName
type: object
status:
description:
OAuth2ClientStatus defines the observed state of OAuth2Client
properties:
observedGeneration:
description:
ObservedGeneration represents the most recent generation
observed by the daemon set controller.
format: int64
type: integer
reconciliationError:
description:
ReconciliationError represents an error that occurred during
the reconciliation process
properties:
description:
description:
Description is the description of the reconciliation
error
type: string
statusCode:
description:
Code is the status code of the reconciliation error
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
status: status:
acceptedNames: acceptedNames:
kind: "" kind: ""


@ -2,7 +2,7 @@
# since it depends on service name and namespace that are out of this kustomize package. # since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default # It should be run by config/default
resources: resources:
- bases/hydra.ory.sh_oauth2clients.yaml - bases/hydra.ory.sh_oauth2clients.yaml
# +kubebuilder:scaffold:crdkustomizeresource # +kubebuilder:scaffold:crdkustomizeresource
patches: patches:
@ -16,4 +16,4 @@ patches:
# the following config is for teaching kustomize how to do kustomization for CRDs. # the following config is for teaching kustomize how to do kustomization for CRDs.
configurations: configurations:
- kustomizeconfig.yaml - kustomizeconfig.yaml


@ -1,17 +1,17 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD # This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference: nameReference:
- kind: Service - kind: Service
version: v1 version: v1
fieldSpecs: fieldSpecs:
- kind: CustomResourceDefinition - kind: CustomResourceDefinition
group: apiextensions.k8s.io group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/name path: spec/conversion/webhookClientConfig/service/name
namespace: namespace:
- kind: CustomResourceDefinition - kind: CustomResourceDefinition
group: apiextensions.k8s.io group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/namespace path: spec/conversion/webhookClientConfig/service/namespace
create: false create: false
varReference: varReference:
- path: metadata/annotations - path: metadata/annotations


@ -13,25 +13,25 @@ namePrefix: hydra-maester-
# someName: someValue # someName: someValue
bases: bases:
- ../crd - ../crd
- ../rbac - ../rbac
- ../manager - ../manager
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
#- ../webhook #- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required. # [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required.
#- ../certmanager #- ../certmanager
patches: patches:
- manager_image_patch.yaml - manager_image_patch.yaml
# Protect the /metrics endpoint by putting it behind auth. # Protect the /metrics endpoint by putting it behind auth.
# Only one of manager_auth_proxy_patch.yaml and # Only one of manager_auth_proxy_patch.yaml and
# manager_prometheus_metrics_patch.yaml should be enabled. # manager_prometheus_metrics_patch.yaml should be enabled.
- manager_auth_proxy_patch.yaml - manager_auth_proxy_patch.yaml
# If you want your controller-manager to expose the /metrics # If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, uncomment the following line and # endpoint w/o any authn/z, uncomment the following line and
# comment manager_auth_proxy_patch.yaml. # comment manager_auth_proxy_patch.yaml.
# Only one of manager_auth_proxy_patch.yaml and # Only one of manager_auth_proxy_patch.yaml and
# manager_prometheus_metrics_patch.yaml should be enabled. # manager_prometheus_metrics_patch.yaml should be enabled.
#- manager_prometheus_metrics_patch.yaml #- manager_prometheus_metrics_patch.yaml
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml


@ -9,16 +9,16 @@ spec:
template: template:
spec: spec:
containers: containers:
- name: kube-rbac-proxy - name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
args: args:
- "--secure-listen-address=0.0.0.0:8443" - "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/" - "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true" - "--logtostderr=true"
- "--v=10" - "--v=10"
ports: ports:
- containerPort: 8443 - containerPort: 8443
name: https name: https
- name: manager - name: manager
args: args:
- "--metrics-addr=127.0.0.1:8080" - "--metrics-addr=127.0.0.1:8080"


@ -7,7 +7,7 @@ spec:
template: template:
spec: spec:
containers: containers:
# Change the value of image field below to your controller image URL # Change the value of image field below to your controller image URL
- image: controller:latest - image: controller:latest
name: manager name: manager
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent


@ -8,12 +8,12 @@ spec:
template: template:
metadata: metadata:
annotations: annotations:
prometheus.io/scrape: 'true' prometheus.io/scrape: "true"
spec: spec:
containers: containers:
# Expose the prometheus metrics on default port # Expose the prometheus metrics on default port
- name: manager - name: manager
ports: ports:
- containerPort: 8080 - containerPort: 8080
name: metrics name: metrics
protocol: TCP protocol: TCP


@ -7,17 +7,17 @@ spec:
template: template:
spec: spec:
containers: containers:
- name: manager - name: manager
ports: ports:
- containerPort: 443 - containerPort: 443
name: webhook-server name: webhook-server
protocol: TCP protocol: TCP
volumeMounts: volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs - mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert name: cert
readOnly: true readOnly: true
volumes: volumes:
- name: cert - name: cert
secret: secret:
defaultMode: 420 defaultMode: 420
secretName: webhook-server-cert secretName: webhook-server-cert


@ -1,5 +1,5 @@
# This patch add annotation to admission webhook config and # This patch add annotation to admission webhook config and
# the variables $(NAMESPACE) and $(CERTIFICATENAME) will be substituted by kustomize. # the variables $(NAMESPACE) and $(CERTIFICATENAME) will be substituted by kustomize.
apiVersion: admissionregistration.k8s.io/v1beta1 apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration kind: MutatingWebhookConfiguration
metadata: metadata:


@ -1,2 +1,2 @@
resources: resources:
- manager.yaml - manager.yaml


@ -23,18 +23,18 @@ spec:
control-plane: controller-manager control-plane: controller-manager
spec: spec:
containers: containers:
- command: - command:
- /manager - /manager
args: args:
- --enable-leader-election - --enable-leader-election
- --hydra-url=http://use.actual.hydra.fqdn #change it to your ORY Hydra address - --hydra-url=http://use.actual.hydra.fqdn #change it to your ORY Hydra address
image: controller:latest image: controller:latest
name: manager name: manager
resources: resources:
limits: limits:
cpu: 100m cpu: 100m
memory: 30Mi memory: 30Mi
requests: requests:
cpu: 100m cpu: 100m
memory: 20Mi memory: 20Mi
terminationGracePeriodSeconds: 10 terminationGracePeriodSeconds: 10


@ -3,11 +3,11 @@ kind: ClusterRole
metadata: metadata:
name: proxy-role name: proxy-role
rules: rules:
- apiGroups: ["authentication.k8s.io"] - apiGroups: ["authentication.k8s.io"]
resources: resources:
- tokenreviews - tokenreviews
verbs: ["create"] verbs: ["create"]
- apiGroups: ["authorization.k8s.io"] - apiGroups: ["authorization.k8s.io"]
resources: resources:
- subjectaccessreviews - subjectaccessreviews
verbs: ["create"] verbs: ["create"]


@ -7,6 +7,6 @@ roleRef:
kind: ClusterRole kind: ClusterRole
name: proxy-role name: proxy-role
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: default name: default
namespace: system namespace: system


@ -11,8 +11,8 @@ metadata:
namespace: system namespace: system
spec: spec:
ports: ports:
- name: https - name: https
port: 8443 port: 8443
targetPort: https targetPort: https
selector: selector:
control-plane: controller-manager control-plane: controller-manager


@ -1,11 +1,11 @@
resources: resources:
- role.yaml - role.yaml
- role_binding.yaml - role_binding.yaml
- leader_election_role.yaml - leader_election_role.yaml
- leader_election_role_binding.yaml - leader_election_role_binding.yaml
# Comment the following 3 lines if you want to disable # Comment the following 3 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy) # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint. # which protects your /metrics endpoint.
- auth_proxy_service.yaml - auth_proxy_service.yaml
- auth_proxy_role.yaml - auth_proxy_role.yaml
- auth_proxy_role_binding.yaml - auth_proxy_role_binding.yaml


@ -4,23 +4,23 @@ kind: Role
metadata: metadata:
name: leader-election-role name: leader-election-role
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- configmaps - configmaps
verbs: verbs:
- get - get
- list - list
- watch - watch
- create - create
- update - update
- patch - patch
- delete - delete
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- configmaps/status - configmaps/status
verbs: verbs:
- get - get
- update - update
- patch - patch


@ -7,6 +7,6 @@ roleRef:
kind: Role kind: Role
name: leader-election-role name: leader-election-role
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: default name: default
namespace: system namespace: system


@ -1,4 +1,3 @@
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole kind: ClusterRole
@ -6,35 +5,35 @@ metadata:
creationTimestamp: null creationTimestamp: null
name: manager-role name: manager-role
rules: rules:
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- secrets - secrets
verbs: verbs:
- create - create
- delete - delete
- get - get
- list - list
- patch - patch
- update - update
- watch - watch
- apiGroups: - apiGroups:
- hydra.ory.sh - hydra.ory.sh
resources: resources:
- oauth2clients - oauth2clients
verbs: verbs:
- create - create
- delete - delete
- get - get
- list - list
- patch - patch
- update - update
- watch - watch
- apiGroups: - apiGroups:
- hydra.ory.sh - hydra.ory.sh
resources: resources:
- oauth2clients/status - oauth2clients/status
verbs: verbs:
- get - get
- patch - patch
- update - update


@ -7,6 +7,6 @@ roleRef:
kind: ClusterRole kind: ClusterRole
name: manager-role name: manager-role
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: default name: default
namespace: system namespace: system


@ -36,4 +36,3 @@ spec:
endpoint: /clients endpoint: /clients
forwardedProto: https forwardedProto: https
tokenEndpointAuthMethod: client_secret_basic tokenEndpointAuthMethod: client_secret_basic


@ -1,6 +1,6 @@
resources: resources:
- manifests.yaml - manifests.yaml
- service.yaml - service.yaml
configurations: configurations:
- kustomizeconfig.yaml - kustomizeconfig.yaml


@ -1,25 +1,25 @@
# the following config is for teaching kustomize where to look at when substituting vars. # the following config is for teaching kustomize where to look at when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly. # It requires kustomize v2.1.0 or newer to work properly.
nameReference: nameReference:
- kind: Service - kind: Service
version: v1 version: v1
fieldSpecs: fieldSpecs:
- kind: MutatingWebhookConfiguration - kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name path: webhooks/clientConfig/service/name
- kind: ValidatingWebhookConfiguration - kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name path: webhooks/clientConfig/service/name
namespace: namespace:
- kind: MutatingWebhookConfiguration - kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace path: webhooks/clientConfig/service/namespace
create: true create: true
- kind: ValidatingWebhookConfiguration - kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace path: webhooks/clientConfig/service/namespace
create: true create: true
varReference: varReference:
- path: metadata/annotations - path: metadata/annotations


@ -1,4 +1,3 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:


@ -1,24 +1,32 @@
# Design # Design
## Controller design ## Controller design
The controller listens for Custom Resource which defines client registration request. Once Custom resource is created, the controller register oauth2 client in hydra using hydra's REST API. The controller listens for Custom Resource which defines client registration
Client Id, Client Secret and Identifier of the client in hydra are be stored in the kubernetes as a secret and referenced in the applied CR. request. Once Custom resource is created, the controller register oauth2 client
Reference is used to identify in which kubernetes secret are stored mentioned properties. Secret iscreated in the same namespace of applied CR. in hydra using hydra's REST API. Client Id, Client Secret and Identifier of the
By default controller should be deployed in the same pod as hydra. Service discovery will come in place in the future. client in hydra are be stored in the kubernetes as a secret and referenced in
the applied CR. Reference is used to identify in which kubernetes secret are
stored mentioned properties. Secret iscreated in the same namespace of applied
CR. By default controller should be deployed in the same pod as hydra. Service
discovery will come in place in the future.
Custom Resource should be Namespace scoped to enable isolation in k8s. Custom Resource should be Namespace scoped to enable isolation in k8s. It is
It is represented in the diagram represented in the diagram
![diagram](./assets/workflow.svg) ![diagram](./assets/workflow.svg)
## Synchronization mode ## Synchronization mode
Additionally, controller supports synchronization mode, where it tries to register all clients in hydra. Additionally, controller supports synchronization mode, where it tries to
Synchronization is an optional mode, enabled via config, which is meant for use cases where hydra is deployed with in memory storage. register all clients in hydra. Synchronization is an optional mode, enabled via
If hydra pod is restarted for some reason then it does not have client in its storage. With synchronization mode the controller makes sure that hydra has up to date clients. config, which is meant for use cases where hydra is deployed with in memory
Synchronization is done by making POST request to hydra with payload describing all client information including clientID,clientSecret and Identifier of last applied client. storage. If hydra pod is restarted for some reason then it does not have client
If client exists in hydra storage 409 is returned which is considered as ok and synchronization continues with other clients. in its storage. With synchronization mode the controller makes sure that hydra
has up to date clients. Synchronization is done by making POST request to hydra
with payload describing all client information including clientID,clientSecret
and Identifier of last applied client. If client exists in hydra storage 409 is
returned which is considered as ok and synchronization continues with other
clients.
![diagram](./assets/synchronization-mode.svg) ![diagram](./assets/synchronization-mode.svg)

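--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,48 @@
+{
+  "name": "hydra-maester",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "devDependencies": {
+        "ory-prettier-styles": "1.3.0",
+        "prettier": "2.7.1"
+      }
+    },
+    "node_modules/ory-prettier-styles": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/ory-prettier-styles/-/ory-prettier-styles-1.3.0.tgz",
+      "integrity": "sha512-Vfn0G6CyLaadwcCamwe1SQCf37ZQfBDgMrhRI70dE/2fbE3Q43/xu7K5c32I5FGt/EliroWty5yBjmdkj0eWug==",
+      "dev": true
+    },
+    "node_modules/prettier": {
+      "version": "2.7.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.7.1.tgz",
+      "integrity": "sha512-ujppO+MkdPqoVINuDFDRLClm7D78qbDt0/NR+wp5FqEZOoTNAjPHWj17QRhu7geIHJfcNhRk1XVQmF8Bp3ye+g==",
+      "dev": true,
+      "bin": {
+        "prettier": "bin-prettier.js"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      },
+      "funding": {
+        "url": "https://github.com/prettier/prettier?sponsor=1"
+      }
+    }
+  },
+  "dependencies": {
+    "ory-prettier-styles": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/ory-prettier-styles/-/ory-prettier-styles-1.3.0.tgz",
+      "integrity": "sha512-Vfn0G6CyLaadwcCamwe1SQCf37ZQfBDgMrhRI70dE/2fbE3Q43/xu7K5c32I5FGt/EliroWty5yBjmdkj0eWug==",
+      "dev": true
+    },
+    "prettier": {
+      "version": "2.7.1",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-2.7.1.tgz",
+      "integrity": "sha512-ujppO+MkdPqoVINuDFDRLClm7D78qbDt0/NR+wp5FqEZOoTNAjPHWj17QRhu7geIHJfcNhRk1XVQmF8Bp3ye+g==",
+      "dev": true
+    }
+  }
+}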

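--- /dev/null
+++ b/package.json
@@ -0,0 +1,8 @@
+{
+  "private": true,
+  "prettier": "ory-prettier-styles",
+  "devDependencies": {
+    "ory-prettier-styles": "1.3.0",
+    "prettier": "2.7.1"
+  }
+}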