CadolesKube/hydra-maester
7
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

chore: format using Make (#111)

Browse Source
This commit is contained in:
Kevin Goslar 2022-09-22 07:52:52 -05:00 committed by GitHub
parent c5a66aa6eb
commit 5795340e0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
38 changed files with 593 additions and 424 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.circleci/config.yml
View File

@ -86,7 +86,9 @@ jobs:
./.circleci/release_name.bash
source $BASH_ENV
- setup_remote_docker
- run: docker login --username "$DOCKER_USERNAME" --password "$DOCKER_PASSWORD"
- run:
docker login --username "$DOCKER_USERNAME" --password
"$DOCKER_PASSWORD"
- run: curl -sL https://git.io/goreleaser | bash
release-changelog:
@ -96,7 +98,9 @@ jobs:
- checkout
- run: gem install github_changelog_generator -v 1.14.3
- run: sudo npm i -g doctoc
- run: github_changelog_generator -u ory -p hydra-maester -o CHANGELOG.md --token $GITHUB_TOKEN
- run:
github_changelog_generator -u ory -p hydra-maester -o CHANGELOG.md
--token $GITHUB_TOKEN
- run: doctoc CHANGELOG.md
- run: doctoc README.md
- run: git config --global user.email "circleci@ory.am"
@ -106,7 +110,9 @@ jobs:
- run: |
git commit -a -m "docs: Incorporates changes from version $(git describe --tags)" || true
- run: git remote rm origin
- run: git remote add origin https://arekkas:$GITHUB_TOKEN@github.com/ory/hydra-maester.git
- run:
git remote add origin
https://arekkas:$GITHUB_TOKEN@github.com/ory/hydra-maester.git
- run: git push origin HEAD:master || true
workflows:

16
.github/workflows/cve-scan.yaml vendored
View File

@ -2,12 +2,12 @@ name: Docker Image Scan
on:
push:
branches:
- 'master'
- "master"
tags:
- 'v*.*.*'
- "v*.*.*"
pull_request:
branches:
- 'master'
- "master"
jobs:
docker:
@ -18,7 +18,7 @@ jobs:
- uses: actions/setup-go@v2
name: Setup Golang
with:
go-version: '^1.16'
go-version: "^1.16"
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
@ -45,8 +45,8 @@ jobs:
uses: aquasecurity/trivy-action@master
with:
image-ref: controller:latest
format: 'table'
exit-code: '42'
format: "table"
exit-code: "42"
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
vuln-type: "os,library"
severity: "CRITICAL,HIGH"

17
.github/workflows/format.yml vendored Normal file
View File

@ -0,0 +1,17 @@
name: Format
on:
pull_request:
push:
jobs:
format:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: 1.19
- run: make format
- name: Indicate formatting issues
run: git diff HEAD --exit-code --color

3
.gitignore vendored
View File

@ -1,4 +1,3 @@
# Binaries for programs and plugins
*.exe
*.exe~
@ -25,3 +24,5 @@ bin
config/default/manager_image_patch.yaml-e
/manager
node_modules/

1
.goreleaser.yml
View File

@ -27,7 +27,6 @@ snapshot:
changelog:
sort: asc
dockers:
- image_templates:
- "oryd/hydra-maester:v{{ .Major }}"

4
.prettierignore Normal file
View File

@ -0,0 +1,4 @@
api/v1alpha1/zz_generated.deepcopy.go
CHANGELOG.md
.github/pull_request_template.md
CONTRIBUTING.md

16
Makefile
View File

@ -28,7 +28,7 @@ all: manager
# Run tests
.PHONY: test
test: generate fmt vet manifests
test: generate vet manifests
go test ./api/... ./controllers/... ./hydra/... ./helpers/... -coverprofile cover.out
# Start KIND pseudo-cluster
@ -64,12 +64,12 @@ test-integration:
# Build manager binary
.PHONY: manager
manager: generate fmt vet
manager: generate vet
CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=amd64 go build -a -o manager main.go
# Run against the configured Kubernetes cluster in ~/.kube/config
.PHONY: run
run: generate fmt vet
run: generate vet
go run ./main.go --hydra-url ${HYDRA_URL}
# Install CRDs into a cluster
@ -88,10 +88,10 @@ deploy: manifests
manifests: controller-gen
$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=manager-role webhook paths="./..." output:crd:artifacts:config=config/crd/bases
# Run go fmt against code
.PHONY: fmt
fmt:
# Format the source code
format: node_modules
go fmt ./...
npm exec -- prettier --write .
# Run go vet against code
.PHONY: vet
@ -135,3 +135,7 @@ kubebuilder:
curl -sL https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.2/kubebuilder_2.3.2_${OS}_${ARCH}.tar.gz | tar -xz -C /tmp/
mv /tmp/kubebuilder_2.3.2_${OS}_${ARCH} ${PWD}/.bin/kubebuilder
export PATH=${PATH}:${PWD}/.bin/kubebuilder/bin
node_modules: package-lock.json
npm ci
touch node_modules

52
README.md
View File

@ -15,15 +15,26 @@
⚠️ ⚠️ ⚠️
> Ory Hydra Maester is developed by the Ory community and is not actively maintained by Ory core maintainers due to lack of resources, time, and knolwedge. As such please be aware that there might be issues with the system. If you have ideas for better testing and development principles please open an issue or PR!
> Ory Hydra Maester is developed by the Ory community and is not actively
> maintained by Ory core maintainers due to lack of resources, time, and
> knolwedge. As such please be aware that there might be issues with the system.
> If you have ideas for better testing and development principles please open an
> issue or PR!
⚠️ ⚠️ ⚠️
This project contains a Kubernetes controller that uses Custom Resources (CR) to manage Hydra Oauth2 clients. ORY Hydra Maester watches for instances of `oauth2clients.hydra.ory.sh/v1alpha1` CR and creates, updates, or deletes corresponding OAuth2 clients by communicating with ORY Hydra's API.
This project contains a Kubernetes controller that uses Custom Resources (CR) to
manage Hydra Oauth2 clients. ORY Hydra Maester watches for instances of
`oauth2clients.hydra.ory.sh/v1alpha1` CR and creates, updates, or deletes
corresponding OAuth2 clients by communicating with ORY Hydra's API.
Visit Hydra-maester's [chart documentation](https://github.com/ory/k8s/blob/master/docs/helm/hydra-maester.md) and view [sample OAuth2 client resources](config/samples) to learn more about the `oauth2clients.hydra.ory.sh/v1alpha1` CR.
Visit Hydra-maester's
[chart documentation](https://github.com/ory/k8s/blob/master/docs/helm/hydra-maester.md)
and view [sample OAuth2 client resources](config/samples) to learn more about
the `oauth2clients.hydra.ory.sh/v1alpha1` CR.
The project is based on [Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder).
The project is based on
[Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder).
## Prerequisites
@ -31,10 +42,12 @@ The project is based on [Kubebuilder](https://github.com/kubernetes-sigs/kubebui
- make
- kubectl
- kustomize
- [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) for running tests
- [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) for running
tests
- [ginkgo](https://onsi.github.io/ginkgo/) for local integration testing
- access to K8s environment: minikube or a remote K8s cluster
- [mockery](https://github.com/vektra/mockery) to generate mocks for testing purposes
- [mockery](https://github.com/vektra/mockery) to generate mocks for testing
purposes
## Design
@ -44,27 +57,32 @@ Take a look at [Design Readme](./docs/README.md).
- `make test` to run tests
- `make test-integration` to run integration tests
- `make install` to generate CRD file from go sources and install it on the cluster
- `make install` to generate CRD file from go sources and install it on the
cluster
- `export HYDRA_URL={HYDRA_SERVICE_URL} && make run` to run the controller
To deploy the controller, edit the value of the ```--hydra-url``` argument in the [manager.yaml](config/manager/manager.yaml) file and run ```make deploy```.
To deploy the controller, edit the value of the `--hydra-url` argument in the
[manager.yaml](config/manager/manager.yaml) file and run `make deploy`.
### Command-line flags
| Name | Required | Description | Default value | Example values |
|----------------------------|----------|----------------------------------------|---------------|------------------------------------------------------|
| **hydra-url** | yes | ORY Hydra's service address | - | ` ory-hydra-admin.ory.svc.cluster.local` |
| **hydra-port** | no | ORY Hydra's service port | `4445` | `4445` |
| **tls-trust-store** | no | TLS cert path for hydra client | `""` | `/etc/ssl/certs/ca-certificates.crt` |
| **insecure-skip-verify** | no | Skip http client insecure verification | `false` | `true` or `false` |
| **namespace** | no | Namespace in which the controller should operate. Setting this will make the controller ignore other namespaces. | `""` | `"my-namespace"` |
| **leader-elector-namespace** | no | Leader elector namespace where controller should be set. | `""` | `"my-namespace"` |
| Name | Required | Description | Default value | Example values |
| ---------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------- |
| **hydra-url** | yes | ORY Hydra's service address | - | ` ory-hydra-admin.ory.svc.cluster.local` |
| **hydra-port** | no | ORY Hydra's service port | `4445` | `4445` |
| **tls-trust-store** | no | TLS cert path for hydra client | `""` | `/etc/ssl/certs/ca-certificates.crt` |
| **insecure-skip-verify** | no | Skip http client insecure verification | `false` | `true` or `false` |
| **namespace** | no | Namespace in which the controller should operate. Setting this will make the controller ignore other namespaces. | `""` | `"my-namespace"` |
| **leader-elector-namespace** | no | Leader elector namespace where controller should be set. | `""` | `"my-namespace"` |
## Development
### Testing
Use mockery to generate mock types that implement existing interfaces. To generate a mock type for an interface, navigate to the directory containing that interface and run this command:
Use mockery to generate mock types that implement existing interfaces. To
generate a mock type for an interface, navigate to the directory containing that
interface and run this command:
```
mockery -name={INTERFACE_NAME}
```

1
api/v1alpha1/zz_generated.deepcopy.go
View File

@ -1,3 +1,4 @@
//go:build !ignore_autogenerated
// +build !ignore_autogenerated
/*

4
config/certmanager/certificate.yaml
View File

@ -11,13 +11,13 @@ spec:
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
namespace: system
spec:
# $(SERVICENAME) and $(NAMESPACE) will be substituted by kustomize
commonName: $(SERVICENAME).$(NAMESPACE).svc
dnsNames:
- $(SERVICENAME).$(NAMESPACE).svc.cluster.local
- $(SERVICENAME).$(NAMESPACE).svc.cluster.local
issuerRef:
kind: Issuer
name: selfsigned-issuer

40
config/certmanager/kustomization.yaml
View File

@ -1,26 +1,26 @@
resources:
- certificate.yaml
- certificate.yaml
# the following config is for teaching kustomize how to do var substitution
vars:
- name: NAMESPACE # namespace of the service and the certificate CR
objref:
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: CERTIFICATENAME
objref:
kind: Certificate
group: certmanager.k8s.io
version: v1alpha1
name: serving-cert # this name should match the one in certificate.yaml
- name: SERVICENAME
objref:
kind: Service
version: v1
name: webhook-service
- name: NAMESPACE # namespace of the service and the certificate CR
objref:
kind: Service
version: v1
name: webhook-service
fieldref:
fieldpath: metadata.namespace
- name: CERTIFICATENAME
objref:
kind: Certificate
group: certmanager.k8s.io
version: v1alpha1
name: serving-cert # this name should match the one in certificate.yaml
- name: SERVICENAME
objref:
kind: Service
version: v1
name: webhook-service
configurations:
- kustomizeconfig.yaml
- kustomizeconfig.yaml

22
config/certmanager/kustomizeconfig.yaml
View File

@ -1,16 +1,16 @@
# This configuration is for teaching kustomize how to update name ref and var substitution
nameReference:
- kind: Issuer
group: certmanager.k8s.io
fieldSpecs:
- kind: Certificate
- kind: Issuer
group: certmanager.k8s.io
path: spec/issuerRef/name
fieldSpecs:
- kind: Certificate
group: certmanager.k8s.io
path: spec/issuerRef/name
varReference:
- kind: Certificate
group: certmanager.k8s.io
path: spec/commonName
- kind: Certificate
group: certmanager.k8s.io
path: spec/dnsNames
- kind: Certificate
group: certmanager.k8s.io
path: spec/commonName
- kind: Certificate
group: certmanager.k8s.io
path: spec/dnsNames

358
config/crd/bases/hydra.ory.sh_oauth2clients.yaml
View File

@ -1,4 +1,3 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@ -16,158 +15,217 @@ spec:
singular: oauth2client
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: OAuth2Client is the Schema for the oauth2clients API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: OAuth2ClientSpec defines the desired state of OAuth2Client
properties:
allowedCorsOrigins:
description: AllowedCorsOrigins is an array of allowed CORS origins
items:
description: RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
audience:
description: Audience is a whitelist defining the audiences this client is allowed to request tokens for
items:
type: string
type: array
clientName:
description: ClientName is the human-readable string name of the client to be presented to the end-user during authorization.
type: string
grantTypes:
description: GrantTypes is an array of grant types the client is allowed to use.
items:
description: GrantType represents an OAuth 2.0 grant type
enum:
- client_credentials
- authorization_code
- implicit
- refresh_token
type: string
maxItems: 4
minItems: 1
type: array
hydraAdmin:
description: HydraAdmin is the optional configuration to use for managing this client
properties:
endpoint:
description: Endpoint is the endpoint for the hydra instance on which to set up the client. This value will override the value provided to `--endpoint` (defaults to `"/clients"` in the application)
pattern: (^$|^/.*)
type: string
forwardedProto:
description: ForwardedProto overrides the `--forwarded-proto` flag. The value "off" will force this to be off even if `--forwarded-proto` is specified
pattern: (^$|https?|off)
type: string
port:
description: Port is the port for the hydra instance on which to set up the client. This value will override the value provided to `--hydra-port`
maximum: 65535
type: integer
url:
description: URL is the URL for the hydra instance on which to set up the client. This value will override the value provided to `--hydra-url`
maxLength: 64
pattern: (^$|^https?://.*)
type: string
type: object
metadata:
description: Metadata is abritrary data
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
postLogoutRedirectUris:
description: PostLogoutRedirectURIs is an array of the post logout redirect URIs allowed for the application
items:
description: RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
redirectUris:
description: RedirectURIs is an array of the redirect URIs allowed for the application
items:
description: RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
responseTypes:
description: ResponseTypes is an array of the OAuth 2.0 response type strings that the client can use at the authorization endpoint.
items:
description: ResponseType represents an OAuth 2.0 response type strings
enum:
- id_token
- code
- token
- code token
- code id_token
- id_token token
- code id_token token
type: string
maxItems: 3
minItems: 1
type: array
scope:
description: Scope is a string containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens.
pattern: ([a-zA-Z0-9\.\*]+\s?)+
type: string
secretName:
description: SecretName points to the K8s secret that contains this client's ID and password
maxLength: 253
minLength: 1
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
type: string
tokenEndpointAuthMethod:
allOf:
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
description: Indication which authentication method shoud be used for the token endpoint
type: string
required:
- grantTypes
- scope
- secretName
type: object
status:
description: OAuth2ClientStatus defines the observed state of OAuth2Client
properties:
observedGeneration:
description: ObservedGeneration represents the most recent generation observed by the daemon set controller.
format: int64
type: integer
reconciliationError:
description: ReconciliationError represents an error that occurred during the reconciliation process
properties:
- name: v1alpha1
schema:
openAPIV3Schema:
description: OAuth2Client is the Schema for the oauth2clients API
properties:
apiVersion:
description:
"APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the
latest internal value, and may reject unrecognized values. More
info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
type: string
kind:
description:
"Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the
client submits requests to. Cannot be updated. In CamelCase.
More info:
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
type: string
metadata:
type: object
spec:
description:
OAuth2ClientSpec defines the desired state of OAuth2Client
properties:
allowedCorsOrigins:
description:
description: Description is the description of the reconciliation error
AllowedCorsOrigins is an array of allowed CORS origins
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
statusCode:
description: Code is the status code of the reconciliation error
type: array
audience:
description:
Audience is a whitelist defining the audiences this client
is allowed to request tokens for
items:
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
type: array
clientName:
description:
ClientName is the human-readable string name of the client
to be presented to the end-user during authorization.
type: string
grantTypes:
description:
GrantTypes is an array of grant types the client is allowed
to use.
items:
description: GrantType represents an OAuth 2.0 grant type
enum:
- client_credentials
- authorization_code
- implicit
- refresh_token
type: string
maxItems: 4
minItems: 1
type: array
hydraAdmin:
description:
HydraAdmin is the optional configuration to use for managing
this client
properties:
endpoint:
description:
Endpoint is the endpoint for the hydra instance on which
to set up the client. This value will override the value
provided to `--endpoint` (defaults to `"/clients"` in
the application)
pattern: (^$|^/.*)
type: string
forwardedProto:
description:
ForwardedProto overrides the `--forwarded-proto` flag.
The value "off" will force this to be off even if
`--forwarded-proto` is specified
pattern: (^$|https?|off)
type: string
port:
description:
Port is the port for the hydra instance on which to set
up the client. This value will override the value
provided to `--hydra-port`
maximum: 65535
type: integer
url:
description:
URL is the URL for the hydra instance on which to set up
the client. This value will override the value provided
to `--hydra-url`
maxLength: 64
pattern: (^$|^https?://.*)
type: string
type: object
metadata:
description: Metadata is abritrary data
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
postLogoutRedirectUris:
description:
PostLogoutRedirectURIs is an array of the post logout
redirect URIs allowed for the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
redirectUris:
description:
RedirectURIs is an array of the redirect URIs allowed for
the application
items:
description:
RedirectURI represents a redirect URI for the client
pattern: \w+:/?/?[^\s]+
type: string
type: array
responseTypes:
description:
ResponseTypes is an array of the OAuth 2.0 response type
strings that the client can use at the authorization
endpoint.
items:
description:
ResponseType represents an OAuth 2.0 response type strings
enum:
- id_token
- code
- token
- code token
- code id_token
- id_token token
- code id_token token
type: string
maxItems: 3
minItems: 1
type: array
scope:
description:
Scope is a string containing a space-separated list of scope
values (as described in Section 3.3 of OAuth 2.0 [RFC6749])
that the client can use when requesting access tokens.
pattern: ([a-zA-Z0-9\.\*]+\s?)+
type: string
secretName:
description:
SecretName points to the K8s secret that contains this
client's ID and password
maxLength: 253
minLength: 1
pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
type: string
tokenEndpointAuthMethod:
allOf:
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
- enum:
- client_secret_basic
- client_secret_post
- private_key_jwt
- none
description:
Indication which authentication method shoud be used for the
token endpoint
type: string
required:
- grantTypes
- scope
- secretName
type: object
status:
description:
OAuth2ClientStatus defines the observed state of OAuth2Client
properties:
observedGeneration:
description:
ObservedGeneration represents the most recent generation
observed by the daemon set controller.
format: int64
type: integer
reconciliationError:
description:
ReconciliationError represents an error that occurred during
the reconciliation process
properties:
description:
description:
Description is the description of the reconciliation
error
type: string
statusCode:
description:
Code is the status code of the reconciliation error
type: string
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""

4
config/crd/kustomization.yaml
View File

@ -2,7 +2,7 @@
# since it depends on service name and namespace that are out of this kustomize package.
# It should be run by config/default
resources:
- bases/hydra.ory.sh_oauth2clients.yaml
- bases/hydra.ory.sh_oauth2clients.yaml
# +kubebuilder:scaffold:crdkustomizeresource
patches:
@ -16,4 +16,4 @@ patches:
# the following config is for teaching kustomize how to do kustomization for CRDs.
configurations:
- kustomizeconfig.yaml
- kustomizeconfig.yaml

22
config/crd/kustomizeconfig.yaml
View File

@ -1,17 +1,17 @@
# This file is for teaching kustomize how to substitute name and namespace reference in CRD
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/name
- kind: Service
version: v1
fieldSpecs:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/name
namespace:
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/namespace
create: false
- kind: CustomResourceDefinition
group: apiextensions.k8s.io
path: spec/conversion/webhookClientConfig/service/namespace
create: false
varReference:
- path: metadata/annotations
- path: metadata/annotations

26
config/default/kustomization.yaml
View File

@ -13,25 +13,25 @@ namePrefix: hydra-maester-
# someName: someValue
bases:
- ../crd
- ../rbac
- ../manager
- ../crd
- ../rbac
- ../manager
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml
#- ../webhook
# [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required.
#- ../certmanager
patches:
- manager_image_patch.yaml
# Protect the /metrics endpoint by putting it behind auth.
# Only one of manager_auth_proxy_patch.yaml and
# manager_prometheus_metrics_patch.yaml should be enabled.
- manager_auth_proxy_patch.yaml
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, uncomment the following line and
# comment manager_auth_proxy_patch.yaml.
# Only one of manager_auth_proxy_patch.yaml and
# manager_prometheus_metrics_patch.yaml should be enabled.
- manager_image_patch.yaml
# Protect the /metrics endpoint by putting it behind auth.
# Only one of manager_auth_proxy_patch.yaml and
# manager_prometheus_metrics_patch.yaml should be enabled.
- manager_auth_proxy_patch.yaml
# If you want your controller-manager to expose the /metrics
# endpoint w/o any authn/z, uncomment the following line and
# comment manager_auth_proxy_patch.yaml.
# Only one of manager_auth_proxy_patch.yaml and
# manager_prometheus_metrics_patch.yaml should be enabled.
#- manager_prometheus_metrics_patch.yaml
# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml

26
config/default/manager_auth_proxy_patch.yaml
View File

@ -9,16 +9,16 @@ spec:
template:
spec:
containers:
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
name: https
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"
- name: kube-rbac-proxy
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=10"
ports:
- containerPort: 8443
name: https
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"

8
config/default/manager_image_patch.yaml
View File

@ -7,7 +7,7 @@ spec:
template:
spec:
containers:
# Change the value of image field below to your controller image URL
- image: controller:latest
name: manager
imagePullPolicy: IfNotPresent
# Change the value of image field below to your controller image URL
- image: controller:latest
name: manager
imagePullPolicy: IfNotPresent

14
config/default/manager_prometheus_metrics_patch.yaml
View File

@ -8,12 +8,12 @@ spec:
template:
metadata:
annotations:
prometheus.io/scrape: 'true'
prometheus.io/scrape: "true"
spec:
containers:
# Expose the prometheus metrics on default port
- name: manager
ports:
- containerPort: 8080
name: metrics
protocol: TCP
# Expose the prometheus metrics on default port
- name: manager
ports:
- containerPort: 8080
name: metrics
protocol: TCP

26
config/default/manager_webhook_patch.yaml
View File

@ -7,17 +7,17 @@ spec:
template:
spec:
containers:
- name: manager
ports:
- containerPort: 443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
- name: manager
ports:
- containerPort: 443
name: webhook-server
protocol: TCP
volumeMounts:
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: cert
readOnly: true
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert

2
config/manager/kustomization.yaml
View File

@ -1,2 +1,2 @@
resources:
- manager.yaml
- manager.yaml

28
config/manager/manager.yaml
View File

@ -23,18 +23,18 @@ spec:
control-plane: controller-manager
spec:
containers:
- command:
- /manager
args:
- --enable-leader-election
- --hydra-url=http://use.actual.hydra.fqdn #change it to your ORY Hydra address
image: controller:latest
name: manager
resources:
limits:
cpu: 100m
memory: 30Mi
requests:
cpu: 100m
memory: 20Mi
- command:
- /manager
args:
- --enable-leader-election
- --hydra-url=http://use.actual.hydra.fqdn #change it to your ORY Hydra address
image: controller:latest
name: manager
resources:
limits:
cpu: 100m
memory: 30Mi
requests:
cpu: 100m
memory: 20Mi
terminationGracePeriodSeconds: 10

16
config/rbac/auth_proxy_role.yaml
View File

@ -3,11 +3,11 @@ kind: ClusterRole
metadata:
name: proxy-role
rules:
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]
- apiGroups: ["authentication.k8s.io"]
resources:
- tokenreviews
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources:
- subjectaccessreviews
verbs: ["create"]

6
config/rbac/auth_proxy_role_binding.yaml
View File

@ -7,6 +7,6 @@ roleRef:
kind: ClusterRole
name: proxy-role
subjects:
- kind: ServiceAccount
name: default
namespace: system
- kind: ServiceAccount
name: default
namespace: system

6
config/rbac/auth_proxy_service.yaml
View File

@ -11,8 +11,8 @@ metadata:
namespace: system
spec:
ports:
- name: https
port: 8443
targetPort: https
- name: https
port: 8443
targetPort: https
selector:
control-plane: controller-manager

20
config/rbac/kustomization.yaml
View File

@ -1,11 +1,11 @@
resources:
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 3 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- role.yaml
- role_binding.yaml
- leader_election_role.yaml
- leader_election_role_binding.yaml
# Comment the following 3 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml

40
config/rbac/leader_election_role.yaml
View File

@ -4,23 +4,23 @@ kind: Role
metadata:
name: leader-election-role
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps/status
verbs:
- get
- update
- patch

6
config/rbac/leader_election_role_binding.yaml
View File

@ -7,6 +7,6 @@ roleRef:
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: default
namespace: system
- kind: ServiceAccount
name: default
namespace: system

65
config/rbac/role.yaml
View File

@ -1,4 +1,3 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@ -6,35 +5,35 @@ metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- hydra.ory.sh
resources:
- oauth2clients
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- hydra.ory.sh
resources:
- oauth2clients/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- hydra.ory.sh
resources:
- oauth2clients
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- hydra.ory.sh
resources:
- oauth2clients/status
verbs:
- get
- patch
- update

6
config/rbac/role_binding.yaml
View File

@ -7,6 +7,6 @@ roleRef:
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: default
namespace: system
- kind: ServiceAccount
name: default
namespace: system

1
config/samples/hydra_v1alpha1_oauth2client.yaml
View File

@ -36,4 +36,3 @@ spec:
endpoint: /clients
forwardedProto: https
tokenEndpointAuthMethod: client_secret_basic

6
config/webhook/kustomization.yaml
View File

@ -1,6 +1,6 @@
resources:
- manifests.yaml
- service.yaml
- manifests.yaml
- service.yaml
configurations:
- kustomizeconfig.yaml
- kustomizeconfig.yaml

36
config/webhook/kustomizeconfig.yaml
View File

@ -1,25 +1,25 @@
# the following config is for teaching kustomize where to look at when substituting vars.
# It requires kustomize v2.1.0 or newer to work properly.
nameReference:
- kind: Service
version: v1
fieldSpecs:
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
- kind: Service
version: v1
fieldSpecs:
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/name
namespace:
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
- kind: MutatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
- kind: ValidatingWebhookConfiguration
group: admissionregistration.k8s.io
path: webhooks/clientConfig/service/namespace
create: true
varReference:
- path: metadata/annotations
- path: metadata/annotations

1
config/webhook/service.yaml
View File

@ -1,4 +1,3 @@
apiVersion: v1
kind: Service
metadata:

32
docs/README.md
View File

@ -1,24 +1,32 @@
# Design
## Controller design
The controller listens for Custom Resource which defines client registration request. Once Custom resource is created, the controller register oauth2 client in hydra using hydra's REST API.
Client Id, Client Secret and Identifier of the client in hydra are be stored in the kubernetes as a secret and referenced in the applied CR.
Reference is used to identify in which kubernetes secret are stored mentioned properties. Secret iscreated in the same namespace of applied CR.
By default controller should be deployed in the same pod as hydra. Service discovery will come in place in the future.
The controller listens for Custom Resource which defines client registration
request. Once Custom resource is created, the controller register oauth2 client
in hydra using hydra's REST API. Client Id, Client Secret and Identifier of the
client in hydra are be stored in the kubernetes as a secret and referenced in
the applied CR. Reference is used to identify in which kubernetes secret are
stored mentioned properties. Secret iscreated in the same namespace of applied
CR. By default controller should be deployed in the same pod as hydra. Service
discovery will come in place in the future.
Custom Resource should be Namespace scoped to enable isolation in k8s.
It is represented in the diagram
Custom Resource should be Namespace scoped to enable isolation in k8s. It is
represented in the diagram
![diagram](./assets/workflow.svg)
## Synchronization mode
Additionally, controller supports synchronization mode, where it tries to register all clients in hydra.
Synchronization is an optional mode, enabled via config, which is meant for use cases where hydra is deployed with in memory storage.
If hydra pod is restarted for some reason then it does not have client in its storage. With synchronization mode the controller makes sure that hydra has up to date clients.
Synchronization is done by making POST request to hydra with payload describing all client information including clientID,clientSecret and Identifier of last applied client.
If client exists in hydra storage 409 is returned which is considered as ok and synchronization continues with other clients.
Additionally, controller supports synchronization mode, where it tries to
register all clients in hydra. Synchronization is an optional mode, enabled via
config, which is meant for use cases where hydra is deployed with in memory
storage. If hydra pod is restarted for some reason then it does not have client
in its storage. With synchronization mode the controller makes sure that hydra
has up to date clients. Synchronization is done by making POST request to hydra
with payload describing all client information including clientID,clientSecret
and Identifier of last applied client. If client exists in hydra storage 409 is
returned which is considered as ok and synchronization continues with other
clients.
![diagram](./assets/synchronization-mode.svg)

48
package-lock.json generated Normal file
View File

@ -0,0 +1,48 @@
{
"name": "hydra-maester",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"devDependencies": {
"ory-prettier-styles": "1.3.0",
"prettier": "2.7.1"
}
},
"node_modules/ory-prettier-styles": {
"version": "1.3.0",
"resolved": "https://registry.npmjs.org/ory-prettier-styles/-/ory-prettier-styles-1.3.0.tgz",
"integrity": "sha512-Vfn0G6CyLaadwcCamwe1SQCf37ZQfBDgMrhRI70dE/2fbE3Q43/xu7K5c32I5FGt/EliroWty5yBjmdkj0eWug==",
"dev": true
},
"node_modules/prettier": {
"version": "2.7.1",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-2.7.1.tgz",
"integrity": "sha512-ujppO+MkdPqoVINuDFDRLClm7D78qbDt0/NR+wp5FqEZOoTNAjPHWj17QRhu7geIHJfcNhRk1XVQmF8Bp3ye+g==",
"dev": true,
"bin": {
"prettier": "bin-prettier.js"
},
"engines": {
"node": ">=10.13.0"
},
"funding": {
"url": "https://github.com/prettier/prettier?sponsor=1"
}
}
},
"dependencies": {
"ory-prettier-styles": {
"version": "1.3.0",
"resolved": "https://registry.npmjs.org/ory-prettier-styles/-/ory-prettier-styles-1.3.0.tgz",
"integrity": "sha512-Vfn0G6CyLaadwcCamwe1SQCf37ZQfBDgMrhRI70dE/2fbE3Q43/xu7K5c32I5FGt/EliroWty5yBjmdkj0eWug==",
"dev": true
},
"prettier": {
"version": "2.7.1",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-2.7.1.tgz",
"integrity": "sha512-ujppO+MkdPqoVINuDFDRLClm7D78qbDt0/NR+wp5FqEZOoTNAjPHWj17QRhu7geIHJfcNhRk1XVQmF8Bp3ye+g==",
"dev": true
}
}
}

8
package.json Normal file
View File

@ -0,0 +1,8 @@
{
"private": true,
"prettier": "ory-prettier-styles",
"devDependencies": {
"ory-prettier-styles": "1.3.0",
"prettier": "2.7.1"
}
}