feat: initial commit
This commit is contained in:
commit
06b7aa7903
7
README.md
Normal file
7
README.md
Normal file
@ -0,0 +1,7 @@
|
||||
# Kustom SSO
|
||||
|
||||
Kustomization du service "SSO" (Ory Hydra)
|
||||
|
||||
## Usage
|
||||
|
||||
[Voir la documentation](./doc/README.md)
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
nameReference:
|
||||
- kind: Secret
|
||||
fieldSpecs:
|
||||
- path: spec/superuserSecret/name
|
||||
kind: Cluster
|
||||
- path: spec/bootstrap/initdb/secret/name
|
||||
kind: Cluster
|
34
components/hydra-cnpg-database/kustomization.yaml
Normal file
34
components/hydra-cnpg-database/kustomization.yaml
Normal file
@ -0,0 +1,34 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1alpha1
|
||||
kind: Component
|
||||
|
||||
configurations:
|
||||
- ./configurations/cnpg-cluster.yaml
|
||||
|
||||
resources:
|
||||
- ./resources/hydra-cnpg-cluster.yaml
|
||||
|
||||
secretGenerator:
|
||||
- name: hydra-postgres-admin
|
||||
type: Secret
|
||||
literals:
|
||||
- username=postgres
|
||||
- password=NotSoSecret
|
||||
- name: hydra-postgres-user
|
||||
type: Secret
|
||||
literals:
|
||||
- username=hydra
|
||||
- password=NotSoSecret
|
||||
|
||||
patchesJson6902:
|
||||
- target:
|
||||
group: apps
|
||||
version: v1
|
||||
kind: Deployment
|
||||
name: hydra
|
||||
path: patches/hydra-deployment.yaml
|
||||
- target:
|
||||
group: batch
|
||||
version: v1
|
||||
kind: Job
|
||||
name: hydra-migrate
|
||||
path: patches/hydra-migrate-job.yaml
|
21
components/hydra-cnpg-database/patches/hydra-deployment.yaml
Normal file
21
components/hydra-cnpg-database/patches/hydra-deployment.yaml
Normal file
@ -0,0 +1,21 @@
|
||||
- op: add
|
||||
path: "/spec/template/spec/containers/0/env/-"
|
||||
value:
|
||||
name: HYDRA_DATABASE_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: hydra-postgres-user
|
||||
key: username
|
||||
- op: add
|
||||
path: "/spec/template/spec/containers/0/env/-"
|
||||
value:
|
||||
name: HYDRA_DATABASE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: hydra-postgres-user
|
||||
key: password
|
||||
- op: add
|
||||
path: "/spec/template/spec/containers/0/env/-"
|
||||
value:
|
||||
name: DSN
|
||||
value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@hydra-postgres-rw:5432/hydra?sslmode=disable"
|
@ -0,0 +1,21 @@
|
||||
- op: add
|
||||
path: "/spec/template/spec/containers/0/env/-"
|
||||
value:
|
||||
name: HYDRA_DATABASE_USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: hydra-postgres-user
|
||||
key: username
|
||||
- op: add
|
||||
path: "/spec/template/spec/containers/0/env/-"
|
||||
value:
|
||||
name: HYDRA_DATABASE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: hydra-postgres-user
|
||||
key: password
|
||||
- op: add
|
||||
path: "/spec/template/spec/containers/0/env/-"
|
||||
value:
|
||||
name: DSN
|
||||
value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@hydra-postgres-rw:5432/hydra?sslmode=disable"
|
@ -0,0 +1,17 @@
|
||||
apiVersion: postgresql.cnpg.io/v1
|
||||
kind: Cluster
|
||||
metadata:
|
||||
name: hydra-postgres
|
||||
spec:
|
||||
instances: 3
|
||||
primaryUpdateStrategy: unsupervised
|
||||
superuserSecret:
|
||||
name: hydra-postgres-admin
|
||||
bootstrap:
|
||||
initdb:
|
||||
database: hydra
|
||||
owner: hydra
|
||||
secret:
|
||||
name: hydra-postgres-user
|
||||
storage:
|
||||
size: 2Gi
|
1
doc/README.md
Normal file
1
doc/README.md
Normal file
@ -0,0 +1 @@
|
||||
# Documentation
|
9
kustomization.yaml
Normal file
9
kustomization.yaml
Normal file
@ -0,0 +1,9 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- ./resources/hydra
|
||||
- ./resources/hydra-dispatcher
|
||||
|
||||
components:
|
||||
- ./components/hydra-cnpg-database
|
21
resources/hydra-dispatcher/kustomization.yaml
Normal file
21
resources/hydra-dispatcher/kustomization.yaml
Normal file
@ -0,0 +1,21 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- ./resources/hydra-dispatcher-deployment.yaml
|
||||
- ./resources/hydra-dispatcher-service.yaml
|
||||
|
||||
configMapGenerator:
|
||||
- name: hydra-dispatcher-env
|
||||
literals:
|
||||
- APP_ENV=prod
|
||||
- APP_DEBUG=false
|
||||
- HYDRA_BASE_URL=http://hydra:4444
|
||||
- HYDRA_ADMIN_BASE_URL=http://hydra:4445
|
||||
- HYDRA_REWRITE_ISSUER=yes
|
||||
- HYDRA_ORIGINAL_ISSUER=http://localhost:4444
|
||||
- HYDRA_NEW_ISSUER=http://hydra-dispatcher
|
||||
- BASE_URL=http://hydra-dispatcher
|
||||
- COOKIE_PATH=/
|
||||
- DEFAULT_LOCALE=fr
|
||||
- APP_LOCALES=fr,en
|
@ -0,0 +1,28 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: hydra-dispatcher
|
||||
name: hydra-dispatcher
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
io.kompose.service: hydra-dispatcher
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: hydra-dispatcher
|
||||
spec:
|
||||
containers:
|
||||
- name: hydra
|
||||
image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-159-gd91e77b
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: hydra-dispatcher-env
|
||||
ports:
|
||||
- containerPort: 80
|
||||
resources: {}
|
||||
restartPolicy: Always
|
@ -0,0 +1,14 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: hydra-dispatcher
|
||||
name: hydra-dispatcher
|
||||
spec:
|
||||
ports:
|
||||
- name: hydra-dispatcher
|
||||
port: 80
|
||||
selector:
|
||||
io.kompose.service: hydra-dispatcher
|
||||
status:
|
||||
loadBalancer: {}
|
24
resources/hydra/kustomization.yaml
Normal file
24
resources/hydra/kustomization.yaml
Normal file
@ -0,0 +1,24 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- ./resources/hydra-deployment.yaml
|
||||
- ./resources/hydra-service.yaml
|
||||
- ./resources/hydra-role.yaml
|
||||
- ./resources/hydra-rolebinding.yaml
|
||||
- ./resources/hydra-serviceaccount.yaml
|
||||
- ./resources/hydra-migrate-job.yaml
|
||||
|
||||
secretGenerator:
|
||||
- name: hydra-secret
|
||||
literals:
|
||||
- SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
|
||||
|
||||
configMapGenerator:
|
||||
- name: hydra-env
|
||||
literals:
|
||||
- URLS_SELF_ISSUER=http://localhost:4444
|
||||
- URLS_LOGIN=http://hydra-login-app/login
|
||||
- URLS_CONSENT=http://hydra-consent-app/consent
|
||||
- URLS_LOGOUT=http://hydra-logout-app/logout
|
||||
- HYDRA_SERVE_ALL_ARGS=
|
59
resources/hydra/resources/hydra-deployment.yaml
Normal file
59
resources/hydra/resources/hydra-deployment.yaml
Normal file
@ -0,0 +1,59 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: hydra
|
||||
name: hydra
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
io.kompose.service: hydra
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: hydra
|
||||
spec:
|
||||
serviceAccount: hydra-sa
|
||||
initContainers:
|
||||
- name: wait-for-migrate
|
||||
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
|
||||
args:
|
||||
- job
|
||||
- hydra-migrate
|
||||
containers:
|
||||
- name: hydra
|
||||
image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: hydra-env
|
||||
env:
|
||||
- name: LOG_LEVEL
|
||||
value: debug
|
||||
- name: LOG_LEAK_SENSITIVE_VALUES
|
||||
value: "true"
|
||||
- name: SECRETS_SYSTEM
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: hydra-secret
|
||||
key: SECRETS_SYSTEM
|
||||
args: ["serve", "all", "$(HYDRA_SERVE_ALL_ARGS)"]
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- wget
|
||||
- --spider
|
||||
- -q
|
||||
- http://127.0.0.1:4444/.well-known/openid-configuration
|
||||
failureThreshold: 6
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 10
|
||||
ports:
|
||||
- containerPort: 4444
|
||||
name: hydra-public
|
||||
- containerPort: 4445
|
||||
name: hydra-admin
|
||||
resources: {}
|
||||
restartPolicy: Always
|
14
resources/hydra/resources/hydra-migrate-job.yaml
Normal file
14
resources/hydra/resources/hydra-migrate-job.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: hydra-migrate
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
containers:
|
||||
- env: []
|
||||
name: hydra-migrate
|
||||
image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
|
||||
imagePullPolicy: IfNotPresent
|
||||
args: ["migrate", "sql", "--yes", "$(DSN)"]
|
13
resources/hydra/resources/hydra-role.yaml
Normal file
13
resources/hydra/resources/hydra-role.yaml
Normal file
@ -0,0 +1,13 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: hydra-job-status-reader
|
||||
rules:
|
||||
- apiGroups:
|
||||
- batch
|
||||
resources:
|
||||
- jobs
|
||||
verbs:
|
||||
- get
|
||||
- list
|
12
resources/hydra/resources/hydra-rolebinding.yaml
Normal file
12
resources/hydra/resources/hydra-rolebinding.yaml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: hydra-job-status-reader
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: hydra-job-status-reader
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: hydra-sa
|
18
resources/hydra/resources/hydra-service.yaml
Normal file
18
resources/hydra/resources/hydra-service.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: hydra
|
||||
name: hydra
|
||||
spec:
|
||||
ports:
|
||||
- name: hydra-public
|
||||
port: 4444
|
||||
targetPort: hydra-public
|
||||
- name: hydra-admin
|
||||
port: 4445
|
||||
targetPort: hydra-admin
|
||||
selector:
|
||||
io.kompose.service: hydra
|
||||
status:
|
||||
loadBalancer: {}
|
5
resources/hydra/resources/hydra-serviceaccount.yaml
Normal file
5
resources/hydra/resources/hydra-serviceaccount.yaml
Normal file
@ -0,0 +1,5 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: hydra-sa
|
Loading…
Reference in New Issue
Block a user