feat: initial commit

2023-01-25 20:27:27 +01:00 · 2023-01-25 20:27:27 +01:00 · 06b7aa7903
commit 06b7aa7903
18 changed files with 326 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,7 @@
+# Kustom SSO
+
+Kustomization du service "SSO" (Ory Hydra)
+
+## Usage
+
+[Voir la documentation](./doc/README.md)
--- a/components/hydra-cnpg-database/configurations/cnpg-cluster.yaml
+++ b/components/hydra-cnpg-database/configurations/cnpg-cluster.yaml
@ -0,0 +1,8 @@
+---
+nameReference:
+- kind: Secret
+  fieldSpecs:
+  - path: spec/superuserSecret/name
+    kind: Cluster
+  - path: spec/bootstrap/initdb/secret/name
+    kind: Cluster
--- a/components/hydra-cnpg-database/kustomization.yaml
+++ b/components/hydra-cnpg-database/kustomization.yaml
@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configurations:
+  - ./configurations/cnpg-cluster.yaml
+
+resources:
+  - ./resources/hydra-cnpg-cluster.yaml
+
+secretGenerator:
+  - name: hydra-postgres-admin
+    type: Secret
+    literals:
+      - username=postgres
+      - password=NotSoSecret
+  - name: hydra-postgres-user
+    type: Secret
+    literals:
+      - username=hydra
+      - password=NotSoSecret
+
+patchesJson6902:
+  - target:
+      group: apps
+      version: v1
+      kind: Deployment
+      name: hydra
+    path: patches/hydra-deployment.yaml
+  - target:
+      group: batch
+      version: v1
+      kind: Job
+      name: hydra-migrate
+    path: patches/hydra-migrate-job.yaml
--- a/components/hydra-cnpg-database/patches/hydra-deployment.yaml
+++ b/components/hydra-cnpg-database/patches/hydra-deployment.yaml
@ -0,0 +1,21 @@
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_USER
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-user
+        key: username
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-user
+        key: password
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: DSN
+    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@hydra-postgres-rw:5432/hydra?sslmode=disable"
--- a/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml
+++ b/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml
@ -0,0 +1,21 @@
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_USER
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-user
+        key: username
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-user
+        key: password
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: DSN
+    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@hydra-postgres-rw:5432/hydra?sslmode=disable"
--- a/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml
+++ b/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml
@ -0,0 +1,17 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: hydra-postgres
+spec:
+  instances: 3
+  primaryUpdateStrategy: unsupervised
+  superuserSecret:
+    name: hydra-postgres-admin
+  bootstrap:
+    initdb:
+      database: hydra
+      owner: hydra
+      secret:
+        name: hydra-postgres-user
+  storage:
+    size: 2Gi
--- a/doc/README.md
+++ b/doc/README.md
@ -0,0 +1 @@
+# Documentation
--- a/kustomization.yaml
+++ b/kustomization.yaml
@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/hydra
+  - ./resources/hydra-dispatcher
+
+components:
+  - ./components/hydra-cnpg-database
--- a/resources/hydra-dispatcher/kustomization.yaml
+++ b/resources/hydra-dispatcher/kustomization.yaml
@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/hydra-dispatcher-deployment.yaml
+  - ./resources/hydra-dispatcher-service.yaml
+
+configMapGenerator:
+  - name: hydra-dispatcher-env
+    literals:
+      - APP_ENV=prod
+      - APP_DEBUG=false
+      - HYDRA_BASE_URL=http://hydra:4444
+      - HYDRA_ADMIN_BASE_URL=http://hydra:4445
+      - HYDRA_REWRITE_ISSUER=yes
+      - HYDRA_ORIGINAL_ISSUER=http://localhost:4444
+      - HYDRA_NEW_ISSUER=http://hydra-dispatcher
+      - BASE_URL=http://hydra-dispatcher
+      - COOKIE_PATH=/
+      - DEFAULT_LOCALE=fr
+      - APP_LOCALES=fr,en
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    io.kompose.service: hydra-dispatcher
+  name: hydra-dispatcher
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: hydra-dispatcher
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        io.kompose.service: hydra-dispatcher
+    spec:
+      containers:
+        - name: hydra
+          image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-159-gd91e77b
+          envFrom:
+            - configMapRef:
+                name: hydra-dispatcher-env
+          ports:
+            - containerPort: 80
+          resources: {}
+      restartPolicy: Always
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    io.kompose.service: hydra-dispatcher
+  name: hydra-dispatcher
+spec:
+  ports:
+    - name: hydra-dispatcher
+      port: 80
+  selector:
+    io.kompose.service: hydra-dispatcher
+status:
+  loadBalancer: {}
--- a/resources/hydra/kustomization.yaml
+++ b/resources/hydra/kustomization.yaml
@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/hydra-deployment.yaml
+  - ./resources/hydra-service.yaml
+  - ./resources/hydra-role.yaml
+  - ./resources/hydra-rolebinding.yaml
+  - ./resources/hydra-serviceaccount.yaml
+  - ./resources/hydra-migrate-job.yaml
+
+secretGenerator:
+  - name: hydra-secret
+    literals:
+      - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
+
+configMapGenerator:
+  - name: hydra-env
+    literals:
+      - URLS_SELF_ISSUER=http://localhost:4444
+      - URLS_LOGIN=http://hydra-login-app/login
+      - URLS_CONSENT=http://hydra-consent-app/consent
+      - URLS_LOGOUT=http://hydra-logout-app/logout
+      - HYDRA_SERVE_ALL_ARGS=
--- a/resources/hydra/resources/hydra-deployment.yaml
+++ b/resources/hydra/resources/hydra-deployment.yaml
@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    io.kompose.service: hydra
+  name: hydra
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: hydra
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        io.kompose.service: hydra
+    spec:
+      serviceAccount: hydra-sa
+      initContainers:
+        - name: wait-for-migrate
+          image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
+          args:
+          - job
+          - hydra-migrate
+      containers:
+        - name: hydra
+          image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
+          envFrom:
+            - configMapRef:
+                name: hydra-env
+          env:
+            - name: LOG_LEVEL
+              value: debug
+            - name: LOG_LEAK_SENSITIVE_VALUES
+              value: "true"
+            - name: SECRETS_SYSTEM
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-secret
+                  key: SECRETS_SYSTEM
+          args: ["serve", "all", "$(HYDRA_SERVE_ALL_ARGS)"]
+          livenessProbe:
+            exec:
+              command:
+                - wget
+                - --spider
+                - -q
+                - http://127.0.0.1:4444/.well-known/openid-configuration
+            failureThreshold: 6
+            periodSeconds: 10
+            timeoutSeconds: 10
+          ports:
+            - containerPort: 4444
+              name: hydra-public
+            - containerPort: 4445
+              name: hydra-admin
+          resources: {}
+      restartPolicy: Always
--- a/resources/hydra/resources/hydra-migrate-job.yaml
+++ b/resources/hydra/resources/hydra-migrate-job.yaml
@ -0,0 +1,14 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: hydra-migrate
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+      - env: []
+        name: hydra-migrate
+        image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
+        imagePullPolicy: IfNotPresent
+        args: ["migrate", "sql", "--yes", "$(DSN)"]
--- a/resources/hydra/resources/hydra-role.yaml
+++ b/resources/hydra/resources/hydra-role.yaml
@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: hydra-job-status-reader
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - get
+  - list
--- a/resources/hydra/resources/hydra-rolebinding.yaml
+++ b/resources/hydra/resources/hydra-rolebinding.yaml
@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: hydra-job-status-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hydra-job-status-reader
+subjects:
+- kind: ServiceAccount
+  name: hydra-sa
--- a/resources/hydra/resources/hydra-service.yaml
+++ b/resources/hydra/resources/hydra-service.yaml
@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    io.kompose.service: hydra
+  name: hydra
+spec:
+  ports:
+    - name: hydra-public
+      port: 4444
+      targetPort: hydra-public
+    - name: hydra-admin
+      port: 4445
+      targetPort: hydra-admin
+  selector:
+    io.kompose.service: hydra
+status:
+  loadBalancer: {}
--- a/resources/hydra/resources/hydra-serviceaccount.yaml
+++ b/resources/hydra/resources/hydra-serviceaccount.yaml
@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hydra-sa