commit 06b7aa7903f84b8cc2ac016bffacca24d5b31491
Author: William Petit
Date: Wed Jan 25 20:27:27 2023 +0100
feat: initial commit
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..256224d
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# Kustom SSO
+
+Kustomization du service "SSO" (Ory Hydra)
+
+## Usage
+
+[Voir la documentation](./doc/README.md)
\ No newline at end of file
diff --git a/components/hydra-cnpg-database/configurations/cnpg-cluster.yaml b/components/hydra-cnpg-database/configurations/cnpg-cluster.yaml
new file mode 100644
index 0000000..2eb79d2
--- /dev/null
+++ b/components/hydra-cnpg-database/configurations/cnpg-cluster.yaml
@@ -0,0 +1,8 @@
+---
+nameReference:
+- kind: Secret
+ fieldSpecs:
+ - path: spec/superuserSecret/name
+ kind: Cluster
+ - path: spec/bootstrap/initdb/secret/name
+ kind: Cluster
diff --git a/components/hydra-cnpg-database/kustomization.yaml b/components/hydra-cnpg-database/kustomization.yaml
new file mode 100644
index 0000000..685cddc
--- /dev/null
+++ b/components/hydra-cnpg-database/kustomization.yaml
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configurations:
+ - ./configurations/cnpg-cluster.yaml
+
+resources:
+ - ./resources/hydra-cnpg-cluster.yaml
+
+secretGenerator:
+ - name: hydra-postgres-admin
+ type: Secret
+ literals:
+ - username=postgres
+ - password=NotSoSecret
+ - name: hydra-postgres-user
+ type: Secret
+ literals:
+ - username=hydra
+ - password=NotSoSecret
+
+patchesJson6902:
+ - target:
+ group: apps
+ version: v1
+ kind: Deployment
+ name: hydra
+ path: patches/hydra-deployment.yaml
+ - target:
+ group: batch
+ version: v1
+ kind: Job
+ name: hydra-migrate
+ path: patches/hydra-migrate-job.yaml
\ No newline at end of file
diff --git a/components/hydra-cnpg-database/patches/hydra-deployment.yaml b/components/hydra-cnpg-database/patches/hydra-deployment.yaml
new file mode 100644
index 0000000..3302304
--- /dev/null
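Review bot: The `secretGenerator` entries in components/hydra-cnpg-database/kustomization.yaml commit the PostgreSQL superuser and application passwords as plaintext literals (`password=NotSoSecret`) in the base, so they ship with every overlay and stay in git history; the same applies to `SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged` in resources/hydra/kustomization.yaml. Prefer generating these secrets from an untracked `envs:` file or an external secret operator in the overlay, or drop `superuserSecret` from the Cluster and let CloudNativePG create the credentials itself (it does so when the field is absent — verify against the operator version in use). `type: Secret` is also not one of the built-in Kubernetes Secret types; CloudNativePG documents `kubernetes.io/basic-auth` for the superuser and bootstrap secrets, so `type: kubernetes.io/basic-auth` is the value to check for. Separately, `patchesJson6902` is deprecated from kustomize v5 onward in favour of `patches:` with the same `target`/`path` keys, which the component could adopt now at no cost.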
+++ b/components/hydra-cnpg-database/patches/hydra-deployment.yaml
@@ -0,0 +1,21 @@
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: HYDRA_DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ name: hydra-postgres-user
+ key: username
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: HYDRA_DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: hydra-postgres-user
+ key: password
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: DSN
+ value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@hydra-postgres-rw:5432/hydra?sslmode=disable"
\ No newline at end of file
diff --git a/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml b/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml
new file mode 100644
index 0000000..3302304
--- /dev/null
+++ b/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml
@@ -0,0 +1,21 @@
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: HYDRA_DATABASE_USER
+ valueFrom:
+ secretKeyRef:
+ name: hydra-postgres-user
+ key: username
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: HYDRA_DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: hydra-postgres-user
+ key: password
+- op: add
+ path: "/spec/template/spec/containers/0/env/-"
+ value:
+ name: DSN
+ value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@hydra-postgres-rw:5432/hydra?sslmode=disable"
\ No newline at end of file
diff --git a/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml b/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml
new file mode 100644
index 0000000..7f48955
--- /dev/null
+++ b/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml
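Review bot: The `DSN` value on the last added line of patches/hydra-deployment.yaml sets `sslmode=disable`, so the Hydra-to-PostgreSQL connection (which carries the client secrets, tokens and consent sessions Hydra persists) is cleartext inside the cluster even though CloudNativePG enables server TLS on the `-rw` service by default; `sslmode=require` works with no further configuration, and `verify-ca`/`verify-full` with the cluster CA secret mounted is the hardened form. The identical DSN is repeated byte-for-byte in patches/hydra-migrate-job.yaml (same blob `3302304`), so both patches need the same change. Note also that `$(HYDRA_DATABASE_PASSWORD)` is substituted raw into the URL, so once `NotSoSecret` is replaced, a password containing `@`, `/`, `:` or `%` yields an unparsable DSN unless it is URL-encoded before being stored in the secret — worth a comment on the `DSN` entry.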
@@ -0,0 +1,17 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: hydra-postgres
+spec:
+ instances: 3
+ primaryUpdateStrategy: unsupervised
+ superuserSecret:
+ name: hydra-postgres-admin
+ bootstrap:
+ initdb:
+ database: hydra
+ owner: hydra
+ secret:
+ name: hydra-postgres-user
+ storage:
+ size: 2Gi
\ No newline at end of file
diff --git a/doc/README.md b/doc/README.md
new file mode 100644
index 0000000..7d8b3af
--- /dev/null
+++ b/doc/README.md
@@ -0,0 +1 @@
+# Documentation
\ No newline at end of file
diff --git a/kustomization.yaml b/kustomization.yaml
new file mode 100644
index 0000000..bcd30e4
--- /dev/null
+++ b/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./resources/hydra
+ - ./resources/hydra-dispatcher
+
+components:
+ - ./components/hydra-cnpg-database
\ No newline at end of file
diff --git a/resources/hydra-dispatcher/kustomization.yaml b/resources/hydra-dispatcher/kustomization.yaml
new file mode 100644
index 0000000..dcdb760
--- /dev/null
+++ b/resources/hydra-dispatcher/kustomization.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./resources/hydra-dispatcher-deployment.yaml
+ - ./resources/hydra-dispatcher-service.yaml
+
+configMapGenerator:
+ - name: hydra-dispatcher-env
+ literals:
+ - APP_ENV=prod
+ - APP_DEBUG=false
+ - HYDRA_BASE_URL=http://hydra:4444
+ - HYDRA_ADMIN_BASE_URL=http://hydra:4445
+ - HYDRA_REWRITE_ISSUER=yes
+ - HYDRA_ORIGINAL_ISSUER=http://localhost:4444
+ - HYDRA_NEW_ISSUER=http://hydra-dispatcher
+ - BASE_URL=http://hydra-dispatcher
+ - COOKIE_PATH=/
+ - DEFAULT_LOCALE=fr
+ - APP_LOCALES=fr,en
\ No newline at end of file
diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
new file mode 100644
index 0000000..6336510
--- /dev/null
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ io.kompose.service: hydra-dispatcher
+ name: hydra-dispatcher
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ io.kompose.service: hydra-dispatcher
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ io.kompose.service: hydra-dispatcher
+ spec:
+ containers:
+ - name: hydra
+ image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-159-gd91e77b
+ envFrom:
+ - configMapRef:
+ name: hydra-dispatcher-env
+ ports:
+ - containerPort: 80
+ resources: {}
+ restartPolicy: Always
diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
new file mode 100644
index 0000000..55cc11e
--- /dev/null
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ io.kompose.service: hydra-dispatcher
+ name: hydra-dispatcher
+spec:
+ ports:
+ - name: hydra-dispatcher
+ port: 80
+ selector:
+ io.kompose.service: hydra-dispatcher
+status:
+ loadBalancer: {}
diff --git a/resources/hydra/kustomization.yaml b/resources/hydra/kustomization.yaml
new file mode 100644
index 0000000..1dbcac1
--- /dev/null
+++ b/resources/hydra/kustomization.yaml
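Review bot: The only container in the hydra-dispatcher Deployment is named `hydra` (`- name: hydra` under `containers:`), which collides in logs, `kubectl exec -c` and metrics labels with the real Hydra container in resources/hydra and reads like a kompose copy-paste; `- name: hydra-dispatcher` matches the Deployment and Service names. `resources: {}` leaves the pod with no requests or limits, so it lands in the BestEffort QoS class and is evicted first under node pressure; even a nominal request in the base is preferable to none. `status: loadBalancer: {}` in the companion Service hunk is kompose output that the API server ignores and can be dropped.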
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./resources/hydra-deployment.yaml
+ - ./resources/hydra-service.yaml
+ - ./resources/hydra-role.yaml
+ - ./resources/hydra-rolebinding.yaml
+ - ./resources/hydra-serviceaccount.yaml
+ - ./resources/hydra-migrate-job.yaml
+
+secretGenerator:
+ - name: hydra-secret
+ literals:
+ - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
+
+configMapGenerator:
+ - name: hydra-env
+ literals:
+ - URLS_SELF_ISSUER=http://localhost:4444
+ - URLS_LOGIN=http://hydra-login-app/login
+ - URLS_CONSENT=http://hydra-consent-app/consent
+ - URLS_LOGOUT=http://hydra-logout-app/logout
+ - HYDRA_SERVE_ALL_ARGS=
\ No newline at end of file
diff --git a/resources/hydra/resources/hydra-deployment.yaml b/resources/hydra/resources/hydra-deployment.yaml
new file mode 100644
index 0000000..dbe5e9b
--- /dev/null
+++ b/resources/hydra/resources/hydra-deployment.yaml
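Review bot: `HYDRA_SERVE_ALL_ARGS=` is empty here and is consumed as one array element (`"$(HYDRA_SERVE_ALL_ARGS)"` in resources/hydra/resources/hydra-deployment.yaml); Kubernetes expands `$(VAR)` without word-splitting, so an overlay that sets it to two flags would hand Hydra a single argument containing a space, and the empty default hands `hydra serve all` a literal `""` positional argument whose acceptance depends on the command's argument validation — verify rather than assume. If the intent is to let overlays inject flags, a `patches:` entry on `args` is more predictable than a variable; if a single flag is intended, a comment on the literal should say so. `URLS_SELF_ISSUER=http://localhost:4444` also has to stay equal to `HYDRA_ORIGINAL_ISSUER` in resources/hydra-dispatcher/kustomization.yaml for the issuer rewrite to work, so a comment such as `# must match HYDRA_ORIGINAL_ISSUER in resources/hydra-dispatcher` next to it would make that coupling visible.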
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ io.kompose.service: hydra
+ name: hydra
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ io.kompose.service: hydra
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ io.kompose.service: hydra
+ spec:
+ serviceAccount: hydra-sa
+ initContainers:
+ - name: wait-for-migrate
+ image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
+ args:
+ - job
+ - hydra-migrate
+ containers:
+ - name: hydra
+ image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
+ envFrom:
+ - configMapRef:
+ name: hydra-env
+ env:
+ - name: LOG_LEVEL
+ value: debug
+ - name: LOG_LEAK_SENSITIVE_VALUES
+ value: "true"
+ - name: SECRETS_SYSTEM
+ valueFrom:
+ secretKeyRef:
+ name: hydra-secret
+ key: SECRETS_SYSTEM
+ args: ["serve", "all", "$(HYDRA_SERVE_ALL_ARGS)"]
+ livenessProbe:
+ exec:
+ command:
+ - wget
+ - --spider
+ - -q
+ - http://127.0.0.1:4444/.well-known/openid-configuration
+ failureThreshold: 6
+ periodSeconds: 10
+ timeoutSeconds: 10
+ ports:
+ - containerPort: 4444
+ name: hydra-public
+ - containerPort: 4445
+ name: hydra-admin
+ resources: {}
+ restartPolicy: Always
diff --git a/resources/hydra/resources/hydra-migrate-job.yaml b/resources/hydra/resources/hydra-migrate-job.yaml
new file mode 100644
index 0000000..5b88e1f
--- /dev/null
+++ b/resources/hydra/resources/hydra-migrate-job.yaml
@@ -0,0 +1,14 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: hydra-migrate
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - env: []
+ name: hydra-migrate
+ image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
+ imagePullPolicy: IfNotPresent
+ args: ["migrate", "sql", "--yes", "$(DSN)"]
\ No newline at end of file
diff --git a/resources/hydra/resources/hydra-role.yaml b/resources/hydra/resources/hydra-role.yaml
new file mode 100644
index 0000000..61b0219
--- /dev/null
+++ b/resources/hydra/resources/hydra-role.yaml
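Review bot: `LOG_LEAK_SENSITIVE_VALUES` set to `"true"` together with `LOG_LEVEL: debug` in the `env:` list of hydra-deployment.yaml makes Hydra write access tokens, client secrets and session data into its logs, from where they reach whatever log aggregation the cluster runs; that belongs in a local debugging overlay, and the base should carry `value: "false"` (or omit the variable, false is Hydra's default) and `value: info`. `serviceAccount: hydra-sa` is the deprecated spelling of the field, `serviceAccountName: hydra-sa` is the current one; the old name still works but tooling warns on it. The pod also has no `readinessProbe`, so the `hydra` Service routes to the container while it is still starting, and `resources: {}` leaves it BestEffort, the same issue as in the hydra-dispatcher Deployment.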
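Review bot: The Job's `args: ["migrate", "sql", "--yes", "$(DSN)"]` in hydra-migrate-job.yaml relies on an environment variable this file never defines (`env: []`); the DSN only arrives through the patch in components/hydra-cnpg-database, so building resources/hydra without that component produces a Job that passes the literal string `$(DSN)` to Hydra. A comment on that line, `# env is populated by components/hydra-cnpg-database/patches/hydra-migrate-job.yaml (DSN)`, would record the contract. Leaving the Job without `ttlSecondsAfterFinished` is deliberate here, since the `wait-for-migrate` init container looks it up by name, but a comment saying so prevents a later cleanup from breaking startup; and because a Job's template is immutable once created, a future image bump in this file will be rejected on apply until the old Job is deleted, which is worth noting next to `image:`.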
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: hydra-job-status-reader
+rules:
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
\ No newline at end of file
diff --git a/resources/hydra/resources/hydra-rolebinding.yaml b/resources/hydra/resources/hydra-rolebinding.yaml
new file mode 100644
index 0000000..4ded6f8
--- /dev/null
+++ b/resources/hydra/resources/hydra-rolebinding.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: hydra-job-status-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: hydra-job-status-reader
+subjects:
+- kind: ServiceAccount
+ name: hydra-sa
diff --git a/resources/hydra/resources/hydra-service.yaml b/resources/hydra/resources/hydra-service.yaml
new file mode 100644
index 0000000..642203d
--- /dev/null
+++ b/resources/hydra/resources/hydra-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ io.kompose.service: hydra
+ name: hydra
+spec:
+ ports:
+ - name: hydra-public
+ port: 4444
+ targetPort: hydra-public
+ - name: hydra-admin
+ port: 4445
+ targetPort: hydra-admin
+ selector:
+ io.kompose.service: hydra
+status:
+ loadBalancer: {}
diff --git a/resources/hydra/resources/hydra-serviceaccount.yaml b/resources/hydra/resources/hydra-serviceaccount.yaml
new file mode 100644
index 0000000..ea8dd45
--- /dev/null
+++ b/resources/hydra/resources/hydra-serviceaccount.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: hydra-sa
\ No newline at end of file
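Review bot: The `subjects` entry in hydra-rolebinding.yaml references `ServiceAccount hydra-sa` without a `namespace`, and the API server requires `namespace` on ServiceAccount subjects; this only applies cleanly when an overlay sets `namespace:` in its kustomization, which kustomize's namespace transformer also writes into ServiceAccount subjects — presumably the intended workflow, but undocumented. A comment on the subject, `# namespace is filled in by the overlay's namespace: setting`, or an explicit mention in doc/README.md, would spare the next reader a failed apply. The Role itself is appropriately minimal (`get`/`list` on `jobs` only) and needs no change.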
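Review bot: hydra-service.yaml exposes the admin API (`port: 4445`, `targetPort: hydra-admin`) on the same ClusterIP Service as the public endpoint, and Hydra's admin API carries no authentication of its own, so every workload that can reach `hydra:4445` can manage OAuth2 clients and accept login or consent requests. Splitting it into a separate `hydra-admin` Service and adding a NetworkPolicy that admits only the hydra-dispatcher pods (the single consumer via `HYDRA_ADMIN_BASE_URL`) confines that capability to the one component that needs it; at minimum a comment on the port, `# admin API: cluster-internal only, never route through an Ingress`, is warranted. The `status: loadBalancer: {}` stanza is kompose output and can be dropped.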