CadolesKube/sso-kustom
15
0
Fork 0
Code Issues 19 Pull Requests 4 Projects Releases Wiki Activity

Merge pull request 'Correction de l'environnement d'exemple' (#55) from fix-example into unstable

Browse Source 
Reviewed-on: #55
Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>
This commit is contained in:
Laurent Gourvenec 2025-02-18 17:09:43 +01:00
commit 20e0a20f64
34 changed files with 729 additions and 461 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -2,10 +2,6 @@
Kustomization du service "SSO" (Ory Hydra)
## Usage
[Voir la documentation](./doc/README.md)
## Exemple
Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)
Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)

60
components/hydra-ldap/resources/deployment.yaml
View File

@ -17,34 +17,32 @@ spec:
app.kubernetes.io/version: "v1.2.2"
spec:
containers:
- name: werther
image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: hydra-ldap-env
env:
- name: WERTHER_WEB_DIR
value: "/usr/share/werther/login/"
- name: WERTHER_LDAP_BINDDN
valueFrom:
secretKeyRef:
name: hydra-ldap-sc
key: WERTHER_LDAP_BINDDN
- name: WERTHER_LDAP_BINDPW
valueFrom:
secretKeyRef:
name: hydra-ldap-sc
key: WERTHER_LDAP_BINDPW
ports:
- containerPort: 8080
name: hydra-ldap-http
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 100
- name: werther
image: reg.cadoles.com/cadoles/hydra-werther:2025.2.17-stable.1544.8ded23c
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: hydra-ldap-env
env:
- name: WERTHER_LDAP_BINDDN
valueFrom:
secretKeyRef:
name: hydra-ldap-sc
key: WERTHER_LDAP_BINDDN
- name: WERTHER_LDAP_BINDPW
valueFrom:
secretKeyRef:
name: hydra-ldap-sc
key: WERTHER_LDAP_BINDPW
ports:
- containerPort: 8080
name: hydra-ldap-http
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 100

2
components/hydra-saml/resources/hydra-saml-remote-user.yaml
View File

@ -24,6 +24,8 @@ spec:
name: hydra-saml-env
ports:
- containerPort: 8080
command:
- /bin/apache2-foreground
resources: {}
restartPolicy: Always
---

3
components/oidc-test/kustomization.yaml
View File

@ -17,4 +17,5 @@ configMapGenerator:
- OIDC_REDIRECT_URL=https://example.net/oauth2/callback
- OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net
- OIDC_SKIP_ISSUER_VERIFICATION="true"
- OIDC_INSECURE_SKIP_VERIFY="true"
- OIDC_SCOPES="openid profile"
- OIDC_INSECURE_SKIP_VERIFY="true"

24
components/oidc-test/resources/deployment.yaml
View File

@ -23,17 +23,17 @@ spec:
- containerPort: 8080
resources: {}
envFrom:
- configMapRef:
name: oidc-test-env
- configMapRef:
name: oidc-test-env
env:
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: oidc-test-oauth2-client
key: client_id
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oidc-test-oauth2-client
key: client_secret
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: oidc-test-oauth2-client
key: CLIENT_ID
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oidc-test-oauth2-client
key: CLIENT_SECRET
restartPolicy: Always

12
components/oidc-test/resources/oauth2-client.yaml
View File

@ -6,13 +6,13 @@ spec:
clientName: "oidc-test"
tokenEndpointAuthMethod: "client_secret_basic"
grantTypes:
- authorization_code
- refresh_token
- authorization_code
- refresh_token
responseTypes:
- code
scope: "openid email"
- code
scope: "openid email profile"
secretName: oidc-test-oauth2-client
redirectUris:
- https://example.net/oauth2/callback
- https://example.net/oauth2/callback
postLogoutRedirectUris:
- https://example.net
- https://example.net

15
components/redis/README.md
View File

@ -3,20 +3,17 @@
### Description
Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis.
Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`.
Les applications peuvent utiliser le mode `sentinel` de redis
Il est donc nécessaire donc nécessaire de disposer d'un serveur Redis pour utiliser ces applications.
### Principe général de fonctionnement
Un `RedisFailOver` crée un cluster redis en mode sentinel avec 3 réplicats chacun.
Un `Redis` crée une instance Redis dédiée à l'environnement SSO.
### Personnalisation
Via des `patches` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` il est possible de modifier la valeur du `REDIS_DSN`.
Un `patch` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` permet de modifier la valeur de la clé `REDIS_DSN`.
|Clé|Description|Exemple|
|---|-----------|-------|
|`REDIS_DSN`| DSN du cluster Redis | `redis://rfs-sso-redis:26379?&redis_sentinel=mymaster`
| Clé | Description | Exemple |
| ----------- | -------------------- | ------------------------ |
| `REDIS_DSN` | DSN du cluster Redis | `redis://redis-sso:6379` |

10
components/redis/kustomization.yaml
View File

@ -2,10 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
- ./resources/redis-failover.yaml
- ./resources/redis-sso.yaml
patches:
- path: ./patches/hydra-apps.yaml
target:
kind: ConfigMap
labelSelector: "com.cadoles.forge.sso-kustom/session=redis"
- path: ./patches/hydra-apps.yaml
target:
kind: ConfigMap
labelSelector: "com.cadoles.forge.sso-kustom/session=redis"

2
components/redis/patches/hydra-apps.yaml
View File

@ -1,3 +1,3 @@
- op: replace
path: "/data/REDIS_DSN"
value: "redis://rfs-sso-redis:26379?&redis_sentinel=mymaster"
value: "redis://redis-sso:6379"

21
components/redis/resources/redis-failover.yaml
View File

@ -1,21 +0,0 @@
apiVersion: databases.spotahome.com/v1
kind: RedisFailover
metadata:
name: sso-redis
spec:
sentinel:
replicas: 3
resources:
requests:
cpu: 100m
limits:
memory: 100Mi
redis:
replicas: 3
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 400m
memory: 500Mi

19
components/redis/resources/redis-sso.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: redis.redis.opstreelabs.in/v1beta1
kind: Redis
metadata:
name: redis-sso
spec:
kubernetesConfig:
image: reg.cadoles.com/quay/opstree/redis:v7.0.15
imagePullPolicy: IfNotPresent
storage:
volumeClaimTemplate:
spec:
# storageClassName: standard
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
securityContext:
runAsUser: 1000
fsGroup: 1000

66
examples/authenticated-app/README.md
View File

@ -1,6 +1,6 @@
# Exemple: Déploiement d'une application authentifiée avec la stack SSO
L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
L'exemple est actuellement déployé avec le composant `hydra-ldap` uniquement.
## Procédure
@ -8,37 +8,40 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
1. Créer un cluster avec `kind`
```
kind create cluster --config ./examples/k8s/kind/cluster-config.yaml
```
```
kind create cluster --config ./examples/k8s/kind/cluster-config.yaml
```
2. Déployer les opérateurs nécessaires au déploiement
```
kubectl apply -k ./examples/k8s/kind/cluster --server-side
```
3. Déployer l'application
```
kubectl apply -k ./examples/authenticated-app
```
**Note** Il est possible d'avoir l'erreur suivante:
```
error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1"
kubectl apply -k ./examples/k8s/kind/cluster --server-side
```
Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande.
> Si une erreur du type `ensure CRDs are installed first` s'affiche, relancer la commande.
4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
3. Attendre que l'opérateur Redis soit opérationnel puis patcher le `ClusterRole` de celui ci (cf. https://github.com/OT-CONTAINER-KIT/redis-operator/issues/526):
```
127.0.0.1 ssokustom
```
```bash
kubectl wait -n operators --timeout 10m --for=jsonpath=".status.state"=AtLatestKnown subscription my-redis-operator
# On attend quelques secondes supplémentaires pour s'assurer que l'opérateur a réellement démarré
sleep 30
kubectl patch clusterroles.rbac.authorization.k8s.io $(kubectl get clusterrole | awk '/redis-operator/ {print $1}') --patch-file examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml
```
5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
4. Déployer l'application
```
kubectl apply -k ./examples/authenticated-app
```
5. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
```
127.0.0.1 ssokustom
```
6. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
#### Supprimer le cluster
@ -48,14 +51,15 @@ kind delete cluster -n sso-kustom-example
## Authentification
### SAML
### LDAP
- Utilisateur: `user1`
- Mot de passe `user1pass`
#### Comptes par défaut
#### URL utiles
1. `jdoe` / `jdoe`
2. `jdoe2` / `jdoe`
3. `siret1` / `siret`
4. `siret2` / `siret`
|URL|Description|
|---|-----------|
|https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth|
|https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth|
#### Gestion des comptes
Les comptes LDAP sont définis dans le fichier [`./files/glauth.conf`](./files/glauth.conf)

83
examples/authenticated-app/files/glauth.conf Normal file
View File

@ -0,0 +1,83 @@
debug = true
[ldap]
enabled = true
listen = "0.0.0.0:3893"
tls = false
[ldaps]
enabled = false
[behaviors]
IgnoreCapabilities = true
[backend]
datastore = "config"
baseDN = "dc=glauth,dc=com"
[[users]]
uid = "serviceuser"
name = "serviceuser"
mail = "serviceuser@example.com"
uidnumber = 5001
primarygroup = 5502
# use echo -n "mysecret" | openssl dgst -sha256
passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret
[[users.capabilities]]
action = "search"
object = "*"
[[users]]
uid = "jdoe"
name = "jdoe"
uidnumber = 5002
primarygroup = 5501
givenname = "John"
sn = "Doe"
mail = "jdoe@example.com"
passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
[[users.customattributes]]
employeetype = ["Intern", "Temp"]
employeenumber = [12345, 54321]
[[users]]
uid = "jdoe2"
name = "jdoe2"
uidnumber = 5003
primarygroup = 5501
givenname = "John"
sn = "Doe2"
mail = "jdoe2@jdoe2.com"
passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
[[users]]
uid = "siret1"
name = "siret1"
uidnumber = 5004
primarygroup = 5501
givenname = "Siret"
sn = "Siret"
mail = "siret1@siret.com"
passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
[[users.customattributes]]
siret = ["0001"]
[[users]]
uid = "siret2"
name = "siret2"
uidnumber = 5005
primarygroup = 5501
givenname = "Siret"
sn = "Siret"
mail = "siret2@siret.com"
passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
[[users.customattributes]]
siret = ["0002"]
[[groups]]
name = "users"
gidnumber = 5501
[[groups]]
name = "svcaccts"
gidnumber = 5502

42
examples/authenticated-app/files/hydra-dispatcher-apps.yaml Normal file
View File

@ -0,0 +1,42 @@
hydra:
apps:
- id: ldap
title:
fr: Connexion LDAP
en: Login LDAP
description:
fr: Authentification avec LDAP
en: Authentication with LDAP
login_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGIN_URL)%"
consent_url: "%env(string:HYDRA_DISPATCHER_LDAP_CONSENT_URL)%"
logout_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGOUT_URL)%"
attributes_rewrite_configuration:
siret:
rules:
- "property_exists(consent.session.id_token, 'siret') ? consent.session.id_token.siret : null"
- "value ?: ( consent.session.id_token.email matches '/.*@example.com$/' ? '0000' : null )"
- "value ?: ( consent.session.id_token.email matches '/.*@jdoe.com$/' ? '0001' : null )"
family_name:
rules:
- "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
given_name:
rules:
- "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
email:
rules:
- "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
firewall:
additional_properties: true
rules:
siret:
required: false
email:
required: false
given_name:
required: false
family_name:
required: false
webhook:
enabled: false
webhook_post_login:
enabled: false

33
examples/authenticated-app/kustomization.yaml
View File

@ -2,12 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../overlays/full
- ../../overlays/base
- ./resources/ingress.yaml
- ./resources/saml-idp.yaml
- ./resources/glauth-ldap.yaml
- ./resources/self-signed-issuer.yaml
- ./resources/port-forwarder.yaml
components:
- ../../components/hydra-cnpg-database
- ../../components/hydra-ldap
- ../../components/oidc-test
- ../../components/redis
patchesJson6902:
- target:
version: v1
@ -22,8 +29,13 @@ patchesJson6902:
- target:
version: v1
kind: ConfigMap
name: hydra-saml-env
path: patches/hydra-saml-env.yaml
name: hydra-ldap-env
path: patches/hydra-ldap-env.yaml
- target:
version: v1
kind: Secret
name: hydra-ldap-sc
path: patches/hydra-ldap-sc.yaml
- target:
version: v1
kind: Secret
@ -32,10 +44,19 @@ patchesJson6902:
- target:
version: v1
kind: ConfigMap
name: oidc-test
name: oidc-test-env
path: patches/oidc-test.yaml
- target:
version: v1alpha1
kind: OAuth2Client
name: oidc-test-oauth2-client
path: patches/oidc-test-oauth2-client.yaml
path: patches/oidc-test-oauth2-client.yaml
configMapGenerator:
- name: hydra-dispatcher-apps
behavior: replace
files:
- ./files/hydra-dispatcher-apps.yaml
- name: glauth-ldap-conf
files:
- ./files/glauth.conf

21
examples/authenticated-app/patches/hydra-dispatcher-env.yaml
View File

@ -1,3 +1,9 @@
- op: replace
path: "/data/APP_ENV"
value: dev
- op: replace
path: "/data/APP_DEBUG"
value: "true"
- op: replace
path: "/data/HYDRA_BASE_URL"
value: http://hydra:4444
@ -17,14 +23,13 @@
path: "/data/COOKIE_PATH"
value: /auth/dispatcher
# Hydra SAML configuration
# Hydra LDAP configuration
- op: replace
path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL"
value: https://ssokustom/auth/saml/login
path: "/data/HYDRA_DISPATCHER_LDAP_LOGIN_URL"
value: https://ssokustom/auth/ldap/auth/login
- op: replace
path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL"
value: https://ssokustom/auth/saml/consent
path: "/data/HYDRA_DISPATCHER_LDAP_CONSENT_URL"
value: https://ssokustom/auth/ldap/auth/consent
- op: replace
path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL"
value: https://ssokustom/auth/saml/logout
path: "/data/HYDRA_DISPATCHER_LDAP_LOGOUT_URL"
value: https://ssokustom/auth/ldap/auth/logout

11
examples/authenticated-app/patches/hydra-env.yaml
View File

@ -12,4 +12,13 @@
value: https://ssokustom/auth/dispatcher/consent
- op: replace
path: "/data/HYDRA_SERVE_ALL_ARGS"
value: "--dev"
value: "--dev"
- op: replace
path: "/data/SERVE_COOKIES_SAME_SITE_MODE"
value: "Lax"
- op: replace
path: "/data/SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND"
value: "true"
- op: replace
path: "/data/SERVE_COOKIES_DOMAIN"
value: "ssokustom"

55
examples/authenticated-app/patches/hydra-ldap-env.yaml Normal file
View File

@ -0,0 +1,55 @@
- op: replace
path: "/data/WERTHER_DEV_MODE"
value: "true"
- op: replace
path: "/data/WERTHER_WEB_BASE_PATH"
value: "/auth/ldap/"
- op: replace
path: "/data/WERTHER_IDENTP_HYDRA_URL"
value: "http://hydra-dispatcher"
- op: replace
path: "/data/WERTHER_LDAP_ENDPOINTS"
value: "glauth-ldap:389"
- op: replace
path: "/data/WERTHER_LDAP_BASEDN"
value: "dc=glauth,dc=com"
- op: replace
path: "/data/WERTHER_LDAP_ROLE_BASEDN"
value: "ou=groups,dc=glauth,dc=com"
- op: replace
path: "/data/WERTHER_IDENTP_CLAIM_SCOPES"
value: "uid:profile,name:profile,family_name:profile,given_name:profile,email:profile,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles,siret:siret"
- op: replace
path: "/data/WERTHER_INSECURE_SKIP_VERIFY"
value: "true"
- op: replace
path: "/data/WERTHER_LDAP_IS_TLS"
value: "false"
- op: replace
path: "/data/WERTHER_LDAP_ATTR_CLAIMS"
value: "name:name,sn:family_name,givenName:given_name,mail:email,siret:siret"
- op: replace
path: "/data/WERTHER_LDAP_CONNECTION_TIMEOUT"
value: "30s"
- op: replace
path: "/data/WERTHER_LDAP_USER_SEARCH_QUERY"
value: "(&(objectClass=*)(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"
- op: replace
path: "/data/WERTHER_IDENTP_ACR"
value: "eidas1"
- op: replace
path: "/data/WERTHER_IDENTP_AMR"
value: "pwd"

7
examples/authenticated-app/patches/hydra-ldap-sc.yaml Normal file
View File

@ -0,0 +1,7 @@
- op: replace
path: "/data/WERTHER_LDAP_BINDDN"
value: "Y249c2VydmljZXVzZXIsb3U9c3ZjYWNjdHMsb3U9dXNlcnMsZGM9Z2xhdXRoLGRjPWNvbQ==" # cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com
- op: replace
path: "/data/WERTHER_LDAP_BINDPW"
value: "bXlzZWNyZXQ=" # mysecret

43
examples/authenticated-app/patches/hydra-saml-env.yaml
View File

@ -1,43 +0,0 @@
- op: replace
path: "/data/HTTP_BASE_URL"
value: https://ssokustom/auth/saml
- op: replace
path: "/data/COOKIE_PATH"
value: /auth/saml
- op: replace
path: "/data/HYDRA_ADMIN_BASE_URL"
value: http://hydra-dispatcher
- op: replace
path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s
- op: replace
path: "/data/PATH_PREFIX"
value: "/auth/saml"
- op: replace
path: "/data/SP_ENTITY_ID"
value: https://ssokustom/auth/saml
- op: replace
path: "/data/IDP_ENTITY_ID"
value: https://ssokustom/simplesaml/saml2/idp/metadata.php
- op: replace
path: "/data/IDP_METADATA_URL"
value: https://ssokustom/simplesaml/saml2/idp/metadata.php
- op: replace
path: "/data/APACHE_FORCE_HTTPS"
value: "true"
- op: replace
path: "/data/SP_HANDLER_BASE_PATH"
value: "/auth/saml"
- op: replace
path: "/data/SP_LOG_LEVEL"
value: DEBUG
- op: replace
path: "/data/SP_SESSIONS_REDIRECT_LIMIT"
value: none
- op: replace
path: "/data/SP_SESSIONS_REDIRECT_ALLOW"
value: https://ssokustom
- op: replace
path: "/data/SP_SESSIONS_COOKIE_PROPS"
value: https

5
examples/authenticated-app/patches/oidc-test-oauth2-client.yaml
View File

@ -3,4 +3,7 @@
value: https://ssokustom/oauth2/callback
- op: replace
path: "/spec/postLogoutRedirectUris/0"
value: https://ssokustom
value: https://ssokustom
- op: replace
path: "/spec/scope"
value: "openid profile roles siret"

3
examples/authenticated-app/patches/oidc-test.yaml
View File

@ -4,3 +4,6 @@
- op: replace
path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL"
value: https://ssokustom
- op: replace
path: "/data/OIDC_SCOPES"
value: "openid profile roles siret"

55
examples/authenticated-app/resources/glauth-ldap.yaml Normal file
View File

@ -0,0 +1,55 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/name: glauth-ldap
name: glauth-ldap
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: glauth-ldap
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/name: glauth-ldap
spec:
containers:
- image: glauth/glauth:v2.3.2
name: glauth-ldap
ports:
- containerPort: 3893
name: ldap
- containerPort: 3894
name: ldaps
resources: {}
volumeMounts:
- name: glauth-ldap-conf
mountPath: /app/config/config.cfg
subPath: glauth.conf
restartPolicy: Always
volumes:
- name: glauth-ldap-conf
configMap:
name: glauth-ldap-conf
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: glauth-ldap
name: glauth-ldap
spec:
ports:
- name: ldap
port: 389
targetPort: ldap
- name: ldaps
port: 636
targetPort: ldaps
selector:
app.kubernetes.io/name: glauth-ldap
status:
loadBalancer: {}

138
examples/authenticated-app/resources/ingress.yaml
View File

@ -10,43 +10,47 @@ metadata:
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: oidc-test
port:
name: http
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: oidc-test
port:
name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: auth-saml
name: auth-ldap
annotations:
cert-manager.io/issuer: "self-signed"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/ldap
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Proto https;
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
- path: /auth/saml(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra-saml
port:
name: http
- http:
paths:
- path: /auth/ldap(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra-ldap
port:
name: hydra-ldap
---
apiVersion: networking.k8s.io/v1
kind: Ingress
@ -57,22 +61,24 @@ metadata:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Proto https;
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
- path: /auth/dispatcher(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra-dispatcher
port:
name: http
- http:
paths:
- path: /auth/dispatcher(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra-dispatcher
port:
name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
@ -82,50 +88,22 @@ metadata:
cert-manager.io/issuer: "self-signed"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Proto https;
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
- path: /auth(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra
port:
name: hydra-public
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: saml-idp
annotations:
cert-manager.io/issuer: "self-signed"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
- path: /simplesaml(/|$)(.*)
pathType: Prefix
backend:
service:
name: saml-idp
port:
name: https
- http:
paths:
- path: /auth(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra
port:
name: hydra-public

51
examples/authenticated-app/resources/saml-idp.yaml
View File

@ -1,51 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/name: saml-idp
name: saml-idp
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: saml-idp
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/name: saml-idp
spec:
containers:
- image: kristophjunge/test-saml-idp:1.15
name: saml-idp
ports:
- containerPort: 8443
resources: {}
env:
- name: SIMPLESAMLPHP_SP_ENTITY_ID
value: https://ssokustom/auth/saml
- name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE
value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST
- name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE
value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: saml-idp
name: saml-idp
spec:
ports:
- name: http
port: 8080
targetPort: 8080
- name: https
port: 8443
targetPort: 8443
selector:
app.kubernetes.io/name: saml-idp
status:
loadBalancer: {}

92
examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml Normal file
View File

@ -0,0 +1,92 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
rules:
- apiGroups:
- redis.redis.opstreelabs.in
resources:
- rediss
- redisclusters
- redis
- rediscluster
- redisreplication
- redisreplications
- redissentinel
- redissentinels
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- redis.redis.opstreelabs.in
resources:
- redis/finalizers
- rediscluster/finalizers
verbs:
- update
- apiGroups:
- redis.redis.opstreelabs.in
resources:
- redis/status
- rediscluster/status
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- secrets
- pods/exec
- services
- configmaps
- pods
- persistentvolumes
- persistentvolumeclaims
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch

16
examples/k8s/kind/cluster/kustomization.yaml
View File

@ -1,15 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
- https://forge.cadoles.com/CadolesKube/c-kustom//crds?ref=develop
- https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
- ./resources/olm
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
patchesJson6902:
- target:
version: v1
patches:
- path: patches/nginx-controller.yaml
target:
kind: ConfigMap
name: ingress-nginx-controller
namespace: ingress-nginx
path: patches/nginx-controller.yaml

15
examples/k8s/kind/cluster/patches/nginx-controller.yaml
View File

@ -1,6 +1,9 @@
- op: replace
path: "/data/allow-snippet-annotations"
value: "true"
- op: replace
path: "/data/use-forwarded-headers"
value: "true"
kind: ConfigMap
apiVersion: v1
metadata:
name: ingress-nginx-controller
data:
allow-snippet-annotations: "true"
use-forwarded-headers: "true"
strict-validate-path-type: "false"
annotations-risk-level: "Critical"

6
examples/k8s/kind/cluster/resources/olm/kustomization.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.31.0/olm.yaml
- https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/olm/resources/mandatory-operators/resources/redis-operator.yaml

2
resources/hydra-dispatcher/files/hydra/default.yaml
View File

@ -15,3 +15,5 @@ hydra:
firewall:
additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%"
rules: {}
webhook_post_login:
enabled: false

193
resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
View File

@ -3,6 +3,7 @@ kind: Deployment
metadata:
labels:
app.kubernetes.io/name: hydra-dispatcher
com.cadoles.forge.sso-kustom/session: redis
name: hydra-dispatcher
spec:
replicas: 1
@ -17,101 +18,101 @@ spec:
app.kubernetes.io/name: hydra-dispatcher
spec:
containers:
- name: hydra-dispatcher-php-fpm
image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
args: ["/usr/sbin/php-fpm81", "-F", "-e"]
readinessProbe:
exec:
command:
- sh
- -c
- test -f /etc/php81/php-fpm.d/www.conf
livenessProbe:
exec:
command:
- php
- bin/console
- -V
initialDelaySeconds: 10
periodSeconds: 30
env:
- name: PHP_FPM_LISTEN
value: 127.0.0.1:9000
- name: PHP_MEMORY_LIMIT
value: 128m
- name: PHP_FPM_MEMORY_LIMIT
value: 128m
- name: OPCACHE_VALIDATE_TIMESTAMP
value: "0"
- name: OPCACHE_REVALIDATE_FREQ
value: "0"
envFrom:
- configMapRef:
name: hydra-dispatcher-env
volumeMounts:
- mountPath: /app/config/hydra
name: hydra-dispatcher-apps
- name: hydra-dispatcher-php-ini
mountPath: /etc/php81/conf.d/03_base.ini
subPath: 03_base.ini
resources: {}
securityContext:
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 1000
- name: hydra-dispatcher-caddy
image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
imagePullPolicy: IfNotPresent
args:
[
"/usr/sbin/caddy",
"run",
"--adapter",
"caddyfile",
"--config",
"/etc/caddy/Caddyfile",
]
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 5
periodSeconds: 15
envFrom:
- configMapRef:
name: hydra-dispatcher-env
env:
- name: CADDY_APP_UPSTREAM_BACKEND_SERVER
value: 127.0.0.1:9000
- name: CADDY_HTTPS_PORT
value: "8443"
- name: CADDY_HTTP_PORT
value: "8080"
- name: CADDY_DATA_FS
value: "/tmp/caddy"
- name: CADDY_APP_ROOT_PUBLIC
value: "/app/public/"
ports:
- containerPort: 8080
name: http
resources: {}
securityContext:
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 1000
- name: hydra-dispatcher-php-fpm
image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
args: ["/usr/sbin/php-fpm81", "-F", "-e"]
readinessProbe:
exec:
command:
- sh
- -c
- test -f /etc/php81/php-fpm.d/www.conf
livenessProbe:
exec:
command:
- php
- bin/console
- -V
initialDelaySeconds: 10
periodSeconds: 30
env:
- name: PHP_FPM_LISTEN
value: 127.0.0.1:9000
- name: PHP_MEMORY_LIMIT
value: 128m
- name: PHP_FPM_MEMORY_LIMIT
value: 128m
- name: OPCACHE_VALIDATE_TIMESTAMP
value: "0"
- name: OPCACHE_REVALIDATE_FREQ
value: "0"
envFrom:
- configMapRef:
name: hydra-dispatcher-env
volumeMounts:
- mountPath: /app/config/hydra
name: hydra-dispatcher-apps
- name: hydra-dispatcher-php-ini
mountPath: /etc/php81/conf.d/03_base.ini
subPath: 03_base.ini
resources: {}
securityContext:
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 1000
- name: hydra-dispatcher-caddy
image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
imagePullPolicy: IfNotPresent
args:
[
"/usr/sbin/caddy",
"run",
"--adapter",
"caddyfile",
"--config",
"/etc/caddy/Caddyfile",
]
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 5
periodSeconds: 10
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 15
timeoutSeconds: 5
periodSeconds: 15
envFrom:
- configMapRef:
name: hydra-dispatcher-env
env:
- name: CADDY_APP_UPSTREAM_BACKEND_SERVER
value: 127.0.0.1:9000
- name: CADDY_HTTPS_PORT
value: "8443"
- name: CADDY_HTTP_PORT
value: "8080"
- name: CADDY_DATA_FS
value: "/tmp/caddy"
- name: CADDY_APP_ROOT_PUBLIC
value: "/app/public/"
ports:
- containerPort: 8080
name: http
resources: {}
securityContext:
runAsNonRoot: true
runAsGroup: 1000
runAsUser: 1000
restartPolicy: Always
volumes:
- name: hydra-dispatcher-apps
configMap:
name: hydra-dispatcher-apps
- name: hydra-dispatcher-php-ini
configMap:
name: hydra-dispatcher-php-ini
- name: hydra-dispatcher-apps
configMap:
name: hydra-dispatcher-apps
- name: hydra-dispatcher-php-ini
configMap:
name: hydra-dispatcher-php-ini

67
resources/hydra/kustomization.yaml
View File

@ -2,42 +2,45 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: reg.cadoles.com/proxy_cache/oryd/hydra
newTag: v2.1.2
- name: reg.cadoles.com/proxy_cache/oryd/hydra-maester
newTag: v0.0.32-amd64
- name: reg.cadoles.com/proxy_cache/oryd/hydra
newTag: v2.1.2
- name: reg.cadoles.com/proxy_cache/oryd/hydra-maester
newTag: v0.0.32-amd64
resources:
- ./resources/hydra-deployment.yaml
- ./resources/hydra-service.yaml
- ./resources/hydra-role.yaml
- ./resources/hydra-rolebinding.yaml
- ./resources/hydra-serviceaccount.yaml
- ./resources/hydra-migrate-job.yaml
- ./resources/hydra-maester
- ./resources/hydra-janitor-cronjob.yaml
- ./resources/hydra-deployment.yaml
- ./resources/hydra-service.yaml
- ./resources/hydra-role.yaml
- ./resources/hydra-rolebinding.yaml
- ./resources/hydra-serviceaccount.yaml
- ./resources/hydra-migrate-job.yaml
- ./resources/hydra-maester
- ./resources/hydra-janitor-cronjob.yaml
secretGenerator:
- name: hydra-secret
literals:
- SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
- name: hydra-secret
literals:
- SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
configMapGenerator:
- name: hydra-env
literals:
- URLS_SELF_ISSUER=http://localhost:4444
- URLS_LOGIN=http://hydra-login-app/login
- URLS_CONSENT=http://hydra-consent-app/consent
- URLS_LOGOUT=http://hydra-logout-app/logout
- HYDRA_SERVE_ALL_ARGS=--dev
- HYDRA_DATABASE_MAX_CONN="10"
- LOG_LEVEL=info
- name: hydra-env
literals:
- URLS_SELF_ISSUER=http://localhost:4444
- URLS_LOGIN=http://hydra-login-app/login
- URLS_CONSENT=http://hydra-consent-app/consent
- URLS_LOGOUT=http://hydra-logout-app/logout
- HYDRA_SERVE_ALL_ARGS=--dev
- HYDRA_DATABASE_MAX_CONN="10"
- LOG_LEVEL=info
vars:
- name: HYDRA_MIGRATE_JOB_NAME
objref:
name: hydra-migrate
kind: Job
apiVersion: batch/v1
fieldref:
fieldpath: metadata.name
replacements:
- source:
kind: Job
name: hydra-migrate
fieldPath: metadata.name
targets:
- select:
kind: Deployment
name: hydra
fieldPaths:
- spec.template.spec.initContainers.0.args.1

5
resources/hydra/resources/hydra-deployment.yaml
View File

@ -21,8 +21,8 @@ spec:
- name: wait-for-migrate
image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
args:
- job
- $(HYDRA_MIGRATE_JOB_NAME)
- job
- REPLACE_ME
containers:
- name: hydra
image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
@ -57,4 +57,3 @@ spec:
name: hydra-admin
resources: {}
restartPolicy: Always

7
resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
View File

@ -7,7 +7,7 @@ metadata:
labels:
app.kubernetes.io/name: hydra-maester
app.kubernetes.io/instance: hydra-master
app.kubernetes.io/version: "v0.0.23"
app.kubernetes.io/version: "v0.0.25"
spec:
replicas: 1
revisionHistoryLimit: 10
@ -38,15 +38,14 @@ spec:
- --hydra-url=$(HYDRA_ADMIN_BASE_URL)
- --hydra-port=$(HYDRA_ADMIN_PORT)
- --endpoint=/admin/clients
resources:
{}
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true