CadolesKube
/
sso-kustom
14
0
Fork 0
Code Issues 19 Pull Requests 4 Projects Releases Wiki Activity

fix: example app deployment with saml login app

This commit is contained in:
wpetit 2023-11-02 18:32:37 +01:00
parent 8075071f22
commit 390ead21c6
31 changed files with 505 additions and 172 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
components/hydra-saml/files/hydra/saml.yaml
View File

@ -10,4 +10,21 @@ hydra:
login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%"
consent_url: "%env(string:HYDRA_DISPATCHER_SAML_CONSENT_URL)%"
logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
attributes_rewrite_rules: []
attributes_rewrite_configuration:
uid:
rules:
- "property_exists(consent.session.id_token, 'uid') ? consent.session.id_token.uid : null"
email:
rules:
- "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
eduPersonAffiliation:
rules:
- "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null"
firewall:
rules:
email:
required: false
uid:
required: false
eduPersonAffiliation:
required: false

3
components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml Normal file
View File

@ -0,0 +1,3 @@
<Attribute name="uid" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="uid" />
<Attribute name="eduPersonAffiliation" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eduPersonAffiliation" />
<Attribute name="email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="email" />

5
components/hydra-saml/kustomization.yaml
View File

@ -18,6 +18,7 @@ configMapGenerator:
- HYDRA_ADMIN_BASE_URL=http://hydra:4445/admin
- TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
- LOGOUT_REDIRECT_URL_PATTERN=http://hydra-saml/Shibboleth.sso/Logout?return=%s'
- PATH_PREFIX=
# Shibboleth SP environment variables
- SP_ENTITY_ID=http://hydra-saml-shibboleth-sp
- IDP_ENTITY_ID=http://saml-idp
@ -25,10 +26,14 @@ configMapGenerator:
- APACHE_BACKEND_URL=http://hydra-saml-remote-user
- APACHE_FORCE_HTTPS=false
- SP_HANDLER_BASE_PATH=/
- SP_SESSIONS_RELAY_STATE=cookie:5
- name: hydra-dispatcher-apps
behavior: merge
files:
- ./files/hydra/saml.yaml
- name: hydra-saml-shibboleth-sp
files:
- ./files/shibboleth-sp/attribute-map.inc.xml
patchesJson6902:
- target:

2
components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
View File

@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: hydra-saml-remote-user
image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138
image: reg.cadoles.com/wpetit/hydra-remote-user-v1:v0.0.0-232-g99ae0e5
envFrom:
- configMapRef:
name: hydra-saml-env

2
components/hydra-saml/resources/hydra-saml-remote-user-service.yaml
View File

@ -6,7 +6,7 @@ metadata:
name: hydra-saml-remote-user
spec:
ports:
- name: hydra-saml-remote-user
- name: http
port: 80
selector:
io.kompose.service: hydra-saml-remote-user

2
components/hydra-saml/resources/hydra-saml-service.yaml
View File

@ -6,7 +6,7 @@ metadata:
name: hydra-saml
spec:
ports:
- name: hydra-saml-shibboleth-sp
- name: http
port: 80
selector:
io.kompose.service: hydra-saml-shibboleth-sp

12
components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
View File

@ -16,14 +16,24 @@ spec:
labels:
io.kompose.service: hydra-saml-shibboleth-sp
spec:
securityContext:
fsGroup: 102
containers:
- name: hydra-saml-shibboleth-sp
image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679
image: reg.cadoles.com/wpetit/shibboleth-sp-v3:v0.0.0-232-g377af91
envFrom:
- configMapRef:
name: hydra-saml-env
volumeMounts:
- name: attributes-map-inc
mountPath: /etc/shibboleth/attribute-map.inc.xml
subPath: attribute-map.inc.xml
ports:
- containerPort: 80
resources: {}
restartPolicy: Always
volumes:
- name: attributes-map-inc
configMap:
name: hydra-saml-shibboleth-sp

40
examples/authenticated-app/README.md
View File

@ -1,19 +1,21 @@
# Exemple: Déploiement d'une application authentifiée avec la stack SSO
L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
## Procédure
### Avec `k3d`
### Avec `kind`
1. Créer un cluster avec `k3d`
1. Créer un cluster avec `kind`
```
k3d cluster create -c ./examples/k8s/k3d/k3d/cluster-config.yaml
kind create cluster --config ./examples/k8s/kind/cluster-config.yaml
```
2. Déployer les opérateurs nécessaires au déploiement
```
kubectl apply -k ./examples/k8s/k3d/cluster
kubectl kustomize --enable-helm ./examples/k8s/kind/cluster | kubectl apply -f -
```
3. Déployer l'application
@ -22,4 +24,32 @@
kubectl apply -k ./examples/authenticated-app
```
Après stabilisation du déploiement, l'application devrait être accessible à l'adresse http://localhost:8080/
**Note** Il est possible d'avoir l'erreur suivante:
```
error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1"
```
Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande.
4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
```
127.0.0.1 ssokustom
```
5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
#### Supprimer le cluster
```
kind delete cluster -n sso-kustom-example
```
## Authentification
### SAML
- Utilisateur: `user1`
- Mot de passe `user1pass`

10
examples/authenticated-app/kustomization.yaml
View File

@ -4,12 +4,12 @@ kind: Kustomization
resources:
- ../../resources/hydra
- ../../resources/hydra-dispatcher
- ./resources/app-deployment.yaml
- ./resources/app-service.yaml
- ./resources/app.yaml
- ./resources/ingress.yaml
- ./resources/ingress-prefix-traefik-middleware.yaml
- ./resources/port-forwarder-deployment.yaml
- ./resources/port-forwarder-service.yaml
- ./resources/oauth2-client.yaml
- ./resources/saml-idp.yaml
- ./resources/self-signed-issuer.yaml
- ./resources/port-forwarder.yaml
components:
- ../../components/hydra-cnpg-database

22
examples/authenticated-app/patches/hydra-dispatcher-env.yaml
View File

@ -1,18 +1,30 @@
- op: replace
path: "/data/HYDRA_BASE_URL"
value: http://ssokustom:8080/auth
value: http://hydra:4444
- op: replace
path: "/data/HYDRA_ADMIN_BASE_URL"
value: http://hydra:4445/admin
- op: replace
path: "/data/HYDRA_ORIGINAL_ISSUER"
value: http://ssokustom:8080/auth
value: http://hydra:4444
- op: replace
path: "/data/HYDRA_NEW_ISSUER"
value: http://ssokustom:8080/auth/dispatcher/
value: https://ssokustom/auth/dispatcher
- op: replace
path: "/data/BASE_URL"
value: http://ssokustom:8080/auth/dispatcher
value: https://ssokustom/auth/dispatcher
- op: replace
path: "/data/COOKIE_PATH"
value: /auth/dispatcher
value: /auth/dispatcher
# Hydra SAML configuration
- op: replace
path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL"
value: https://ssokustom/auth/saml/login
- op: replace
path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL"
value: https://ssokustom/auth/saml/consent
- op: replace
path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL"
value: https://ssokustom/auth/saml/logout

8
examples/authenticated-app/patches/hydra-env.yaml
View File

@ -1,15 +1,15 @@
- op: replace
path: "/data/URLS_SELF_ISSUER"
value: http://ssokustom:8080/auth
value: https://ssokustom/auth
- op: replace
path: "/data/URLS_LOGIN"
value: http://ssokustom:8080/auth/dispatcher/login
value: https://ssokustom/auth/dispatcher/login
- op: replace
path: "/data/URLS_LOGOUT"
value: http://ssokustom:8080/auth/dispatcher/logout
value: https://ssokustom/auth/dispatcher/logout
- op: replace
path: "/data/URLS_CONSENT"
value: http://ssokustom:8080/auth/dispatcher/consent
value: https://ssokustom/auth/dispatcher/consent
- op: replace
path: "/data/HYDRA_SERVE_ALL_ARGS"
value: "--dev"

32
examples/authenticated-app/patches/hydra-saml-env.yaml
View File

@ -1,6 +1,6 @@
- op: replace
path: "/data/HTTP_BASE_URL"
value: http://ssokustom:8080/auth/saml
value: https://ssokustom/auth/saml
- op: replace
path: "/data/COOKIE_PATH"
value: /auth/saml
@ -9,23 +9,35 @@
value: http://hydra-dispatcher
- op: replace
path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
value: http://ssokustom:8080/auth/saml/Shibboleth.sso/Logout?return=%s
value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s
- op: replace
path: "/data/PATH_PREFIX"
value: "/auth/saml"
- op: replace
path: "/data/SP_ENTITY_ID"
value: http://ssokustom:8080/auth/saml
value: https://ssokustom/auth/saml
- op: replace
path: "/data/IDP_ENTITY_ID"
value: http://ssokustom:8080/idp
value: https://ssokustom/simplesaml/saml2/idp/metadata.php
- op: replace
path: "/data/IDP_METADATA_URL"
value: http://ssokustom:8080/idp/metadata
- op: replace
path: "/data/APACHE_BACKEND_URL"
value: http://hydra-remote-user
value: https://ssokustom/simplesaml/saml2/idp/metadata.php
- op: replace
path: "/data/APACHE_FORCE_HTTPS"
value: "false"
value: "true"
- op: replace
path: "/data/SP_HANDLER_BASE_PATH"
value: /auth/saml
value: "/auth/saml"
- op: replace
path: "/data/SP_LOG_LEVEL"
value: DEBUG
- op: replace
path: "/data/SP_SESSIONS_REDIRECT_LIMIT"
value: none
- op: replace
path: "/data/SP_SESSIONS_REDIRECT_ALLOW"
value: https://ssokustom
- op: replace
path: "/data/SP_SESSIONS_COOKIE_PROPS"
value: https

40
examples/authenticated-app/resources/app-deployment.yaml
View File

@ -1,40 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.kompose.service: app
name: app
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: app
strategy:
type: Recreate
template:
metadata:
labels:
io.kompose.service: app
spec:
containers:
- image: bornholm/oidc-test:v0.0.0-1-g936a77e
name: app
ports:
- containerPort: 8080
resources: {}
env:
- name: LOG_LEVEL
value: "0"
- name: HTTP_ADDRESS
value: 0.0.0.0:8080
- name: OIDC_CLIENT_ID
value: oidc-test
- name: OIDC_CLIENT_SECRET
value: oidc-test-123456
- name: OIDC_ISSUER_URL
value: http://ssokustom:8080/auth
- name: OIDC_REDIRECT_URL
value: http://ssokustom:8080
- name: OIDC_POST_LOGOUT_REDIRECT_URL
value: http://ssokustom:8080
restartPolicy: Always

15
examples/authenticated-app/resources/app-service.yaml
View File

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
io.kompose.service: app
name: app
spec:
ports:
- name: http
port: 8080
targetPort: 8080
selector:
io.kompose.service: app
status:
loadBalancer: {}

66
examples/authenticated-app/resources/app.yaml Normal file
View File

@ -0,0 +1,66 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.kompose.service: app
name: app
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: app
strategy:
type: Recreate
template:
metadata:
labels:
io.kompose.service: app
spec:
containers:
- image: reg.cadoles.com/cadoles/oidc-test:2023.11.6-stable.1557.e16b905
name: app
ports:
- containerPort: 8080
resources: {}
env:
- name: LOG_LEVEL
value: "0"
- name: HTTP_ADDRESS
value: 0.0.0.0:8080
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: app-oidc-secret
key: client_id
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: app-oidc-secret
key: client_secret
- name: OIDC_ISSUER_URL
value: http://hydra:4444
- name: OIDC_REDIRECT_URL
value: https://ssokustom/oauth2/callback
- name: OIDC_POST_LOGOUT_REDIRECT_URL
value: https://ssokustom
- name: OIDC_SKIP_ISSUER_VERIFICATION
value: "true"
- name: OIDC_INSECURE_SKIP_VERIFY
value: "true"
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
labels:
io.kompose.service: app
name: app
spec:
ports:
- name: http
port: 8080
targetPort: 8080
selector:
io.kompose.service: app
status:
loadBalancer: {}

10
examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml
View File

@ -1,10 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: ingress-prefix
spec:
stripPrefixRegex:
regex:
- ^/auth/dispatcher
- ^/auth/saml
- ^/auth

118
examples/authenticated-app/resources/ingress.yaml
View File

@ -1,11 +1,18 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: portal
name: app
annotations:
ingress.kubernetes.io/ssl-redirect: "false"
traefik.ingress.kubernetes.io/router.middlewares: default-ingress-prefix@kubernetescrd
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
cert-manager.io/issuer: "self-signed"
# nginx.ingress.kubernetes.io/configuration-snippet: |
# more_set_headers "X-Forwarded-Proto: https";
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
@ -16,28 +23,109 @@ spec:
name: app
port:
name: http
- path: /auth/dispatcher
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: auth-saml
annotations:
cert-manager.io/issuer: "self-signed"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
- path: /auth/saml(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra-saml
port:
name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: auth-dispatcher
annotations:
cert-manager.io/issuer: "self-signed"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
- path: /auth/dispatcher(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra-dispatcher
port:
name: http
- path: /auth
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: auth
annotations:
cert-manager.io/issuer: "self-signed"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /$2
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
- path: /auth(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra
port:
name: hydra-public
# - path: /auth/passwordless/?(.*)
# pathType: Prefix
# backend:
# service:
# name: hydra
# port:
# name: http-public
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: saml-idp
annotations:
cert-manager.io/issuer: "self-signed"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
ingressClassName: nginx
tls:
- hosts:
- ssokustom
secretName: ssokustom-example-tls
rules:
- http:
paths:
- path: /simplesaml(/|$)(.*)
pathType: Prefix
backend:
service:
name: saml-idp
port:
name: https

18
examples/authenticated-app/resources/oauth2-client.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
name: app-oauth2-client
spec:
clientName: "app"
tokenEndpointAuthMethod: "client_secret_basic"
grantTypes:
- authorization_code
- refresh_token
responseTypes:
- code
scope: "openid email"
secretName: app-oidc-secret
redirectUris:
- https://ssokustom/oauth2/callback
postLogoutRedirectUris:
- https://ssokustom

29
examples/authenticated-app/resources/port-forwarder-deployment.yaml
View File

@ -1,29 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.kompose.service: port-forwarder
name: port-forwarder
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: port-forwarder
strategy:
type: Recreate
template:
metadata:
labels:
io.kompose.service: port-forwarder
spec:
containers:
- image: hpello/tcp-proxy:latest
name: port-forwarder
env:
- name: LISTEN_PORT
value: "8080"
ports:
- containerPort: 8080
resources: {}
args: ["traefik.kube-system.svc.cluster.local", "80"]
restartPolicy: Always

12
examples/authenticated-app/resources/port-forwarder-service.yaml
View File

@ -1,12 +0,0 @@
kind: Service
apiVersion: v1
metadata:
name: ssokustom
labels:
io.kompose.service: port-forwarder
spec:
ports:
- port: 8080
targetPort: 8080
selector:
io.kompose.service: port-forwarder

55
examples/authenticated-app/resources/port-forwarder.yaml Normal file
View File

@ -0,0 +1,55 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.kompose.service: port-forwarder
name: port-forwarder
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: port-forwarder
strategy:
type: Recreate
template:
metadata:
labels:
io.kompose.service: port-forwarder
spec:
containers:
- image: hpello/tcp-proxy:latest
name: port-forwarder-https
env:
- name: LISTEN_PORT
value: "443"
ports:
- containerPort: 443
resources: {}
args: ["ingress-nginx-controller.ingress-nginx.svc.cluster.local", "443"]
- image: hpello/tcp-proxy:latest
name: port-forwarder-http
env:
- name: LISTEN_PORT
value: "80"
ports:
- containerPort: 80
resources: {}
args: ["ingress-nginx-controller.ingress-nginx.svc.cluster.local", "80"]
restartPolicy: Always
---
kind: Service
apiVersion: v1
metadata:
name: ssokustom
labels:
io.kompose.service: port-forwarder
spec:
ports:
- name: https
port: 443
targetPort: 443
- name: http
port: 80
targetPort: 80
selector:
io.kompose.service: port-forwarder

51
examples/authenticated-app/resources/saml-idp.yaml Normal file
View File

@ -0,0 +1,51 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.kompose.service: saml-idp
name: saml-idp
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: saml-idp
strategy:
type: Recreate
template:
metadata:
labels:
io.kompose.service: saml-idp
spec:
containers:
- image: kristophjunge/test-saml-idp:1.15
name: saml-idp
ports:
- containerPort: 8443
resources: {}
env:
- name: SIMPLESAMLPHP_SP_ENTITY_ID
value: https://ssokustom/auth/saml
- name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE
value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST
- name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE
value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
labels:
io.kompose.service: saml-idp
name: saml-idp
spec:
ports:
- name: http
port: 8080
targetPort: 8080
- name: https
port: 8443
targetPort: 8443
selector:
io.kompose.service: saml-idp
status:
loadBalancer: {}

6
examples/authenticated-app/resources/self-signed-issuer.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: self-signed
spec:
selfSigned: {}

11
examples/k8s/k3d/cluster-config.yaml
View File

@ -1,11 +0,0 @@
---
apiVersion: k3d.io/v1alpha4
kind: Simple
metadata:
name: sso-kustom
servers: 1
agents: 2
ports:
- port: 8080:80
nodeFilters:
- loadbalancer

4
examples/k8s/k3d/cluster/kustomization.yaml
View File

@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop

45
examples/k8s/kind/cluster-config.yaml Normal file
View File

@ -0,0 +1,45 @@
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: sso-kustom-example
nodes:
- role: control-plane
image: kindest/node:v1.27.2
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
node-labels: "ingress-ready=true"
extraPortMappings:
- containerPort: 80
hostPort: 80
listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
- containerPort: 443
hostPort: 443
listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
labels:
ingress-ready: true
- role: worker
image: kindest/node:v1.27.2
kubeadmConfigPatches:
- |
kind: JoinConfiguration
nodeRegistration:
kubeletExtraArgs:
system-reserved: memory=2Gi
- role: worker
image: kindest/node:v1.27.2
kubeadmConfigPatches:
- |
kind: JoinConfiguration
nodeRegistration:
kubeletExtraArgs:
system-reserved: memory=2Gi
- role: worker
image: kindest/node:v1.27.2
kubeadmConfigPatches:
- |
kind: JoinConfiguration
nodeRegistration:
kubeletExtraArgs:
system-reserved: memory=2Gi

1
examples/k8s/kind/cluster/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
/charts

14
examples/k8s/kind/cluster/kustomization.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
patchesJson6902:
- target:
version: v1
kind: ConfigMap
name: ingress-nginx-controller
namespace: ingress-nginx
path: patches/nginx-controller.yaml

6
examples/k8s/kind/cluster/patches/nginx-controller.yaml Normal file
View File

@ -0,0 +1,6 @@
- op: replace
path: "/data/allow-snippet-annotations"
value: "true"
- op: replace
path: "/data/use-forwarded-headers"
value: "true"

17
resources/hydra-dispatcher/files/hydra/default.yaml
View File

@ -1,2 +1,17 @@
parameters:
env(HYDRA_DISPATCHER_WEBHOOK_ENABLED): false
env(HYDRA_DISPATCHER_WEBHOOK_API_URL): ""
env(HYDRA_DISPATCHER_WEBHOOK_API_KEY): ""
env(HYDRA_DISPATCHER_WEBHOOK_API_METHOD): POST
env(HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES): true
hydra:
apps: []
apps: []
webhook:
enabled: "%env(bool:HYDRA_DISPATCHER_WEBHOOK_ENABLED)%"
api_url: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_URL)%"
api_key: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_KEY)%"
api_method: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_METHOD)%"
firewall:
additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%"
rules: {}

2
resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
View File

@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: hydra-dispatcher
image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-218-g4b5e1d9
image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-238-g7236416
envFrom:
- configMapRef:
name: hydra-dispatcher-env