From 390ead21c6b176ae68ba85360724f5a1079bdfc0 Mon Sep 17 00:00:00 2001 From: William Petit Date: Thu, 2 Nov 2023 18:32:37 +0100 Subject: [PATCH] fix: example app deployment with saml login app --- components/hydra-saml/files/hydra/saml.yaml | 19 ++- .../files/shibboleth-sp/attribute-map.inc.xml | 3 + components/hydra-saml/kustomization.yaml | 5 + .../hydra-saml-remote-user-deployment.yaml | 2 +- .../hydra-saml-remote-user-service.yaml | 2 +- .../resources/hydra-saml-service.yaml | 2 +- .../hydra-saml-shibboleth-sp-deployment.yaml | 12 +- examples/authenticated-app/README.md | 40 +++++- examples/authenticated-app/kustomization.yaml | 10 +- .../patches/hydra-dispatcher-env.yaml | 22 +++- .../authenticated-app/patches/hydra-env.yaml | 8 +- .../patches/hydra-saml-env.yaml | 32 +++-- .../resources/app-deployment.yaml | 40 ------ .../resources/app-service.yaml | 15 --- examples/authenticated-app/resources/app.yaml | 66 ++++++++++ .../ingress-prefix-traefik-middleware.yaml | 10 -- .../authenticated-app/resources/ingress.yaml | 118 +++++++++++++++--- .../resources/oauth2-client.yaml | 18 +++ .../resources/port-forwarder-deployment.yaml | 29 ----- .../resources/port-forwarder-service.yaml | 12 -- .../resources/port-forwarder.yaml | 55 ++++++++ .../authenticated-app/resources/saml-idp.yaml | 51 ++++++++ .../resources/self-signed-issuer.yaml | 6 + examples/k8s/k3d/cluster-config.yaml | 11 -- examples/k8s/k3d/cluster/kustomization.yaml | 4 - examples/k8s/kind/cluster-config.yaml | 45 +++++++ examples/k8s/kind/cluster/.gitignore | 1 + examples/k8s/kind/cluster/kustomization.yaml | 14 +++ .../cluster/patches/nginx-controller.yaml | 6 + .../hydra-dispatcher/files/hydra/default.yaml | 17 ++- .../hydra-dispatcher-deployment.yaml | 2 +- 31 files changed, 505 insertions(+), 172 deletions(-) create mode 100644 components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml delete mode 100644 examples/authenticated-app/resources/app-deployment.yaml delete mode 100644 examples/authenticated-app/resources/app-service.yaml create mode 100644 examples/authenticated-app/resources/app.yaml delete mode 100644 examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml create mode 100644 examples/authenticated-app/resources/oauth2-client.yaml delete mode 100644 examples/authenticated-app/resources/port-forwarder-deployment.yaml delete mode 100644 examples/authenticated-app/resources/port-forwarder-service.yaml create mode 100644 examples/authenticated-app/resources/port-forwarder.yaml create mode 100644 examples/authenticated-app/resources/saml-idp.yaml create mode 100644 examples/authenticated-app/resources/self-signed-issuer.yaml delete mode 100644 examples/k8s/k3d/cluster-config.yaml delete mode 100644 examples/k8s/k3d/cluster/kustomization.yaml create mode 100644 examples/k8s/kind/cluster-config.yaml create mode 100644 examples/k8s/kind/cluster/.gitignore create mode 100644 examples/k8s/kind/cluster/kustomization.yaml create mode 100644 examples/k8s/kind/cluster/patches/nginx-controller.yaml diff --git a/components/hydra-saml/files/hydra/saml.yaml b/components/hydra-saml/files/hydra/saml.yaml index 198d33f..905b3d5 100644 --- a/components/hydra-saml/files/hydra/saml.yaml +++ b/components/hydra-saml/files/hydra/saml.yaml @@ -10,4 +10,21 @@ hydra: login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%" consent_url: "%env(string:HYDRA_DISPATCHER_SAML_CONSENT_URL)%" logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%" - attributes_rewrite_rules: [] \ No newline at end of file + attributes_rewrite_configuration: + uid: + rules: + - "property_exists(consent.session.id_token, 'uid') ? consent.session.id_token.uid : null" + email: + rules: + - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" + eduPersonAffiliation: + rules: + - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null" + firewall: + rules: + email: + required: false + uid: + required: false + eduPersonAffiliation: + required: false \ No newline at end of file diff --git a/components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml b/components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml new file mode 100644 index 0000000..5c96df7 --- /dev/null +++ b/components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/components/hydra-saml/kustomization.yaml b/components/hydra-saml/kustomization.yaml index ce570f8..91ff676 100644 --- a/components/hydra-saml/kustomization.yaml +++ b/components/hydra-saml/kustomization.yaml @@ -18,6 +18,7 @@ configMapGenerator: - HYDRA_ADMIN_BASE_URL=http://hydra:4445/admin - TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR - LOGOUT_REDIRECT_URL_PATTERN=http://hydra-saml/Shibboleth.sso/Logout?return=%s' + - PATH_PREFIX= # Shibboleth SP environment variables - SP_ENTITY_ID=http://hydra-saml-shibboleth-sp - IDP_ENTITY_ID=http://saml-idp @@ -25,10 +26,14 @@ configMapGenerator: - APACHE_BACKEND_URL=http://hydra-saml-remote-user - APACHE_FORCE_HTTPS=false - SP_HANDLER_BASE_PATH=/ + - SP_SESSIONS_RELAY_STATE=cookie:5 - name: hydra-dispatcher-apps behavior: merge files: - ./files/hydra/saml.yaml + - name: hydra-saml-shibboleth-sp + files: + - ./files/shibboleth-sp/attribute-map.inc.xml patchesJson6902: - target: diff --git a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml b/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml index 24502cc..f4154f7 100644 --- a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml +++ b/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: hydra-saml-remote-user - image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138 + image: reg.cadoles.com/wpetit/hydra-remote-user-v1:v0.0.0-232-g99ae0e5 envFrom: - configMapRef: name: hydra-saml-env diff --git a/components/hydra-saml/resources/hydra-saml-remote-user-service.yaml b/components/hydra-saml/resources/hydra-saml-remote-user-service.yaml index 960ecea..9aad3eb 100644 --- a/components/hydra-saml/resources/hydra-saml-remote-user-service.yaml +++ b/components/hydra-saml/resources/hydra-saml-remote-user-service.yaml @@ -6,7 +6,7 @@ metadata: name: hydra-saml-remote-user spec: ports: - - name: hydra-saml-remote-user + - name: http port: 80 selector: io.kompose.service: hydra-saml-remote-user diff --git a/components/hydra-saml/resources/hydra-saml-service.yaml b/components/hydra-saml/resources/hydra-saml-service.yaml index c85bbc1..cd305c2 100644 --- a/components/hydra-saml/resources/hydra-saml-service.yaml +++ b/components/hydra-saml/resources/hydra-saml-service.yaml @@ -6,7 +6,7 @@ metadata: name: hydra-saml spec: ports: - - name: hydra-saml-shibboleth-sp + - name: http port: 80 selector: io.kompose.service: hydra-saml-shibboleth-sp diff --git a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml b/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml index 80a793b..68a5c98 100644 --- a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml +++ b/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml @@ -16,14 +16,24 @@ spec: labels: io.kompose.service: hydra-saml-shibboleth-sp spec: + securityContext: + fsGroup: 102 containers: - name: hydra-saml-shibboleth-sp - image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679 + image: reg.cadoles.com/wpetit/shibboleth-sp-v3:v0.0.0-232-g377af91 envFrom: - configMapRef: name: hydra-saml-env + volumeMounts: + - name: attributes-map-inc + mountPath: /etc/shibboleth/attribute-map.inc.xml + subPath: attribute-map.inc.xml ports: - containerPort: 80 resources: {} restartPolicy: Always + volumes: + - name: attributes-map-inc + configMap: + name: hydra-saml-shibboleth-sp diff --git a/examples/authenticated-app/README.md b/examples/authenticated-app/README.md index 126a15e..a3faff0 100644 --- a/examples/authenticated-app/README.md +++ b/examples/authenticated-app/README.md @@ -1,19 +1,21 @@ # Exemple: Déploiement d'une application authentifiée avec la stack SSO +L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. + ## Procédure -### Avec `k3d` +### Avec `kind` -1. Créer un cluster avec `k3d` +1. Créer un cluster avec `kind` ``` - k3d cluster create -c ./examples/k8s/k3d/k3d/cluster-config.yaml + kind create cluster --config ./examples/k8s/kind/cluster-config.yaml ``` 2. Déployer les opérateurs nécessaires au déploiement ``` - kubectl apply -k ./examples/k8s/k3d/cluster + kubectl kustomize --enable-helm ./examples/k8s/kind/cluster | kubectl apply -f - ``` 3. Déployer l'application @@ -22,4 +24,32 @@ kubectl apply -k ./examples/authenticated-app ``` -Après stabilisation du déploiement, l'application devrait être accessible à l'adresse http://localhost:8080/ \ No newline at end of file + **Note** Il est possible d'avoir l'erreur suivante: + + ``` + error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1" + ``` + + Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande. + +4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts` + + ``` + 127.0.0.1 ssokustom + ``` + +5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom + +#### Supprimer le cluster + +``` +kind delete cluster -n sso-kustom-example +``` + +## Authentification + +### SAML + +- Utilisateur: `user1` +- Mot de passe `user1pass` + diff --git a/examples/authenticated-app/kustomization.yaml b/examples/authenticated-app/kustomization.yaml index 926224c..80aba5f 100644 --- a/examples/authenticated-app/kustomization.yaml +++ b/examples/authenticated-app/kustomization.yaml @@ -4,12 +4,12 @@ kind: Kustomization resources: - ../../resources/hydra - ../../resources/hydra-dispatcher - - ./resources/app-deployment.yaml - - ./resources/app-service.yaml + - ./resources/app.yaml - ./resources/ingress.yaml - - ./resources/ingress-prefix-traefik-middleware.yaml - - ./resources/port-forwarder-deployment.yaml - - ./resources/port-forwarder-service.yaml + - ./resources/oauth2-client.yaml + - ./resources/saml-idp.yaml + - ./resources/self-signed-issuer.yaml + - ./resources/port-forwarder.yaml components: - ../../components/hydra-cnpg-database diff --git a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml index be7c1dc..464288a 100644 --- a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml +++ b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml @@ -1,18 +1,30 @@ - op: replace path: "/data/HYDRA_BASE_URL" - value: http://ssokustom:8080/auth + value: http://hydra:4444 - op: replace path: "/data/HYDRA_ADMIN_BASE_URL" value: http://hydra:4445/admin - op: replace path: "/data/HYDRA_ORIGINAL_ISSUER" - value: http://ssokustom:8080/auth + value: http://hydra:4444 - op: replace path: "/data/HYDRA_NEW_ISSUER" - value: http://ssokustom:8080/auth/dispatcher/ + value: https://ssokustom/auth/dispatcher - op: replace path: "/data/BASE_URL" - value: http://ssokustom:8080/auth/dispatcher + value: https://ssokustom/auth/dispatcher - op: replace path: "/data/COOKIE_PATH" - value: /auth/dispatcher \ No newline at end of file + value: /auth/dispatcher + +# Hydra SAML configuration +- op: replace + path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL" + value: https://ssokustom/auth/saml/login +- op: replace + path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL" + value: https://ssokustom/auth/saml/consent +- op: replace + path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL" + value: https://ssokustom/auth/saml/logout + \ No newline at end of file diff --git a/examples/authenticated-app/patches/hydra-env.yaml b/examples/authenticated-app/patches/hydra-env.yaml index 8b9286f..1b45696 100644 --- a/examples/authenticated-app/patches/hydra-env.yaml +++ b/examples/authenticated-app/patches/hydra-env.yaml @@ -1,15 +1,15 @@ - op: replace path: "/data/URLS_SELF_ISSUER" - value: http://ssokustom:8080/auth + value: https://ssokustom/auth - op: replace path: "/data/URLS_LOGIN" - value: http://ssokustom:8080/auth/dispatcher/login + value: https://ssokustom/auth/dispatcher/login - op: replace path: "/data/URLS_LOGOUT" - value: http://ssokustom:8080/auth/dispatcher/logout + value: https://ssokustom/auth/dispatcher/logout - op: replace path: "/data/URLS_CONSENT" - value: http://ssokustom:8080/auth/dispatcher/consent + value: https://ssokustom/auth/dispatcher/consent - op: replace path: "/data/HYDRA_SERVE_ALL_ARGS" value: "--dev" \ No newline at end of file diff --git a/examples/authenticated-app/patches/hydra-saml-env.yaml b/examples/authenticated-app/patches/hydra-saml-env.yaml index f340556..8d9aa8a 100644 --- a/examples/authenticated-app/patches/hydra-saml-env.yaml +++ b/examples/authenticated-app/patches/hydra-saml-env.yaml @@ -1,6 +1,6 @@ - op: replace path: "/data/HTTP_BASE_URL" - value: http://ssokustom:8080/auth/saml + value: https://ssokustom/auth/saml - op: replace path: "/data/COOKIE_PATH" value: /auth/saml @@ -9,23 +9,35 @@ value: http://hydra-dispatcher - op: replace path: "/data/LOGOUT_REDIRECT_URL_PATTERN" - value: http://ssokustom:8080/auth/saml/Shibboleth.sso/Logout?return=%s + value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s +- op: replace + path: "/data/PATH_PREFIX" + value: "/auth/saml" - op: replace path: "/data/SP_ENTITY_ID" - value: http://ssokustom:8080/auth/saml + value: https://ssokustom/auth/saml - op: replace path: "/data/IDP_ENTITY_ID" - value: http://ssokustom:8080/idp + value: https://ssokustom/simplesaml/saml2/idp/metadata.php - op: replace path: "/data/IDP_METADATA_URL" - value: http://ssokustom:8080/idp/metadata -- op: replace - path: "/data/APACHE_BACKEND_URL" - value: http://hydra-remote-user + value: https://ssokustom/simplesaml/saml2/idp/metadata.php - op: replace path: "/data/APACHE_FORCE_HTTPS" - value: "false" + value: "true" - op: replace path: "/data/SP_HANDLER_BASE_PATH" - value: /auth/saml \ No newline at end of file + value: "/auth/saml" +- op: replace + path: "/data/SP_LOG_LEVEL" + value: DEBUG +- op: replace + path: "/data/SP_SESSIONS_REDIRECT_LIMIT" + value: none +- op: replace + path: "/data/SP_SESSIONS_REDIRECT_ALLOW" + value: https://ssokustom +- op: replace + path: "/data/SP_SESSIONS_COOKIE_PROPS" + value: https \ No newline at end of file diff --git a/examples/authenticated-app/resources/app-deployment.yaml b/examples/authenticated-app/resources/app-deployment.yaml deleted file mode 100644 index fc31c7c..0000000 --- a/examples/authenticated-app/resources/app-deployment.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - io.kompose.service: app - name: app -spec: - replicas: 1 - selector: - matchLabels: - io.kompose.service: app - strategy: - type: Recreate - template: - metadata: - labels: - io.kompose.service: app - spec: - containers: - - image: bornholm/oidc-test:v0.0.0-1-g936a77e - name: app - ports: - - containerPort: 8080 - resources: {} - env: - - name: LOG_LEVEL - value: "0" - - name: HTTP_ADDRESS - value: 0.0.0.0:8080 - - name: OIDC_CLIENT_ID - value: oidc-test - - name: OIDC_CLIENT_SECRET - value: oidc-test-123456 - - name: OIDC_ISSUER_URL - value: http://ssokustom:8080/auth - - name: OIDC_REDIRECT_URL - value: http://ssokustom:8080 - - name: OIDC_POST_LOGOUT_REDIRECT_URL - value: http://ssokustom:8080 - restartPolicy: Always diff --git a/examples/authenticated-app/resources/app-service.yaml b/examples/authenticated-app/resources/app-service.yaml deleted file mode 100644 index 19e7784..0000000 --- a/examples/authenticated-app/resources/app-service.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - io.kompose.service: app - name: app -spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - selector: - io.kompose.service: app -status: - loadBalancer: {} diff --git a/examples/authenticated-app/resources/app.yaml b/examples/authenticated-app/resources/app.yaml new file mode 100644 index 0000000..1da36c9 --- /dev/null +++ b/examples/authenticated-app/resources/app.yaml @@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + io.kompose.service: app + name: app +spec: + replicas: 1 + selector: + matchLabels: + io.kompose.service: app + strategy: + type: Recreate + template: + metadata: + labels: + io.kompose.service: app + spec: + containers: + - image: reg.cadoles.com/cadoles/oidc-test:2023.11.6-stable.1557.e16b905 + name: app + ports: + - containerPort: 8080 + resources: {} + env: + - name: LOG_LEVEL + value: "0" + - name: HTTP_ADDRESS + value: 0.0.0.0:8080 + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: app-oidc-secret + key: client_id + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: app-oidc-secret + key: client_secret + - name: OIDC_ISSUER_URL + value: http://hydra:4444 + - name: OIDC_REDIRECT_URL + value: https://ssokustom/oauth2/callback + - name: OIDC_POST_LOGOUT_REDIRECT_URL + value: https://ssokustom + - name: OIDC_SKIP_ISSUER_VERIFICATION + value: "true" + - name: OIDC_INSECURE_SKIP_VERIFY + value: "true" + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + labels: + io.kompose.service: app + name: app +spec: + ports: + - name: http + port: 8080 + targetPort: 8080 + selector: + io.kompose.service: app +status: + loadBalancer: {} diff --git a/examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml b/examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml deleted file mode 100644 index 07f8e81..0000000 --- a/examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: ingress-prefix -spec: - stripPrefixRegex: - regex: - - ^/auth/dispatcher - - ^/auth/saml - - ^/auth \ No newline at end of file diff --git a/examples/authenticated-app/resources/ingress.yaml b/examples/authenticated-app/resources/ingress.yaml index 28ecffa..1ab37dc 100644 --- a/examples/authenticated-app/resources/ingress.yaml +++ b/examples/authenticated-app/resources/ingress.yaml @@ -1,11 +1,18 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: portal + name: app annotations: - ingress.kubernetes.io/ssl-redirect: "false" - traefik.ingress.kubernetes.io/router.middlewares: default-ingress-prefix@kubernetescrd + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + cert-manager.io/issuer: "self-signed" + # nginx.ingress.kubernetes.io/configuration-snippet: | + # more_set_headers "X-Forwarded-Proto: https"; spec: + ingressClassName: nginx + tls: + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - http: paths: @@ -16,28 +23,109 @@ spec: name: app port: name: http - - - path: /auth/dispatcher +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: auth-saml + annotations: + cert-manager.io/issuer: "self-signed" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" +spec: + ingressClassName: nginx + tls: + - hosts: + - ssokustom + secretName: ssokustom-example-tls + rules: + - http: + paths: + - path: /auth/saml(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-saml + port: + name: http +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: auth-dispatcher + annotations: + cert-manager.io/issuer: "self-signed" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher +spec: + ingressClassName: nginx + tls: + - hosts: + - ssokustom + secretName: ssokustom-example-tls + rules: + - http: + paths: + - path: /auth/dispatcher(/|$)(.*) pathType: Prefix backend: service: name: hydra-dispatcher port: name: http - - - path: /auth +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: auth + annotations: + cert-manager.io/issuer: "self-signed" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 +spec: + ingressClassName: nginx + tls: + - hosts: + - ssokustom + secretName: ssokustom-example-tls + rules: + - http: + paths: + - path: /auth(/|$)(.*) pathType: Prefix backend: service: name: hydra port: name: hydra-public - - # - path: /auth/passwordless/?(.*) - # pathType: Prefix - # backend: - # service: - # name: hydra - # port: - # name: http-public +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: saml-idp + annotations: + cert-manager.io/issuer: "self-signed" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2 + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +spec: + ingressClassName: nginx + tls: + - hosts: + - ssokustom + secretName: ssokustom-example-tls + rules: + - http: + paths: + - path: /simplesaml(/|$)(.*) + pathType: Prefix + backend: + service: + name: saml-idp + port: + name: https + + + + \ No newline at end of file diff --git a/examples/authenticated-app/resources/oauth2-client.yaml b/examples/authenticated-app/resources/oauth2-client.yaml new file mode 100644 index 0000000..7b786c5 --- /dev/null +++ b/examples/authenticated-app/resources/oauth2-client.yaml @@ -0,0 +1,18 @@ +apiVersion: hydra.ory.sh/v1alpha1 +kind: OAuth2Client +metadata: + name: app-oauth2-client +spec: + clientName: "app" + tokenEndpointAuthMethod: "client_secret_basic" + grantTypes: + - authorization_code + - refresh_token + responseTypes: + - code + scope: "openid email" + secretName: app-oidc-secret + redirectUris: + - https://ssokustom/oauth2/callback + postLogoutRedirectUris: + - https://ssokustom diff --git a/examples/authenticated-app/resources/port-forwarder-deployment.yaml b/examples/authenticated-app/resources/port-forwarder-deployment.yaml deleted file mode 100644 index 9ff0268..0000000 --- a/examples/authenticated-app/resources/port-forwarder-deployment.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - io.kompose.service: port-forwarder - name: port-forwarder -spec: - replicas: 1 - selector: - matchLabels: - io.kompose.service: port-forwarder - strategy: - type: Recreate - template: - metadata: - labels: - io.kompose.service: port-forwarder - spec: - containers: - - image: hpello/tcp-proxy:latest - name: port-forwarder - env: - - name: LISTEN_PORT - value: "8080" - ports: - - containerPort: 8080 - resources: {} - args: ["traefik.kube-system.svc.cluster.local", "80"] - restartPolicy: Always diff --git a/examples/authenticated-app/resources/port-forwarder-service.yaml b/examples/authenticated-app/resources/port-forwarder-service.yaml deleted file mode 100644 index a360fdf..0000000 --- a/examples/authenticated-app/resources/port-forwarder-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: ssokustom - labels: - io.kompose.service: port-forwarder -spec: - ports: - - port: 8080 - targetPort: 8080 - selector: - io.kompose.service: port-forwarder \ No newline at end of file diff --git a/examples/authenticated-app/resources/port-forwarder.yaml b/examples/authenticated-app/resources/port-forwarder.yaml new file mode 100644 index 0000000..7db316a --- /dev/null +++ b/examples/authenticated-app/resources/port-forwarder.yaml @@ -0,0 +1,55 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + io.kompose.service: port-forwarder + name: port-forwarder +spec: + replicas: 1 + selector: + matchLabels: + io.kompose.service: port-forwarder + strategy: + type: Recreate + template: + metadata: + labels: + io.kompose.service: port-forwarder + spec: + containers: + - image: hpello/tcp-proxy:latest + name: port-forwarder-https + env: + - name: LISTEN_PORT + value: "443" + ports: + - containerPort: 443 + resources: {} + args: ["ingress-nginx-controller.ingress-nginx.svc.cluster.local", "443"] + - image: hpello/tcp-proxy:latest + name: port-forwarder-http + env: + - name: LISTEN_PORT + value: "80" + ports: + - containerPort: 80 + resources: {} + args: ["ingress-nginx-controller.ingress-nginx.svc.cluster.local", "80"] + restartPolicy: Always +--- +kind: Service +apiVersion: v1 +metadata: + name: ssokustom + labels: + io.kompose.service: port-forwarder +spec: + ports: + - name: https + port: 443 + targetPort: 443 + - name: http + port: 80 + targetPort: 80 + selector: + io.kompose.service: port-forwarder \ No newline at end of file diff --git a/examples/authenticated-app/resources/saml-idp.yaml b/examples/authenticated-app/resources/saml-idp.yaml new file mode 100644 index 0000000..d89cdbf --- /dev/null +++ b/examples/authenticated-app/resources/saml-idp.yaml @@ -0,0 +1,51 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + io.kompose.service: saml-idp + name: saml-idp +spec: + replicas: 1 + selector: + matchLabels: + io.kompose.service: saml-idp + strategy: + type: Recreate + template: + metadata: + labels: + io.kompose.service: saml-idp + spec: + containers: + - image: kristophjunge/test-saml-idp:1.15 + name: saml-idp + ports: + - containerPort: 8443 + resources: {} + env: + - name: SIMPLESAMLPHP_SP_ENTITY_ID + value: https://ssokustom/auth/saml + - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE + value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST + - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE + value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + labels: + io.kompose.service: saml-idp + name: saml-idp +spec: + ports: + - name: http + port: 8080 + targetPort: 8080 + - name: https + port: 8443 + targetPort: 8443 + selector: + io.kompose.service: saml-idp +status: + loadBalancer: {} \ No newline at end of file diff --git a/examples/authenticated-app/resources/self-signed-issuer.yaml b/examples/authenticated-app/resources/self-signed-issuer.yaml new file mode 100644 index 0000000..69ec201 --- /dev/null +++ b/examples/authenticated-app/resources/self-signed-issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: self-signed +spec: + selfSigned: {} \ No newline at end of file diff --git a/examples/k8s/k3d/cluster-config.yaml b/examples/k8s/k3d/cluster-config.yaml deleted file mode 100644 index 04831c8..0000000 --- a/examples/k8s/k3d/cluster-config.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: k3d.io/v1alpha4 -kind: Simple -metadata: - name: sso-kustom -servers: 1 -agents: 2 -ports: - - port: 8080:80 - nodeFilters: - - loadbalancer diff --git a/examples/k8s/k3d/cluster/kustomization.yaml b/examples/k8s/k3d/cluster/kustomization.yaml deleted file mode 100644 index 6e2bd83..0000000 --- a/examples/k8s/k3d/cluster/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop \ No newline at end of file diff --git a/examples/k8s/kind/cluster-config.yaml b/examples/k8s/kind/cluster-config.yaml new file mode 100644 index 0000000..4cb24d2 --- /dev/null +++ b/examples/k8s/kind/cluster-config.yaml @@ -0,0 +1,45 @@ +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +name: sso-kustom-example +nodes: +- role: control-plane + image: kindest/node:v1.27.2 + kubeadmConfigPatches: + - | + kind: InitConfiguration + nodeRegistration: + kubeletExtraArgs: + node-labels: "ingress-ready=true" + extraPortMappings: + - containerPort: 80 + hostPort: 80 + listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0" + - containerPort: 443 + hostPort: 443 + listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0" + labels: + ingress-ready: true +- role: worker + image: kindest/node:v1.27.2 + kubeadmConfigPatches: + - | + kind: JoinConfiguration + nodeRegistration: + kubeletExtraArgs: + system-reserved: memory=2Gi +- role: worker + image: kindest/node:v1.27.2 + kubeadmConfigPatches: + - | + kind: JoinConfiguration + nodeRegistration: + kubeletExtraArgs: + system-reserved: memory=2Gi +- role: worker + image: kindest/node:v1.27.2 + kubeadmConfigPatches: + - | + kind: JoinConfiguration + nodeRegistration: + kubeletExtraArgs: + system-reserved: memory=2Gi \ No newline at end of file diff --git a/examples/k8s/kind/cluster/.gitignore b/examples/k8s/kind/cluster/.gitignore new file mode 100644 index 0000000..fbad614 --- /dev/null +++ b/examples/k8s/kind/cluster/.gitignore @@ -0,0 +1 @@ +/charts \ No newline at end of file diff --git a/examples/k8s/kind/cluster/kustomization.yaml b/examples/k8s/kind/cluster/kustomization.yaml new file mode 100644 index 0000000..760eb72 --- /dev/null +++ b/examples/k8s/kind/cluster/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml +- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop +- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + +patchesJson6902: + - target: + version: v1 + kind: ConfigMap + name: ingress-nginx-controller + namespace: ingress-nginx + path: patches/nginx-controller.yaml \ No newline at end of file diff --git a/examples/k8s/kind/cluster/patches/nginx-controller.yaml b/examples/k8s/kind/cluster/patches/nginx-controller.yaml new file mode 100644 index 0000000..799344f --- /dev/null +++ b/examples/k8s/kind/cluster/patches/nginx-controller.yaml @@ -0,0 +1,6 @@ +- op: replace + path: "/data/allow-snippet-annotations" + value: "true" +- op: replace + path: "/data/use-forwarded-headers" + value: "true" \ No newline at end of file diff --git a/resources/hydra-dispatcher/files/hydra/default.yaml b/resources/hydra-dispatcher/files/hydra/default.yaml index f23203e..52e6dbb 100644 --- a/resources/hydra-dispatcher/files/hydra/default.yaml +++ b/resources/hydra-dispatcher/files/hydra/default.yaml @@ -1,2 +1,17 @@ +parameters: + env(HYDRA_DISPATCHER_WEBHOOK_ENABLED): false + env(HYDRA_DISPATCHER_WEBHOOK_API_URL): "" + env(HYDRA_DISPATCHER_WEBHOOK_API_KEY): "" + env(HYDRA_DISPATCHER_WEBHOOK_API_METHOD): POST + env(HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES): true + hydra: - apps: [] \ No newline at end of file + apps: [] + webhook: + enabled: "%env(bool:HYDRA_DISPATCHER_WEBHOOK_ENABLED)%" + api_url: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_URL)%" + api_key: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_KEY)%" + api_method: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_METHOD)%" + firewall: + additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%" + rules: {} \ No newline at end of file diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml index 7728ce9..2a049ce 100644 --- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml +++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml @@ -18,7 +18,7 @@ spec: spec: containers: - name: hydra-dispatcher - image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-218-g4b5e1d9 + image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-238-g7236416 envFrom: - configMapRef: name: hydra-dispatcher-env