wip: example app
This commit is contained in:
parent
d2960e3be2
commit
4a745fb9a1
@ -4,4 +4,8 @@ Kustomization du service "SSO" (Ory Hydra)
|
||||
|
||||
## Usage
|
||||
|
||||
[Voir la documentation](./doc/README.md)
|
||||
[Voir la documentation](./doc/README.md)
|
||||
|
||||
## Exemple
|
||||
|
||||
Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)
|
@ -9,4 +9,5 @@ hydra:
|
||||
en: Authentication with SAML
|
||||
login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%"
|
||||
consent_url: "%env(string:HYDRA_DISPATCHER_SAML_CONSENT_URL)%"
|
||||
logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
|
||||
logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
|
||||
attributes_rewrite_rules: []
|
25
examples/authenticated-app/README.md
Normal file
25
examples/authenticated-app/README.md
Normal file
@ -0,0 +1,25 @@
|
||||
# Exemple: Déploiement d'une application authentifiée avec la stack SSO
|
||||
|
||||
## Procédure
|
||||
|
||||
### Avec `k3d`
|
||||
|
||||
1. Créer un cluster avec `k3d`
|
||||
|
||||
```
|
||||
k3d cluster create -c ./examples/k8s/k3d/k3d/cluster-config.yaml
|
||||
```
|
||||
|
||||
2. Déployer les opérateurs nécessaires au déploiement
|
||||
|
||||
```
|
||||
kubectl apply -k ./examples/k8s/k3d/cluster
|
||||
```
|
||||
|
||||
3. Déployer l'application
|
||||
|
||||
```
|
||||
kubectl apply -k ./examples/authenticated-app
|
||||
```
|
||||
|
||||
Après stabilisation du déploiement, l'application devrait être accessible à l'adresse http://localhost:8080/
|
39
examples/authenticated-app/kustomization.yaml
Normal file
39
examples/authenticated-app/kustomization.yaml
Normal file
@ -0,0 +1,39 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- ../../resources/hydra
|
||||
- ../../resources/hydra-dispatcher
|
||||
- ./resources/app-deployment.yaml
|
||||
- ./resources/app-service.yaml
|
||||
- ./resources/ingress.yaml
|
||||
- ./resources/ingress-prefix-traefik-middleware.yaml
|
||||
- ./resources/port-forwarder-deployment.yaml
|
||||
- ./resources/port-forwarder-service.yaml
|
||||
|
||||
components:
|
||||
- ../../components/hydra-cnpg-database
|
||||
#- ../../components/hydra-oidc
|
||||
- ../../components/hydra-saml
|
||||
|
||||
patchesJson6902:
|
||||
- target:
|
||||
version: v1
|
||||
kind: ConfigMap
|
||||
name: hydra-env
|
||||
path: patches/hydra-env.yaml
|
||||
- target:
|
||||
version: v1
|
||||
kind: ConfigMap
|
||||
name: hydra-dispatcher-env
|
||||
path: patches/hydra-dispatcher-env.yaml
|
||||
- target:
|
||||
version: v1
|
||||
kind: ConfigMap
|
||||
name: hydra-saml-env
|
||||
path: patches/hydra-saml-env.yaml
|
||||
- target:
|
||||
version: v1
|
||||
kind: Secret
|
||||
name: hydra-secret
|
||||
path: patches/hydra-secret.yaml
|
18
examples/authenticated-app/patches/hydra-dispatcher-env.yaml
Normal file
18
examples/authenticated-app/patches/hydra-dispatcher-env.yaml
Normal file
@ -0,0 +1,18 @@
|
||||
- op: replace
|
||||
path: "/data/HYDRA_BASE_URL"
|
||||
value: http://ssokustom:8080/auth
|
||||
- op: replace
|
||||
path: "/data/HYDRA_ADMIN_BASE_URL"
|
||||
value: http://hydra:4445/admin
|
||||
- op: replace
|
||||
path: "/data/HYDRA_ORIGINAL_ISSUER"
|
||||
value: http://ssokustom:8080/auth
|
||||
- op: replace
|
||||
path: "/data/HYDRA_NEW_ISSUER"
|
||||
value: http://ssokustom:8080/auth/dispatcher/
|
||||
- op: replace
|
||||
path: "/data/BASE_URL"
|
||||
value: http://ssokustom:8080/auth/dispatcher
|
||||
- op: replace
|
||||
path: "/data/COOKIE_PATH"
|
||||
value: /auth/dispatcher
|
15
examples/authenticated-app/patches/hydra-env.yaml
Normal file
15
examples/authenticated-app/patches/hydra-env.yaml
Normal file
@ -0,0 +1,15 @@
|
||||
- op: replace
|
||||
path: "/data/URLS_SELF_ISSUER"
|
||||
value: http://ssokustom:8080/auth
|
||||
- op: replace
|
||||
path: "/data/URLS_LOGIN"
|
||||
value: http://ssokustom:8080/auth/dispatcher/login
|
||||
- op: replace
|
||||
path: "/data/URLS_LOGOUT"
|
||||
value: http://ssokustom:8080/auth/dispatcher/logout
|
||||
- op: replace
|
||||
path: "/data/URLS_CONSENT"
|
||||
value: http://ssokustom:8080/auth/dispatcher/consent
|
||||
- op: replace
|
||||
path: "/data/HYDRA_SERVE_ALL_ARGS"
|
||||
value: "--dev"
|
31
examples/authenticated-app/patches/hydra-saml-env.yaml
Normal file
31
examples/authenticated-app/patches/hydra-saml-env.yaml
Normal file
@ -0,0 +1,31 @@
|
||||
- op: replace
|
||||
path: "/data/HTTP_BASE_URL"
|
||||
value: http://ssokustom:8080/auth/saml
|
||||
- op: replace
|
||||
path: "/data/COOKIE_PATH"
|
||||
value: /auth/saml
|
||||
- op: replace
|
||||
path: "/data/HYDRA_ADMIN_BASE_URL"
|
||||
value: http://hydra-dispatcher
|
||||
- op: replace
|
||||
path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
|
||||
value: http://ssokustom:8080/auth/saml/Shibboleth.sso/Logout?return=%s
|
||||
|
||||
- op: replace
|
||||
path: "/data/SP_ENTITY_ID"
|
||||
value: http://ssokustom:8080/auth/saml
|
||||
- op: replace
|
||||
path: "/data/IDP_ENTITY_ID"
|
||||
value: http://ssokustom:8080/idp
|
||||
- op: replace
|
||||
path: "/data/IDP_METADATA_URL"
|
||||
value: http://ssokustom:8080/idp/metadata
|
||||
- op: replace
|
||||
path: "/data/APACHE_BACKEND_URL"
|
||||
value: http://hydra-remote-user
|
||||
- op: replace
|
||||
path: "/data/APACHE_FORCE_HTTPS"
|
||||
value: "false"
|
||||
- op: replace
|
||||
path: "/data/SP_HANDLER_BASE_PATH"
|
||||
value: /auth/saml
|
3
examples/authenticated-app/patches/hydra-secret.yaml
Normal file
3
examples/authenticated-app/patches/hydra-secret.yaml
Normal file
@ -0,0 +1,3 @@
|
||||
- op: replace
|
||||
path: "/data/SECRETS_SYSTEM"
|
||||
value: QWxzb05vdFZlcnlTZWNyZXQK # AlsoNotVerySecret encoded as base64
|
40
examples/authenticated-app/resources/app-deployment.yaml
Normal file
40
examples/authenticated-app/resources/app-deployment.yaml
Normal file
@ -0,0 +1,40 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: app
|
||||
name: app
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
io.kompose.service: app
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: app
|
||||
spec:
|
||||
containers:
|
||||
- image: bornholm/oidc-test:v0.0.0-1-g936a77e
|
||||
name: app
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
resources: {}
|
||||
env:
|
||||
- name: LOG_LEVEL
|
||||
value: "0"
|
||||
- name: HTTP_ADDRESS
|
||||
value: 0.0.0.0:8080
|
||||
- name: OIDC_CLIENT_ID
|
||||
value: oidc-test
|
||||
- name: OIDC_CLIENT_SECRET
|
||||
value: oidc-test-123456
|
||||
- name: OIDC_ISSUER_URL
|
||||
value: http://ssokustom:8080/auth
|
||||
- name: OIDC_REDIRECT_URL
|
||||
value: http://ssokustom:8080
|
||||
- name: OIDC_POST_LOGOUT_REDIRECT_URL
|
||||
value: http://ssokustom:8080
|
||||
restartPolicy: Always
|
15
examples/authenticated-app/resources/app-service.yaml
Normal file
15
examples/authenticated-app/resources/app-service.yaml
Normal file
@ -0,0 +1,15 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: app
|
||||
name: app
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 8080
|
||||
targetPort: 8080
|
||||
selector:
|
||||
io.kompose.service: app
|
||||
status:
|
||||
loadBalancer: {}
|
@ -0,0 +1,10 @@
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: ingress-prefix
|
||||
spec:
|
||||
stripPrefixRegex:
|
||||
regex:
|
||||
- ^/auth/dispatcher
|
||||
- ^/auth/saml
|
||||
- ^/auth
|
43
examples/authenticated-app/resources/ingress.yaml
Normal file
43
examples/authenticated-app/resources/ingress.yaml
Normal file
@ -0,0 +1,43 @@
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: portal
|
||||
annotations:
|
||||
ingress.kubernetes.io/ssl-redirect: "false"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: default-ingress-prefix@kubernetescrd
|
||||
spec:
|
||||
rules:
|
||||
- http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: app
|
||||
port:
|
||||
name: http
|
||||
|
||||
- path: /auth/dispatcher
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: hydra-dispatcher
|
||||
port:
|
||||
name: http
|
||||
|
||||
- path: /auth
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: hydra
|
||||
port:
|
||||
name: hydra-public
|
||||
|
||||
# - path: /auth/passwordless/?(.*)
|
||||
# pathType: Prefix
|
||||
# backend:
|
||||
# service:
|
||||
# name: hydra
|
||||
# port:
|
||||
# name: http-public
|
||||
|
@ -0,0 +1,29 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: port-forwarder
|
||||
name: port-forwarder
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
io.kompose.service: port-forwarder
|
||||
strategy:
|
||||
type: Recreate
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
io.kompose.service: port-forwarder
|
||||
spec:
|
||||
containers:
|
||||
- image: hpello/tcp-proxy:latest
|
||||
name: port-forwarder
|
||||
env:
|
||||
- name: LISTEN_PORT
|
||||
value: "8080"
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
resources: {}
|
||||
args: ["traefik.kube-system.svc.cluster.local", "80"]
|
||||
restartPolicy: Always
|
@ -0,0 +1,12 @@
|
||||
kind: Service
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: ssokustom
|
||||
labels:
|
||||
io.kompose.service: port-forwarder
|
||||
spec:
|
||||
ports:
|
||||
- port: 8080
|
||||
targetPort: 8080
|
||||
selector:
|
||||
io.kompose.service: port-forwarder
|
11
examples/k8s/k3d/cluster-config.yaml
Normal file
11
examples/k8s/k3d/cluster-config.yaml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
apiVersion: k3d.io/v1alpha4
|
||||
kind: Simple
|
||||
metadata:
|
||||
name: sso-kustom
|
||||
servers: 1
|
||||
agents: 2
|
||||
ports:
|
||||
- port: 8080:80
|
||||
nodeFilters:
|
||||
- loadbalancer
|
4
examples/k8s/k3d/cluster/kustomization.yaml
Normal file
4
examples/k8s/k3d/cluster/kustomization.yaml
Normal file
@ -0,0 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
|
@ -13,7 +13,7 @@ configMapGenerator:
|
||||
- HYDRA_BASE_URL=http://hydra:4444
|
||||
- HYDRA_ADMIN_BASE_URL=http://hydra:4445
|
||||
- HYDRA_REWRITE_ISSUER=yes
|
||||
- HYDRA_ORIGINAL_ISSUER=http://localhost:4444
|
||||
- HYDRA_ORIGINAL_ISSUER=http://hydra:4444
|
||||
- HYDRA_NEW_ISSUER=http://hydra-dispatcher
|
||||
- BASE_URL=http://hydra-dispatcher
|
||||
- COOKIE_PATH=/
|
||||
|
@ -6,7 +6,7 @@ metadata:
|
||||
name: hydra-dispatcher
|
||||
spec:
|
||||
ports:
|
||||
- name: hydra-dispatcher
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
io.kompose.service: hydra-dispatcher
|
||||
|
@ -57,3 +57,4 @@ spec:
|
||||
name: hydra-admin
|
||||
resources: {}
|
||||
restartPolicy: Always
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user