wip: example app

README.md

@@ -4,4 +4,8 @@ Kustomization du service "SSO" (Ory Hydra)
 
 ## Usage
 
-[Voir la documentation](./doc/README.md)
+[Voir la documentation](./doc/README.md)
+
+## Exemple
+
+Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)

components/hydra-saml/files/hydra/saml.yaml

@@ -9,4 +9,5 @@ hydra:
         en: Authentication with SAML
       login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%"
       consent_url: "%env(string:HYDRA_DISPATCHER_SAML_CONSENT_URL)%"
-      logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
+      logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
+      attributes_rewrite_rules: []

examples/authenticated-app/README.md

@@ -0,0 +1,25 @@
+# Exemple: Déploiement d'une application authentifiée avec la stack SSO
+
+## Procédure
+
+### Avec `k3d`
+
+1. Créer un cluster avec `k3d`
+
+    ```
+    k3d cluster create -c ./examples/k8s/k3d/k3d/cluster-config.yaml
+    ```
+
+2. Déployer les opérateurs nécessaires au déploiement
+
+    ```
+    kubectl apply -k ./examples/k8s/k3d/cluster
+    ```
+
+3. Déployer l'application
+
+    ```
+    kubectl apply -k ./examples/authenticated-app
+    ```
+
+Après stabilisation du déploiement, l'application devrait être accessible à l'adresse http://localhost:8080/

examples/authenticated-app/kustomization.yaml

@@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ../../resources/hydra
+  - ../../resources/hydra-dispatcher
+  - ./resources/app-deployment.yaml
+  - ./resources/app-service.yaml
+  - ./resources/ingress.yaml
+  - ./resources/ingress-prefix-traefik-middleware.yaml
+  - ./resources/port-forwarder-deployment.yaml
+  - ./resources/port-forwarder-service.yaml
+
+components:
+  - ../../components/hydra-cnpg-database
+  #- ../../components/hydra-oidc
+  - ../../components/hydra-saml
+
+patchesJson6902:
+  - target:
+      version: v1
+      kind: ConfigMap
+      name: hydra-env
+    path: patches/hydra-env.yaml
+  - target:
+      version: v1
+      kind: ConfigMap
+      name: hydra-dispatcher-env
+    path: patches/hydra-dispatcher-env.yaml
+  - target:
+      version: v1
+      kind: ConfigMap
+      name: hydra-saml-env
+    path: patches/hydra-saml-env.yaml
+  - target:
+      version: v1
+      kind: Secret
+      name: hydra-secret
+    path: patches/hydra-secret.yaml

examples/authenticated-app/patches/hydra-dispatcher-env.yaml

@@ -0,0 +1,18 @@
+- op: replace
+  path: "/data/HYDRA_BASE_URL"
+  value: http://ssokustom:8080/auth
+- op: replace
+  path: "/data/HYDRA_ADMIN_BASE_URL"
+  value: http://hydra:4445/admin
+- op: replace
+  path: "/data/HYDRA_ORIGINAL_ISSUER"
+  value: http://ssokustom:8080/auth
+- op: replace
+  path: "/data/HYDRA_NEW_ISSUER"
+  value: http://ssokustom:8080/auth/dispatcher/
+- op: replace
+  path: "/data/BASE_URL"
+  value: http://ssokustom:8080/auth/dispatcher
+- op: replace
+  path: "/data/COOKIE_PATH"
+  value: /auth/dispatcher

examples/authenticated-app/patches/hydra-env.yaml

@@ -0,0 +1,15 @@
+- op: replace
+  path: "/data/URLS_SELF_ISSUER"
+  value: http://ssokustom:8080/auth
+- op: replace
+  path: "/data/URLS_LOGIN"
+  value: http://ssokustom:8080/auth/dispatcher/login
+- op: replace
+  path: "/data/URLS_LOGOUT"
+  value: http://ssokustom:8080/auth/dispatcher/logout
+- op: replace
+  path: "/data/URLS_CONSENT"
+  value: http://ssokustom:8080/auth/dispatcher/consent
+- op: replace
+  path: "/data/HYDRA_SERVE_ALL_ARGS"
+  value: "--dev"

examples/authenticated-app/patches/hydra-saml-env.yaml

@@ -0,0 +1,31 @@
+- op: replace
+  path: "/data/HTTP_BASE_URL"
+  value: http://ssokustom:8080/auth/saml
+- op: replace
+  path: "/data/COOKIE_PATH"
+  value: /auth/saml
+- op: replace
+  path: "/data/HYDRA_ADMIN_BASE_URL"
+  value: http://hydra-dispatcher
+- op: replace
+  path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
+  value: http://ssokustom:8080/auth/saml/Shibboleth.sso/Logout?return=%s
+
+- op: replace
+  path: "/data/SP_ENTITY_ID"
+  value: http://ssokustom:8080/auth/saml
+- op: replace
+  path: "/data/IDP_ENTITY_ID"
+  value: http://ssokustom:8080/idp
+- op: replace
+  path: "/data/IDP_METADATA_URL"
+  value: http://ssokustom:8080/idp/metadata
+- op: replace
+  path: "/data/APACHE_BACKEND_URL"
+  value: http://hydra-remote-user
+- op: replace
+  path: "/data/APACHE_FORCE_HTTPS"
+  value: "false"
+- op: replace
+  path: "/data/SP_HANDLER_BASE_PATH"
+  value: /auth/saml

examples/authenticated-app/patches/hydra-secret.yaml

@@ -0,0 +1,3 @@
+- op: replace
+  path: "/data/SECRETS_SYSTEM"
+  value: QWxzb05vdFZlcnlTZWNyZXQK # AlsoNotVerySecret encoded as base64

examples/authenticated-app/resources/app-deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    io.kompose.service: app
+  name: app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: app
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        io.kompose.service: app
+    spec:
+      containers:
+        - image: bornholm/oidc-test:v0.0.0-1-g936a77e
+          name: app
+          ports:
+            - containerPort: 8080
+          resources: {}
+          env:
+            - name: LOG_LEVEL
+              value: "0"
+            - name: HTTP_ADDRESS
+              value: 0.0.0.0:8080
+            - name: OIDC_CLIENT_ID
+              value: oidc-test
+            - name: OIDC_CLIENT_SECRET
+              value: oidc-test-123456
+            - name: OIDC_ISSUER_URL
+              value: http://ssokustom:8080/auth
+            - name: OIDC_REDIRECT_URL
+              value: http://ssokustom:8080
+            - name: OIDC_POST_LOGOUT_REDIRECT_URL
+              value: http://ssokustom:8080
+      restartPolicy: Always

examples/authenticated-app/resources/app-service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    io.kompose.service: app
+  name: app
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    io.kompose.service: app
+status:
+  loadBalancer: {}

examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml

@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: ingress-prefix
+spec:
+  stripPrefixRegex:
+    regex:
+      - ^/auth/dispatcher
+      - ^/auth/saml
+      - ^/auth

examples/authenticated-app/resources/ingress.yaml

@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: portal
+  annotations:
+    ingress.kubernetes.io/ssl-redirect: "false"
+    traefik.ingress.kubernetes.io/router.middlewares: default-ingress-prefix@kubernetescrd
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: app
+            port:
+              name: http
+      
+      - path: /auth/dispatcher
+        pathType: Prefix
+        backend:
+          service:
+            name: hydra-dispatcher
+            port:
+              name: http
+      
+      - path: /auth
+        pathType: Prefix
+        backend:
+          service:
+            name: hydra
+            port:
+              name: hydra-public
+          
+      # - path: /auth/passwordless/?(.*)
+      #   pathType: Prefix
+      #   backend:
+      #     service:
+      #       name: hydra
+      #       port:
+      #         name: http-public
+          

examples/authenticated-app/resources/port-forwarder-deployment.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    io.kompose.service: port-forwarder
+  name: port-forwarder
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: port-forwarder
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        io.kompose.service: port-forwarder
+    spec:
+      containers:
+        - image: hpello/tcp-proxy:latest
+          name: port-forwarder
+          env:
+            - name: LISTEN_PORT
+              value: "8080"
+          ports:
+            - containerPort: 8080
+          resources: {}
+          args: ["traefik.kube-system.svc.cluster.local", "80"]
+      restartPolicy: Always

examples/authenticated-app/resources/port-forwarder-service.yaml

@@ -0,0 +1,12 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: ssokustom
+  labels:
+    io.kompose.service: port-forwarder
+spec:
+  ports:
+  - port: 8080
+    targetPort: 8080
+  selector:
+    io.kompose.service: port-forwarder

examples/k8s/k3d/cluster-config.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: k3d.io/v1alpha4
+kind: Simple
+metadata:
+  name: sso-kustom
+servers: 1
+agents: 2
+ports:
+  - port: 8080:80
+    nodeFilters:
+      - loadbalancer

examples/k8s/k3d/cluster/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop

resources/hydra-dispatcher/kustomization.yaml

@@ -13,7 +13,7 @@ configMapGenerator:
       - HYDRA_BASE_URL=http://hydra:4444
       - HYDRA_ADMIN_BASE_URL=http://hydra:4445
       - HYDRA_REWRITE_ISSUER=yes
-      - HYDRA_ORIGINAL_ISSUER=http://localhost:4444
+      - HYDRA_ORIGINAL_ISSUER=http://hydra:4444
       - HYDRA_NEW_ISSUER=http://hydra-dispatcher
       - BASE_URL=http://hydra-dispatcher
       - COOKIE_PATH=/

resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml

@@ -6,7 +6,7 @@ metadata:
   name: hydra-dispatcher
 spec:
   ports:
-    - name: hydra-dispatcher
+    - name: http
       port: 80
   selector:
     io.kompose.service: hydra-dispatcher

resources/hydra/resources/hydra-deployment.yaml

@@ -57,3 +57,4 @@ spec:
               name: hydra-admin
           resources: {}
       restartPolicy: Always
+