wip: example app

This commit is contained in:
wpetit 2023-02-27 09:36:36 +01:00
parent d2960e3be2
commit 4a745fb9a1
19 changed files with 305 additions and 4 deletions


@ -4,4 +4,8 @@ Kustomization du service "SSO" (Ory Hydra)
## Usage
[Voir la documentation](./doc/README.md)
[Voir la documentation](./doc/README.md)
## Exemple
Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)


@ -9,4 +9,5 @@ hydra:
en: Authentication with SAML
login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%"
consent_url: "%env(string:HYDRA_DISPATCHER_SAML_CONSENT_URL)%"
logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
attributes_rewrite_rules: []


@ -0,0 +1,25 @@
# Exemple: Déploiement d'une application authentifiée avec la stack SSO
## Procédure
### Avec `k3d`
1. Créer un cluster avec `k3d`
```
k3d cluster create -c ./examples/k8s/k3d/k3d/cluster-config.yaml
```
2. Déployer les opérateurs nécessaires au déploiement
```
kubectl apply -k ./examples/k8s/k3d/cluster
```
3. Déployer l'application
```
kubectl apply -k ./examples/authenticated-app
```
Après stabilisation du déploiement, l'application devrait être accessible à l'adresse http://localhost:8080/


@ -0,0 +1,39 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../resources/hydra
- ../../resources/hydra-dispatcher
- ./resources/app-deployment.yaml
- ./resources/app-service.yaml
- ./resources/ingress.yaml
- ./resources/ingress-prefix-traefik-middleware.yaml
- ./resources/port-forwarder-deployment.yaml
- ./resources/port-forwarder-service.yaml
components:
- ../../components/hydra-cnpg-database
#- ../../components/hydra-oidc
- ../../components/hydra-saml
patchesJson6902:
- target:
version: v1
kind: ConfigMap
name: hydra-env
path: patches/hydra-env.yaml
- target:
version: v1
kind: ConfigMap
name: hydra-dispatcher-env
path: patches/hydra-dispatcher-env.yaml
- target:
version: v1
kind: ConfigMap
name: hydra-saml-env
path: patches/hydra-saml-env.yaml
- target:
version: v1
kind: Secret
name: hydra-secret
path: patches/hydra-secret.yaml
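Review bot: The four `patchesJson6902` entries at the end of this kustomization use a field that, as far as I know, kustomize deprecated in favour of `patches` in v5.0 (released around the time of this commit), so a current `kubectl apply -k` will warn and a future one will refuse the file. The same targets work unchanged under `patches`, e.g. `patches:` / `  - target: {version: v1, kind: Secret, name: hydra-secret}` / `    path: patches/hydra-secret.yaml`. I would also add a header comment stating that this overlay is a local k3d example (plain http everywhere, Hydra in `--dev` mode) so nobody uses it as a production base.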


@ -0,0 +1,18 @@
- op: replace
path: "/data/HYDRA_BASE_URL"
value: http://ssokustom:8080/auth
- op: replace
path: "/data/HYDRA_ADMIN_BASE_URL"
value: http://hydra:4445/admin
- op: replace
path: "/data/HYDRA_ORIGINAL_ISSUER"
value: http://ssokustom:8080/auth
- op: replace
path: "/data/HYDRA_NEW_ISSUER"
value: http://ssokustom:8080/auth/dispatcher/
- op: replace
path: "/data/BASE_URL"
value: http://ssokustom:8080/auth/dispatcher
- op: replace
path: "/data/COOKIE_PATH"
value: /auth/dispatcher
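Review bot: `HYDRA_NEW_ISSUER` ends with a trailing slash (`http://ssokustom:8080/auth/dispatcher/`) while `BASE_URL` for the same service does not; OIDC issuer comparison is an exact string match, so whichever form the dispatcher advertises is the only one a client may be configured with. Unless the dispatcher deliberately requires the slash, I would align the two, `value: http://ssokustom:8080/auth/dispatcher`, or add a comment saying why they differ. Every URL here is plain http on an in-cluster name, which is fine for a throw-away k3d cluster but deserves a one-line comment so the patch is not reused as a template.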


@ -0,0 +1,15 @@
- op: replace
path: "/data/URLS_SELF_ISSUER"
value: http://ssokustom:8080/auth
- op: replace
path: "/data/URLS_LOGIN"
value: http://ssokustom:8080/auth/dispatcher/login
- op: replace
path: "/data/URLS_LOGOUT"
value: http://ssokustom:8080/auth/dispatcher/logout
- op: replace
path: "/data/URLS_CONSENT"
value: http://ssokustom:8080/auth/dispatcher/consent
- op: replace
path: "/data/HYDRA_SERVE_ALL_ARGS"
value: "--dev"


@ -0,0 +1,31 @@
- op: replace
path: "/data/HTTP_BASE_URL"
value: http://ssokustom:8080/auth/saml
- op: replace
path: "/data/COOKIE_PATH"
value: /auth/saml
- op: replace
path: "/data/HYDRA_ADMIN_BASE_URL"
value: http://hydra-dispatcher
- op: replace
path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
value: http://ssokustom:8080/auth/saml/Shibboleth.sso/Logout?return=%s
- op: replace
path: "/data/SP_ENTITY_ID"
value: http://ssokustom:8080/auth/saml
- op: replace
path: "/data/IDP_ENTITY_ID"
value: http://ssokustom:8080/idp
- op: replace
path: "/data/IDP_METADATA_URL"
value: http://ssokustom:8080/idp/metadata
- op: replace
path: "/data/APACHE_BACKEND_URL"
value: http://hydra-remote-user
- op: replace
path: "/data/APACHE_FORCE_HTTPS"
value: "false"
- op: replace
path: "/data/SP_HANDLER_BASE_PATH"
value: /auth/saml
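Review bot: `IDP_METADATA_URL` fetches the IdP metadata over plain http from `ssokustom:8080/idp` and `APACHE_FORCE_HTTPS` is `"false"`, so the SP's trust anchor for assertions is obtained unauthenticated; this must stay confined to the local example and should be commented as such. Nothing in the overlay's resource list deploys anything under `/idp`, so unless the `hydra-saml` component brings its own IdP the SAML path cannot complete — worth a comment either way. I would also comment `HYDRA_ADMIN_BASE_URL: http://hydra-dispatcher`, which points the SAML bridge at the dispatcher rather than at `hydra:4445/admin` as the dispatcher patch does; if that indirection is intended, say so, e.g. `# admin calls are routed through the dispatcher on purpose (see patches/hydra-dispatcher-env.yaml)`.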


@ -0,0 +1,3 @@
- op: replace
path: "/data/SECRETS_SYSTEM"
value: QWxzb05vdFZlcnlTZWNyZXQK # AlsoNotVerySecret encoded as base64
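Review bot: The base64 value does not encode `AlsoNotVerySecret` as the comment claims: `QWxzb05vdFZlcnlTZWNyZXQK` decodes to `AlsoNotVerySecret\n`, the trailing newline coming from `echo` without `-n`. Hydra will accept the 18-byte string, but anyone reproducing the value by hand from the comment gets a different system secret, and whatever Hydra keys off `SECRETS_SYSTEM` will no longer match this deployment. Re-encode with `printf '%s' AlsoNotVerySecret | base64`, i.e. `value: QWxzb05vdFZlcnlTZWNyZXQ=`, and extend the comment to say this is a placeholder for the local example only.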


@ -0,0 +1,40 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.kompose.service: app
name: app
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: app
strategy:
type: Recreate
template:
metadata:
labels:
io.kompose.service: app
spec:
containers:
- image: bornholm/oidc-test:v0.0.0-1-g936a77e
name: app
ports:
- containerPort: 8080
resources: {}
env:
- name: LOG_LEVEL
value: "0"
- name: HTTP_ADDRESS
value: 0.0.0.0:8080
- name: OIDC_CLIENT_ID
value: oidc-test
- name: OIDC_CLIENT_SECRET
value: oidc-test-123456
- name: OIDC_ISSUER_URL
value: http://ssokustom:8080/auth
- name: OIDC_REDIRECT_URL
value: http://ssokustom:8080
- name: OIDC_POST_LOGOUT_REDIRECT_URL
value: http://ssokustom:8080
restartPolicy: Always
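Review bot: `OIDC_CLIENT_SECRET` is a plain `value:` in the pod spec, and nothing in this overlay registers the `oidc-test` client with Hydra, so either the client is created elsewhere — in which case a comment should point there — or the example cannot complete a login. Even for an example I would move the secret into a `Secret` referenced with `secretKeyRef`, so the pattern people copy is the right one. Note also that the issuer and redirect URLs use the in-cluster name `ssokustom`, which the user's browser must resolve too: the README's `http://localhost:8080/` will not satisfy a redirect to `http://ssokustom:8080/...` unless that name is mapped in the host's `/etc/hosts`.
```yaml
        env:
          # … unchanged: LOG_LEVEL, HTTP_ADDRESS, OIDC_CLIENT_ID …
          - name: OIDC_CLIENT_SECRET
            valueFrom:
              secretKeyRef:
                name: oidc-test-client  # placeholder client credentials for the local example
                key: client-secret
          # … unchanged: OIDC_ISSUER_URL, OIDC_REDIRECT_URL, OIDC_POST_LOGOUT_REDIRECT_URL …
```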


@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
labels:
io.kompose.service: app
name: app
spec:
ports:
- name: http
port: 8080
targetPort: 8080
selector:
io.kompose.service: app
status:
loadBalancer: {}
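Review bot: The trailing `status:` / `loadBalancer: {}` is a kompose artefact; `status` is populated by the API server and ignored on apply, so the two lines should be dropped from the manifest. Same for `resources: {}` in the deployments in this commit, which means no requests or limits at all — fine for k3d, but say so in a comment if that is intended.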


@ -0,0 +1,10 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: ingress-prefix
spec:
stripPrefixRegex:
regex:
- ^/auth/dispatcher
- ^/auth/saml
- ^/auth
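Review bot: The three `stripPrefixRegex` expressions are order-dependent: as far as I recall Traefik strips the first expression that matches, so `^/auth` has to stay last or `/auth/dispatcher/login` would reach the dispatcher as `/dispatcher/login`. Nothing records that, and the middleware is attached to the whole ingress including the `/` route. Add `# order matters: most specific prefix first, ^/auth must stay last` above the list.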


@ -0,0 +1,43 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: portal
annotations:
ingress.kubernetes.io/ssl-redirect: "false"
traefik.ingress.kubernetes.io/router.middlewares: default-ingress-prefix@kubernetescrd
spec:
rules:
- http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: app
port:
name: http
- path: /auth/dispatcher
pathType: Prefix
backend:
service:
name: hydra-dispatcher
port:
name: http
- path: /auth
pathType: Prefix
backend:
service:
name: hydra
port:
name: hydra-public
# - path: /auth/passwordless/?(.*)
# pathType: Prefix
# backend:
# service:
# name: hydra
# port:
# name: http-public
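Review bot: This ingress has no `host` and no `tls` section and explicitly sets `ingress.kubernetes.io/ssl-redirect: "false"`, so the entire SSO flow is served in cleartext to whatever reaches the load balancer; that matches the k3d-only intent, but the manifest does not say so. Add above the annotations: `# local k3d example: plain http on purpose, no TLS and no ssl-redirect — do not reuse outside the example`. The commented-out `/auth/passwordless` block also names a port `http-public` while the live `/auth` rule uses `hydra-public`; dead config that disagrees with the live one should be deleted rather than kept.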


@ -0,0 +1,29 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.kompose.service: port-forwarder
name: port-forwarder
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: port-forwarder
strategy:
type: Recreate
template:
metadata:
labels:
io.kompose.service: port-forwarder
spec:
containers:
- image: hpello/tcp-proxy:latest
name: port-forwarder
env:
- name: LISTEN_PORT
value: "8080"
ports:
- containerPort: 8080
resources: {}
args: ["traefik.kube-system.svc.cluster.local", "80"]
restartPolicy: Always
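Review bot: `hpello/tcp-proxy:latest` is an unpinned third-party image sitting in the path of every SSO request (it forwards `ssokustom:8080` to `traefik.kube-system.svc.cluster.local:80`), so the example changes under users' feet and cannot be audited; pin it to a tag or, preferably, a digest, `image: hpello/tcp-proxy@sha256:<digest>`. A comment explaining the hairpin would also help the next reader, e.g. `# presumably makes http://ssokustom:8080 resolvable from inside the cluster by forwarding to the Traefik LB, so pods and the host can share the same issuer URLs`. `resources: {}` leaves the proxy unbounded, which is fine for k3d but worth stating.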


@ -0,0 +1,12 @@
kind: Service
apiVersion: v1
metadata:
name: ssokustom
labels:
io.kompose.service: port-forwarder
spec:
ports:
- port: 8080
targetPort: 8080
selector:
io.kompose.service: port-forwarder
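Review bot: The Service is named `ssokustom` while its labels and selector say `port-forwarder`, and the name is exactly the host used by every issuer, redirect and metadata URL in the overlay; that link is invisible from this file. A comment under `metadata:` such as `# name is load-bearing: it is the host in all ssokustom:8080 URLs of this example` would make the coupling explicit.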


@ -0,0 +1,11 @@
---
apiVersion: k3d.io/v1alpha4
kind: Simple
metadata:
name: sso-kustom
servers: 1
agents: 2
ports:
- port: 8080:80
nodeFilters:
- loadbalancer
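Review bot: `port: 8080:80` is left as a plain scalar; it only stays a string because `80` is outside the sexagesimal digit range, whereas a mapping such as `8080:8` or `22:22` would silently become an integer under a YAML 1.1 parser. Quote it, `- port: "8080:80"`, so the pattern is safe to copy.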


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
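Review bot: The remote base is pulled with `?ref=develop`, a moving branch, so the operator installed into the example cluster is whatever that branch holds on the day someone runs it, with no way to reproduce or review what was applied. Pin it to a tag or commit SHA, `- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=<sha-or-tag>`, and bump deliberately.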


@ -13,7 +13,7 @@ configMapGenerator:
- HYDRA_BASE_URL=http://hydra:4444
- HYDRA_ADMIN_BASE_URL=http://hydra:4445
- HYDRA_REWRITE_ISSUER=yes
- HYDRA_ORIGINAL_ISSUER=http://localhost:4444
- HYDRA_ORIGINAL_ISSUER=http://hydra:4444
- HYDRA_NEW_ISSUER=http://hydra-dispatcher
- BASE_URL=http://hydra-dispatcher
- COOKIE_PATH=/


@ -6,7 +6,7 @@ metadata:
name: hydra-dispatcher
spec:
ports:
- name: hydra-dispatcher
- name: http
port: 80
selector:
io.kompose.service: hydra-dispatcher


@ -57,3 +57,4 @@ spec:
name: hydra-admin
resources: {}
restartPolicy: Always