diff --git a/README.md b/README.md index 256224d..f2c4832 100644 --- a/README.md +++ b/README.md @@ -4,4 +4,8 @@ Kustomization du service "SSO" (Ory Hydra) ## Usage -[Voir la documentation](./doc/README.md) \ No newline at end of file +[Voir la documentation](./doc/README.md) + +## Exemple + +Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app) \ No newline at end of file diff --git a/components/hydra-saml/files/hydra/saml.yaml b/components/hydra-saml/files/hydra/saml.yaml index c9a7f32..198d33f 100644 --- a/components/hydra-saml/files/hydra/saml.yaml +++ b/components/hydra-saml/files/hydra/saml.yaml @@ -9,4 +9,5 @@ hydra: en: Authentication with SAML login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%" consent_url: "%env(string:HYDRA_DISPATCHER_SAML_CONSENT_URL)%" - logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%" \ No newline at end of file + logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%" + attributes_rewrite_rules: [] \ No newline at end of file diff --git a/examples/authenticated-app/README.md b/examples/authenticated-app/README.md new file mode 100644 index 0000000..126a15e --- /dev/null +++ b/examples/authenticated-app/README.md @@ -0,0 +1,25 @@ +# Exemple: Déploiement d'une application authentifiée avec la stack SSO + +## Procédure + +### Avec `k3d` + +1. Créer un cluster avec `k3d` + + ``` + k3d cluster create -c ./examples/k8s/k3d/k3d/cluster-config.yaml + ``` + +2. Déployer les opérateurs nécessaires au déploiement + + ``` + kubectl apply -k ./examples/k8s/k3d/cluster + ``` + +3. Déployer l'application + + ``` + kubectl apply -k ./examples/authenticated-app + ``` + +Après stabilisation du déploiement, l'application devrait être accessible à l'adresse http://localhost:8080/ \ No newline at end of file 
diff --git a/examples/authenticated-app/kustomization.yaml b/examples/authenticated-app/kustomization.yaml
new file mode 100644
index 0000000..926224c
--- /dev/null
+++ b/examples/authenticated-app/kustomization.yaml
@@ -0,0 +1,39 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ../../resources/hydra
+ - ../../resources/hydra-dispatcher
+ - ./resources/app-deployment.yaml
+ - ./resources/app-service.yaml
+ - ./resources/ingress.yaml
+ - ./resources/ingress-prefix-traefik-middleware.yaml
+ - ./resources/port-forwarder-deployment.yaml
+ - ./resources/port-forwarder-service.yaml
+
+components:
+ - ../../components/hydra-cnpg-database
+ #- ../../components/hydra-oidc
+ - ../../components/hydra-saml
+
+patchesJson6902:
+ - target:
+ version: v1
+ kind: ConfigMap
+ name: hydra-env
+ path: patches/hydra-env.yaml
+ - target:
+ version: v1
+ kind: ConfigMap
+ name: hydra-dispatcher-env
+ path: patches/hydra-dispatcher-env.yaml
+ - target:
+ version: v1
+ kind: ConfigMap
+ name: hydra-saml-env
+ path: patches/hydra-saml-env.yaml
+ - target:
+ version: v1
+ kind: Secret
+ name: hydra-secret
+ path: patches/hydra-secret.yaml
\ No newline at end of file
diff --git a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml
new file mode 100644
index 0000000..be7c1dc
--- /dev/null
+++ b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml
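Review bot: `patchesJson6902` at the bottom of this file is the deprecated spelling; kustomize 5 warns on it, and the replacement is the `patches` field whose entries keep the same `target:`/`path:` shape, so the change is `patches:` in place of `patchesJson6902:`. The commented-out `#- ../../components/hydra-oidc` line under `components` carries no explanation; a comment saying whether it is an alternative to `hydra-saml` or a leftover would tell a reader why it is kept. The sequences here are indented under their keys while `examples/k8s/k3d/cluster/kustomization.yaml` in the same commit uses flush `- ` items; the example should pick one style.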
@@ -0,0 +1,18 @@
+- op: replace
+ path: "/data/HYDRA_BASE_URL"
+ value: http://ssokustom:8080/auth
+- op: replace
+ path: "/data/HYDRA_ADMIN_BASE_URL"
+ value: http://hydra:4445/admin
+- op: replace
+ path: "/data/HYDRA_ORIGINAL_ISSUER"
+ value: http://ssokustom:8080/auth
+- op: replace
+ path: "/data/HYDRA_NEW_ISSUER"
+ value: http://ssokustom:8080/auth/dispatcher/
+- op: replace
+ path: "/data/BASE_URL"
+ value: http://ssokustom:8080/auth/dispatcher
+- op: replace
+ path: "/data/COOKIE_PATH"
+ value: /auth/dispatcher
\ No newline at end of file
diff --git a/examples/authenticated-app/patches/hydra-env.yaml b/examples/authenticated-app/patches/hydra-env.yaml
new file mode 100644
index 0000000..8b9286f
--- /dev/null
+++ b/examples/authenticated-app/patches/hydra-env.yaml
@@ -0,0 +1,15 @@
+- op: replace
+ path: "/data/URLS_SELF_ISSUER"
+ value: http://ssokustom:8080/auth
+- op: replace
+ path: "/data/URLS_LOGIN"
+ value: http://ssokustom:8080/auth/dispatcher/login
+- op: replace
+ path: "/data/URLS_LOGOUT"
+ value: http://ssokustom:8080/auth/dispatcher/logout
+- op: replace
+ path: "/data/URLS_CONSENT"
+ value: http://ssokustom:8080/auth/dispatcher/consent
+- op: replace
+ path: "/data/HYDRA_SERVE_ALL_ARGS"
+ value: "--dev"
\ No newline at end of file
diff --git a/examples/authenticated-app/patches/hydra-saml-env.yaml b/examples/authenticated-app/patches/hydra-saml-env.yaml
new file mode 100644
index 0000000..f340556
--- /dev/null
+++ b/examples/authenticated-app/patches/hydra-saml-env.yaml
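Review bot: Every value in this patch hard-codes `http://ssokustom:8080`, and nothing in the file says that `ssokustom` is the name of the port-forwarder Service added in `examples/authenticated-app/resources/port-forwarder-service.yaml`; the same host recurs in `hydra-env.yaml`, `hydra-saml-env.yaml` and `app-deployment.yaml`. A header comment such as `# ssokustom is the port-forwarder Service name (resources/port-forwarder-service.yaml); keep them in sync` would make the coupling explicit. `HYDRA_NEW_ISSUER` is also the only URL here with a trailing slash (`.../auth/dispatcher/`) while `BASE_URL` right below has none; if that is deliberate it deserves a comment, since issuer strings are normally compared verbatim.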
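Review bot: `HYDRA_SERVE_ALL_ARGS` is set to `--dev` in the last entry without saying what that relaxes; Hydra's `--dev` switch turns off its HTTPS requirement, which is what lets the plain `http://` issuer, login, logout and consent URLs above be accepted. A comment on that entry, `# --dev: disables Hydra's TLS enforcement so the http:// URLs above are accepted; example-only setting`, records the dependency. The `URLS_SELF_ISSUER` value `http://ssokustom:8080/auth` must also match the `OIDC_ISSUER_URL` given to the test app in `resources/app-deployment.yaml`; a cross-reference comment would keep the two from drifting.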
@@ -0,0 +1,31 @@
+- op: replace
+ path: "/data/HTTP_BASE_URL"
+ value: http://ssokustom:8080/auth/saml
+- op: replace
+ path: "/data/COOKIE_PATH"
+ value: /auth/saml
+- op: replace
+ path: "/data/HYDRA_ADMIN_BASE_URL"
+ value: http://hydra-dispatcher
+- op: replace
+ path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
+ value: http://ssokustom:8080/auth/saml/Shibboleth.sso/Logout?return=%s
+
+- op: replace
+ path: "/data/SP_ENTITY_ID"
+ value: http://ssokustom:8080/auth/saml
+- op: replace
+ path: "/data/IDP_ENTITY_ID"
+ value: http://ssokustom:8080/idp
+- op: replace
+ path: "/data/IDP_METADATA_URL"
+ value: http://ssokustom:8080/idp/metadata
+- op: replace
+ path: "/data/APACHE_BACKEND_URL"
+ value: http://hydra-remote-user
+- op: replace
+ path: "/data/APACHE_FORCE_HTTPS"
+ value: "false"
+- op: replace
+ path: "/data/SP_HANDLER_BASE_PATH"
+ value: /auth/saml
\ No newline at end of file
diff --git a/examples/authenticated-app/patches/hydra-secret.yaml b/examples/authenticated-app/patches/hydra-secret.yaml
new file mode 100644
index 0000000..22291b3
--- /dev/null
+++ b/examples/authenticated-app/patches/hydra-secret.yaml
@@ -0,0 +1,3 @@
+- op: replace
+ path: "/data/SECRETS_SYSTEM"
+ value: QWxzb05vdFZlcnlTZWNyZXQK # AlsoNotVerySecret encoded as base64
\ No newline at end of file
diff --git a/examples/authenticated-app/resources/app-deployment.yaml b/examples/authenticated-app/resources/app-deployment.yaml
new file mode 100644
index 0000000..fc31c7c
--- /dev/null
+++ b/examples/authenticated-app/resources/app-deployment.yaml
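Review bot: `IDP_ENTITY_ID` and `IDP_METADATA_URL` point at `http://ssokustom:8080/idp`, but no resource in this commit serves `/idp`, and the Ingress in `resources/ingress.yaml` only routes `/`, `/auth/dispatcher` and `/auth`, so `/idp/metadata` falls through the `/` prefix rule to the test app unless an IdP is deployed separately. Either add the IdP to the example or say in a comment where it is expected to come from, e.g. `# IDP_* assume a SAML IdP reachable at /idp; it is not part of this kustomization`. `HYDRA_ADMIN_BASE_URL` here is `http://hydra-dispatcher` while the dispatcher's own patch sets it to `http://hydra:4445/admin`; if the SAML component is meant to go through the dispatcher rather than straight to Hydra's admin API, a one-line comment saying so would stop a reader "fixing" it.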
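Review bot: The base64 value `QWxzb05vdFZlcnlTZWNyZXQK` decodes to `AlsoNotVerySecret` followed by a newline (the trailing `K` encodes the `\n` that `echo` appends), so the comment is inaccurate and Hydra's `SECRETS_SYSTEM` receives an 18-byte value ending in a line break. Encoding without the newline gives `QWxzb05vdFZlcnlTZWNyZXQ=`, and the comment should record how it was produced, e.g. `# printf '%s' AlsoNotVerySecret | base64`. Because this patch writes the generated Secret's `data` directly, the placeholder sits in the repository in reversible base64; that is fine for an example, but the comment should state it is a throwaway value to be regenerated per cluster.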
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ io.kompose.service: app
+ name: app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ io.kompose.service: app
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ io.kompose.service: app
+ spec:
+ containers:
+ - image: bornholm/oidc-test:v0.0.0-1-g936a77e
+ name: app
+ ports:
+ - containerPort: 8080
+ resources: {}
+ env:
+ - name: LOG_LEVEL
+ value: "0"
+ - name: HTTP_ADDRESS
+ value: 0.0.0.0:8080
+ - name: OIDC_CLIENT_ID
+ value: oidc-test
+ - name: OIDC_CLIENT_SECRET
+ value: oidc-test-123456
+ - name: OIDC_ISSUER_URL
+ value: http://ssokustom:8080/auth
+ - name: OIDC_REDIRECT_URL
+ value: http://ssokustom:8080
+ - name: OIDC_POST_LOGOUT_REDIRECT_URL
+ value: http://ssokustom:8080
+ restartPolicy: Always
diff --git a/examples/authenticated-app/resources/app-service.yaml b/examples/authenticated-app/resources/app-service.yaml
new file mode 100644
index 0000000..19e7784
--- /dev/null
+++ b/examples/authenticated-app/resources/app-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ io.kompose.service: app
+ name: app
+spec:
+ ports:
+ - name: http
+ port: 8080
+ targetPort: 8080
+ selector:
+ io.kompose.service: app
+status:
+ loadBalancer: {}
diff --git a/examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml b/examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml
new file mode 100644
index 0000000..07f8e81
--- /dev/null
+++ b/examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml
@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: ingress-prefix
+spec:
+ stripPrefixRegex:
+ regex:
+ - ^/auth/dispatcher
+ - ^/auth/saml
+ - ^/auth
\ No newline at end of file
diff --git a/examples/authenticated-app/resources/ingress.yaml b/examples/authenticated-app/resources/ingress.yaml
new file mode 100644
index 0000000..28ecffa
--- /dev/null
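Review bot: `OIDC_CLIENT_SECRET` is given as a literal `value: oidc-test-123456` in the container env next to `OIDC_CLIENT_ID: oidc-test`, and nothing in this kustomization registers that client with Hydra, so the login only works if the client is created out of band; a comment naming where that registration happens, or a resource doing it, is missing. Even in an example the secret belongs in a Secret read through `valueFrom:` / `secretKeyRef:` (`name: <app-oidc-secret>` as a placeholder, `key: OIDC_CLIENT_SECRET`) rather than a plain `value:`, so that the pattern readers copy is the right one. The `resources: {}` stanza is kompose output; either set requests and limits or drop the key.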
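Review bot: The `status:` / `loadBalancer: {}` stanza at the end of the Service is kompose residue; `status` is server-owned and ignored on apply, so both lines can be dropped. The `io.kompose.service` label used as the selector works but is the same generator residue; a conventional `app:` label, used consistently across the example's Deployments and Services, would read better.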
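Review bot: The third pattern `^/auth` has no segment boundary, and `resources/ingress.yaml` attaches this middleware to the whole Ingress, which as far as the annotation applies to every path includes the `/` route to the app, so an app path such as `/authors` would lose its first five characters before reaching the service. Anchoring each pattern to the segment, for instance `- ^/auth(/|$)` and likewise for the two longer prefixes, confines the rewrite to the intended routes; confirm that Traefik keeps a leading `/` on the remainder. `traefik.containo.us/v1alpha1` is the pre-v3 CRD group; if the k3d-bundled Traefik is v3, the Middleware must use `traefik.io/v1alpha1` instead.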
+++ b/examples/authenticated-app/resources/ingress.yaml
@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: portal
+ annotations:
+ ingress.kubernetes.io/ssl-redirect: "false"
+ traefik.ingress.kubernetes.io/router.middlewares: default-ingress-prefix@kubernetescrd
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: app
+ port:
+ name: http
+
+ - path: /auth/dispatcher
+ pathType: Prefix
+ backend:
+ service:
+ name: hydra-dispatcher
+ port:
+ name: http
+
+ - path: /auth
+ pathType: Prefix
+ backend:
+ service:
+ name: hydra
+ port:
+ name: hydra-public
+
+ # - path: /auth/passwordless/?(.*)
+ # pathType: Prefix
+ # backend:
+ # service:
+ # name: hydra
+ # port:
+ # name: http-public
+
\ No newline at end of file
diff --git a/examples/authenticated-app/resources/port-forwarder-deployment.yaml b/examples/authenticated-app/resources/port-forwarder-deployment.yaml
new file mode 100644
index 0000000..9ff0268
--- /dev/null
+++ b/examples/authenticated-app/resources/port-forwarder-deployment.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ io.kompose.service: port-forwarder
+ name: port-forwarder
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ io.kompose.service: port-forwarder
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ io.kompose.service: port-forwarder
+ spec:
+ containers:
+ - image: hpello/tcp-proxy:latest
+ name: port-forwarder
+ env:
+ - name: LISTEN_PORT
+ value: "8080"
+ ports:
+ - containerPort: 8080
+ resources: {}
+ args: ["traefik.kube-system.svc.cluster.local", "80"]
+ restartPolicy: Always
diff --git a/examples/authenticated-app/resources/port-forwarder-service.yaml b/examples/authenticated-app/resources/port-forwarder-service.yaml
new file mode 100644
index 0000000..a360fdf
--- /dev/null
+++ b/examples/authenticated-app/resources/port-forwarder-service.yaml
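Review bot: There is no path rule for `/auth/saml`, yet the middleware in `ingress-prefix-traefik-middleware.yaml` strips `^/auth/saml` and the SAML component is configured in `patches/hydra-saml-env.yaml` with `HTTP_BASE_URL` and `SP_HANDLER_BASE_PATH` under `/auth/saml`; with `pathType: Prefix` those requests match the `/auth` rule and reach `hydra` on `hydra-public` with the prefix removed, where nothing in this commit serves them. A dedicated `/auth/saml` path pointing at the SAML component's Service is needed; that Service's name and port name are not visible in this diff, so they are placeholders below. The middleware reference `default-ingress-prefix@kubernetescrd` also hard-codes the `default` namespace, so applying the example with another namespace silently loses the prefix stripping, and the commented-out `/auth/passwordless` block plus the whitespace-only final line should go or be explained.
```yaml
      - path: /auth/saml
        pathType: Prefix
        backend:
          service:
            name: <hydra-saml-service>  # placeholder: the Service exposed by components/hydra-saml
            port:
              name: <port-name>  # placeholder: confirm the port name on that Service
      # … unchanged: /auth/dispatcher and /auth rules …
```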
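Review bot: `image: hpello/tcp-proxy:latest` is a floating tag, so the example pulls whatever the registry serves on the day it is run and two runs can get different binaries; pin a tag or digest, `image: hpello/tcp-proxy:<pinned-tag-or-digest>` (placeholder), as `app-deployment.yaml` already does for the app image. The `args` line shows this container forwards its port 8080 to `traefik.kube-system.svc.cluster.local:80`; a comment above the Deployment saying its only purpose is to give the in-cluster host `ssokustom:8080` a backend (the Service of that name is in `port-forwarder-service.yaml`) would explain why a proxy to Traefik exists at all.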
@@ -0,0 +1,12 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: ssokustom
+ labels:
+ io.kompose.service: port-forwarder
+spec:
+ ports:
+ - port: 8080
+ targetPort: 8080
+ selector:
+ io.kompose.service: port-forwarder
\ No newline at end of file
diff --git a/examples/k8s/k3d/cluster-config.yaml b/examples/k8s/k3d/cluster-config.yaml
new file mode 100644
index 0000000..04831c8
--- /dev/null
+++ b/examples/k8s/k3d/cluster-config.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: k3d.io/v1alpha4
+kind: Simple
+metadata:
+ name: sso-kustom
+servers: 1
+agents: 2
+ports:
+ - port: 8080:80
+ nodeFilters:
+ - loadbalancer
diff --git a/examples/k8s/k3d/cluster/kustomization.yaml b/examples/k8s/k3d/cluster/kustomization.yaml
new file mode 100644
index 0000000..6e2bd83
--- /dev/null
+++ b/examples/k8s/k3d/cluster/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
\ No newline at end of file
diff --git a/resources/hydra-dispatcher/kustomization.yaml b/resources/hydra-dispatcher/kustomization.yaml
index 7425830..69bab09 100644
--- a/resources/hydra-dispatcher/kustomization.yaml
+++ b/resources/hydra-dispatcher/kustomization.yaml
@@ -13,7 +13,7 @@ configMapGenerator:
 - HYDRA_BASE_URL=http://hydra:4444
 - HYDRA_ADMIN_BASE_URL=http://hydra:4445
 - HYDRA_REWRITE_ISSUER=yes
- - HYDRA_ORIGINAL_ISSUER=http://localhost:4444
+ - HYDRA_ORIGINAL_ISSUER=http://hydra:4444
 - HYDRA_NEW_ISSUER=http://hydra-dispatcher
 - BASE_URL=http://hydra-dispatcher
 - COOKIE_PATH=/
diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
index 55cc11e..dcbdd9f 100644
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
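Review bot: The Service is named `ssokustom` while its labels and selector say `port-forwarder`, and that name is load-bearing: every `http://ssokustom:8080/...` URL in the `patches/` directory and in `app-deployment.yaml` resolves through it. A comment above `name: ssokustom`, `# this name is the host used in all example URLs (ssokustom:8080); rename them together`, makes the dependency visible. The file also orders `kind` before `apiVersion` and ends without a newline, unlike the other manifests in the commit.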
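Review bot: The README added in this commit tells the user to run `k3d cluster create -c ./examples/k8s/k3d/k3d/cluster-config.yaml`, but this file lives at `examples/k8s/k3d/cluster-config.yaml`; the doubled `k3d` segment means step 1 of the procedure fails as written, so one of the two paths has to change. The `port: 8080:80` value only escapes YAML 1.1's sexagesimal-integer rule because `80` lies outside `00`–`59`; quoting it as `port: "8080:80"` keeps it a string whatever host or container port the example later uses.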
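Review bot: The only resource is fetched from a remote repository at `?ref=develop`, a moving branch, so the operator installed by `kubectl apply -k` changes over time and a run cannot be reproduced; pin it to a tag or commit, `?ref=<tag-or-commit>` (placeholder), and note in a comment which revision the example was tested against. The sequence item is flush with `resources:` while `examples/authenticated-app/kustomization.yaml` in the same commit indents its items; the example should use one style.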
@@ -6,7 +6,7 @@ metadata:
 name: hydra-dispatcher
 spec:
 ports:
- - name: hydra-dispatcher
+ - name: http
 port: 80
 selector:
 io.kompose.service: hydra-dispatcher
diff --git a/resources/hydra/resources/hydra-deployment.yaml b/resources/hydra/resources/hydra-deployment.yaml
index ca16f23..bf15af4 100644
--- a/resources/hydra/resources/hydra-deployment.yaml
+++ b/resources/hydra/resources/hydra-deployment.yaml
@@ -57,3 +57,4 @@ spec:
 name: hydra-admin
 resources: {}
 restartPolicy: Always
+