From 5f9dd9218e0b23da2675ff83383a85d591dd3dcb Mon Sep 17 00:00:00 2001 From: William Petit Date: Thu, 13 Feb 2025 17:02:48 +0100 Subject: [PATCH] fix: use hydra-ldap to fix example --- README.md | 6 +- .../hydra-ldap/resources/deployment.yaml | 60 +++--- .../resources/hydra-saml-remote-user.yaml | 2 + components/oidc-test/kustomization.yaml | 3 +- .../oidc-test/resources/deployment.yaml | 24 +-- .../oidc-test/resources/oauth2-client.yaml | 12 +- examples/authenticated-app/README.md | 43 ++-- examples/authenticated-app/files/glauth.conf | 48 +++++ .../files/hydra-dispatcher-apps.yaml | 35 ++++ examples/authenticated-app/kustomization.yaml | 33 ++- .../patches/hydra-dispatcher-env.yaml | 24 ++- .../authenticated-app/patches/hydra-env.yaml | 11 +- .../patches/hydra-ldap-env.yaml | 43 ++++ .../patches/hydra-ldap-sc.yaml | 7 + .../patches/hydra-saml-env.yaml | 43 ---- .../patches/oidc-test-oauth2-client.yaml | 5 +- .../authenticated-app/patches/oidc-test.yaml | 3 + .../resources/glauth-ldap.yaml | 55 +++++ .../authenticated-app/resources/ingress.yaml | 138 ++++++------- .../authenticated-app/resources/saml-idp.yaml | 51 ----- examples/k8s/kind/cluster/kustomization.yaml | 21 +- .../cluster/patches/nginx-controller.yaml | 15 +- .../hydra-dispatcher/files/hydra/default.yaml | 2 + .../hydra-dispatcher-deployment.yaml | 193 +++++++++--------- .../resources/hydra-maester-deployment.yaml | 7 +- 25 files changed, 498 insertions(+), 386 deletions(-) create mode 100644 examples/authenticated-app/files/glauth.conf create mode 100644 examples/authenticated-app/files/hydra-dispatcher-apps.yaml create mode 100644 examples/authenticated-app/patches/hydra-ldap-env.yaml create mode 100644 examples/authenticated-app/patches/hydra-ldap-sc.yaml delete mode 100644 examples/authenticated-app/patches/hydra-saml-env.yaml create mode 100644 examples/authenticated-app/resources/glauth-ldap.yaml delete mode 100644 examples/authenticated-app/resources/saml-idp.yaml 
diff --git a/README.md b/README.md index f2c4832..26cec9c 100644 --- a/README.md +++ b/README.md @@ -2,10 +2,6 @@ Kustomization du service "SSO" (Ory Hydra) -## Usage - -[Voir la documentation](./doc/README.md) - ## Exemple -Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app) \ No newline at end of file +Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app) diff --git a/components/hydra-ldap/resources/deployment.yaml b/components/hydra-ldap/resources/deployment.yaml index 0a8bb20..786f549 100644 --- a/components/hydra-ldap/resources/deployment.yaml +++ b/components/hydra-ldap/resources/deployment.yaml 
@@ -17,34 +17,32 @@ spec: app.kubernetes.io/version: "v1.2.2" spec: containers: - - name: werther - image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: hydra-ldap-env - env: - - name: WERTHER_WEB_DIR - value: "/usr/share/werther/login/" - - name: WERTHER_LDAP_BINDDN - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDDN - - name: WERTHER_LDAP_BINDPW - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDPW - ports: - - containerPort: 8080 - name: hydra-ldap-http - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 100 + - name: werther + image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: hydra-ldap-env + env: + - name: WERTHER_LDAP_BINDDN + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDDN + - name: WERTHER_LDAP_BINDPW + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDPW + ports: + - containerPort: 8080 + name: hydra-ldap-http + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 diff --git a/components/hydra-saml/resources/hydra-saml-remote-user.yaml b/components/hydra-saml/resources/hydra-saml-remote-user.yaml index 580dc75..4d01f14 100644 --- a/components/hydra-saml/resources/hydra-saml-remote-user.yaml +++ b/components/hydra-saml/resources/hydra-saml-remote-user.yaml @@ -24,6 +24,8 @@ spec: name: hydra-saml-env ports: - containerPort: 8080 + command: + - /bin/apache2-foreground resources: {} restartPolicy: Always --- diff --git a/components/oidc-test/kustomization.yaml b/components/oidc-test/kustomization.yaml index af94763..716acfb 100644 
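Review bot: The `WERTHER_WEB_DIR` entry (`/usr/share/werther/login/`) disappears from `env:` while every other line of the hunk is a re-indent, and neither the subject nor the diffstat hints at a behavioural change, so it is easy to miss. If the image's built-in default is now the intended value, a comment above `env:` such as `# WERTHER_WEB_DIR left unset on purpose: the image default is used` (or a sentence in the commit message) would record that; if werther still needs it, the login UI path now depends on a default that is not visible in this repository. The hardened `securityContext` (drop ALL, read-only root, non-root uid 100) survives the re-indent, which is worth keeping as the template for the new glauth Deployment added later in the patch.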
--- a/components/oidc-test/kustomization.yaml +++ b/components/oidc-test/kustomization.yaml @@ -17,4 +17,5 @@ configMapGenerator: - OIDC_REDIRECT_URL=https://example.net/oauth2/callback - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net - OIDC_SKIP_ISSUER_VERIFICATION="true" - - OIDC_INSECURE_SKIP_VERIFY="true" \ No newline at end of file + - OIDC_SCOPES="openid profile" + - OIDC_INSECURE_SKIP_VERIFY="true" diff --git a/components/oidc-test/resources/deployment.yaml b/components/oidc-test/resources/deployment.yaml index a237882..24f55db 100644 --- a/components/oidc-test/resources/deployment.yaml +++ b/components/oidc-test/resources/deployment.yaml @@ -23,17 +23,17 @@ spec: - containerPort: 8080 resources: {} envFrom: - - configMapRef: - name: oidc-test-env + - configMapRef: + name: oidc-test-env env: - - name: OIDC_CLIENT_ID - valueFrom: - secretKeyRef: - name: oidc-test-oauth2-client - key: client_id - - name: OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oidc-test-oauth2-client - key: client_secret + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-test-oauth2-client + key: CLIENT_ID + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-test-oauth2-client + key: CLIENT_SECRET restartPolicy: Always diff --git a/components/oidc-test/resources/oauth2-client.yaml b/components/oidc-test/resources/oauth2-client.yaml index 8bbc030..6c7cda4 100644 --- a/components/oidc-test/resources/oauth2-client.yaml +++ b/components/oidc-test/resources/oauth2-client.yaml @@ -6,13 +6,13 @@ spec: clientName: "oidc-test" tokenEndpointAuthMethod: "client_secret_basic" grantTypes: - - authorization_code - - refresh_token + - authorization_code + - refresh_token responseTypes: - - code - scope: "openid email" + - code + scope: "openid email profile" secretName: oidc-test-oauth2-client redirectUris: - - https://example.net/oauth2/callback + - https://example.net/oauth2/callback postLogoutRedirectUris: - - https://example.net + - https://example.net 
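Review bot: `OIDC_INSECURE_SKIP_VERIFY="true"` (re-added as the last literal) and `OIDC_SKIP_ISSUER_VERIFICATION="true"` are the defaults of `components/oidc-test` itself, not of the example overlay, so any overlay that pulls the component in gets a client that validates neither the issuer's TLS certificate nor the issuer claim unless it patches both keys. A comment above the literals, e.g. `# Dev defaults: TLS and issuer verification are OFF; overlays for real environments must set both to "false"`, would make the intent explicit, and moving the two keys into the example's `patches/oidc-test.yaml` would be safer still. The new `OIDC_SCOPES="openid profile"` literal is consistent with the `scope` change in `oauth2-client.yaml` in the next hunk.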
diff --git a/examples/authenticated-app/README.md b/examples/authenticated-app/README.md index 1619333..b15eddb 100644 --- a/examples/authenticated-app/README.md +++ b/examples/authenticated-app/README.md @@ -1,6 +1,6 @@ # Exemple: Déploiement d'une application authentifiée avec la stack SSO -L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. +L'exemple est actuellement déployé avec le composant `hydra-ldap` uniquement. ## Procédure @@ -8,35 +8,27 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. 1. Créer un cluster avec `kind` - ``` - kind create cluster --config ./examples/k8s/kind/cluster-config.yaml - ``` + ``` + kind create cluster --config ./examples/k8s/kind/cluster-config.yaml + ``` 2. Déployer les opérateurs nécessaires au déploiement - ``` - kubectl apply -k ./examples/k8s/kind/cluster --server-side - ``` + ``` + kubectl apply -k ./examples/k8s/kind/cluster --server-side + ``` 3. Déployer l'application - ``` - kubectl apply -k ./examples/authenticated-app - ``` - - **Note** Il est possible d'avoir l'erreur suivante: - ``` - error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1" + kubectl apply -k ./examples/authenticated-app ``` - Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande. - 4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts` - ``` - 127.0.0.1 ssokustom - ``` + ``` + 127.0.0.1 ssokustom + ``` 5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom 
@@ -48,14 +40,11 @@ kind delete cluster -n sso-kustom-example ## Authentification -### SAML +### LDAP -- Utilisateur: `user1` -- Mot de passe `user1pass` +- Utilisateur: `jdoe` +- Mot de passe `jdoe` -#### URL utiles +#### Gestion des comptes -|URL|Description| -|---|-----------| -|https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth| -|https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth| +Les comptes LDAP sont définis dans le fichier [`./files/glauth.conf`](./files/glauth.conf) diff --git a/examples/authenticated-app/files/glauth.conf b/examples/authenticated-app/files/glauth.conf new file mode 100644 index 0000000..abecd86 --- /dev/null +++ b/examples/authenticated-app/files/glauth.conf @@ -0,0 +1,48 @@ +debug = true + +[ldap] + enabled = true + listen = "0.0.0.0:3893" + tls = false + +[ldaps] + enabled = false + +[behaviors] + IgnoreCapabilities = true + +[backend] + datastore = "config" + baseDN = "dc=glauth,dc=com" + +[[users]] + uid = "serviceuser" + name = "serviceuser" + mail = "serviceuser@example.com" + uidnumber = 5003 + primarygroup = 5502 + passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret + [[users.capabilities]] + action = "search" + object = "*" + +[[users]] + uid = "jdoe" + name = "jdoe" + uidnumber = 5001 + primarygroup = 5501 + givenname = "John" + sn = "Doe" + mail = "jdoe@example.com" + passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe + [[users.customattributes]] + employeetype = ["Intern", "Temp"] + employeenumber = [12345, 54321] + +[[groups]] + name = "users" + gidnumber = 5501 + +[[groups]] + name = "svcaccts" + gidnumber = 5502 \ No newline at end of file diff --git a/examples/authenticated-app/files/hydra-dispatcher-apps.yaml b/examples/authenticated-app/files/hydra-dispatcher-apps.yaml new file mode 100644 index 0000000..14d2414 --- /dev/null 
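Review bot: `[behaviors] IgnoreCapabilities = true` appears to switch off glauth's capability checks for every bound user, which makes the explicit `[[users.capabilities]]` search grant on `serviceuser` redundant and presumably lets `jdoe` search the whole tree too; together with `debug = true` and `tls = false` this is a deliberately open directory, but the file does not say so. The clear-text passwords in the trailing comments (`# mysecret`, `# jdoe`) are handy for the README yet mean the `passsha256` hashes protect nothing here. A header comment such as `# Example directory for the local kind cluster only: debug on, no TLS, capability checks ignored, passwords documented inline` would stop the file being copied into a real deployment, and the file also lacks a trailing newline.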
+++ b/examples/authenticated-app/files/hydra-dispatcher-apps.yaml @@ -0,0 +1,35 @@ +hydra: + apps: + - id: ldap + title: + fr: Connexion LDAP + en: Login LDAP + description: + fr: Authentification avec LDAP + en: Authentication with LDAP + login_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGIN_URL)%" + consent_url: "%env(string:HYDRA_DISPATCHER_LDAP_CONSENT_URL)%" + logout_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGOUT_URL)%" + attributes_rewrite_configuration: + family_name: + rules: + - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null" + given_name: + rules: + - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null" + email: + rules: + - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" + firewall: + additional_properties: true + rules: + email: + required: false + given_name: + required: false + family_name: + required: false + webhook: + enabled: false + webhook_post_login: + enabled: false diff --git a/examples/authenticated-app/kustomization.yaml b/examples/authenticated-app/kustomization.yaml index af62fc2..c2e4685 100644 --- a/examples/authenticated-app/kustomization.yaml +++ b/examples/authenticated-app/kustomization.yaml @@ -2,12 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../overlays/full + - ../../overlays/base + - ./resources/ingress.yaml - - ./resources/saml-idp.yaml + - ./resources/glauth-ldap.yaml - ./resources/self-signed-issuer.yaml - ./resources/port-forwarder.yaml +components: + - ../../components/hydra-cnpg-database + - ../../components/hydra-ldap + - ../../components/oidc-test + - ../../components/redis + patchesJson6902: - target: version: v1 
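Review bot: `firewall.additional_properties: true` with every rule set to `required: false` means the dispatcher forwards whatever claims werther produces, whereas the base `default.yaml` drives that switch from `HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES`; because the example replaces the whole ConfigMap (`behavior: replace` in `kustomization.yaml`), the env knob no longer applies to it. If that is intended for the demo, a comment above `firewall:` such as `# Demo setting: all claims are passed through unfiltered; tighten additional_properties and the rules before reuse` would make the trade-off visible. The `%env(string:...)%` URLs are correctly quoted, so the leading `%` is not read as a YAML directive.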
@@ -22,8 +29,13 @@ patchesJson6902: - target: version: v1 kind: ConfigMap - name: hydra-saml-env - path: patches/hydra-saml-env.yaml + name: hydra-ldap-env + path: patches/hydra-ldap-env.yaml + - target: + version: v1 + kind: Secret + name: hydra-ldap-sc + path: patches/hydra-ldap-sc.yaml - target: version: v1 kind: Secret @@ -32,10 +44,19 @@ patchesJson6902: - target: version: v1 kind: ConfigMap - name: oidc-test + name: oidc-test-env path: patches/oidc-test.yaml - target: version: v1alpha1 kind: OAuth2Client name: oidc-test-oauth2-client - path: patches/oidc-test-oauth2-client.yaml \ No newline at end of file + path: patches/oidc-test-oauth2-client.yaml + +configMapGenerator: + - name: hydra-dispatcher-apps + behavior: replace + files: + - ./files/hydra-dispatcher-apps.yaml + - name: glauth-ldap-conf + files: + - ./files/glauth.conf diff --git a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml index 464288a..6c9abbe 100644 --- a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml +++ b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml @@ -1,3 +1,12 @@ +- op: replace + path: "/data/APP_ENV" + value: dev +- op: replace + path: "/data/APP_DEBUG" + value: "true" +- op: replace + path: "/data/SENTRY_DSN" + value: "https://1c34f3d4b125c38f4b502ac1a78ea64d@o4507979257741312.ingest.de.sentry.io/4508817444634704" - op: replace path: "/data/HYDRA_BASE_URL" value: http://hydra:4444 
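Review bot: A live-looking Sentry DSN (`https://1c34f3d4b125c38f4b502ac1a78ea64d@o4507979257741312.ingest.de.sentry.io/4508817444634704`) is written into the example overlay next to `APP_DEBUG: "true"`, so everyone who applies the example reports their errors — with debug enabled, possibly including request data — to that Sentry project, and anyone reading the repository can submit events to it. Replace the value with an obviously fake placeholder and a comment (`# set your own DSN, or leave it empty, which the SDK treats as reporting disabled`), or drop the op entirely. A one-line comment that `APP_ENV: dev` / `APP_DEBUG: "true"` mark this overlay as non-production would also help.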
@@ -17,14 +26,13 @@ path: "/data/COOKIE_PATH" value: /auth/dispatcher -# Hydra SAML configuration +# Hydra LDAP configuration - op: replace - path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL" - value: https://ssokustom/auth/saml/login + path: "/data/HYDRA_DISPATCHER_LDAP_LOGIN_URL" + value: https://ssokustom/auth/ldap/auth/login - op: replace - path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL" - value: https://ssokustom/auth/saml/consent + path: "/data/HYDRA_DISPATCHER_LDAP_CONSENT_URL" + value: https://ssokustom/auth/ldap/auth/consent - op: replace - path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL" - value: https://ssokustom/auth/saml/logout - \ No newline at end of file + path: "/data/HYDRA_DISPATCHER_LDAP_LOGOUT_URL" + value: https://ssokustom/auth/ldap/auth/logout diff --git a/examples/authenticated-app/patches/hydra-env.yaml b/examples/authenticated-app/patches/hydra-env.yaml index 1b45696..3f1bce5 100644 --- a/examples/authenticated-app/patches/hydra-env.yaml +++ b/examples/authenticated-app/patches/hydra-env.yaml @@ -12,4 +12,13 @@ value: https://ssokustom/auth/dispatcher/consent - op: replace path: "/data/HYDRA_SERVE_ALL_ARGS" - value: "--dev" \ No newline at end of file + value: "--dev" +- op: replace + path: "/data/SERVE_COOKIES_SAME_SITE_MODE" + value: "Lax" +- op: replace + path: "/data/SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND" + value: "true" +- op: replace + path: "/data/SERVE_COOKIES_DOMAIN" + value: "ssokustom" diff --git a/examples/authenticated-app/patches/hydra-ldap-env.yaml b/examples/authenticated-app/patches/hydra-ldap-env.yaml new file mode 100644 index 0000000..937beca --- /dev/null +++ b/examples/authenticated-app/patches/hydra-ldap-env.yaml 
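Review bot: `SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND: "true"` is set together with `SERVE_COOKIES_SAME_SITE_MODE: "Lax"`; as far as Hydra's documentation describes it, the workaround only matters for `SameSite=None` (it stores a second cookie without a SameSite attribute for old browsers), so with `Lax` it is either inert or, if applied, weakens the CSRF protection the mode provides. Unless a specific browser problem was observed, drop that op or add a comment stating why it is needed, e.g. `# legacy SameSite fallback: needed for <browser/version> in this demo`. `SERVE_COOKIES_DOMAIN: "ssokustom"` matches the ingress host, which is consistent.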
@@ -0,0 +1,43 @@ +- op: replace + path: "/data/WERTHER_DEV_MODE" + value: "true" + +- op: replace + path: "/data/WERTHER_WEB_BASE_PATH" + value: "/auth/ldap/" + +- op: replace + path: "/data/WERTHER_IDENTP_HYDRA_URL" + value: "http://hydra-dispatcher" + +- op: replace + path: "/data/WERTHER_LDAP_ENDPOINTS" + value: "glauth-ldap:389" + +- op: replace + path: "/data/WERTHER_LDAP_BASEDN" + value: "dc=glauth,dc=com" + +- op: replace + path: "/data/WERTHER_LDAP_ROLE_BASEDN" + value: "ou=groups,dc=glauth,dc=com" + +- op: replace + path: "/data/WERTHER_IDENTP_CLAIM_SCOPES" + value: "uid:profile,name:profile,family_name:profile,given_name:profile,email:profile,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles" + +- op: replace + path: "/data/WERTHER_INSECURE_SKIP_VERIFY" + value: "true" + +- op: replace + path: "/data/WERTHER_LDAP_IS_TLS" + value: "false" + +- op: replace + path: "/data/WERTHER_LDAP_CONNECTION_TIMEOUT" + value: "30s" + +- op: replace + path: "/data/WERTHER_LDAP_USER_SEARCH_QUERY" + value: "(&(objectClass=*)(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))" diff --git a/examples/authenticated-app/patches/hydra-ldap-sc.yaml b/examples/authenticated-app/patches/hydra-ldap-sc.yaml new file mode 100644 index 0000000..3eb0e19 --- /dev/null +++ b/examples/authenticated-app/patches/hydra-ldap-sc.yaml @@ -0,0 +1,7 @@ +- op: replace + path: "/data/WERTHER_LDAP_BINDDN" + value: "Y249c2VydmljZXVzZXIsb3U9c3ZjYWNjdHMsb3U9dXNlcnMsZGM9Z2xhdXRoLGRjPWNvbQ==" # cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com + +- op: replace + path: "/data/WERTHER_LDAP_BINDPW" + value: "bXlzZWNyZXQ=" # mysecret diff --git a/examples/authenticated-app/patches/hydra-saml-env.yaml b/examples/authenticated-app/patches/hydra-saml-env.yaml deleted file mode 100644 index 8d9aa8a..0000000 --- a/examples/authenticated-app/patches/hydra-saml-env.yaml +++ /dev/null 
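Review bot: `WERTHER_INSECURE_SKIP_VERIFY: "true"` disables TLS certificate verification (the variable name does not say towards which peer) and `WERTHER_LDAP_IS_TLS: "false"` makes the LDAP bind to `glauth-ldap:389` plain-text, which suits the kind example but is not labelled as such, and the patch is self-contained enough to be copied into a real overlay unchanged; a header comment such as `# Example-only: plain-text LDAP, no TLS verification, plain HTTP towards hydra-dispatcher` would prevent that. `WERTHER_LDAP_USER_SEARCH_QUERY` interpolates the submitted login (`%[1]s`) into four attributes; whether werther escapes the value before substitution is not visible here, so it is worth confirming against the pinned image, since an unescaped login would change the filter.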
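Review bot: The bind credentials are committed as base64 (`bXlzZWNyZXQ=`, with the clear-text `mysecret` alongside in a comment), and base64 in a Secret is encoding, not protection; the comment also guarantees that a grep for the password finds it. For an example this is acceptable, but the file should say so: `# Example credentials for the bundled glauth directory; in any real overlay supply WERTHER_LDAP_BINDPW from a proper secret source instead`. The bind DN (`cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com`) is consistent with `primarygroup = 5502` / the `svcaccts` group in `glauth.conf`.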
@@ -1,43 +0,0 @@ -- op: replace - path: "/data/HTTP_BASE_URL" - value: https://ssokustom/auth/saml -- op: replace - path: "/data/COOKIE_PATH" - value: /auth/saml -- op: replace - path: "/data/HYDRA_ADMIN_BASE_URL" - value: http://hydra-dispatcher -- op: replace - path: "/data/LOGOUT_REDIRECT_URL_PATTERN" - value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s -- op: replace - path: "/data/PATH_PREFIX" - value: "/auth/saml" - -- op: replace - path: "/data/SP_ENTITY_ID" - value: https://ssokustom/auth/saml -- op: replace - path: "/data/IDP_ENTITY_ID" - value: https://ssokustom/simplesaml/saml2/idp/metadata.php -- op: replace - path: "/data/IDP_METADATA_URL" - value: https://ssokustom/simplesaml/saml2/idp/metadata.php -- op: replace - path: "/data/APACHE_FORCE_HTTPS" - value: "true" -- op: replace - path: "/data/SP_HANDLER_BASE_PATH" - value: "/auth/saml" -- op: replace - path: "/data/SP_LOG_LEVEL" - value: DEBUG -- op: replace - path: "/data/SP_SESSIONS_REDIRECT_LIMIT" - value: none -- op: replace - path: "/data/SP_SESSIONS_REDIRECT_ALLOW" - value: https://ssokustom -- op: replace - path: "/data/SP_SESSIONS_COOKIE_PROPS" - value: https \ No newline at end of file diff --git a/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml b/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml index 14161b6..d453eba 100644 --- a/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml +++ b/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml @@ -3,4 +3,7 @@ value: https://ssokustom/oauth2/callback - op: replace path: "/spec/postLogoutRedirectUris/0" - value: https://ssokustom \ No newline at end of file + value: https://ssokustom +- op: replace + path: "/spec/scope" + value: "openid profile roles" diff --git a/examples/authenticated-app/patches/oidc-test.yaml b/examples/authenticated-app/patches/oidc-test.yaml index ec56255..a20fe4b 100644 --- a/examples/authenticated-app/patches/oidc-test.yaml 
+++ b/examples/authenticated-app/patches/oidc-test.yaml @@ -4,3 +4,6 @@ - op: replace path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL" value: https://ssokustom +- op: replace + path: "/data/OIDC_SCOPES" + value: "openid profile roles" diff --git a/examples/authenticated-app/resources/glauth-ldap.yaml b/examples/authenticated-app/resources/glauth-ldap.yaml new file mode 100644 index 0000000..2ae39fc --- /dev/null +++ b/examples/authenticated-app/resources/glauth-ldap.yaml @@ -0,0 +1,55 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: glauth-ldap + name: glauth-ldap +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: glauth-ldap + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: glauth-ldap + spec: + containers: + - image: glauth/glauth:v2.3.2 + name: glauth-ldap + ports: + - containerPort: 3893 + name: ldap + - containerPort: 3894 + name: ldaps + resources: {} + volumeMounts: + - name: glauth-ldap-conf + mountPath: /app/config/config.cfg + subPath: glauth.conf + restartPolicy: Always + volumes: + - name: glauth-ldap-conf + configMap: + name: glauth-ldap-conf +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: glauth-ldap + name: glauth-ldap +spec: + ports: + - name: ldap + port: 389 + targetPort: ldap + - name: ldaps + port: 636 + targetPort: ldaps + selector: + app.kubernetes.io/name: glauth-ldap +status: + loadBalancer: {} diff --git a/examples/authenticated-app/resources/ingress.yaml b/examples/authenticated-app/resources/ingress.yaml index 76212ba..6234219 100644 --- a/examples/authenticated-app/resources/ingress.yaml +++ b/examples/authenticated-app/resources/ingress.yaml 
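Review bot: The glauth container is the only workload added here without a `securityContext`, while the werther container it serves drops all capabilities and runs read-only as a non-root user; the example would be more consistent, and a safer template, if the Deployment mirrored that. The Service also publishes `ldaps` (636 → 3894) although `glauth.conf` sets `[ldaps] enabled = false`, so that port will never answer — either drop it from both objects or enable LDAPS in the config. `runAsUser` is left out below because the image's default user is not visible here; confirm it before enabling `runAsNonRoot`, and confirm glauth writes nothing outside the mounted config before enabling `readOnlyRootFilesystem`.
```yaml
      containers:
        - image: glauth/glauth:v2.3.2
          name: glauth-ldap
          # … unchanged: ports, resources, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
```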
@@ -10,43 +10,47 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: oidc-test - port: - name: http + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: oidc-test + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: auth-saml + name: auth-ldap annotations: cert-manager.io/issuer: "self-signed" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/ldap + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Forwarded-Proto https; spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth/saml(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra-saml - port: - name: http + - http: + paths: + - path: /auth/ldap(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-ldap + port: + name: hydra-ldap --- apiVersion: networking.k8s.io/v1 kind: Ingress 
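Review bot: The `configuration-snippet` added to the `auth-ldap` Ingress — and the identical ones added to the `auth-dispatcher` and `hydra` ingresses in the next two hunks — hard-codes `proxy_set_header X-Forwarded-Proto https;` and only works because the kind controller patch enables `allow-snippet-annotations` and sets `annotations-risk-level` to `Critical`. Snippet annotations let any Ingress author inject raw nginx directives into the shared controller, which is why they are off by default; since `force-ssl-redirect` is set and TLS terminates at the controller, the controller's own `X-Forwarded-Proto` should already be `https` on proxied requests, so the snippet may be redundant — worth checking, and if it is needed (e.g. behind the port-forwarder) a comment above the annotation should say why. The `/auth/ldap(/|$)(.*)` regex with `pathType: Prefix` relies on `strict-validate-path-type: "false"` from the same controller patch; `pathType: ImplementationSpecific` would express the regex intent without the cluster-wide relaxation.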
@@ -57,22 +61,24 @@ metadata: nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/rewrite-target: /$2 nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Forwarded-Proto https; spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth/dispatcher(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra-dispatcher - port: - name: http + - http: + paths: + - path: /auth/dispatcher(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-dispatcher + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress 
@@ -82,50 +88,22 @@ metadata: cert-manager.io/issuer: "self-signed" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Forwarded-Proto https; spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra - port: - name: hydra-public ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: saml-idp - annotations: - cert-manager.io/issuer: "self-signed" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2 - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" -spec: - ingressClassName: nginx - tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls - rules: - - http: - paths: - - path: /simplesaml(/|$)(.*) - pathType: Prefix - backend: - service: - name: saml-idp - port: - name: https - - - - - \ No newline at end of file + - http: + paths: + - path: /auth(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra + port: + name: hydra-public diff --git a/examples/authenticated-app/resources/saml-idp.yaml b/examples/authenticated-app/resources/saml-idp.yaml deleted file mode 100644 index 20146d2..0000000 --- a/examples/authenticated-app/resources/saml-idp.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/name: saml-idp - name: saml-idp -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: saml-idp - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: saml-idp - spec: - containers: - - image: kristophjunge/test-saml-idp:1.15 - name: saml-idp - ports: - - containerPort: 8443 - resources: {} - env: - - name: SIMPLESAMLPHP_SP_ENTITY_ID - value: https://ssokustom/auth/saml - - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE - value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST - - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE - value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom - restartPolicy: Always ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: saml-idp - name: saml-idp -spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/name: saml-idp -status: - loadBalancer: {} \ No newline at end of file diff --git a/examples/k8s/kind/cluster/kustomization.yaml b/examples/k8s/kind/cluster/kustomization.yaml index af48eba..2b23a19 100644 --- a/examples/k8s/kind/cluster/kustomization.yaml +++ b/examples/k8s/kind/cluster/kustomization.yaml 
@@ -1,15 +1,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml -- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop -- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop -- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + - https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml + - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop + - https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop + - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml -patchesJson6902: - - target: - version: v1 + # 'By executive order', l'inclusion de la CRD OAuth2Client est désormais gérée à la création des clusters Cadoles. + # Dans cet environnement de développement il est cependant nécessaire de l'intégrer manuellement. + # Le numéro de version devrait être raccord avec celui de l'image utilisée par la ressource 'hydra-maester'. + # cf. resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml + - https://raw.githubusercontent.com/ory/hydra-maester/refs/tags/v0.0.25/config/crd/bases/hydra.ory.sh_oauth2clients.yaml + +patches: + - path: patches/nginx-controller.yaml + target: kind: ConfigMap name: ingress-nginx-controller namespace: ingress-nginx - path: patches/nginx-controller.yaml diff --git a/examples/k8s/kind/cluster/patches/nginx-controller.yaml b/examples/k8s/kind/cluster/patches/nginx-controller.yaml index 799344f..ab59022 100644 --- a/examples/k8s/kind/cluster/patches/nginx-controller.yaml +++ b/examples/k8s/kind/cluster/patches/nginx-controller.yaml 
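Review bot: The new CRD URL is pinned to the `v0.0.25` tag, which matches the hydra-maester bump at the end of the patch, but the re-indented line above it still fetches `ingress-nginx/main/deploy/static/provider/kind/deploy.yaml` from a moving branch and the two Cadoles bases use `?ref=develop`, so the example deploys whatever those branches contain on the day it is run. That matters here because `patches/nginx-controller.yaml` relies on `annotations-risk-level`, which, if I recall correctly, only exists in recent controller releases, so an older or newer `main` may silently change behaviour. Extend the comment block to cover it, e.g. `# ingress-nginx must be recent enough to understand annotations-risk-level; pin to a release tag rather than main`.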
@@ -1,6 +1,9 @@ -- op: replace - path: "/data/allow-snippet-annotations" - value: "true" -- op: replace - path: "/data/use-forwarded-headers" - value: "true" \ No newline at end of file +kind: ConfigMap +apiVersion: v1 +metadata: + name: ingress-nginx-controller +data: + allow-snippet-annotations: "true" + use-forwarded-headers: "true" + strict-validate-path-type: "false" + annotations-risk-level: "Critical" diff --git a/resources/hydra-dispatcher/files/hydra/default.yaml b/resources/hydra-dispatcher/files/hydra/default.yaml index d86c656..9b05778 100644 --- a/resources/hydra-dispatcher/files/hydra/default.yaml +++ b/resources/hydra-dispatcher/files/hydra/default.yaml @@ -15,3 +15,5 @@ hydra: firewall: additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%" rules: {} + webhook_post_login: + enabled: false diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml index c730f23..74d0ed9 100644 --- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml +++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml @@ -3,6 +3,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: hydra-dispatcher + com.cadoles.forge.sso-kustom/session: redis name: hydra-dispatcher spec: replicas: 1 
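Review bot: `annotations-risk-level: "Critical"` and `allow-snippet-annotations: "true"` relax the controller for every Ingress in the cluster, not just the example's, and `strict-validate-path-type: "false"` together with the pre-existing `use-forwarded-headers: "true"` do likewise; with `use-forwarded-headers` the controller trusts `X-Forwarded-*` from whoever reaches it directly, which in a kind cluster with host port mapping is the client itself. These are reasonable for a throw-away dev cluster but the file gives no hint that they are dev-only; add a comment at the top of `data:` such as `# Dev-cluster relaxations: snippets and Critical-risk annotations are enabled cluster-wide; not for shared clusters`. A `namespace: ingress-nginx` under `metadata` would also make the strategic-merge patch self-describing instead of depending solely on the `target` selector in `kustomization.yaml`.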
@@ -17,101 +18,101 @@ spec: app.kubernetes.io/name: hydra-dispatcher spec: containers: - - name: hydra-dispatcher-php-fpm - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb - args: ["/usr/sbin/php-fpm81", "-F", "-e"] - readinessProbe: - exec: - command: - - sh - - -c - - test -f /etc/php81/php-fpm.d/www.conf - livenessProbe: - exec: - command: - - php - - bin/console - - -V - initialDelaySeconds: 10 - periodSeconds: 30 - env: - - name: PHP_FPM_LISTEN - value: 127.0.0.1:9000 - - name: PHP_MEMORY_LIMIT - value: 128m - - name: PHP_FPM_MEMORY_LIMIT - value: 128m - - name: OPCACHE_VALIDATE_TIMESTAMP - value: "0" - - name: OPCACHE_REVALIDATE_FREQ - value: "0" - envFrom: - - configMapRef: - name: hydra-dispatcher-env - volumeMounts: - - mountPath: /app/config/hydra - name: hydra-dispatcher-apps - - name: hydra-dispatcher-php-ini - mountPath: /etc/php81/conf.d/03_base.ini - subPath: 03_base.ini - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 - - name: hydra-dispatcher-caddy - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb - imagePullPolicy: IfNotPresent - args: - [ - "/usr/sbin/caddy", - "run", - "--adapter", - "caddyfile", - "--config", - "/etc/caddy/Caddyfile", - ] - readinessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 5 - periodSeconds: 15 - envFrom: - - configMapRef: - name: hydra-dispatcher-env - env: - - name: CADDY_APP_UPSTREAM_BACKEND_SERVER - value: 127.0.0.1:9000 - - name: CADDY_HTTPS_PORT - value: "8443" - - name: CADDY_HTTP_PORT - value: "8080" - - name: CADDY_DATA_FS - value: "/tmp/caddy" - - name: CADDY_APP_ROOT_PUBLIC - value: "/app/public/" - ports: - - containerPort: 8080 - name: http - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 
+ - name: hydra-dispatcher-php-fpm + image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb + args: ["/usr/sbin/php-fpm81", "-F", "-e"] + readinessProbe: + exec: + command: + - sh + - -c + - test -f /etc/php81/php-fpm.d/www.conf + livenessProbe: + exec: + command: + - php + - bin/console + - -V + initialDelaySeconds: 10 + periodSeconds: 30 + env: + - name: PHP_FPM_LISTEN + value: 127.0.0.1:9000 + - name: PHP_MEMORY_LIMIT + value: 128m + - name: PHP_FPM_MEMORY_LIMIT + value: 128m + - name: OPCACHE_VALIDATE_TIMESTAMP + value: "0" + - name: OPCACHE_REVALIDATE_FREQ + value: "0" + envFrom: + - configMapRef: + name: hydra-dispatcher-env + volumeMounts: + - mountPath: /app/config/hydra + name: hydra-dispatcher-apps + - name: hydra-dispatcher-php-ini + mountPath: /etc/php81/conf.d/03_base.ini + subPath: 03_base.ini + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + - name: hydra-dispatcher-caddy + image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb + imagePullPolicy: IfNotPresent + args: + [ + "/usr/sbin/caddy", + "run", + "--adapter", + "caddyfile", + "--config", + "/etc/caddy/Caddyfile", + ] + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 15 + envFrom: + - configMapRef: + name: hydra-dispatcher-env + env: + - name: CADDY_APP_UPSTREAM_BACKEND_SERVER + value: 127.0.0.1:9000 + - name: CADDY_HTTPS_PORT + value: "8443" + - name: CADDY_HTTP_PORT + value: "8080" + - name: CADDY_DATA_FS + value: "/tmp/caddy" + - name: CADDY_APP_ROOT_PUBLIC + value: "/app/public/" + ports: + - containerPort: 8080 + name: http + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 restartPolicy: Always volumes: - - name: hydra-dispatcher-apps - configMap: - name: 
hydra-dispatcher-apps - - name: hydra-dispatcher-php-ini - configMap: - name: hydra-dispatcher-php-ini + - name: hydra-dispatcher-apps + configMap: + name: hydra-dispatcher-apps + - name: hydra-dispatcher-php-ini + configMap: + name: hydra-dispatcher-php-ini diff --git a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml index 0b5b7bb..743e15a 100644 --- a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml +++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: hydra-maester app.kubernetes.io/instance: hydra-master - app.kubernetes.io/version: "v0.0.23" + app.kubernetes.io/version: "v0.0.25" spec: replicas: 1 revisionHistoryLimit: 10 @@ -38,15 +38,14 @@ spec: - --hydra-url=$(HYDRA_ADMIN_BASE_URL) - --hydra-port=$(HYDRA_ADMIN_PORT) - --endpoint=/admin/clients - resources: - {} + resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true