From 62ef2763dece1f94338af7bf3441b3f083643cf5 Mon Sep 17 00:00:00 2001 From: William Petit Date: Thu, 4 Apr 2024 11:52:57 +0200 Subject: [PATCH] wip: integrate hydra-sql in example environment --- .../hydra-ldap/resources/deployment.yaml | 62 +++--- components/hydra-ldap/resources/service.yaml | 4 +- .../resources/hydra-oidc-deployment.yaml | 162 ++++++++-------- .../resources/hydra-oidc-service.yaml | 6 +- components/hydra-sql/files/hydra/sql.yaml | 30 +++ components/hydra-sql/kustomization.yaml | 49 +++-- .../patches/hydra-dispatcher-env.yaml | 9 + .../resources/hydra-sql-deployment.yaml | 182 +++++++++--------- .../resources/hydra-sql-service.yaml | 6 +- .../oidc-test/resources/deployment.yaml | 24 +-- examples/authenticated-app/README.md | 36 ++-- examples/authenticated-app/kustomization.yaml | 9 +- .../patches/hydra-dispatcher-env.yaml | 12 +- .../patches/hydra-sql-env.yaml | 24 +++ .../authenticated-app/resources/ingress.yaml | 149 +++++++------- examples/k8s/kind/cluster/kustomization.yaml | 9 +- .../hydra-dispatcher-deployment.yaml | 172 ++++++++--------- .../resources/hydra-dispatcher-service.yaml | 6 +- 18 files changed, 526 insertions(+), 425 deletions(-) create mode 100644 components/hydra-sql/files/hydra/sql.yaml create mode 100644 components/hydra-sql/patches/hydra-dispatcher-env.yaml create mode 100644 examples/authenticated-app/patches/hydra-sql-env.yaml diff --git a/components/hydra-ldap/resources/deployment.yaml b/components/hydra-ldap/resources/deployment.yaml index 0a8bb20..b7ec187 100644 --- a/components/hydra-ldap/resources/deployment.yaml +++ b/components/hydra-ldap/resources/deployment.yaml 
@@ -17,34 +17,34 @@ spec: app.kubernetes.io/version: "v1.2.2" spec: containers: - - name: werther - image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: hydra-ldap-env - env: - - name: WERTHER_WEB_DIR - value: "/usr/share/werther/login/" - - name: WERTHER_LDAP_BINDDN - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDDN - - name: WERTHER_LDAP_BINDPW - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDPW - ports: - - containerPort: 8080 - name: hydra-ldap-http - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 100 + - name: werther + image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: hydra-ldap-env + env: + - name: WERTHER_WEB_DIR + value: "/usr/share/werther/login/" + - name: WERTHER_LDAP_BINDDN + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDDN + - name: WERTHER_LDAP_BINDPW + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDPW + ports: + - containerPort: 8080 + name: http + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 diff --git a/components/hydra-ldap/resources/service.yaml b/components/hydra-ldap/resources/service.yaml index 29db7ec..1c3af77 100644 --- a/components/hydra-ldap/resources/service.yaml +++ b/components/hydra-ldap/resources/service.yaml @@ -7,9 +7,9 @@ metadata: spec: type: ClusterIP ports: - - name: hydra-ldap + - name: http port: 8080 - targetPort: hydra-ldap-http + targetPort: http protocol: TCP selector: app.kubernetes.io/name: hydra-ldap 
diff --git a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml index 022806e..211c1ff 100644 --- a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml +++ b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml 
@@ -17,86 +17,86 @@ spec: app.kubernetes.io/name: hydra-oidc spec: containers: - - name: hydra-oidc-php-fpm - image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 - imagePullPolicy: Always - args: ["/usr/sbin/php-fpm81", "-F", "-e"] - readinessProbe: - exec: - command: - - sh - - -c - - test -f /etc/php81/php-fpm.d/www.conf - livenessProbe: - exec: - command: - - php - - bin/console - - -V - initialDelaySeconds: 10 - periodSeconds: 30 - env: - - name: PHP_FPM_LISTEN - value: 127.0.0.1:9000 - - name: PHP_MEMORY_LIMIT - value: 128m - - name: PHP_FPM_MEMORY_LIMIT - value: 128m - envFrom: - - configMapRef: - name: hydra-oidc-env - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 + - name: hydra-oidc-php-fpm + image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 + imagePullPolicy: Always + args: ["/usr/sbin/php-fpm81", "-F", "-e"] + readinessProbe: + exec: + command: + - sh + - -c + - test -f /etc/php81/php-fpm.d/www.conf + livenessProbe: + exec: + command: + - php + - bin/console + - -V + initialDelaySeconds: 10 + periodSeconds: 30 + env: + - name: PHP_FPM_LISTEN + value: 127.0.0.1:9000 + - name: PHP_MEMORY_LIMIT + value: 128m + - name: PHP_FPM_MEMORY_LIMIT + value: 128m + envFrom: + - configMapRef: + name: hydra-oidc-env + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 - - name: hydra-oidc-caddy - image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 - imagePullPolicy: Always - args: - [ - "/usr/sbin/caddy", - "run", - "--adapter", - "caddyfile", - "--config", - "/etc/caddy/Caddyfile", - ] - readinessProbe: - httpGet: - path: /healthy - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /healthy - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 5 - periodSeconds: 15 - ports: - - containerPort: 8080 - name: http - envFrom: - - configMapRef: - name: 
hydra-oidc-env - env: - - name: CADDY_APP_UPSTREAM_BACKEND_SERVER - value: 127.0.0.1:9000 - - name: CADDY_HTTPS_PORT - value: "8443" - - name: CADDY_HTTP_PORT - value: "8080" - - name: CADDY_DATA_FS - value: "/tmp/caddy" - - name: CADDY_APP_ROOT_PUBLIC - value: "/app/public/" - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 + - name: hydra-oidc-caddy + image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 + imagePullPolicy: Always + args: + [ + "/usr/sbin/caddy", + "run", + "--adapter", + "caddyfile", + "--config", + "/etc/caddy/Caddyfile", + ] + readinessProbe: + httpGet: + path: /healthy + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /healthy + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 15 + ports: + - containerPort: 8080 + name: http + envFrom: + - configMapRef: + name: hydra-oidc-env + env: + - name: CADDY_APP_UPSTREAM_BACKEND_SERVER + value: 127.0.0.1:9000 + - name: CADDY_HTTPS_PORT + value: "8443" + - name: CADDY_HTTP_PORT + value: "8080" + - name: CADDY_DATA_FS + value: "/tmp/caddy" + - name: CADDY_APP_ROOT_PUBLIC + value: "/app/public/" + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 restartPolicy: Always diff --git a/components/hydra-oidc/resources/hydra-oidc-service.yaml b/components/hydra-oidc/resources/hydra-oidc-service.yaml index 3cc9f8c..ce38989 100644 --- a/components/hydra-oidc/resources/hydra-oidc-service.yaml +++ b/components/hydra-oidc/resources/hydra-oidc-service.yaml @@ -6,9 +6,9 @@ metadata: name: hydra-oidc spec: ports: - - name: http - port: 80 - targetPort: http + - name: http + port: 80 + targetPort: http selector: app.kubernetes.io/name: hydra-oidc status: diff --git a/components/hydra-sql/files/hydra/sql.yaml b/components/hydra-sql/files/hydra/sql.yaml new file mode 100644 index 0000000..869d210 --- /dev/null 
+++ b/components/hydra-sql/files/hydra/sql.yaml @@ -0,0 +1,30 @@ +hydra: + apps: + - id: sql + title: + fr: Connexion SQL + en: Login SQL + description: + fr: Authentification avec SQL + en: Authentication with SQL + login_url: "%env(string:HYDRA_DISPATCHER_SQL_LOGIN_URL)%" + consent_url: "%env(string:HYDRA_DISPATCHER_SQL_CONSENT_URL)%" + logout_url: "%env(string:HYDRA_DISPATCHER_SQL_LOGOUT_URL)%" + attributes_rewrite_configuration: + uid: + rules: + - "property_exists(consent.session.id_token, 'uid') ? consent.session.id_token.uid : null" + email: + rules: + - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" + eduPersonAffiliation: + rules: + - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null" + firewall: + rules: + email: + required: false + uid: + required: false + eduPersonAffiliation: + required: false diff --git a/components/hydra-sql/kustomization.yaml b/components/hydra-sql/kustomization.yaml index b0b66d5..8582825 100644 --- a/components/hydra-sql/kustomization.yaml +++ b/components/hydra-sql/kustomization.yaml 
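Review bot: Every entry under `firewall.rules` in the new app definition is `required: false`, so a consent whose id_token carries none of uid, email or eduPersonAffiliation still passes the dispatcher firewall, and the `attributes_rewrite_configuration` rules above it then resolve each attribute to `null`. If `uid` is the identifier the relying parties key on (the SAML and LDAP apps are not in this diff, so I cannot compare), set `uid: { required: true }` or add a comment stating why an identity with no attributes is acceptable for the SQL app. Minor: the English title `Login SQL` is a word-for-word rendering of the French; `SQL Login` matches English word order and the `Authentication with SQL` description below it.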
@@ -2,27 +2,38 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: -- ./resources/hydra-sql-service.yaml -- ./resources/hydra-sql-deployment.yaml + - ./resources/hydra-sql-service.yaml + - ./resources/hydra-sql-deployment.yaml generatorOptions: labels: - com.cadoles.forge.sso-kustom/session: redis + com.cadoles.forge.sso-kustom/session: redis configMapGenerator: -- name: hydra-sql-env - literals: - - ISSUER_URL="http://localhost:8000" - - BASE_URL='http://localhost:8080' - - HYDRA_ADMIN_BASE_URL='http://hydra:4445/admin' - - APP_LOCALES="fr,en" - - HASH_ALGO_LEGACY="sha256, bcrypt" - - SECURITY_PATTERN="password,salt,pepper" - - DSN_REMOTE_DATABASE="pgsql:host='postgres';port=5432;dbname=lasql" - - DB_USER="makeMeASecret" - - DB_PASSWORD="makeMeASecret" - - REDIS_DSN="redis://redis:6379" - - PEPPER="MakeMeABigSecret" -- name: sql-login-config - files: - - ./files/sql_login.yaml + - name: hydra-sql-env + literals: + - ISSUER_URL="http://localhost:8000" + - BASE_URL='http://localhost:8080' + - HYDRA_ADMIN_BASE_URL='http://hydra:4445/admin' + - APP_LOCALES="fr,en" + - HASH_ALGO_LEGACY="sha256, bcrypt" + - SECURITY_PATTERN="password,salt,pepper" + - DSN_REMOTE_DATABASE="pgsql:host='postgres';port=5432;dbname=lasql" + - DB_USER="makeMeASecret" + - DB_PASSWORD="makeMeASecret" + - REDIS_DSN="redis://redis:6379" + - PEPPER="MakeMeABigSecret" + - name: sql-login-config + files: + - ./files/sql_login.yaml + - name: hydra-dispatcher-apps + behavior: merge + files: + - ./files/hydra/sql.yaml + +patchesJson6902: + - target: + version: v1 + kind: ConfigMap + name: hydra-dispatcher-env + path: patches/hydra-dispatcher-env.yaml diff --git a/components/hydra-sql/patches/hydra-dispatcher-env.yaml b/components/hydra-sql/patches/hydra-dispatcher-env.yaml new file mode 100644 index 0000000..93f7197 --- /dev/null +++ b/components/hydra-sql/patches/hydra-dispatcher-env.yaml 
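Review bot: `DB_USER`, `DB_PASSWORD` and `PEPPER` are still emitted by the configMapGenerator into the plaintext `hydra-sql-env` ConfigMap, so the database credential and the password-hashing pepper are handled as configuration rather than as secrets; the hydra-ldap component touched by this same commit already does this properly by reading `WERTHER_LDAP_BINDPW` through a `secretKeyRef` on `hydra-ldap-sc`. Move those three literals to a `secretGenerator` and reference them with `secretKeyRef` from the deployment, keeping the placeholder values as quoted strings. Separately, the new block introduces `patchesJson6902:` while `examples/authenticated-app/kustomization.yaml` in this commit migrates away from it to `patches:`; use `patches:` here as well, since `patchesJson6902` is deprecated and the two files should agree.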
@@ -0,0 +1,9 @@ +- op: replace + path: "/data/HYDRA_DISPATCHER_SQL_LOGIN_URL" + value: http://hydra-sql/login +- op: replace + path: "/data/HYDRA_DISPATCHER_SQL_CONSENT_URL" + value: http://hydra-sql/consent +- op: replace + path: "/data/HYDRA_DISPATCHER_SQL_LOGOUT_URL" + value: http://hydra-sql/logout diff --git a/components/hydra-sql/resources/hydra-sql-deployment.yaml b/components/hydra-sql/resources/hydra-sql-deployment.yaml index 400ae54..3b4a1a8 100644 --- a/components/hydra-sql/resources/hydra-sql-deployment.yaml +++ b/components/hydra-sql/resources/hydra-sql-deployment.yaml 
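Review bot: All three ops are `replace`, which in JSON Patch fails when the target path does not yet exist, so this component only applies if the base `hydra-dispatcher-env` ConfigMap already declares `HYDRA_DISPATCHER_SQL_LOGIN_URL`, `HYDRA_DISPATCHER_SQL_CONSENT_URL` and `HYDRA_DISPATCHER_SQL_LOGOUT_URL`; that base is not in this diff. If the component is meant to be usable on a base that does not pre-declare these keys, `op: add` sets the key either way and is the safer choice. The plain-scalar URL values are fine as written, since none contains `: ` or ` #`.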
@@ -17,98 +17,98 @@ spec: app.kubernetes.io/name: hydra-sql spec: containers: - - name: hydra-sql-fpm - image: reg.cadoles.com/cadoles/hydra-sql-base:2024.4.2-develop.953.fc87b24 - imagePullPolicy: Always - args: ["/usr/sbin/php-fpm81", "-F", "-e"] - readinessProbe: - exec: - command: - - sh - - -c - - test -f /etc/php81/php-fpm.d/www.conf - livenessProbe: - exec: - command: - - php - - bin/console - - -V - initialDelaySeconds: 10 - periodSeconds: 30 - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 - envFrom: - - configMapRef: - name: hydra-sql-env - env: - - name: PHP_FPM_LISTEN - value: 127.0.0.1:9000 - - name: PHP_MEMORY_LIMIT - value: 128m - - name: PHP_FPM_MEMORY_LIMIT - value: 128m - - name: PHP_FPM_LOG_LEVEL - value: warning - volumeMounts: - - name: sql-login-config - mountPath: "/app/config/sql_login_configuration/sql_login.yaml" - subPath: "sql_login.yaml" + - name: hydra-sql-fpm + image: reg.cadoles.com/cadoles/hydra-sql-base:2024.4.2-develop.953.fc87b24 + imagePullPolicy: Always + args: ["/usr/sbin/php-fpm81", "-F", "-e"] + readinessProbe: + exec: + command: + - sh + - -c + - test -f /etc/php81/php-fpm.d/www.conf + livenessProbe: + exec: + command: + - php + - bin/console + - -V + initialDelaySeconds: 10 + periodSeconds: 30 + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + envFrom: + - configMapRef: + name: hydra-sql-env + env: + - name: PHP_FPM_LISTEN + value: 127.0.0.1:9000 + - name: PHP_MEMORY_LIMIT + value: 128m + - name: PHP_FPM_MEMORY_LIMIT + value: 128m + - name: PHP_FPM_LOG_LEVEL + value: warning + volumeMounts: + - name: sql-login-config + mountPath: "/app/config/sql_login_configuration/sql_login.yaml" + subPath: "sql_login.yaml" - - name: hydra-sql-caddy - image: reg.cadoles.com/cadoles/hydra-sql-base:2024.4.2-develop.953.fc87b24 - imagePullPolicy: Always - args: - [ - "/usr/sbin/caddy", - "run", - "--adapter", - "caddyfile", - "--config", - 
"/etc/caddy/Caddyfile", - ] - readinessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 5 - periodSeconds: 15 - envFrom: - - configMapRef: - name: hydra-sql-env - env: - - name: CADDY_APP_UPSTREAM_BACKEND_SERVER - value: 127.0.0.1:9000 - - name: CADDY_HTTPS_PORT - value: "8443" - - name: CADDY_HTTP_PORT - value: "8080" - - name: CADDY_DATA_FS - value: "/tmp/caddy" - - name: CADDY_APP_ROOT_PUBLIC - value: "/app/public/" - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 - ports: - - containerPort: 8080 - name: http - volumeMounts: - - name: sql-login-config - mountPath: "/app/config/sql_login_configuration/sql_login.yaml" - subPath: "sql_login.yaml" + - name: hydra-sql-caddy + image: reg.cadoles.com/cadoles/hydra-sql-base:2024.4.2-develop.953.fc87b24 + imagePullPolicy: Always + args: + [ + "/usr/sbin/caddy", + "run", + "--adapter", + "caddyfile", + "--config", + "/etc/caddy/Caddyfile", + ] + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 15 + envFrom: + - configMapRef: + name: hydra-sql-env + env: + - name: CADDY_APP_UPSTREAM_BACKEND_SERVER + value: 127.0.0.1:9000 + - name: CADDY_HTTPS_PORT + value: "8443" + - name: CADDY_HTTP_PORT + value: "8080" + - name: CADDY_DATA_FS + value: "/tmp/caddy" + - name: CADDY_APP_ROOT_PUBLIC + value: "/app/public/" + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + ports: + - containerPort: 8080 + name: http + volumeMounts: + - name: sql-login-config + mountPath: "/app/config/sql_login_configuration/sql_login.yaml" + subPath: "sql_login.yaml" volumes: - name: sql-login-config configMap: 
diff --git a/components/hydra-sql/resources/hydra-sql-service.yaml b/components/hydra-sql/resources/hydra-sql-service.yaml index d47ff69..7fb37cf 100644 --- a/components/hydra-sql/resources/hydra-sql-service.yaml +++ b/components/hydra-sql/resources/hydra-sql-service.yaml @@ -6,9 +6,9 @@ metadata: name: hydra-sql spec: ports: - - name: http - port: 80 - targetPort: http + - name: http + port: 80 + targetPort: http selector: app.kubernetes.io/name: hydra-sql status: diff --git a/components/oidc-test/resources/deployment.yaml b/components/oidc-test/resources/deployment.yaml index a237882..24f55db 100644 --- a/components/oidc-test/resources/deployment.yaml +++ b/components/oidc-test/resources/deployment.yaml @@ -23,17 +23,17 @@ spec: - containerPort: 8080 resources: {} envFrom: - - configMapRef: - name: oidc-test-env + - configMapRef: + name: oidc-test-env env: - - name: OIDC_CLIENT_ID - valueFrom: - secretKeyRef: - name: oidc-test-oauth2-client - key: client_id - - name: OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oidc-test-oauth2-client - key: client_secret + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-test-oauth2-client + key: CLIENT_ID + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-test-oauth2-client + key: CLIENT_SECRET restartPolicy: Always diff --git a/examples/authenticated-app/README.md b/examples/authenticated-app/README.md index 1619333..b169a79 100644 --- a/examples/authenticated-app/README.md +++ b/examples/authenticated-app/README.md 
@@ -8,35 +8,27 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. 1. Créer un cluster avec `kind` - ``` - kind create cluster --config ./examples/k8s/kind/cluster-config.yaml - ``` + ``` + kind create cluster --config ./examples/k8s/kind/cluster-config.yaml + ``` 2. Déployer les opérateurs nécessaires au déploiement - ``` - kubectl apply -k ./examples/k8s/kind/cluster --server-side - ``` + ``` + kubectl apply -k ./examples/k8s/kind/cluster --server-side + ``` 3. Déployer l'application - ``` - kubectl apply -k ./examples/authenticated-app - ``` - - **Note** Il est possible d'avoir l'erreur suivante: - ``` - error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1" + kubectl apply -k ./examples/authenticated-app ``` - Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande. - 4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts` - ``` - 127.0.0.1 ssokustom - ``` + ``` + 127.0.0.1 ssokustom + ``` 5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom @@ -55,7 +47,7 @@ kind delete cluster -n sso-kustom-example #### URL utiles -|URL|Description| -|---|-----------| -|https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth| -|https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth| +| URL | Description | +| --------------------------------------------------- | ------------------------------------- | +| https://ssokustom/auth/saml/Shibboleth.sso/Session | Attributs de la session SP Shibboleth | +| https://ssokustom/auth/saml/Shibboleth.sso/Metadata | Métadonnées du SP Shibboleth | 
diff --git a/examples/authenticated-app/kustomization.yaml b/examples/authenticated-app/kustomization.yaml index af62fc2..b4629c3 100644 --- a/examples/authenticated-app/kustomization.yaml +++ b/examples/authenticated-app/kustomization.yaml @@ -8,7 +8,7 @@ resources: - ./resources/self-signed-issuer.yaml - ./resources/port-forwarder.yaml -patchesJson6902: +patches: - target: version: v1 kind: ConfigMap @@ -38,4 +38,9 @@ patchesJson6902: version: v1alpha1 kind: OAuth2Client name: oidc-test-oauth2-client - path: patches/oidc-test-oauth2-client.yaml \ No newline at end of file + path: patches/oidc-test-oauth2-client.yaml + - target: + version: v1 + kind: ConfigMap + name: hydra-sql-env + path: patches/hydra-sql-env.yaml diff --git a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml index 464288a..3d8e7ce 100644 --- a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml +++ b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml @@ -27,4 +27,14 @@ - op: replace path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL" value: https://ssokustom/auth/saml/logout - \ No newline at end of file + +# Hydra SQL configuration +- op: replace + path: "/data/HYDRA_DISPATCHER_SQL_LOGIN_URL" + value: https://ssokustom/auth/sql/login +- op: replace + path: "/data/HYDRA_DISPATCHER_SQL_CONSENT_URL" + value: https://ssokustom/auth/sql/consent +- op: replace + path: "/data/HYDRA_DISPATCHER_SQL_LOGOUT_URL" + value: https://ssokustom/auth/sql/logout diff --git a/examples/authenticated-app/patches/hydra-sql-env.yaml b/examples/authenticated-app/patches/hydra-sql-env.yaml new file mode 100644 index 0000000..b6c71c1 --- /dev/null +++ b/examples/authenticated-app/patches/hydra-sql-env.yaml 
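Review bot: The example now patches `hydra-sql-env` and the dispatcher env gains SQL login/consent/logout URLs, but the README context line at the top of its hunk still states that the example is deployed with `hydra-saml` only, and its useful-URLs table lists only the Shibboleth endpoints; update that sentence and the table to mention hydra-sql, or say in the commit message that the README is to follow since this is marked wip. The `components:` list that would enable `../../components/hydra-sql` is outside the kustomization hunk, so I cannot confirm the component is actually included; if it is not, the new `hydra-sql-env` patch target has nothing to match and kustomize will fail. The `patchesJson6902:` → `patches:` rename itself is correct and the `target` fields carry over unchanged.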
@@ -0,0 +1,24 @@ +- op: replace + path: "/data/BASE_URL" + value: https://ssokustom/auth/sql +- op: replace + path: "/data/ISSUER_URL" + value: https://ssokustom +- op: replace + path: "/data/ISSUER_URL" + value: https://ssokustom +- op: replace + path: "/data/HYDRA_ADMIN_BASE_URL" + value: http://hydra-dispatcher +- op: replace + path: "/data/DSN_REMOTE_DATABASE" + value: pgsql:host='postgres';port=5432;dbname=lasql +- op: replace + path: "/data/REDIS_DSN" + value: redis://redis:6379 +- op: replace + path: "/data/DB_USER" + value: makeMeASecret +- op: replace + path: "/data/DB_PASSWORD" + value: rmakeMeASecret diff --git a/examples/authenticated-app/resources/ingress.yaml b/examples/authenticated-app/resources/ingress.yaml index 76212ba..4bc0f67 100644 --- a/examples/authenticated-app/resources/ingress.yaml +++ b/examples/authenticated-app/resources/ingress.yaml @@ -10,19 +10,19 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: oidc-test - port: - name: http + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: oidc-test + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress 
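Review bot: The `/data/ISSUER_URL` replace op appears twice with the same value; the second is a no-op and should be dropped. `DB_PASSWORD` is set to `rmakeMeASecret` while `DB_USER` here and the component default for `DB_PASSWORD` both use `makeMeASecret`, so the leading `r` looks like a typo that will make hydra-sql fail to connect to a database provisioned with the default credential; confirm against the postgres cluster definition, which is not in this diff. The database user and password are also being written into a ConfigMap patch committed to the repository; a Secret referenced via `secretKeyRef` from the deployment is the expected home for them even as placeholders, and it keeps tooling from treating them as ordinary config data.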
@@ -34,19 +34,43 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth/saml(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra-saml - port: - name: http + - http: + paths: + - path: /auth/saml(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-saml + port: + name: http +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: auth-sql + annotations: + cert-manager.io/issuer: "self-signed" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" +spec: + ingressClassName: nginx + tls: + - hosts: + - ssokustom + secretName: ssokustom-example-tls + rules: + - http: + paths: + - path: /auth/sql(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-sql + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress @@ -60,19 +84,19 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth/dispatcher(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra-dispatcher - port: - name: http + - http: + paths: + - path: /auth/dispatcher(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-dispatcher + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress @@ -85,19 +109,19 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra - port: - name: hydra-public + - http: + paths: + - path: /auth(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra + port: + name: hydra-public --- apiVersion: networking.k8s.io/v1 kind: Ingress 
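Review bot: The new `auth-sql` Ingress uses the capture-group path `/auth/sql(/|$)(.*)` but its metadata carries only the cert-manager issuer and force-ssl-redirect annotations; without `nginx.ingress.kubernetes.io/rewrite-target: /$2` (which also enables regex matching) ingress-nginx will not strip the `/auth/sql` prefix before forwarding to `hydra-sql`, whose in-cluster URLs elsewhere in this commit are `http://hydra-sql/login`, `/consent` and `/logout`. The sibling Ingresses' annotations sit outside this hunk, so I cannot confirm whether they set the rewrite; if they do, copy the same annotations here, and if they do not, the capture groups on every rule are dead weight. Also, newer ingress-nginx releases validate that `Prefix`/`Exact` paths contain no regex characters and reject such rules, and the kind cluster pulls ingress-nginx from `main`, so `pathType: ImplementationSpecific` is the safer choice for these regex paths.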
@@ -111,21 +135,16 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /simplesaml(/|$)(.*) - pathType: Prefix - backend: - service: - name: saml-idp - port: - name: https - - - - - \ No newline at end of file + - http: + paths: + - path: /simplesaml(/|$)(.*) + pathType: Prefix + backend: + service: + name: saml-idp + port: + name: https diff --git a/examples/k8s/kind/cluster/kustomization.yaml b/examples/k8s/kind/cluster/kustomization.yaml index af48eba..7ea026a 100644 --- a/examples/k8s/kind/cluster/kustomization.yaml +++ b/examples/k8s/kind/cluster/kustomization.yaml @@ -1,10 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml -- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop -- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop -- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + - https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml + - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop + - https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop + - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml patchesJson6902: - target: diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml index b7320d5..816ecc5 100644 --- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml 
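Review bot: Adding the `OAuth2Client` CRD alone installs the schema but not the hydra-maester controller that reconciles it; unless the controller is deployed elsewhere in the example (the hydra base is not in this diff), `oidc-test-oauth2-client` will be accepted by the API server but the `CLIENT_ID`/`CLIENT_SECRET` secret that the oidc-test deployment in this commit now reads will never be created. If the controller does ship with the hydra base, a one-line comment above the new entry, `# CRD only; hydra-maester itself is deployed with the hydra base`, would save the next reader the same question. The new entry is pinned to `v0.28.2`, which is good; note that `cloudnative-pg-operator` and `redis` still use `?ref=develop` and ingress-nginx is pulled from `main`, so the cluster bootstrap remains non-reproducible.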
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml 
@@ -17,91 +17,91 @@ spec: app.kubernetes.io/name: hydra-dispatcher spec: containers: - - name: hydra-dispatcher-php-fpm - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.4.2-develop.1411.74a9f16 - args: ["/usr/sbin/php-fpm81", "-F", "-e"] - readinessProbe: - exec: - command: - - sh - - -c - - test -f /etc/php81/php-fpm.d/www.conf - livenessProbe: - exec: - command: - - php - - bin/console - - -V - initialDelaySeconds: 10 - periodSeconds: 30 - env: - - name: PHP_FPM_LISTEN - value: 127.0.0.1:9000 - - name: PHP_MEMORY_LIMIT - value: 128m - - name: PHP_FPM_MEMORY_LIMIT - value: 128m - envFrom: - - configMapRef: - name: hydra-dispatcher-env - volumeMounts: - - mountPath: /app/config/hydra - name: hydra-dispatcher-apps - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 - - name: hydra-dispatcher-caddy - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.4.2-develop.1411.74a9f16 - imagePullPolicy: Always - args: - [ - "/usr/sbin/caddy", - "run", - "--adapter", - "caddyfile", - "--config", - "/etc/caddy/Caddyfile", - ] - readinessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 5 - periodSeconds: 15 - envFrom: - - configMapRef: - name: hydra-dispatcher-env - env: - - name: CADDY_APP_UPSTREAM_BACKEND_SERVER - value: 127.0.0.1:9000 - - name: CADDY_HTTPS_PORT - value: "8443" - - name: CADDY_HTTP_PORT - value: "8080" - - name: CADDY_DATA_FS - value: "/tmp/caddy" - - name: CADDY_APP_ROOT_PUBLIC - value: "/app/public/" - ports: - - containerPort: 8080 - name: http - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 + - name: hydra-dispatcher-php-fpm + image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.4.2-develop.1411.74a9f16 + args: ["/usr/sbin/php-fpm81", "-F", "-e"] + readinessProbe: + exec: + command: + - sh 
+ - -c + - test -f /etc/php81/php-fpm.d/www.conf + livenessProbe: + exec: + command: + - php + - bin/console + - -V + initialDelaySeconds: 10 + periodSeconds: 30 + env: + - name: PHP_FPM_LISTEN + value: 127.0.0.1:9000 + - name: PHP_MEMORY_LIMIT + value: 128m + - name: PHP_FPM_MEMORY_LIMIT + value: 128m + envFrom: + - configMapRef: + name: hydra-dispatcher-env + volumeMounts: + - mountPath: /app/config/hydra + name: hydra-dispatcher-apps + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + - name: hydra-dispatcher-caddy + image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.4.2-develop.1411.74a9f16 + imagePullPolicy: Always + args: + [ + "/usr/sbin/caddy", + "run", + "--adapter", + "caddyfile", + "--config", + "/etc/caddy/Caddyfile", + ] + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 15 + envFrom: + - configMapRef: + name: hydra-dispatcher-env + env: + - name: CADDY_APP_UPSTREAM_BACKEND_SERVER + value: 127.0.0.1:9000 + - name: CADDY_HTTPS_PORT + value: "8443" + - name: CADDY_HTTP_PORT + value: "8080" + - name: CADDY_DATA_FS + value: "/tmp/caddy" + - name: CADDY_APP_ROOT_PUBLIC + value: "/app/public/" + ports: + - containerPort: 8080 + name: http + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 restartPolicy: Always volumes: - - name: hydra-dispatcher-apps - configMap: - name: hydra-dispatcher-apps + - name: hydra-dispatcher-apps + configMap: + name: hydra-dispatcher-apps diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml index 1985e0d..24de326 100644 --- a/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml 
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml @@ -6,9 +6,9 @@ metadata: name: hydra-dispatcher spec: ports: - - name: http - port: 80 - targetPort: http + - name: http + port: 80 + targetPort: http selector: app.kubernetes.io/name: hydra-dispatcher status: