diff --git a/components/hydra-cnpg-database/kustomization.yaml b/components/hydra-cnpg-database/kustomization.yaml
index fc4c0db..20b7043 100644
--- a/components/hydra-cnpg-database/kustomization.yaml
+++ b/components/hydra-cnpg-database/kustomization.yaml
@@ -2,43 +2,43 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 configurations:
-  - ./configurations/cnpg-cluster.yaml
+- ./configurations/cnpg-cluster.yaml
 resources:
-  - ./resources/hydra-cnpg-cluster.yaml
+- ./resources/hydra-cnpg-cluster.yaml
 secretGenerator:
-  - name: hydra-postgres-admin
-    type: Secret
-    literals:
-      - username=postgres
-      - password=NotSoSecret
-  - name: hydra-postgres-user
-    type: Secret
-    literals:
-      - username=hydra
-      - password=NotSoSecret
+- name: hydra-postgres-admin
+  type: Secret
+  literals:
+  - username=postgres
+  - password=NotSoSecret
+- name: hydra-postgres-user
+  type: Secret
+  literals:
+  - username=hydra
+  - password=NotSoSecret
 vars:
 - name: HYDRA_DATABASE_SERVICE_NAME
   objref:
     name: hydra-postgres
-    kind: Cluster
+    kind: Cluster
     apiVersion: postgresql.cnpg.io/v1
   fieldref:
     fieldpath: metadata.name
 patchesJson6902:
-  - target:
-      group: apps
-      version: v1
-      kind: Deployment
-      name: hydra
-    path: patches/hydra-deployment.yaml
-  - target:
-      group: batch
-      version: v1
-      kind: Job
-      name: hydra-migrate
-    path: patches/hydra-migrate-job.yaml
\ No newline at end of file
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: hydra
+  path: patches/hydra-deployment.yaml
+- target:
+    group: batch
+    version: v1
+    kind: Job
+    name: hydra-migrate
+  path: patches/hydra-migrate-job.yaml
diff --git a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
index eb4222d..11c754f 100644
--- a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
+++ b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
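Review bot: Both `secretGenerator` entries on the new side still carry the literal `password=NotSoSecret` for the `postgres` superuser and the `hydra` role, so the rendered Secrets live in plain text in the repository and its history; the re-indent does not change that, but it is the point worth raising on this file. Anyone with read access to the repo presumably holds the database credentials for every environment built from this component, since nothing here marks them as placeholders to be overridden. Prefer `envs:`/`files:` pointing at an untracked or encrypted file (SOPS, SealedSecrets) or generate the Secret from the overlay, and at minimum add `# TODO(security): placeholder credentials, must be overridden per overlay` above `secretGenerator:`.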
@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: hydra-oidc
-        image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-159-gd91e77b
+        image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-170-g485b138
         envFrom:
         - configMapRef:
             name: hydra-oidc-env
diff --git a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml b/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
index 3c59a75..24502cc 100644
--- a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: hydra-saml-remote-user
-        image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-159-gd91e77b
+        image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138
         envFrom:
         - configMapRef:
             name: hydra-saml-env
diff --git a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml b/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
index 1810238..80a793b 100644
--- a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: hydra-saml-shibboleth-sp
-        image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-159-gd91e77b
+        image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679
         envFrom:
         - configMapRef:
             name: hydra-saml-env
diff --git a/kustomization.yaml b/kustomization.yaml
index aa8cbeb..38c75b0 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -2,10 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./resources/hydra
-  - ./resources/hydra-dispatcher
+- ./resources/hydra
+- ./resources/hydra-dispatcher
 components:
-  - ./components/hydra-cnpg-database
-  - ./components/hydra-oidc
-  - ./components/hydra-saml
\ No newline at end of file
+- ./components/hydra-cnpg-database
+- ./components/hydra-oidc
+- ./components/hydra-saml
diff --git a/resources/hydra-dispatcher/kustomization.yaml b/resources/hydra-dispatcher/kustomization.yaml
index 69bab09..23d854a 100644
--- a/resources/hydra-dispatcher/kustomization.yaml
+++ b/resources/hydra-dispatcher/kustomization.yaml
@@ -2,23 +2,23 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./resources/hydra-dispatcher-deployment.yaml
-  - ./resources/hydra-dispatcher-service.yaml
+- ./resources/hydra-dispatcher-deployment.yaml
+- ./resources/hydra-dispatcher-service.yaml
 configMapGenerator:
-  - name: hydra-dispatcher-env
-    literals:
-      - APP_ENV=prod
-      - APP_DEBUG=false
-      - HYDRA_BASE_URL=http://hydra:4444
-      - HYDRA_ADMIN_BASE_URL=http://hydra:4445
-      - HYDRA_REWRITE_ISSUER=yes
-      - HYDRA_ORIGINAL_ISSUER=http://hydra:4444
-      - HYDRA_NEW_ISSUER=http://hydra-dispatcher
-      - BASE_URL=http://hydra-dispatcher
-      - COOKIE_PATH=/
-      - DEFAULT_LOCALE=fr
-      - APP_LOCALES=fr,en
-  - name: hydra-dispatcher-apps
-    files:
-      - ./files/hydra/default.yaml
\ No newline at end of file
+- name: hydra-dispatcher-env
+  literals:
+  - APP_ENV=prod
+  - APP_DEBUG=false
+  - HYDRA_BASE_URL=http://hydra:4444
+  - HYDRA_ADMIN_BASE_URL=http://hydra:4445
+  - HYDRA_REWRITE_ISSUER=yes
+  - HYDRA_ORIGINAL_ISSUER=http://hydra:4444
+  - HYDRA_NEW_ISSUER=http://hydra-dispatcher
+  - BASE_URL=http://hydra-dispatcher
+  - COOKIE_PATH=/
+  - DEFAULT_LOCALE=fr
+  - APP_LOCALES=fr,en
+- name: hydra-dispatcher-apps
+  files:
+  - ./files/hydra/default.yaml
diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
index 9a4761e..7728ce9 100644
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
@@ -17,20 +17,20 @@ spec:
         io.kompose.service: hydra-dispatcher
     spec:
       containers:
-      - name: hydra-dispatcher
-        image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-159-gd91e77b
-        envFrom:
-        - configMapRef:
-            name: hydra-dispatcher-env
-        volumeMounts:
-        - mountPath: /var/www/config/hydra
-          name: hydra-dispatcher-apps
-        ports:
-        - containerPort: 80
-        resources: {}
+        - name: hydra-dispatcher
+          image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-218-g4b5e1d9
+          envFrom:
+            - configMapRef:
+                name: hydra-dispatcher-env
+          volumeMounts:
+            - mountPath: /var/www/config/hydra
+              name: hydra-dispatcher-apps
+          ports:
+            - containerPort: 80
+          resources: {}
       restartPolicy: Always
       volumes:
-      - name: hydra-dispatcher-apps
-        configMap:
-          name: hydra-dispatcher-apps
-
+        - name: hydra-dispatcher-apps
+          configMap:
+            name: hydra-dispatcher-apps
+
diff --git a/resources/hydra/kustomization.yaml b/resources/hydra/kustomization.yaml
index c300b4b..779cd22 100644
--- a/resources/hydra/kustomization.yaml
+++ b/resources/hydra/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
   - ./resources/hydra-rolebinding.yaml
   - ./resources/hydra-serviceaccount.yaml
   - ./resources/hydra-migrate-job.yaml
+  - ./resources/hydra-maester
 secretGenerator:
   - name: hydra-secret
@@ -21,7 +22,7 @@ configMapGenerator:
       - URLS_LOGIN=http://hydra-login-app/login
       - URLS_CONSENT=http://hydra-consent-app/consent
       - URLS_LOGOUT=http://hydra-logout-app/logout
-      - HYDRA_SERVE_ALL_ARGS=
+      - HYDRA_SERVE_ALL_ARGS=--dev
       - LOG_LEVEL=info
 vars:
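Review bot: `HYDRA_SERVE_ALL_ARGS=--dev` in the base ConfigMap of `resources/hydra` puts Hydra into its development mode, which Hydra's own help text describes as disabling critical security features (notably the HTTPS requirement on the public endpoint and on client redirect URIs), and every overlay built from this base now inherits it. Presumably it was added so the plain-http issuer `http://hydra:4444` used by the dispatcher keeps working, but that is a dev concern and does not belong in the base. Keep `- HYDRA_SERVE_ALL_ARGS=` here and set `--dev` from a dev-only `configMapGenerator` with `behavior: merge`, or, if the only need is running behind a TLS-terminating ingress, use Hydra's narrower TLS-termination settings instead of the blanket flag. Whichever you pick, add `# never --dev in production: it disables Hydra's HTTPS enforcement` next to the literal so the next edit does not re-introduce it.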
diff --git a/resources/hydra/resources/hydra-maester/kustomization.yaml b/resources/hydra/resources/hydra-maester/kustomization.yaml
new file mode 100644
index 0000000..42c02f6
--- /dev/null
+++ b/resources/hydra/resources/hydra-maester/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/hydra-maester-deployment.yaml
+  - ./resources/hydra-maester-rbac.yaml
+  - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
+
+configMapGenerator:
+  - name: hydra-maester-env
+    literals:
+      - APP_ENV=prod
+      - APP_DEBUG=false
+      - HYDRA_ADMIN_BASE_URL=http://hydra
+      - HYDRA_ADMIN_PORT=4445
\ No newline at end of file
diff --git a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
new file mode 100644
index 0000000..0b5b7bb
--- /dev/null
+++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
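Review bot: The `OAuth2Client` CRD is pulled from `raw.githubusercontent.com/ory/k8s/v0.28.2/...`, a git tag, which is a mutable reference fetched over the network on every `kustomize build`; whoever can move that tag (or sit between the build host and GitHub) decides which CRD schema gets applied, and builds fail offline. Pin the URL to a full commit SHA or, better, vendor the file as `./crds/crd-oauth2clients.yaml` so it is reviewed like the rest of this directory. Separately, `HYDRA_ADMIN_BASE_URL=http://hydra` with `HYDRA_ADMIN_PORT=4445` aims the controller at Hydra's admin API over plain HTTP; that API carries no authentication of its own, so as far as this change shows, any pod that can reach `hydra:4445` can create OAuth2 clients the same way, and no NetworkPolicy is added here. A one-line reminder next to the literal would help: `# admin API is unauthenticated: reachability must be limited by NetworkPolicy`.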
@@ -0,0 +1,56 @@
+---
+# Source: hydra/charts/hydra-maester/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hydra-maester
+  labels:
+    app.kubernetes.io/name: hydra-maester
+    app.kubernetes.io/instance: hydra-master
+    app.kubernetes.io/version: "v0.0.23"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      app.kubernetes.io/name: hydra-maester
+      app.kubernetes.io/instance: hydra
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        app.kubernetes.io/name: hydra-maester
+        app.kubernetes.io/instance: hydra
+      annotations:
+    spec:
+      containers:
+        - name: hydra-maester
+          image: reg.cadoles.com/proxy_cache/oryd/hydra-maester:v0.0.25
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: hydra-maester-env
+          command:
+            - /manager
+          args:
+            - --metrics-addr=127.0.0.1:8080
+            - --hydra-url=$(HYDRA_ADMIN_BASE_URL)
+            - --hydra-port=$(HYDRA_ADMIN_PORT)
+            - --endpoint=/admin/clients
+          resources:
+            {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+      serviceAccountName: hydra-maester-account
+      automountServiceAccountToken: true
+      nodeSelector:
diff --git a/resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml b/resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml
new file mode 100644
index 0000000..03548b3
--- /dev/null
+++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml
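Review bot: The container `securityContext` is tight, but there is no pod-level `securityContext`, so no `seccompProfile` is set; the Pod Security `restricted` profile requires `seccompProfile.type: RuntimeDefault` (or `Localhost`), and this controller would be rejected in a namespace enforcing it. Add under the pod `spec:`, next to `serviceAccountName`, the three lines `securityContext:` / `  seccompProfile:` / `    type: RuntimeDefault`. Two leftovers from the chart render are also worth tidying: `annotations:` and `nodeSelector:` are bare keys that parse as null, and the Deployment label `app.kubernetes.io/instance: hydra-master` differs from the `hydra` used in the selector and template labels (presumably a typo; it is cosmetic since Deployment labels are not bound to the selector). The `app.kubernetes.io/version: "v0.0.23"` label likewise lags the `v0.0.25` image tag.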
@@ -0,0 +1,60 @@
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hydra-maester-account
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role
+rules:
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "watch", "create"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: hydra-maester-account # Service account assigned to the controller pod.
+    namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: hydra-maester-role
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create"]
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: hydra-maester-account # Service account assigned to the controller pod.
+    namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hydra-maester-role
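Review bot: The `ClusterRole` grants `list` and `watch` on `secrets` in every namespace, and a `list` returns full Secret payloads, so this service account can dump every Secret in the cluster with one request — far more than the client-credential Secrets the controller creates — which makes a compromise of this pod a cluster-wide credential leak. This mirrors the upstream chart (`# Source:` header), but if hydra-maester here only needs to reconcile `OAuth2Client` objects in its own namespace, drop the `secrets` rule from the ClusterRole (the namespaced `Role` already grants `get`, `list`, `watch`, `create`) or run the controller namespace-scoped; confirm whether this version supports a namespace-scoped mode before cutting it. The `namespace: default` in both bindings' subjects is presumably relied upon for kustomize's namespace transformer, which in its default mode rewrites only ServiceAccount subjects whose namespace is `default`; a comment such as `# left as "default" on purpose: kustomize rewrites it to the target namespace` would spare the next reader a surprise.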