From 8075071f22097676f9dfd409895b36f284aeba6c Mon Sep 17 00:00:00 2001
From: Philippe Caseiro
Date: Fri, 17 Mar 2023 11:05:23 +0100
Subject: [PATCH] feat(resource): adding new hydra-maester resource

This allow to manage "Clients" with a CRD from official doc: The controller listens for Custom Resource which defines client registration request. Once Custom resource is created, the controller register oauth2 client in hydra using hydra's REST API. Client Id, Client Secret and Identifier of the client in hydra are be stored in the kubernetes as a secret and referenced in the applied CR. Reference is used to identify in which kubernetes secret are stored mentioned properties. Secret iscreated in the same namespace of applied CR. By default controller should be deployed in the same pod as hydra. Service discovery will come in place in the future.
---
 .../hydra-cnpg-database/kustomization.yaml | 50 ++++++++--------
 .../resources/hydra-oidc-deployment.yaml | 2 +-
 .../hydra-saml-remote-user-deployment.yaml | 2 +-
 .../hydra-saml-shibboleth-sp-deployment.yaml | 2 +-
 kustomization.yaml | 10 ++--
 resources/hydra-dispatcher/kustomization.yaml | 36 +++++------
 .../hydra-dispatcher-deployment.yaml | 30 +++++-----
 resources/hydra/kustomization.yaml | 3 +-
 .../hydra-maester/kustomization.yaml | 15 +++++
 .../resources/hydra-maester-deployment.yaml | 56 +++++++++++++++++
 .../resources/hydra-maester-rbac.yaml | 60 +++++++++++++++++++
 11 files changed, 199 insertions(+), 67 deletions(-)
 create mode 100644 resources/hydra/resources/hydra-maester/kustomization.yaml
 create mode 100644 resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
 create mode 100644 resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml
diff --git a/components/hydra-cnpg-database/kustomization.yaml b/components/hydra-cnpg-database/kustomization.yaml
index fc4c0db..20b7043 100644
--- a/components/hydra-cnpg-database/kustomization.yaml
+++ b/components/hydra-cnpg-database/kustomization.yaml
@@ -2,43 +2,43 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component configurations: - - ./configurations/cnpg-cluster.yaml +- ./configurations/cnpg-cluster.yaml resources: - - ./resources/hydra-cnpg-cluster.yaml +- ./resources/hydra-cnpg-cluster.yaml secretGenerator: - - name: hydra-postgres-admin - type: Secret - literals: - - username=postgres - - password=NotSoSecret - - name: hydra-postgres-user - type: Secret - literals: - - username=hydra - - password=NotSoSecret +- name: hydra-postgres-admin + type: Secret + literals: + - username=postgres + - password=NotSoSecret +- name: hydra-postgres-user + type: Secret + literals: + - username=hydra + - password=NotSoSecret vars: - name: HYDRA_DATABASE_SERVICE_NAME objref: name: hydra-postgres - kind: Cluster + kind: Cluster apiVersion: postgresql.cnpg.io/v1 fieldref: fieldpath: metadata.name patchesJson6902: - - target: - group: apps - version: v1 - kind: Deployment - name: hydra - path: patches/hydra-deployment.yaml - - target: - group: batch - version: v1 - kind: Job - name: hydra-migrate - path: patches/hydra-migrate-job.yaml \ No newline at end of file +- target: + group: apps + version: v1 + kind: Deployment + name: hydra + path: patches/hydra-deployment.yaml +- target: + group: batch + version: v1 + kind: Job + name: hydra-migrate + path: patches/hydra-migrate-job.yaml
diff --git a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
index eb4222d..11c754f 100644
--- a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
+++ b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
@@ -18,7 +18,7 @@ spec: spec: containers: - name: hydra-oidc - image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-159-gd91e77b + image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-170-g485b138 envFrom: - configMapRef: name: hydra-oidc-env
diff --git a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml b/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
index 3c59a75..24502cc 100644
--- a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
@@ -18,7 +18,7 @@ spec: spec: containers: - name: hydra-saml-remote-user - image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-159-gd91e77b + image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138 envFrom: - configMapRef: name: hydra-saml-env
diff --git a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml b/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
index 1810238..80a793b 100644
--- a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
@@ -18,7 +18,7 @@ spec: spec: containers: - name: hydra-saml-shibboleth-sp - image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-159-gd91e77b + image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679 envFrom: - configMapRef: name: hydra-saml-env
diff --git a/kustomization.yaml b/kustomization.yaml
index aa8cbeb..38c75b0 100644
--- a/kustomization.yaml
+++ b/kustomization.yaml
@@ -2,10 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./resources/hydra - - ./resources/hydra-dispatcher +- ./resources/hydra +- ./resources/hydra-dispatcher components: - - ./components/hydra-cnpg-database - - ./components/hydra-oidc - - ./components/hydra-saml \ No newline at end of file +- ./components/hydra-cnpg-database +- ./components/hydra-oidc +- ./components/hydra-saml
diff --git a/resources/hydra-dispatcher/kustomization.yaml b/resources/hydra-dispatcher/kustomization.yaml
index 69bab09..23d854a 100644
--- a/resources/hydra-dispatcher/kustomization.yaml
+++ b/resources/hydra-dispatcher/kustomization.yaml
@@ -2,23 +2,23 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./resources/hydra-dispatcher-deployment.yaml - - ./resources/hydra-dispatcher-service.yaml +- ./resources/hydra-dispatcher-deployment.yaml +- ./resources/hydra-dispatcher-service.yaml configMapGenerator: - - name: hydra-dispatcher-env - literals: - - APP_ENV=prod - - APP_DEBUG=false - - HYDRA_BASE_URL=http://hydra:4444 - - HYDRA_ADMIN_BASE_URL=http://hydra:4445 - - HYDRA_REWRITE_ISSUER=yes - - HYDRA_ORIGINAL_ISSUER=http://hydra:4444 - - HYDRA_NEW_ISSUER=http://hydra-dispatcher - - BASE_URL=http://hydra-dispatcher - - COOKIE_PATH=/ - - DEFAULT_LOCALE=fr - - APP_LOCALES=fr,en - - name: hydra-dispatcher-apps - files: - - ./files/hydra/default.yaml \ No newline at end of file +- name: hydra-dispatcher-env + literals: + - APP_ENV=prod + - APP_DEBUG=false + - HYDRA_BASE_URL=http://hydra:4444 + - HYDRA_ADMIN_BASE_URL=http://hydra:4445 + - HYDRA_REWRITE_ISSUER=yes + - HYDRA_ORIGINAL_ISSUER=http://hydra:4444 + - HYDRA_NEW_ISSUER=http://hydra-dispatcher + - BASE_URL=http://hydra-dispatcher + - COOKIE_PATH=/ + - DEFAULT_LOCALE=fr + - APP_LOCALES=fr,en +- name: hydra-dispatcher-apps + files: + - ./files/hydra/default.yaml
diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
index 9a4761e..7728ce9 100644
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
@@ -17,20 +17,20 @@ spec: io.kompose.service: hydra-dispatcher spec: containers: - - name: hydra-dispatcher - image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-159-gd91e77b - envFrom: - - configMapRef: - name: hydra-dispatcher-env - volumeMounts: - - mountPath: /var/www/config/hydra - name: hydra-dispatcher-apps - ports: - - containerPort: 80 - resources: {} + - name: hydra-dispatcher + image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-218-g4b5e1d9 + envFrom: + - configMapRef: + name: hydra-dispatcher-env + volumeMounts: + - mountPath: /var/www/config/hydra + name: hydra-dispatcher-apps + ports: + - containerPort: 80 + resources: {} restartPolicy: Always volumes: - - name: hydra-dispatcher-apps - configMap: - name: hydra-dispatcher-apps - + - name: hydra-dispatcher-apps + configMap: + name: hydra-dispatcher-apps +
diff --git a/resources/hydra/kustomization.yaml b/resources/hydra/kustomization.yaml
index c300b4b..779cd22 100644
--- a/resources/hydra/kustomization.yaml
+++ b/resources/hydra/kustomization.yaml
@@ -8,6 +8,7 @@ resources: - ./resources/hydra-rolebinding.yaml - ./resources/hydra-serviceaccount.yaml - ./resources/hydra-migrate-job.yaml + - ./resources/hydra-maester secretGenerator: - name: hydra-secret
@@ -21,7 +22,7 @@ configMapGenerator: - URLS_LOGIN=http://hydra-login-app/login - URLS_CONSENT=http://hydra-consent-app/consent - URLS_LOGOUT=http://hydra-logout-app/logout - - HYDRA_SERVE_ALL_ARGS= + - HYDRA_SERVE_ALL_ARGS=--dev - LOG_LEVEL=info vars:
diff --git a/resources/hydra/resources/hydra-maester/kustomization.yaml b/resources/hydra/resources/hydra-maester/kustomization.yaml
new file mode 100644
index 0000000..42c02f6
--- /dev/null
+++ b/resources/hydra/resources/hydra-maester/kustomization.yaml
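Review bot: In the second `resources/hydra/kustomization.yaml` hunk, `HYDRA_SERVE_ALL_ARGS=` becomes `HYDRA_SERVE_ALL_ARGS=--dev`, and Hydra documents `--dev` as a flag that disables critical security features (HTTPS enforcement among them) to ease local development; the commit message does not mention this change at all. Because this file is the base that every overlay inherits, the whole stack is now built in dev mode rather than only a local environment. Keep the base at `- HYDRA_SERVE_ALL_ARGS=` and move the `--dev` value into a development-only overlay or component, or at minimum record the intent next to it with `# --dev disables HTTPS enforcement and other Hydra hardening; development use only`. The first hunk of this file, which only adds `./resources/hydra-maester`, needs no change.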
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - ./resources/hydra-maester-deployment.yaml
+ - ./resources/hydra-maester-rbac.yaml
+ - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
+
+configMapGenerator:
+ - name: hydra-maester-env
+ literals:
+ - APP_ENV=prod
+ - APP_DEBUG=false
+ - HYDRA_ADMIN_BASE_URL=http://hydra
+ - HYDRA_ADMIN_PORT=4445
\ No newline at end of file
diff --git a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
new file mode 100644
index 0000000..0b5b7bb
--- /dev/null
+++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
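Review bot: The OAuth2Client CRD is fetched at build time from `https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml`, so every `kustomize build` depends on GitHub being reachable and trusts whatever the `v0.28.2` tag currently points to; a tag can be moved and a raw URL carries no integrity check. Vendor the CRD into `resources/` next to the deployment and RBAC manifests (recording its origin in a comment such as `# vendored from ory/k8s v0.28.2, helm/charts/hydra-maester/crds/crd-oauth2clients.yaml`), or at least pin the URL to a commit SHA instead of a tag. I also cannot tell from the diff that the chart `v0.28.2` CRD matches the `hydra-maester:v0.0.25` image run by the deployment, so a comment pairing the two would help the next upgrade. `APP_ENV=prod` and `APP_DEBUG=false` look copied from the `hydra-dispatcher-env` config map and are probably not read by the controller; worth confirming and dropping if unused.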
@@ -0,0 +1,56 @@
+---
+# Source: hydra/charts/hydra-maester/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: hydra-maester
+ labels:
+ app.kubernetes.io/name: hydra-maester
+ app.kubernetes.io/instance: hydra-master
+ app.kubernetes.io/version: "v0.0.23"
+spec:
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: hydra-maester
+ app.kubernetes.io/instance: hydra
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: hydra-maester
+ app.kubernetes.io/instance: hydra
+ annotations:
+ spec:
+ containers:
+ - name: hydra-maester
+ image: reg.cadoles.com/proxy_cache/oryd/hydra-maester:v0.0.25
+ imagePullPolicy: IfNotPresent
+ envFrom:
+ - configMapRef:
+ name: hydra-maester-env
+ command:
+ - /manager
+ args:
+ - --metrics-addr=127.0.0.1:8080
+ - --hydra-url=$(HYDRA_ADMIN_BASE_URL)
+ - --hydra-port=$(HYDRA_ADMIN_PORT)
+ - --endpoint=/admin/clients
+ resources:
+ {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ serviceAccountName: hydra-maester-account
+ automountServiceAccountToken: true
+ nodeSelector:
diff --git a/resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml b/resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml
new file mode 100644
index 0000000..03548b3
--- /dev/null
+++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml
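Review bot: The Deployment's own labels disagree with the rest of the manifest: `app.kubernetes.io/instance: hydra-master` on the object versus `app.kubernetes.io/instance: hydra` in the selector and pod template, and `app.kubernetes.io/version: "v0.0.23"` versus the `hydra-maester:v0.0.25` image that is actually run. The selector still matches the template so the rollout works, but label-driven tooling and anyone auditing deployed versions will be misled; set `app.kubernetes.io/instance: hydra` and `app.kubernetes.io/version: "v0.0.25"` so the three agree. `annotations:` and the trailing `nodeSelector:` are bare keys (null) left over from chart rendering and can be dropped, and `resources: {}` leaves the controller without requests or limits. The securityContext (non-root, read-only root filesystem, all capabilities dropped, no privilege escalation) is the right hardening for a controller and should be kept as-is.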
@@ -0,0 +1,60 @@
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: hydra-maester-account
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hydra-maester-role
+rules:
+ - apiGroups: ["hydra.ory.sh"]
+ resources: ["oauth2clients", "oauth2clients/status"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list", "watch", "create"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hydra-maester-role-binding
+subjects:
+ - kind: ServiceAccount
+ name: hydra-maester-account # Service account assigned to the controller pod.
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: hydra-maester-role
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hydra-maester-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create"]
+ - apiGroups: ["hydra.ory.sh"]
+ resources: ["oauth2clients", "oauth2clients/status"]
+ verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hydra-maester-role-binding
+subjects:
+ - kind: ServiceAccount
+ name: hydra-maester-account # Service account assigned to the controller pod.
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: hydra-maester-role
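Review bot: Both bindings hard-code `namespace: default` for the ServiceAccount subject while nothing in this kustomization sets a namespace, so if the stack is applied with `-n <other>` (or a parent kustomization later adds `namespace:`) the ServiceAccount lands in that namespace, the ClusterRoleBinding keeps pointing at a non-existent `hydra-maester-account` in `default`, and the controller silently loses its cluster permissions; kustomize's namespace transformer may rewrite the subject, but only when that field is used, so either rely on it explicitly or document the assumption with `# must match the namespace the ServiceAccount is deployed to`. The ClusterRole also grants `list` and `watch` on `secrets` in every namespace, which lets the controller's token read the contents of all Secrets in the cluster rather than only the client secrets it creates; this mirrors the upstream chart, but if OAuth2Client resources are only expected in known namespaces, per-namespace Roles like the one defined below would confine the blast radius of a compromised controller pod. Giving the Role and the ClusterRole the same name `hydra-maester-role` (and both bindings `hydra-maester-role-binding`) is legal but makes audit logs and `kubectl describe` output ambiguous; a distinct name such as `hydra-maester-cluster-role` for the cluster-scoped pair would help.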