feat(resource): adding new hydra-maester resource
This allows managing "Clients" with a CRD. From the official doc: The controller listens for a Custom Resource which defines a client registration request. Once the Custom Resource is created, the controller registers the OAuth2 client in Hydra using Hydra's REST API. The Client ID, Client Secret and the identifier of the client in Hydra are stored in Kubernetes as a Secret and referenced in the applied CR. The reference is used to identify in which Kubernetes Secret the mentioned properties are stored. The Secret is created in the same namespace as the applied CR. By default the controller should be deployed in the same pod as Hydra. Service discovery will come into place in the future.
This commit is contained in:
parent
b1b834c2d4
commit
8075071f22
@ -18,7 +18,7 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: hydra-oidc
|
- name: hydra-oidc
|
||||||
image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-159-gd91e77b
|
image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-170-g485b138
|
||||||
envFrom:
|
envFrom:
|
||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: hydra-oidc-env
|
name: hydra-oidc-env
@ -18,7 +18,7 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: hydra-saml-remote-user
|
- name: hydra-saml-remote-user
|
||||||
image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-159-gd91e77b
|
image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138
|
||||||
envFrom:
|
envFrom:
|
||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: hydra-saml-env
|
name: hydra-saml-env
@ -18,7 +18,7 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: hydra-saml-shibboleth-sp
|
- name: hydra-saml-shibboleth-sp
|
||||||
image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-159-gd91e77b
|
image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679
|
||||||
envFrom:
|
envFrom:
|
||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: hydra-saml-env
|
name: hydra-saml-env
@ -18,7 +18,7 @@ spec:
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: hydra-dispatcher
|
- name: hydra-dispatcher
|
||||||
image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-159-gd91e77b
|
image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-218-g4b5e1d9
|
||||||
envFrom:
|
envFrom:
|
||||||
- configMapRef:
|
- configMapRef:
|
||||||
name: hydra-dispatcher-env
|
name: hydra-dispatcher-env
@ -8,6 +8,7 @@ resources:
|
||||||
- ./resources/hydra-rolebinding.yaml
|
- ./resources/hydra-rolebinding.yaml
|
||||||
- ./resources/hydra-serviceaccount.yaml
|
- ./resources/hydra-serviceaccount.yaml
|
||||||
- ./resources/hydra-migrate-job.yaml
|
- ./resources/hydra-migrate-job.yaml
|
||||||
|
- ./resources/hydra-maester
|
||||||
|
|
||||||
secretGenerator:
|
secretGenerator:
|
||||||
- name: hydra-secret
|
- name: hydra-secret
|
||||||
|
@ -21,7 +22,7 @@ configMapGenerator:
|
||||||
- URLS_LOGIN=http://hydra-login-app/login
|
- URLS_LOGIN=http://hydra-login-app/login
|
||||||
- URLS_CONSENT=http://hydra-consent-app/consent
|
- URLS_CONSENT=http://hydra-consent-app/consent
|
||||||
- URLS_LOGOUT=http://hydra-logout-app/logout
|
- URLS_LOGOUT=http://hydra-logout-app/logout
|
||||||
- HYDRA_SERVE_ALL_ARGS=
|
- HYDRA_SERVE_ALL_ARGS=--dev
|
||||||
- LOG_LEVEL=info
|
- LOG_LEVEL=info
|
||||||
|
|
||||||
vars:
|
vars:
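Review bot: `HYDRA_SERVE_ALL_ARGS=--dev` switches Hydra into development mode, a flag Hydra documents as disabling critical security features (notably the requirement to serve over TLS and the related HTTPS-only checks) and as unsuitable for production; nothing in the commit description explains why the maester integration needs it. If the intent is only to let Hydra run behind in-cluster plaintext (the neighbouring `URLS_*` literals are all `http://`), the documented route is to leave `--dev` off and allow upstream TLS termination via Hydra's `serve.tls.allow_termination_from` / `SERVE_TLS_ALLOW_TERMINATION_FROM` setting for the cluster CIDR, or to confine `--dev` to a development overlay rather than this shared kustomization. At minimum add `# --dev disables Hydra's TLS/HTTPS enforcement; never ship to production` above the literal so the flag is not inherited silently by every overlay.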
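--- /dev/null
+++ b/resources/hydra-maester/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/hydra-maester-deployment.yaml
+  - ./resources/hydra-maester-rbac.yaml
+  - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
+
+configMapGenerator:
+  - name: hydra-maester-env
+    literals:
+      - APP_ENV=prod
+      - APP_DEBUG=false
+      - HYDRA_ADMIN_BASE_URL=http://hydra
+      - HYDRA_ADMIN_PORT=4445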
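Review bot: The OAuth2Client CRD is fetched at build time from raw.githubusercontent.com at the git tag `v0.28.2`, which is a mutable reference and makes every `kustomize build` depend on network access and on that tag not moving; it is also taken from a different release than the controller image (v0.0.25) the deployment runs, so schema and controller may drift. Vendor the CRD alongside the other two resources (e.g. `- ./resources/crd-oauth2clients.yaml`) or pin the URL to a commit SHA so the installed schema is reproducible and reviewable in this repository. Separately, `HYDRA_ADMIN_BASE_URL=http://hydra` points the controller at Hydra's admin API over plaintext; Hydra does not authenticate that API itself, so this relies entirely on port 4445 not being reachable beyond the namespace — a comment stating that assumption here, and a NetworkPolicy if one does not already exist, would make the trust boundary explicit.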
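--- /dev/null
+++ b/resources/hydra-maester/resources/hydra-maester-deployment.yaml
@@ -0,0 +1,56 @@
+---
+# Source: hydra/charts/hydra-maester/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hydra-maester
+  labels:
+    app.kubernetes.io/name: hydra-maester
+    app.kubernetes.io/instance: hydra-master
+    app.kubernetes.io/version: "v0.0.23"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      app.kubernetes.io/name: hydra-maester
+      app.kubernetes.io/instance: hydra
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        app.kubernetes.io/name: hydra-maester
+        app.kubernetes.io/instance: hydra
+      annotations:
+    spec:
+      containers:
+        - name: hydra-maester
+          image: reg.cadoles.com/proxy_cache/oryd/hydra-maester:v0.0.25
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: hydra-maester-env
+          command:
+            - /manager
+          args:
+            - --metrics-addr=127.0.0.1:8080
+            - --hydra-url=$(HYDRA_ADMIN_BASE_URL)
+            - --hydra-port=$(HYDRA_ADMIN_PORT)
+            - --endpoint=/admin/clients
+          resources:
+            {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+      serviceAccountName: hydra-maester-account
+      automountServiceAccountToken: true
+      nodeSelector: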
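Review bot: The metadata labels do not describe what is deployed: `app.kubernetes.io/version: "v0.0.23"` disagrees with the image tag `hydra-maester:v0.0.25`, and `app.kubernetes.io/instance: hydra-master` differs from the `hydra` value used in the selector and pod template, which looks like rendered chart output that was copied and partially edited — fix to `app.kubernetes.io/version: "v0.0.25"` and `app.kubernetes.io/instance: hydra`. Because the image is pulled through a pull-through cache (`proxy_cache/oryd/...`) by tag only, consider pinning it by digest (`image: reg.cadoles.com/proxy_cache/oryd/hydra-maester@sha256:<digest>`) so the cache cannot serve a different `v0.0.25` than the one reviewed. The container hardening (drop ALL, `readOnlyRootFilesystem`, `runAsNonRoot`, no privilege escalation) is good; a pod-level `seccompProfile: { type: RuntimeDefault }` and non-empty `resources` limits would complete it, and the trailing bare `nodeSelector:` (a YAML null) can simply be removed.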
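--- /dev/null
+++ b/resources/hydra-maester/resources/hydra-maester-rbac.yaml
@@ -0,0 +1,60 @@
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hydra-maester-account
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role
+rules:
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "watch", "create"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: hydra-maester-account # Service account assigned to the controller pod.
+    namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: hydra-maester-role
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create"]
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: hydra-maester-account # Service account assigned to the controller pod.
+    namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hydra-maester-role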
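Review bot: The ClusterRole grants `list` and `watch` on `secrets` in every namespace, and since those verbs return full Secret contents, the controller's service account — whose token is auto-mounted by the deployment — can read every Secret in the cluster, far more than the commit description requires (client secrets are created in the CR's own namespace). If OAuth2Client CRs are only expected in the Hydra namespace, drop the `secrets` rule from the ClusterRole (and arguably the whole ClusterRole/ClusterRoleBinding pair) and rely on the namespaced Role below, which already grants `get`, `list`, `watch`, `create` on secrets; if cross-namespace clients are genuinely required, keep the cluster rule and state why in a comment above it. Both bindings also hard-code `namespace: default` for the service account; unless the parent kustomization sets `namespace:` (in which case kustomize rewrites ServiceAccount subject namespaces), deploying anywhere else leaves the bindings pointing at a non-existent account and the controller failing RBAC checks. Consider replacing the literal with a comment such as `# must match the namespace hydra-maester-account is deployed to` and verifying the rendered output with `kustomize build`.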