feat(resource): adding new hydra-maester resource

This allow to manage "Clients" with a CRD

from official doc:

The controller listens for Custom Resource which defines client registration request.
Once Custom resource is created, the controller register oauth2 client in hydra using
hydra's REST API.

Client Id, Client Secret and Identifier of the client in hydra are be stored in the
kubernetes as a secret and referenced in the applied CR. Reference is used to
identify in which kubernetes secret are stored mentioned properties.

Secret iscreated in the same namespace of applied CR. By default controller should
be deployed in the same pod as hydra. Service discovery will come in place in the future.

components/hydra-cnpg-database/kustomization.yaml

@@ -2,43 +2,43 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
 configurations:
-  - ./configurations/cnpg-cluster.yaml
+- ./configurations/cnpg-cluster.yaml
 
 resources:
-  - ./resources/hydra-cnpg-cluster.yaml
+- ./resources/hydra-cnpg-cluster.yaml
 
 secretGenerator:
-  - name: hydra-postgres-admin
+- name: hydra-postgres-admin
-    type: Secret
+  type: Secret
-    literals:
+  literals:
-      - username=postgres
+  - username=postgres
-      - password=NotSoSecret
+  - password=NotSoSecret
-  - name: hydra-postgres-user
+- name: hydra-postgres-user
-    type: Secret
+  type: Secret
-    literals:
+  literals:
-      - username=hydra
+  - username=hydra
-      - password=NotSoSecret
+  - password=NotSoSecret
 
 
 vars:
 - name: HYDRA_DATABASE_SERVICE_NAME
   objref:
     name: hydra-postgres
-    kind: Cluster 
+    kind: Cluster
     apiVersion: postgresql.cnpg.io/v1
   fieldref:
     fieldpath: metadata.name
 
 patchesJson6902:
-  - target:
+- target:
-      group: apps
+    group: apps
-      version: v1
+    version: v1
-      kind: Deployment
+    kind: Deployment
-      name: hydra
+    name: hydra
-    path: patches/hydra-deployment.yaml
+  path: patches/hydra-deployment.yaml
-  - target:
+- target:
-      group: batch
+    group: batch
-      version: v1
+    version: v1
-      kind: Job
+    kind: Job
-      name: hydra-migrate
+    name: hydra-migrate
-    path: patches/hydra-migrate-job.yaml
+  path: patches/hydra-migrate-job.yaml

components/hydra-oidc/resources/hydra-oidc-deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: hydra-oidc
-          image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-159-gd91e77b
+          image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-170-g485b138
           envFrom:
             - configMapRef:
                 name: hydra-oidc-env

components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: hydra-saml-remote-user
-          image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-159-gd91e77b
+          image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138
           envFrom:
             - configMapRef:
                 name: hydra-saml-env

components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: hydra-saml-shibboleth-sp
-          image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-159-gd91e77b
+          image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679
           envFrom:
             - configMapRef:
                 name: hydra-saml-env

kustomization.yaml

@@ -2,10 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ./resources/hydra
+- ./resources/hydra
-  - ./resources/hydra-dispatcher
+- ./resources/hydra-dispatcher
 
 components:
-  - ./components/hydra-cnpg-database
+- ./components/hydra-cnpg-database
-  - ./components/hydra-oidc
+- ./components/hydra-oidc
-  - ./components/hydra-saml
+- ./components/hydra-saml

resources/hydra-dispatcher/kustomization.yaml

@@ -2,23 +2,23 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ./resources/hydra-dispatcher-deployment.yaml
+- ./resources/hydra-dispatcher-deployment.yaml
-  - ./resources/hydra-dispatcher-service.yaml
+- ./resources/hydra-dispatcher-service.yaml
 
 configMapGenerator:
-  - name: hydra-dispatcher-env
+- name: hydra-dispatcher-env
-    literals:
+  literals:
-      - APP_ENV=prod
+  - APP_ENV=prod
-      - APP_DEBUG=false
+  - APP_DEBUG=false
-      - HYDRA_BASE_URL=http://hydra:4444
+  - HYDRA_BASE_URL=http://hydra:4444
-      - HYDRA_ADMIN_BASE_URL=http://hydra:4445
+  - HYDRA_ADMIN_BASE_URL=http://hydra:4445
-      - HYDRA_REWRITE_ISSUER=yes
+  - HYDRA_REWRITE_ISSUER=yes
-      - HYDRA_ORIGINAL_ISSUER=http://hydra:4444
+  - HYDRA_ORIGINAL_ISSUER=http://hydra:4444
-      - HYDRA_NEW_ISSUER=http://hydra-dispatcher
+  - HYDRA_NEW_ISSUER=http://hydra-dispatcher
-      - BASE_URL=http://hydra-dispatcher
+  - BASE_URL=http://hydra-dispatcher
-      - COOKIE_PATH=/
+  - COOKIE_PATH=/
-      - DEFAULT_LOCALE=fr
+  - DEFAULT_LOCALE=fr
-      - APP_LOCALES=fr,en
+  - APP_LOCALES=fr,en
-  - name: hydra-dispatcher-apps
+- name: hydra-dispatcher-apps
-    files:
+  files:
-      - ./files/hydra/default.yaml
+  - ./files/hydra/default.yaml

resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml

@@ -17,20 +17,20 @@ spec:
         io.kompose.service: hydra-dispatcher
     spec:
       containers:
-        - name: hydra-dispatcher
+      - name: hydra-dispatcher
-          image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-159-gd91e77b
+        image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-218-g4b5e1d9
-          envFrom:
+        envFrom:
-            - configMapRef:
+        - configMapRef:
-                name: hydra-dispatcher-env
+            name: hydra-dispatcher-env
-          volumeMounts:
+        volumeMounts:
-            - mountPath: /var/www/config/hydra
+        - mountPath: /var/www/config/hydra
-              name: hydra-dispatcher-apps
+          name: hydra-dispatcher-apps
-          ports:
+        ports:
-            - containerPort: 80
+        - containerPort: 80
-          resources: {}
+        resources: {}
       restartPolicy: Always
       volumes:
-        - name: hydra-dispatcher-apps
+      - name: hydra-dispatcher-apps
-          configMap:
+        configMap:
-            name: hydra-dispatcher-apps
+          name: hydra-dispatcher-apps
-            
+

resources/hydra/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
   - ./resources/hydra-rolebinding.yaml
   - ./resources/hydra-serviceaccount.yaml
   - ./resources/hydra-migrate-job.yaml
+  - ./resources/hydra-maester
 
 secretGenerator:
   - name: hydra-secret
@@ -21,7 +22,7 @@ configMapGenerator:
       - URLS_LOGIN=http://hydra-login-app/login
       - URLS_CONSENT=http://hydra-consent-app/consent
       - URLS_LOGOUT=http://hydra-logout-app/logout
-      - HYDRA_SERVE_ALL_ARGS=
+      - HYDRA_SERVE_ALL_ARGS=--dev
       - LOG_LEVEL=info
 
 vars:

resources/hydra/resources/hydra-maester/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/hydra-maester-deployment.yaml
+  - ./resources/hydra-maester-rbac.yaml
+  - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
+
+configMapGenerator:
+  - name: hydra-maester-env
+    literals:
+      - APP_ENV=prod
+      - APP_DEBUG=false
+      - HYDRA_ADMIN_BASE_URL=http://hydra
+      - HYDRA_ADMIN_PORT=4445

resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml

@@ -0,0 +1,56 @@
+---
+# Source: hydra/charts/hydra-maester/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hydra-maester
+  labels:
+    app.kubernetes.io/name: hydra-maester
+    app.kubernetes.io/instance: hydra-master
+    app.kubernetes.io/version: "v0.0.23"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      app.kubernetes.io/name: hydra-maester
+      app.kubernetes.io/instance: hydra
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        app.kubernetes.io/name: hydra-maester
+        app.kubernetes.io/instance: hydra
+      annotations:
+    spec:
+      containers:
+        - name: hydra-maester
+          image: reg.cadoles.com/proxy_cache/oryd/hydra-maester:v0.0.25
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: hydra-maester-env
+          command:
+            - /manager
+          args:
+            - --metrics-addr=127.0.0.1:8080
+            - --hydra-url=$(HYDRA_ADMIN_BASE_URL)
+            - --hydra-port=$(HYDRA_ADMIN_PORT)
+            - --endpoint=/admin/clients
+          resources:
+            {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+      serviceAccountName: hydra-maester-account
+      automountServiceAccountToken: true
+      nodeSelector:

resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml

@@ -0,0 +1,60 @@
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hydra-maester-account
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role
+rules:
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "watch", "create"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: hydra-maester-account # Service account assigned to the controller pod.
+    namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: hydra-maester-role
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create"]
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: hydra-maester-account # Service account assigned to the controller pod.
+    namespace:  default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hydra-maester-role