feat(resource): adding new hydra-maester resource

This allow to manage "Clients" with a CRD from official doc: The controller listens for Custom Resource which defines client registration request. Once Custom resource is created, the controller register oauth2 client in hydra using hydra's REST API. Client Id, Client Secret and Identifier of the client in hydra are be stored in the kubernetes as a secret and referenced in the applied CR. Reference is used to identify in which kubernetes secret are stored mentioned properties. Secret iscreated in the same namespace of applied CR. By default controller should be deployed in the same pod as hydra. Service discovery will come in place in the future.
2023-03-17 11:05:23 +01:00 · 2023-03-17 11:05:23 +01:00 · 8075071f22
parent b1b834c2d4
commit 8075071f22
11 changed files with 199 additions and 67 deletions
--- a/components/hydra-cnpg-database/kustomization.yaml
+++ b/components/hydra-cnpg-database/kustomization.yaml
@ -2,18 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component

 configurations:
-  - ./configurations/cnpg-cluster.yaml
+- ./configurations/cnpg-cluster.yaml

 resources:
-  - ./resources/hydra-cnpg-cluster.yaml
+- ./resources/hydra-cnpg-cluster.yaml

 secretGenerator:
-  - name: hydra-postgres-admin
+- name: hydra-postgres-admin
  type: Secret
  literals:
  - username=postgres
  - password=NotSoSecret
-  - name: hydra-postgres-user
+- name: hydra-postgres-user
  type: Secret
  literals:
  - username=hydra
@ -30,13 +30,13 @@ vars:
    fieldpath: metadata.name

 patchesJson6902:
-  - target:
+- target:
    group: apps
    version: v1
    kind: Deployment
    name: hydra
  path: patches/hydra-deployment.yaml
-  - target:
+- target:
    group: batch
    version: v1
    kind: Job
--- a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
+++ b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: hydra-oidc
-          image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-159-gd91e77b
+          image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-170-g485b138
          envFrom:
            - configMapRef:
                name: hydra-oidc-env
--- a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: hydra-saml-remote-user
-          image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-159-gd91e77b
+          image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138
          envFrom:
            - configMapRef:
                name: hydra-saml-env
--- a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: hydra-saml-shibboleth-sp
-          image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-159-gd91e77b
+          image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679
          envFrom:
            - configMapRef:
                name: hydra-saml-env
--- a/kustomization.yaml
+++ b/kustomization.yaml
@ -2,10 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
-  - ./resources/hydra
-  - ./resources/hydra-dispatcher
+- ./resources/hydra
+- ./resources/hydra-dispatcher

 components:
-  - ./components/hydra-cnpg-database
-  - ./components/hydra-oidc
-  - ./components/hydra-saml
+- ./components/hydra-cnpg-database
+- ./components/hydra-oidc
+- ./components/hydra-saml
--- a/resources/hydra-dispatcher/kustomization.yaml
+++ b/resources/hydra-dispatcher/kustomization.yaml
@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
-  - ./resources/hydra-dispatcher-deployment.yaml
-  - ./resources/hydra-dispatcher-service.yaml
+- ./resources/hydra-dispatcher-deployment.yaml
+- ./resources/hydra-dispatcher-service.yaml

 configMapGenerator:
-  - name: hydra-dispatcher-env
+- name: hydra-dispatcher-env
  literals:
  - APP_ENV=prod
  - APP_DEBUG=false
@ -19,6 +19,6 @@ configMapGenerator:
  - COOKIE_PATH=/
  - DEFAULT_LOCALE=fr
  - APP_LOCALES=fr,en
-  - name: hydra-dispatcher-apps
+- name: hydra-dispatcher-apps
  files:
  - ./files/hydra/default.yaml
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
@ -18,7 +18,7 @@ spec:
    spec:
      containers:
      - name: hydra-dispatcher
-          image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-159-gd91e77b
+        image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-218-g4b5e1d9
        envFrom:
        - configMapRef:
            name: hydra-dispatcher-env
--- a/resources/hydra/kustomization.yaml
+++ b/resources/hydra/kustomization.yaml
@ -8,6 +8,7 @@ resources:
  - ./resources/hydra-rolebinding.yaml
  - ./resources/hydra-serviceaccount.yaml
  - ./resources/hydra-migrate-job.yaml
+  - ./resources/hydra-maester

 secretGenerator:
  - name: hydra-secret
@ -21,7 +22,7 @@ configMapGenerator:
      - URLS_LOGIN=http://hydra-login-app/login
      - URLS_CONSENT=http://hydra-consent-app/consent
      - URLS_LOGOUT=http://hydra-logout-app/logout
-      - HYDRA_SERVE_ALL_ARGS=
+      - HYDRA_SERVE_ALL_ARGS=--dev
      - LOG_LEVEL=info

 vars:
--- a/resources/hydra/resources/hydra-maester/kustomization.yaml
+++ b/resources/hydra/resources/hydra-maester/kustomization.yaml
@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ./resources/hydra-maester-deployment.yaml
+  - ./resources/hydra-maester-rbac.yaml
+  - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
+
+configMapGenerator:
+  - name: hydra-maester-env
+    literals:
+      - APP_ENV=prod
+      - APP_DEBUG=false
+      - HYDRA_ADMIN_BASE_URL=http://hydra
+      - HYDRA_ADMIN_PORT=4445
--- a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
+++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
@ -0,0 +1,56 @@
+---
+# Source: hydra/charts/hydra-maester/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hydra-maester
+  labels:
+    app.kubernetes.io/name: hydra-maester
+    app.kubernetes.io/instance: hydra-master
+    app.kubernetes.io/version: "v0.0.23"
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      app.kubernetes.io/name: hydra-maester
+      app.kubernetes.io/instance: hydra
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        app.kubernetes.io/name: hydra-maester
+        app.kubernetes.io/instance: hydra
+      annotations:
+    spec:
+      containers:
+        - name: hydra-maester
+          image: reg.cadoles.com/proxy_cache/oryd/hydra-maester:v0.0.25
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: hydra-maester-env
+          command:
+            - /manager
+          args:
+            - --metrics-addr=127.0.0.1:8080
+            - --hydra-url=$(HYDRA_ADMIN_BASE_URL)
+            - --hydra-port=$(HYDRA_ADMIN_PORT)
+            - --endpoint=/admin/clients
+          resources:
+            {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
+      serviceAccountName: hydra-maester-account
+      automountServiceAccountToken: true
+      nodeSelector:
--- a/resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml
+++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-rbac.yaml
@ -0,0 +1,60 @@
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hydra-maester-account
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role
+rules:
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["list", "watch", "create"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: hydra-maester-account # Service account assigned to the controller pod.
+    namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: hydra-maester-role
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create"]
+  - apiGroups: ["hydra.ory.sh"]
+    resources: ["oauth2clients", "oauth2clients/status"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Source: hydra/charts/hydra-maester/templates/rbac.yaml
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hydra-maester-role-binding
+subjects:
+  - kind: ServiceAccount
+    name: hydra-maester-account # Service account assigned to the controller pod.
+    namespace:  default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: hydra-maester-role