feat(resource): adding new hydra-maester resource

This allow to manage "Clients" with a CRD

from official doc:

The controller listens for Custom Resource which defines client registration request.
Once Custom resource is created, the controller register oauth2 client in hydra using
hydra's REST API.

Client Id, Client Secret and Identifier of the client in hydra are be stored in the
kubernetes as a secret and referenced in the applied CR. Reference is used to
identify in which kubernetes secret are stored mentioned properties.

Secret iscreated in the same namespace of applied CR. By default controller should
be deployed in the same pod as hydra. Service discovery will come in place in the future.
This commit is contained in:
Philippe Caseiro 2023-03-17 11:05:23 +01:00
parent b1b834c2d4
commit 8075071f22
11 changed files with 199 additions and 67 deletions

View File

@ -2,18 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
configurations:
- ./configurations/cnpg-cluster.yaml
- ./configurations/cnpg-cluster.yaml
resources:
- ./resources/hydra-cnpg-cluster.yaml
- ./resources/hydra-cnpg-cluster.yaml
secretGenerator:
- name: hydra-postgres-admin
- name: hydra-postgres-admin
type: Secret
literals:
- username=postgres
- password=NotSoSecret
- name: hydra-postgres-user
- name: hydra-postgres-user
type: Secret
literals:
- username=hydra
@ -30,13 +30,13 @@ vars:
fieldpath: metadata.name
patchesJson6902:
- target:
- target:
group: apps
version: v1
kind: Deployment
name: hydra
path: patches/hydra-deployment.yaml
- target:
- target:
group: batch
version: v1
kind: Job

View File

@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: hydra-oidc
image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-159-gd91e77b
image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-170-g485b138
envFrom:
- configMapRef:
name: hydra-oidc-env

View File

@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: hydra-saml-remote-user
image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-159-gd91e77b
image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138
envFrom:
- configMapRef:
name: hydra-saml-env

View File

@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: hydra-saml-shibboleth-sp
image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-159-gd91e77b
image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679
envFrom:
- configMapRef:
name: hydra-saml-env

View File

@ -2,10 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./resources/hydra
- ./resources/hydra-dispatcher
- ./resources/hydra
- ./resources/hydra-dispatcher
components:
- ./components/hydra-cnpg-database
- ./components/hydra-oidc
- ./components/hydra-saml
- ./components/hydra-cnpg-database
- ./components/hydra-oidc
- ./components/hydra-saml

View File

@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./resources/hydra-dispatcher-deployment.yaml
- ./resources/hydra-dispatcher-service.yaml
- ./resources/hydra-dispatcher-deployment.yaml
- ./resources/hydra-dispatcher-service.yaml
configMapGenerator:
- name: hydra-dispatcher-env
- name: hydra-dispatcher-env
literals:
- APP_ENV=prod
- APP_DEBUG=false
@ -19,6 +19,6 @@ configMapGenerator:
- COOKIE_PATH=/
- DEFAULT_LOCALE=fr
- APP_LOCALES=fr,en
- name: hydra-dispatcher-apps
- name: hydra-dispatcher-apps
files:
- ./files/hydra/default.yaml

View File

@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: hydra-dispatcher
image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-159-gd91e77b
image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-218-g4b5e1d9
envFrom:
- configMapRef:
name: hydra-dispatcher-env

View File

@ -8,6 +8,7 @@ resources:
- ./resources/hydra-rolebinding.yaml
- ./resources/hydra-serviceaccount.yaml
- ./resources/hydra-migrate-job.yaml
- ./resources/hydra-maester
secretGenerator:
- name: hydra-secret
@ -21,7 +22,7 @@ configMapGenerator:
- URLS_LOGIN=http://hydra-login-app/login
- URLS_CONSENT=http://hydra-consent-app/consent
- URLS_LOGOUT=http://hydra-logout-app/logout
- HYDRA_SERVE_ALL_ARGS=
- HYDRA_SERVE_ALL_ARGS=--dev
- LOG_LEVEL=info
vars:

View File

@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./resources/hydra-maester-deployment.yaml
- ./resources/hydra-maester-rbac.yaml
- https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
configMapGenerator:
- name: hydra-maester-env
literals:
- APP_ENV=prod
- APP_DEBUG=false
- HYDRA_ADMIN_BASE_URL=http://hydra
- HYDRA_ADMIN_PORT=4445

View File

@ -0,0 +1,56 @@
---
# Source: hydra/charts/hydra-maester/templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: hydra-maester
labels:
app.kubernetes.io/name: hydra-maester
app.kubernetes.io/instance: hydra-master
app.kubernetes.io/version: "v0.0.23"
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
control-plane: controller-manager
app.kubernetes.io/name: hydra-maester
app.kubernetes.io/instance: hydra
template:
metadata:
labels:
control-plane: controller-manager
app.kubernetes.io/name: hydra-maester
app.kubernetes.io/instance: hydra
annotations:
spec:
containers:
- name: hydra-maester
image: reg.cadoles.com/proxy_cache/oryd/hydra-maester:v0.0.25
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: hydra-maester-env
command:
- /manager
args:
- --metrics-addr=127.0.0.1:8080
- --hydra-url=$(HYDRA_ADMIN_BASE_URL)
- --hydra-port=$(HYDRA_ADMIN_PORT)
- --endpoint=/admin/clients
resources:
{}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
serviceAccountName: hydra-maester-account
automountServiceAccountToken: true
nodeSelector:

View File

@ -0,0 +1,60 @@
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hydra-maester-account
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hydra-maester-role
rules:
- apiGroups: ["hydra.ory.sh"]
resources: ["oauth2clients", "oauth2clients/status"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list", "watch", "create"]
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hydra-maester-role-binding
subjects:
- kind: ServiceAccount
name: hydra-maester-account # Service account assigned to the controller pod.
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hydra-maester-role
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hydra-maester-role
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create"]
- apiGroups: ["hydra.ory.sh"]
resources: ["oauth2clients", "oauth2clients/status"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# Source: hydra/charts/hydra-maester/templates/rbac.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hydra-maester-role-binding
subjects:
- kind: ServiceAccount
name: hydra-maester-account # Service account assigned to the controller pod.
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: hydra-maester-role