fix: example app deployment with saml login app

2023-11-02 18:32:37 +01:00
parent 8075071f22
commit 8fe8423071
31 changed files with 540 additions and 203 deletions
--- a/components/hydra-saml/files/hydra/saml.yaml
+++ b/components/hydra-saml/files/hydra/saml.yaml
@ -10,4 +10,21 @@ hydra:
      login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%"
      consent_url: "%env(string:HYDRA_DISPATCHER_SAML_CONSENT_URL)%"
      logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
-      attributes_rewrite_rules: []
+      attributes_rewrite_configuration:
+        uid:
+          rules:
+          - "property_exists(consent.session.id_token, 'uid') ? consent.session.id_token.uid : null"
+        email:
+          rules:
+          - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+        eduPersonAffiliation:
+          rules:
+          - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null"
+  firewall:
+    rules:
+      email:
+        required: false
+      uid:
+        required: false
+      eduPersonAffiliation:
+        required: false
--- a/components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml
+++ b/components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml
@ -0,0 +1,3 @@
+<Attribute name="uid" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="uid" />
+<Attribute name="eduPersonAffiliation" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eduPersonAffiliation" />
+<Attribute name="email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="email" />
--- a/components/hydra-saml/kustomization.yaml
+++ b/components/hydra-saml/kustomization.yaml
@ -2,10 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component

 resources:
-  - ./resources/hydra-saml-service.yaml
-  - ./resources/hydra-saml-shibboleth-sp-deployment.yaml
-  - ./resources/hydra-saml-remote-user-deployment.yaml
-  - ./resources/hydra-saml-remote-user-service.yaml
+  - ./resources/hydra-saml-shibboleth-sp.yaml
+  - ./resources/hydra-saml-remote-user.yaml

 configMapGenerator:
  - name: hydra-saml-env
@ -18,6 +16,7 @@ configMapGenerator:
      - HYDRA_ADMIN_BASE_URL=http://hydra:4445/admin
      - TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
      - LOGOUT_REDIRECT_URL_PATTERN=http://hydra-saml/Shibboleth.sso/Logout?return=%s'
+      - PATH_PREFIX=
      # Shibboleth SP environment variables
      - SP_ENTITY_ID=http://hydra-saml-shibboleth-sp
      - IDP_ENTITY_ID=http://saml-idp
@ -29,6 +28,9 @@ configMapGenerator:
    behavior: merge
    files:
      - ./files/hydra/saml.yaml
+  - name: hydra-saml-shibboleth-sp
+    files:
+      - ./files/shibboleth-sp/attribute-map.inc.xml

 patchesJson6902:
  - target:
--- a/components/hydra-saml/resources/hydra-saml-remote-user-service.yaml
+++ b/components/hydra-saml/resources/hydra-saml-remote-user-service.yaml
@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    io.kompose.service: hydra-saml-remote-user
-  name: hydra-saml-remote-user
-spec:
-  ports:
-    - name: hydra-saml-remote-user
-      port: 80
-  selector:
-    io.kompose.service: hydra-saml-remote-user
-status:
-  loadBalancer: {}
--- a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
@ -18,7 +18,7 @@ spec:
    spec:
      containers:
        - name: hydra-saml-remote-user
-          image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138
+          image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-233-g64fcacc
          envFrom:
            - configMapRef:
                name: hydra-saml-env
@ -26,4 +26,18 @@ spec:
            - containerPort: 80
          resources: {}
      restartPolicy: Always
-            
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    io.kompose.service: hydra-saml-remote-user
+  name: hydra-saml-remote-user
+spec:
+  ports:
+    - name: http
+      port: 80
+  selector:
+    io.kompose.service: hydra-saml-remote-user
+status:
+  loadBalancer: {}
--- a/components/hydra-saml/resources/hydra-saml-service.yaml
+++ b/components/hydra-saml/resources/hydra-saml-service.yaml
@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    io.kompose.service: hydra-saml
-  name: hydra-saml
-spec:
-  ports:
-    - name: hydra-saml-shibboleth-sp
-      port: 80
-  selector:
-    io.kompose.service: hydra-saml-shibboleth-sp
-status:
-  loadBalancer: {}
--- a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
@ -16,14 +16,39 @@ spec:
      labels:
        io.kompose.service: hydra-saml-shibboleth-sp
    spec:
+      securityContext:
+        fsGroup: 102
      containers:
        - name: hydra-saml-shibboleth-sp
-          image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679
+          image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-233-g64fcacc
          envFrom:
            - configMapRef:
                name: hydra-saml-env
+          volumeMounts:
+            - name: attributes-map-inc
+              mountPath: /etc/shibboleth/attribute-map.inc.xml
+              subPath: attribute-map.inc.xml
          ports:
            - containerPort: 80
          resources: {}
      restartPolicy: Always
+      volumes:
+        - name: attributes-map-inc
+          configMap:
+            name: hydra-saml-shibboleth-sp
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    io.kompose.service: hydra-saml
+  name: hydra-saml
+spec:
+  ports:
+    - name: http
+      port: 80
+  selector:
+    io.kompose.service: hydra-saml-shibboleth-sp
+status:
+  loadBalancer: {}