diff --git a/components/hydra-saml/resources/hydra-saml-service.yaml b/components/hydra-saml/resources/hydra-saml-service.yaml
index c85bbc1..319464f 100644
--- a/components/hydra-saml/resources/hydra-saml-service.yaml
+++ b/components/hydra-saml/resources/hydra-saml-service.yaml
@@ -6,7 +6,7 @@ metadata:
 name: hydra-saml
 spec:
 ports:
- - name: hydra-saml-shibboleth-sp
+ - name: hydra-saml-shib
 port: 80
 selector:
 io.kompose.service: hydra-saml-shibboleth-sp
diff --git a/examples/authenticated-app/kustomization.yaml b/examples/authenticated-app/kustomization.yaml
index 926224c..e5db8ad 100644
--- a/examples/authenticated-app/kustomization.yaml
+++ b/examples/authenticated-app/kustomization.yaml
@@ -10,12 +10,45 @@ resources:
 - ./resources/ingress-prefix-traefik-middleware.yaml
 - ./resources/port-forwarder-deployment.yaml
 - ./resources/port-forwarder-service.yaml
+ - ./resources/app-role.yaml
+ - ./resources/app-serviceaccount.yaml
+ - ./resources/app-rolebinding.yaml
+ - ./resources/app-bootstrap-job.yaml
 components:
 - ../../components/hydra-cnpg-database
 #- ../../components/hydra-oidc
 - ../../components/hydra-saml
+patches:
+ - path: patches/add-registry-pull-secret.patch.yaml
+ target:
+ version: v1
+ kind: Deployment
+ - path: patches/add-registry-pull-secret.patch.yaml
+ target:
+ version: v1
+ kind: Job
+
+secretGenerator:
+ # For the bootstrap-app image. Should be public.
+ - name: regcred
+ type: kubernetes.io/dockerconfigjson
+ files:
+ - base/secrets/dockerconfig/.dockerconfigjson
+
+ - name: app-oidc-client
+ literals:
+ - OIDC_CLIENT_ID=oidc-test
+ - OIDC_CLIENT_SECRET=oidc-test-123456
+ - OIDC_CLIENT_NAME=Mon Super OIDC
+ - OIDC_CLIENT_GRANT_TYPES=authorization_code,refresh_token
+ - OIDC_CLIENT_POST_LOGOUT_REDIRECT_URIS=http://ssokustom:8080
+ - OIDC_CLIENT_REDIRECT_URIS=http://ssokustom:8080/oauth2/callback
+ - OIDC_CLIENT_RESPONSES_TYPES=code
+ - OIDC_CLIENT_LOGO_URI=http://localhost:8080/img/crous.png
+ - OIDC_CLIENT_SCOPE=openid,profile,email
+
 patchesJson6902:
 - target:
 version: v1
@@ -36,4 +69,22 @@ patchesJson6902:
 version: v1
 kind: Secret
 name: hydra-secret
- path: patches/hydra-secret.yaml
\ No newline at end of file
+ path: patches/hydra-secret.yaml
+
+
+vars:
+- name: PORTAL_OIDC_CLIENT_SECRET_NAME
+ objref:
+ name: app-oidc-client
+ kind: Secret
+ apiVersion: v1
+ fieldref:
+ fieldpath: metadata.name
+- name: HYDRA_SERVICE_NAME
+ objref:
+ name: hydra
+ apiVersion: v1
+ kind: Service
+ fieldref:
+ fieldpath: metadata.name
+
diff --git a/examples/authenticated-app/patches/add-registry-pull-secret.patch.yaml b/examples/authenticated-app/patches/add-registry-pull-secret.patch.yaml
new file mode 100644
index 0000000..568912a
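Review bot: The `secretGenerator` entry `app-oidc-client` commits `OIDC_CLIENT_SECRET=oidc-test-123456` as a plaintext literal in kustomization.yaml, so the client secret is tracked in git here and again in the commented-out `env` block of app-bootstrap-job.yaml. Even for an example, prefer `envs:` pointing at a git-ignored file alongside `base/secrets/dockerconfig/.dockerconfigjson`, or a literal that is unmistakably a placeholder, so that copying the example does not ship a real-looking credential. Separately, the two `patches` entries carry no `name:` or label selector, so `add-registry-pull-secret.patch.yaml` is applied to every Deployment and Job in the build, presumably including the resources pulled in from the `hydra-saml` and `hydra-cnpg-database` components; if that is intended, a comment such as `# applies regcred to ALL Deployments/Jobs, including component resources` would make it explicit.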
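Review bot: The new `vars` block depends on kustomize's `vars` feature, which upstream has deprecated in favour of `replacements`; current releases still honour it with a warning, so the `$(...)` substitutions in app-bootstrap-job.yaml may stop resolving on a future kustomize. Both entries resolve only if a `Secret` named `app-oidc-client` (the generator above, after its hash suffix is applied) and a `Service` named `hydra` exist in the build, and the Service is not defined in this diff, so a one-line comment `# HYDRA_SERVICE_NAME resolves to the hydra Service provided by the hydra-* components` would help readers. The surrounding `patchesJson6902` key is likewise the older spelling that `patches` supersedes, so the file now mixes both forms.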
--- /dev/null
+++ b/examples/authenticated-app/patches/add-registry-pull-secret.patch.yaml
@@ -0,0 +1,5 @@
+- op: add
+ path: "/spec/template/spec/imagePullSecrets"
+ value:
+ - name: regcred
+
diff --git a/examples/authenticated-app/resources/app-bootstrap-job.yaml b/examples/authenticated-app/resources/app-bootstrap-job.yaml
new file mode 100644
index 0000000..f694f71
--- /dev/null
+++ b/examples/authenticated-app/resources/app-bootstrap-job.yaml
@@ -0,0 +1,36 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: app-bootstrap
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ serviceAccountName: app-sa
+ containers:
+ - name: bootstrap-oidc
+ image: reg.cadoles.com/cnous-mse/oidc-client-bootstrap
+ imagePullPolicy: IfNotPresent
+ envFrom:
+ - secretRef:
+ name: app-oidc-client
+ env:
+ - name: PORTAL_OIDC_CLIENT_SECRET_NAME
+ value: $(PORTAL_OIDC_CLIENT_SECRET_NAME)
+ - name: HYDRA_SERVICE_NAME
+ value: $(HYDRA_SERVICE_NAME)
+# - name: LOG_LEVEL
+# value: "0"
+# - name: HTTP_ADDRESS
+# value: 0.0.0.0:8080
+# - name: OIDC_CLIENT_ID
+# value: oidc-test
+# - name: OIDC_CLIENT_SECRET
+# value: oidc-test-123456
+# - name: OIDC_ISSUER_URL
+# value: http://ssokustom:8080/auth
+# - name: OIDC_REDIRECT_URL
+# value: http://ssokustom:8080
+# - name: OIDC_POST_LOGOUT_REDIRECT_URL
+# value: http://ssokustom:8080
+ args: ["/bin/sh", "/usr/local/bin/oidc-client-bootstrap.sh"]
diff --git a/examples/authenticated-app/resources/app-deployment.yaml b/examples/authenticated-app/resources/app-deployment.yaml
index fc31c7c..f124183 100644
--- a/examples/authenticated-app/resources/app-deployment.yaml
+++ b/examples/authenticated-app/resources/app-deployment.yaml
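Review bot: `op: add` on `/spec/template/spec/imagePullSecrets` replaces the whole list when the target already declares one, so any Deployment or Job that brings its own pull secret silently loses it, and because the kustomization targets have no `name:` that applies to every Deployment and Job in the build rather than just `app-bootstrap`. Appending with the path `/spec/template/spec/imagePullSecrets/-` is not a drop-in alternative, since JSON Patch rejects it when the list does not exist yet. The safer fix is to narrow the targets in kustomization.yaml (`name: app-bootstrap` for the Job, and the app Deployment's `metadata.name` for the Deployment), or to document the behaviour here with `# NOTE: replaces any imagePullSecrets already set on the target`.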
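Review bot: `image: reg.cadoles.com/cnous-mse/oidc-client-bootstrap` carries no tag or digest, so a Job that runs as `app-sa` with `patch` rights on Secrets executes whatever the registry currently serves for the implicit `latest` (or whatever the node has cached, given `imagePullPolicy: IfNotPresent`); pin a tag or `@sha256:<digest>` (placeholder) so the bootstrap step is reproducible and cannot be swapped out by a later push. The fourteen commented-out `env` entries, including `# value: oidc-test-123456`, are dead configuration that duplicates what `envFrom` now injects and should be deleted rather than kept as comments. A `backoffLimit` and `activeDeadlineSeconds` on the Job `spec` would also bound retries of a failing bootstrap, though whether the script is safe to re-run is not visible here.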
@@ -22,15 +22,14 @@ spec:
 ports:
 - containerPort: 8080
 resources: {}
+ envFrom:
+ - secretRef:
+ name: app-oidc-client
 env:
 - name: LOG_LEVEL
 value: "0"
 - name: HTTP_ADDRESS
 value: 0.0.0.0:8080
- - name: OIDC_CLIENT_ID
- value: oidc-test
- - name: OIDC_CLIENT_SECRET
- value: oidc-test-123456
 - name: OIDC_ISSUER_URL
 value: http://ssokustom:8080/auth
 - name: OIDC_REDIRECT_URL
diff --git a/examples/authenticated-app/resources/app-role.yaml b/examples/authenticated-app/resources/app-role.yaml
new file mode 100644
index 0000000..c8d1655
--- /dev/null
+++ b/examples/authenticated-app/resources/app-role.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: status-reader
+rules:
+- apiGroups:
+ - batch
+ - v1
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ - v1
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ - v1
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ - v1
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - patch
+
diff --git a/examples/authenticated-app/resources/app-rolebinding.yaml b/examples/authenticated-app/resources/app-rolebinding.yaml
new file mode 100644
index 0000000..2d3877e
--- /dev/null
+++ b/examples/authenticated-app/resources/app-rolebinding.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: status-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: status-reader
+subjects:
+- kind: ServiceAccount
+ name: app-sa
+
diff --git a/examples/authenticated-app/resources/app-serviceaccount.yaml b/examples/authenticated-app/resources/app-serviceaccount.yaml
new file mode 100644
index 0000000..089c1ce
--- /dev/null
+++ b/examples/authenticated-app/resources/app-serviceaccount.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: app-sa
+
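Review bot: The `status-reader` Role grants `get`, `list` and `patch` on all `secrets` in the namespace, so `app-sa` (bound in app-rolebinding.yaml) can read every Secret the example ships, including `hydra-secret` and `regcred`, and modify any of them, which is far more than a bootstrap Job that updates `app-oidc-client` needs, and the name `status-reader` no longer describes what the Role allows. Restrict the secrets rule with `resourceNames: [app-oidc-client]` (kustomize rewrites `resourceNames` in Role rules to the hash-suffixed generated name, but confirm that for the kustomize version in use) and drop `list` if the script only reads the named Secret. Also, `v1` is not an API group: the core group is `""` and Jobs live in `batch`, so the `- v1` entry in each `apiGroups` list is inert and should be removed so it does not suggest it grants anything.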
diff --git a/examples/authenticated-app/resources/ingress.yaml b/examples/authenticated-app/resources/ingress.yaml
index 28ecffa..a2bfe73 100644
--- a/examples/authenticated-app/resources/ingress.yaml
+++ b/examples/authenticated-app/resources/ingress.yaml
@@ -7,7 +7,8 @@ metadata:
 traefik.ingress.kubernetes.io/router.middlewares: default-ingress-prefix@kubernetescrd
 spec:
 rules:
- - http:
+ - host: ssokustom
+ http:
 paths:
 - path: /
 pathType: Prefix
@@ -32,7 +33,18 @@ spec:
 name: hydra
 port:
 name: hydra-public
-
+
+ - host: hydra-saml-shibboleth-sp
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: hydra-saml
+ port:
+ name: hydra-saml-shib
+
 # - path: /auth/passwordless/?(.*)
 # pathType: Prefix
 # backend:
@@ -40,4 +52,4 @@ spec:
 # name: hydra
 # port:
 # name: http-public
-
\ No newline at end of file
+
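Review bot: The new rule publishes the `hydra-saml` Service (presumably the Shibboleth SP, given the selector `io.kompose.service: hydra-saml-shibboleth-sp`) at `/` on host `hydra-saml-shibboleth-sp`, and there is no `tls:` section anywhere in this hunk while every URL elsewhere in the example is `http://`, so the SP's session cookies and SAML responses would travel in clear text unless TLS is terminated in front of this Ingress. If the example is meant for local use only, say so next to the rule with `# demo only: no TLS, SP is reachable over plain HTTP`; otherwise add a `tls:` entry covering both hosts. The `host:` values are bare names rather than FQDNs, which works for local name resolution but belongs in the same comment. The enclosing `spec.rules` list begins before this hunk.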