WIP: exemple complet
This commit is contained in:
parent
9e0215d6f2
commit
a06bc28aa3
|
@ -6,7 +6,7 @@ metadata:
|
|||
name: hydra-saml
|
||||
spec:
|
||||
ports:
|
||||
- name: hydra-saml-shibboleth-sp
|
||||
- name: hydra-saml-shib
|
||||
port: 80
|
||||
selector:
|
||||
io.kompose.service: hydra-saml-shibboleth-sp
|
||||
|
|
|
@ -10,12 +10,45 @@ resources:
|
|||
- ./resources/ingress-prefix-traefik-middleware.yaml
|
||||
- ./resources/port-forwarder-deployment.yaml
|
||||
- ./resources/port-forwarder-service.yaml
|
||||
- ./resources/app-role.yaml
|
||||
- ./resources/app-serviceaccount.yaml
|
||||
- ./resources/app-rolebinding.yaml
|
||||
- ./resources/app-bootstrap-job.yaml
|
||||
|
||||
components:
|
||||
- ../../components/hydra-cnpg-database
|
||||
#- ../../components/hydra-oidc
|
||||
- ../../components/hydra-saml
|
||||
|
||||
patches:
|
||||
- path: patches/add-registry-pull-secret.patch.yaml
|
||||
target:
|
||||
version: v1
|
||||
kind: Deployment
|
||||
- path: patches/add-registry-pull-secret.patch.yaml
|
||||
target:
|
||||
version: v1
|
||||
kind: Job
|
||||
|
||||
secretGenerator:
|
||||
# For the bootstrap-app image. Should be public.
|
||||
- name: regcred
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
files:
|
||||
- base/secrets/dockerconfig/.dockerconfigjson
|
||||
|
||||
- name: app-oidc-client
|
||||
literals:
|
||||
- OIDC_CLIENT_ID=oidc-test
|
||||
- OIDC_CLIENT_SECRET=oidc-test-123456
|
||||
- OIDC_CLIENT_NAME=Mon Super OIDC
|
||||
- OIDC_CLIENT_GRANT_TYPES=authorization_code,refresh_token
|
||||
- OIDC_CLIENT_POST_LOGOUT_REDIRECT_URIS=http://ssokustom:8080
|
||||
- OIDC_CLIENT_REDIRECT_URIS=http://ssokustom:8080/oauth2/callback
|
||||
- OIDC_CLIENT_RESPONSES_TYPES=code
|
||||
- OIDC_CLIENT_LOGO_URI=http://localhost:8080/img/crous.png
|
||||
- OIDC_CLIENT_SCOPE=openid,profile,email
|
||||
|
||||
patchesJson6902:
|
||||
- target:
|
||||
version: v1
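Review bot: The `app-oidc-client` secretGenerator hard-codes `OIDC_CLIENT_SECRET=oidc-test-123456` as a literal in the kustomization, so the credential is committed to VCS history and emitted into every rendered Secret, and the new bootstrap Job repeats the same value in its commented-out env block. Even for a WIP example, loading the pairs from a git-ignored file (`envs: [secrets/app-oidc-client.env]`) or an external secret keeps the sample reusable without shipping the credential; if this is deliberately a throwaway test value, a comment above the generator saying so (`# test-only credential; never reuse outside the dev overlay`) stops it being copied as-is. The `regcred` comment `# For the bootstrap-app image. Should be public.` reads as an open TODO — stating whether the registry pull secret is temporary matters because the two `patches` entries wire it into every `Deployment` and `Job` in the overlay. This hunk is cut inside the `patchesJson6902` entry, whose target continues outside it.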
|
||||
|
@ -37,3 +70,21 @@ patchesJson6902:
|
|||
kind: Secret
|
||||
name: hydra-secret
|
||||
path: patches/hydra-secret.yaml
|
||||
|
||||
|
||||
vars:
|
||||
- name: PORTAL_OIDC_CLIENT_SECRET_NAME
|
||||
objref:
|
||||
name: app-oidc-client
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
fieldref:
|
||||
fieldpath: metadata.name
|
||||
- name: HYDRA_SERVICE_NAME
|
||||
objref:
|
||||
name: hydra
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
fieldref:
|
||||
fieldpath: metadata.name
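Review bot: The new `vars` block relies on a mechanism the kustomize documentation marks as deprecated in favour of `replacements`, and recent releases print a warning on every build. Both vars only forward `metadata.name` of the generated Secret and of the `hydra` Service into the Job's `env`, which a `replacements:` entry expresses directly, e.g. `source: {kind: Secret, name: app-oidc-client, fieldPath: metadata.name}` with a target of `spec.template.spec.containers.[name=bootstrap-oidc].env.[name=PORTAL_OIDC_CLIENT_SECRET_NAME].value`. Note that `HYDRA_SERVICE_NAME` resolves to the bare Service name only, so the bootstrap script must assume same-namespace DNS; if that is the contract, a one-line comment on the var would record it. The hunk starts inside the `patchesJson6902` list, whose opening is outside it.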
|
||||
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
- op: add
|
||||
path: "/spec/template/spec/imagePullSecrets"
|
||||
value:
|
||||
- name: regcred
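Review bot: `op: add` on `/spec/template/spec/imagePullSecrets` replaces the whole list when the target already has one, so any Deployment or Job in the base that declares its own pull secret silently loses it once the kustomization applies this patch to every `Deployment` and `Job`. If the targets are known to carry no `imagePullSecrets`, make that assumption visible with `# note: "add" on the list path replaces an existing imagePullSecrets; use .../imagePullSecrets/- to append`; otherwise use the append form behind a narrower `target` selector that only matches the resources pulling from the private registry.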
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: app-bootstrap
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
serviceAccountName: app-sa
|
||||
containers:
|
||||
- name: bootstrap-oidc
|
||||
image: reg.cadoles.com/cnous-mse/oidc-client-bootstrap
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: app-oidc-client
|
||||
env:
|
||||
- name: PORTAL_OIDC_CLIENT_SECRET_NAME
|
||||
value: $(PORTAL_OIDC_CLIENT_SECRET_NAME)
|
||||
- name: HYDRA_SERVICE_NAME
|
||||
value: $(HYDRA_SERVICE_NAME)
|
||||
# - name: LOG_LEVEL
|
||||
# value: "0"
|
||||
# - name: HTTP_ADDRESS
|
||||
# value: 0.0.0.0:8080
|
||||
# - name: OIDC_CLIENT_ID
|
||||
# value: oidc-test
|
||||
# - name: OIDC_CLIENT_SECRET
|
||||
# value: oidc-test-123456
|
||||
# - name: OIDC_ISSUER_URL
|
||||
# value: http://ssokustom:8080/auth
|
||||
# - name: OIDC_REDIRECT_URL
|
||||
# value: http://ssokustom:8080
|
||||
# - name: OIDC_POST_LOGOUT_REDIRECT_URL
|
||||
# value: http://ssokustom:8080
|
||||
args: ["/bin/sh", "/usr/local/bin/oidc-client-bootstrap.sh"]
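Review bot: The bootstrap container's `image: reg.cadoles.com/cnous-mse/oidc-client-bootstrap` has no tag or digest, so it resolves to `latest`, and with `imagePullPolicy: IfNotPresent` each node keeps whichever `latest` it pulled first — the Job that patches the OIDC client Secret is then neither reproducible nor guaranteed to run the reviewed script. Pin it by tag and digest, or manage the tag through the kustomization's `images:` field. The pod and container also run without any `securityContext`, and the Job sets no `backoffLimit` or `ttlSecondsAfterFinished`, so a finished or failed pod lingers with the client secret in its environment; the commented-out env block that repeats `OIDC_CLIENT_SECRET` should be deleted rather than kept as a second copy of the credential. The hardened settings below assume the image runs as a non-root user and does not need to write to its root filesystem — confirm against the image before applying.
```yaml
spec:
  backoffLimit: 3
  ttlSecondsAfterFinished: 600
  template:
    spec:
      restartPolicy: OnFailure
      serviceAccountName: app-sa
      securityContext:
        runAsNonRoot: true  # requires a non-root USER in the image
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: bootstrap-oidc
          image: reg.cadoles.com/cnous-mse/oidc-client-bootstrap:<tag>@sha256:<digest>
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: envFrom / env …
          args: ["/bin/sh", "/usr/local/bin/oidc-client-bootstrap.sh"]
```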
|
|
@ -22,15 +22,14 @@ spec:
|
|||
ports:
|
||||
- containerPort: 8080
|
||||
resources: {}
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: app-oidc-client
|
||||
env:
|
||||
- name: LOG_LEVEL
|
||||
value: "0"
|
||||
- name: HTTP_ADDRESS
|
||||
value: 0.0.0.0:8080
|
||||
- name: OIDC_CLIENT_ID
|
||||
value: oidc-test
|
||||
- name: OIDC_CLIENT_SECRET
|
||||
value: oidc-test-123456
|
||||
- name: OIDC_ISSUER_URL
|
||||
value: http://ssokustom:8080/auth
|
||||
- name: OIDC_REDIRECT_URL
|
||||
|
|
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: status-reader
|
||||
rules:
|
||||
- apiGroups:
|
||||
- batch
|
||||
- v1
|
||||
resources:
|
||||
- jobs
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- apiGroups:
|
||||
- ""
|
||||
- v1
|
||||
resources:
|
||||
- services
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- apiGroups:
|
||||
- ""
|
||||
- v1
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- apiGroups:
|
||||
- ""
|
||||
- v1
|
||||
resources:
|
||||
- secrets
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- patch
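Review bot: The `secrets` rule grants `get`, `list` and `patch` on every Secret in the namespace to `app-sa`, the account the bootstrap Job runs under, so that Job can read `hydra-secret`, `regcred` and anything else deployed alongside — not only the `app-oidc-client` Secret whose name it receives via `PORTAL_OIDC_CLIENT_SECRET_NAME`. Drop `list` and scope `get`/`patch` with `resourceNames`; kustomize's name-reference transformer is documented to rewrite `rules[].resourceNames` for generated Secrets in Roles, so the hashed generator name should resolve, but verify on a rendered build. `v1` is an API version, not a group: in `apiGroups` it matches nothing and should be removed (`""` already covers core resources, `batch` covers Jobs). The name `status-reader` also no longer describes a Role that writes Secrets.
```yaml
# … unchanged: jobs / services / pods rules (without the stray "v1" group) …
- apiGroups:
    - ""
  resources:
    - secrets
  resourceNames:
    - app-oidc-client  # rewritten to the hashed generator name by kustomize — verify
  verbs:
    - get
    - patch
```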
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: status-reader
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: status-reader
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: app-sa
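Review bot: The `ServiceAccount` subject at `name: app-sa` carries no `namespace`, which the RBAC API requires for ServiceAccount subjects; this only validates if the kustomization sets `namespace:` so the namespace transformer fills it in, and nothing in this commit shows that. Either add `namespace: <target-namespace>` under the subject, or confirm the overlay sets `namespace:` and record that dependency with a comment such as `# namespace is injected by the kustomization's namespace: field`.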
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: app-sa
|
||||
|
|
@ -7,7 +7,8 @@ metadata:
|
|||
traefik.ingress.kubernetes.io/router.middlewares: default-ingress-prefix@kubernetescrd
|
||||
spec:
|
||||
rules:
|
||||
- http:
|
||||
- host: ssokustom
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
@ -33,6 +34,17 @@ spec:
|
|||
port:
|
||||
name: hydra-public
|
||||
|
||||
- host: hydra-saml-shibboleth-sp
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: hydra-saml
|
||||
port:
|
||||
name: hydra-saml-shib
|
||||
|
||||
# - path: /auth/passwordless/?(.*)
|
||||
# pathType: Prefix
|
||||
# backend:
|
||||
|
|