From c01eb28d8caca40bbce28627ad46457feb22f184 Mon Sep 17 00:00:00 2001 
From: William Petit Date: Thu, 13 Feb 2025 17:02:48 +0100 Subject: [PATCH] fix: use hydra-ldap and olm operator to fix example --- README.md | 6 +- .../hydra-ldap/resources/deployment.yaml | 60 +++--- .../resources/hydra-saml-remote-user.yaml | 2 + components/oidc-test/kustomization.yaml | 3 +- .../oidc-test/resources/deployment.yaml | 24 +-- .../oidc-test/resources/oauth2-client.yaml | 12 +- components/redis/README.md | 15 +- components/redis/kustomization.yaml | 10 +- components/redis/patches/hydra-apps.yaml | 2 +- .../redis/resources/redis-failover.yaml | 21 -- components/redis/resources/redis-sso.yaml | 19 ++ examples/authenticated-app/README.md | 66 +++--- examples/authenticated-app/files/glauth.conf | 83 ++++++++ .../files/hydra-dispatcher-apps.yaml | 42 ++++ examples/authenticated-app/kustomization.yaml | 33 ++- .../patches/hydra-dispatcher-env.yaml | 21 +- .../authenticated-app/patches/hydra-env.yaml | 11 +- .../patches/hydra-ldap-env.yaml | 55 +++++ .../patches/hydra-ldap-sc.yaml | 7 + .../patches/hydra-saml-env.yaml | 43 ---- .../patches/oidc-test-oauth2-client.yaml | 5 +- .../authenticated-app/patches/oidc-test.yaml | 3 + .../resources/glauth-ldap.yaml | 55 +++++ .../authenticated-app/resources/ingress.yaml | 138 ++++++------- .../authenticated-app/resources/saml-idp.yaml | 51 ----- .../fix/redis-operator-clusterrole.yaml | 92 +++++++++ examples/k8s/kind/cluster/kustomization.yaml | 16 +- .../cluster/patches/nginx-controller.yaml | 15 +- .../cluster/resources/olm/kustomization.yaml | 6 + .../hydra-dispatcher/files/hydra/default.yaml | 2 + .../hydra-dispatcher-deployment.yaml | 193 +++++++++--------- resources/hydra/kustomization.yaml | 67 +++--- .../hydra/resources/hydra-deployment.yaml | 5 +- .../resources/hydra-maester-deployment.yaml | 7 +- 34 files changed, 729 insertions(+), 461 deletions(-) delete mode 100644 components/redis/resources/redis-failover.yaml create mode 100644 components/redis/resources/redis-sso.yaml create mode 100644 
examples/authenticated-app/files/glauth.conf create mode 100644 examples/authenticated-app/files/hydra-dispatcher-apps.yaml create mode 100644 examples/authenticated-app/patches/hydra-ldap-env.yaml create mode 100644 examples/authenticated-app/patches/hydra-ldap-sc.yaml delete mode 100644 examples/authenticated-app/patches/hydra-saml-env.yaml create mode 100644 examples/authenticated-app/resources/glauth-ldap.yaml delete mode 100644 examples/authenticated-app/resources/saml-idp.yaml create mode 100644 examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml create mode 100644 examples/k8s/kind/cluster/resources/olm/kustomization.yaml diff --git a/README.md b/README.md index f2c4832..26cec9c 100644 --- a/README.md +++ b/README.md @@ -2,10 +2,6 @@ Kustomization du service "SSO" (Ory Hydra) -## Usage - -[Voir la documentation](./doc/README.md) - ## Exemple -Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app) \ No newline at end of file +Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app) diff --git a/components/hydra-ldap/resources/deployment.yaml b/components/hydra-ldap/resources/deployment.yaml index 0a8bb20..1d3c3a0 100644 --- a/components/hydra-ldap/resources/deployment.yaml +++ b/components/hydra-ldap/resources/deployment.yaml 
@@ -17,34 +17,32 @@ spec: app.kubernetes.io/version: "v1.2.2" spec: containers: - - name: werther - image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: hydra-ldap-env - env: - - name: WERTHER_WEB_DIR - value: "/usr/share/werther/login/" - - name: WERTHER_LDAP_BINDDN - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDDN - - name: WERTHER_LDAP_BINDPW - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDPW - ports: - - containerPort: 8080 - name: hydra-ldap-http - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 100 + - name: werther + image: reg.cadoles.com/cadoles/hydra-werther:2025.2.17-stable.1544.8ded23c + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: hydra-ldap-env + env: + - name: WERTHER_LDAP_BINDDN + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDDN + - name: WERTHER_LDAP_BINDPW + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDPW + ports: + - containerPort: 8080 + name: hydra-ldap-http + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 diff --git a/components/hydra-saml/resources/hydra-saml-remote-user.yaml b/components/hydra-saml/resources/hydra-saml-remote-user.yaml index 580dc75..4d01f14 100644 --- a/components/hydra-saml/resources/hydra-saml-remote-user.yaml +++ b/components/hydra-saml/resources/hydra-saml-remote-user.yaml @@ -24,6 +24,8 @@ spec: name: hydra-saml-env ports: - containerPort: 8080 + command: + - /bin/apache2-foreground resources: {} restartPolicy: Always --- diff --git a/components/oidc-test/kustomization.yaml b/components/oidc-test/kustomization.yaml index af94763..716acfb 100644 
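Review bot: The bumped reference `image: reg.cadoles.com/cadoles/hydra-werther:2025.2.17-stable.1544.8ded23c` is still a mutable tag, so with `imagePullPolicy: IfNotPresent` a re-pushed tag can give a fresh node a different binary than the nodes that already cached it; pin by digest (`image: reg.cadoles.com/cadoles/hydra-werther@sha256:…`) or at least record the digest in a comment beside the tag. `WERTHER_WEB_DIR` is dropped from `env:` without explanation, presumably because the new image serves the login UI from its default path — confirm against the image and say so inline, e.g. `# WERTHER_WEB_DIR removed: image default used since 2025.2.17`. The hardened `securityContext` is carried over unchanged, which is good; anything after `runAsUser: 100` is outside the hunk.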
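Review bot: Adding `command: - /bin/apache2-foreground` replaces the image's ENTRYPOINT, so if that entrypoint is the script that renders the Apache/Shibboleth configuration from the `hydra-saml-env` variables loaded via `envFrom` just above, those variables stop having any effect and the SP runs on whatever configuration is baked into the image. The Dockerfile is not visible from here, so please confirm; if the bypass is deliberate (for instance a broken entrypoint in this image version), state it next to the line: `# ENTRYPOINT bypassed: <reason>; config comes from the image`. The rest of the pod spec is outside the hunk.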
--- a/components/oidc-test/kustomization.yaml +++ b/components/oidc-test/kustomization.yaml @@ -17,4 +17,5 @@ configMapGenerator: - OIDC_REDIRECT_URL=https://example.net/oauth2/callback - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net - OIDC_SKIP_ISSUER_VERIFICATION="true" - - OIDC_INSECURE_SKIP_VERIFY="true" \ No newline at end of file + - OIDC_SCOPES="openid profile" + - OIDC_INSECURE_SKIP_VERIFY="true" diff --git a/components/oidc-test/resources/deployment.yaml b/components/oidc-test/resources/deployment.yaml index a237882..24f55db 100644 --- a/components/oidc-test/resources/deployment.yaml +++ b/components/oidc-test/resources/deployment.yaml @@ -23,17 +23,17 @@ spec: - containerPort: 8080 resources: {} envFrom: - - configMapRef: - name: oidc-test-env + - configMapRef: + name: oidc-test-env env: - - name: OIDC_CLIENT_ID - valueFrom: - secretKeyRef: - name: oidc-test-oauth2-client - key: client_id - - name: OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oidc-test-oauth2-client - key: client_secret + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-test-oauth2-client + key: CLIENT_ID + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-test-oauth2-client + key: CLIENT_SECRET restartPolicy: Always diff --git a/components/oidc-test/resources/oauth2-client.yaml b/components/oidc-test/resources/oauth2-client.yaml index 8bbc030..6c7cda4 100644 --- a/components/oidc-test/resources/oauth2-client.yaml +++ b/components/oidc-test/resources/oauth2-client.yaml @@ -6,13 +6,13 @@ spec: clientName: "oidc-test" tokenEndpointAuthMethod: "client_secret_basic" grantTypes: - - authorization_code - - refresh_token + - authorization_code + - refresh_token responseTypes: - - code - scope: "openid email" + - code + scope: "openid email profile" secretName: oidc-test-oauth2-client redirectUris: - - https://example.net/oauth2/callback + - https://example.net/oauth2/callback postLogoutRedirectUris: - - https://example.net + - https://example.net 
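Review bot: The component keeps `OIDC_INSECURE_SKIP_VERIFY="true"` and `OIDC_SKIP_ISSUER_VERIFICATION="true"` as ConfigMap defaults right next to the new `OIDC_SCOPES` literal, so any overlay that includes `oidc-test` and only patches URLs and scopes — which is exactly what `examples/authenticated-app/patches/oidc-test.yaml` does — ships a client that accepts any TLS certificate and any issuer. That is tolerable for a self-signed kind cluster, but the safe value should be the default and the example should opt in: `- OIDC_INSECURE_SKIP_VERIFY="false"` here with `# set to "true" only for self-signed dev clusters` above it, plus a `replace` on `/data/OIDC_INSECURE_SKIP_VERIFY` in the example overlay. The same applies to the issuer check.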
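Review bot: The `secretKeyRef` keys switch from `client_id`/`client_secret` to `CLIENT_ID`/`CLIENT_SECRET`, but `oidc-test-oauth2-client` is populated by hydra-maester from the `OAuth2Client` resource rather than by this repository, so the names must match what the deployed hydra-maester writes; upstream hydra-maester uses the lowercase keys as far as I recall, so this presumably tracks the change to `resources/hydra/resources/hydra-maester-deployment.yaml` in the same patch — confirm. A mismatch fails at pod start with a missing-key error, which is at least loud; a comment beside the two refs, `# key names as written by hydra-maester <version>`, would pin the dependency for the next bump.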
diff --git a/components/redis/README.md b/components/redis/README.md index 072c605..b3a8237 100644 --- a/components/redis/README.md +++ b/components/redis/README.md @@ -3,20 +3,17 @@ ### Description Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis. + Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`. -Les applications peuvent utiliser le mode `sentinel` de redis -Il est donc nécessaire donc nécessaire de disposer d'un serveur Redis pour utiliser ces applications. ### Principe général de fonctionnement -Un `RedisFailOver` crée un cluster redis en mode sentinel avec 3 réplicats chacun. - +Un `Redis` crée une instance Redis dédiée à l'environnement SSO. ### Personnalisation -Via des `patches` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` il est possible de modifier la valeur du `REDIS_DSN`. +Un `patch` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` permet de modifier la valeur de la clé `REDIS_DSN`. - -|Clé|Description|Exemple| -|---|-----------|-------| -|`REDIS_DSN`| DSN du cluster Redis | `redis://rfs-sso-redis:26379?&redis_sentinel=mymaster` +| Clé | Description | Exemple | +| ----------- | -------------------- | ------------------------ | +| `REDIS_DSN` | DSN du cluster Redis | `redis://redis-sso:6379` | diff --git a/components/redis/kustomization.yaml b/components/redis/kustomization.yaml index 609cf30..d02fbe2 100644 --- a/components/redis/kustomization.yaml +++ b/components/redis/kustomization.yaml 
@@ -2,10 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: - - ./resources/redis-failover.yaml + - ./resources/redis-sso.yaml patches: -- path: ./patches/hydra-apps.yaml - target: - kind: ConfigMap - labelSelector: "com.cadoles.forge.sso-kustom/session=redis" + - path: ./patches/hydra-apps.yaml + target: + kind: ConfigMap + labelSelector: "com.cadoles.forge.sso-kustom/session=redis" diff --git a/components/redis/patches/hydra-apps.yaml b/components/redis/patches/hydra-apps.yaml index 6ab436a..11890a1 100644 --- a/components/redis/patches/hydra-apps.yaml +++ b/components/redis/patches/hydra-apps.yaml @@ -1,3 +1,3 @@ - op: replace path: "/data/REDIS_DSN" - value: "redis://rfs-sso-redis:26379?&redis_sentinel=mymaster" + value: "redis://redis-sso:6379" diff --git a/components/redis/resources/redis-failover.yaml b/components/redis/resources/redis-failover.yaml deleted file mode 100644 index 01f1e3a..0000000 --- a/components/redis/resources/redis-failover.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: databases.spotahome.com/v1 -kind: RedisFailover -metadata: - name: sso-redis -spec: - sentinel: - replicas: 3 - resources: - requests: - cpu: 100m - limits: - memory: 100Mi - redis: - replicas: 3 - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 400m - memory: 500Mi diff --git a/components/redis/resources/redis-sso.yaml b/components/redis/resources/redis-sso.yaml new file mode 100644 index 0000000..2cb04f1 --- /dev/null +++ b/components/redis/resources/redis-sso.yaml @@ -0,0 +1,19 @@ +apiVersion: redis.redis.opstreelabs.in/v1beta1 +kind: Redis +metadata: + name: redis-sso +spec: + kubernetesConfig: + image: reg.cadoles.com/quay/opstree/redis:v7.0.15 + imagePullPolicy: IfNotPresent + storage: + volumeClaimTemplate: + spec: + # storageClassName: standard + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 1Gi + securityContext: + runAsUser: 1000 + fsGroup: 1000 
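Review bot: `redis-sso` is created without `kubernetesConfig.redisSecret` and the apps are pointed at `redis://redis-sso:6379`, so the session and cache store used by `hydra-dispatcher`, `hydra-sql` and `hydra-oidc` answers without a password and without TLS to any pod that can reach the service — live user sessions are precisely what an in-cluster attacker would go for. Set a `redisSecret` on the `Redis` resource and carry the password in the DSN (in whatever form the apps' `REDIS_DSN` parser accepts, sourced from a Secret rather than this ConfigMap patch), or ship a NetworkPolicy restricting ingress to the SSO pods, and state which of the two the component relies on in `components/redis/README.md`. Replacing the 3+3 sentinel `RedisFailover` with a single `Redis` also means every restart of that one pod drops all sessions; a line such as `# single instance, no HA: example/dev sizing only` in `redis-sso.yaml` would stop it being promoted as-is.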
diff --git a/examples/authenticated-app/README.md b/examples/authenticated-app/README.md index 1619333..18d5d35 100644 --- a/examples/authenticated-app/README.md +++ b/examples/authenticated-app/README.md @@ -1,6 +1,6 @@ # Exemple: Déploiement d'une application authentifiée avec la stack SSO -L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. +L'exemple est actuellement déployé avec le composant `hydra-ldap` uniquement. ## Procédure 
@@ -8,37 +8,40 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. 1. Créer un cluster avec `kind` - ``` - kind create cluster --config ./examples/k8s/kind/cluster-config.yaml - ``` + ``` + kind create cluster --config ./examples/k8s/kind/cluster-config.yaml + ``` 2. Déployer les opérateurs nécessaires au déploiement - ``` - kubectl apply -k ./examples/k8s/kind/cluster --server-side - ``` - -3. Déployer l'application - - ``` - kubectl apply -k ./examples/authenticated-app - ``` - - **Note** Il est possible d'avoir l'erreur suivante: - ``` - error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1" + kubectl apply -k ./examples/k8s/kind/cluster --server-side ``` - Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande. + > Si une erreur du type `ensure CRDs are installed first` s'affiche, relancer la commande. -4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts` +3. Attendre que l'opérateur Redis soit opérationnel puis patcher le `ClusterRole` de celui ci (cf. https://github.com/OT-CONTAINER-KIT/redis-operator/issues/526): - ``` - 127.0.0.1 ssokustom - ``` + ```bash + kubectl wait -n operators --timeout 10m --for=jsonpath=".status.state"=AtLatestKnown subscription my-redis-operator + # On attend quelques secondes supplémentaires pour s'assurer que l'opérateur a réellement démarré + sleep 30 + kubectl patch clusterroles.rbac.authorization.k8s.io $(kubectl get clusterrole | awk '/redis-operator/ {print $1}') --patch-file examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml + ``` -5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom +4. Déployer l'application + + ``` + kubectl apply -k ./examples/authenticated-app + ``` + +5. 
Ajouter l'entrée suivante dans votre fichier `/etc/hosts` + + ``` + 127.0.0.1 ssokustom + ``` + +6. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom #### Supprimer le cluster @@ -48,14 +51,15 @@ kind delete cluster -n sso-kustom-example ## Authentification -### SAML +### LDAP -- Utilisateur: `user1` -- Mot de passe `user1pass` +#### Comptes par défaut -#### URL utiles +1. `jdoe` / `jdoe` +2. `jdoe2` / `jdoe` +3. `siret1` / `siret` +4. `siret2` / `siret` -|URL|Description| -|---|-----------| -|https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth| -|https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth| +#### Gestion des comptes + +Les comptes LDAP sont définis dans le fichier [`./files/glauth.conf`](./files/glauth.conf) diff --git a/examples/authenticated-app/files/glauth.conf b/examples/authenticated-app/files/glauth.conf new file mode 100644 index 0000000..9a5c89d --- /dev/null +++ b/examples/authenticated-app/files/glauth.conf 
@@ -0,0 +1,83 @@
+debug = true
+
+[ldap]
+ enabled = true
+ listen = "0.0.0.0:3893"
+ tls = false
+
+[ldaps]
+ enabled = false
+
+[behaviors]
+ IgnoreCapabilities = true
+
+[backend]
+ datastore = "config"
+ baseDN = "dc=glauth,dc=com"
+
+[[users]]
+ uid = "serviceuser"
+ name = "serviceuser"
+ mail = "serviceuser@example.com"
+ uidnumber = 5001
+ primarygroup = 5502
+ # use echo -n "mysecret" | openssl dgst -sha256
+ passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret
+ [[users.capabilities]]
+ action = "search"
+ object = "*"
+
+[[users]]
+ uid = "jdoe"
+ name = "jdoe"
+ uidnumber = 5002
+ primarygroup = 5501
+ givenname = "John"
+ sn = "Doe"
+ mail = "jdoe@example.com"
+ passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+ [[users.customattributes]]
+ employeetype = ["Intern", "Temp"]
+ employeenumber = [12345, 54321]
+
+[[users]]
+ uid = "jdoe2"
+ name = "jdoe2"
+ uidnumber = 5003
+ primarygroup = 5501
+ givenname = "John"
+ sn = "Doe2"
+ mail = "jdoe2@jdoe2.com"
+ passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+
+[[users]]
+ uid = "siret1"
+ name = "siret1"
+ uidnumber = 5004
+ primarygroup = 5501
+ givenname = "Siret"
+ sn = "Siret"
+ mail = "siret1@siret.com"
+ passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+ [[users.customattributes]]
+ siret = ["0001"]
+
+[[users]]
+ uid = "siret2"
+ name = "siret2"
+ uidnumber = 5005
+ primarygroup = 5501
+ givenname = "Siret"
+ sn = "Siret"
+ mail = "siret2@siret.com"
+ passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+ [[users.customattributes]]
+ siret = ["0002"]
+
+[[groups]]
+ name = "users"
+ gidnumber = 5501
+
+[[groups]]
+ name = "svcaccts"
+ gidnumber = 5502
\ No newline at end of file
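Review bot: `[behaviors] IgnoreCapabilities = true` tells glauth to skip the per-user capability check, so the `[[users.capabilities]]` block granting `search` on `*` to `serviceuser` is decorative and every account that can bind (`jdoe`, `siret1`, …) can search the whole tree; either drop the flag or drop the capability block so the file does not document a restriction it does not enforce — confirm against the `glauth/glauth:v2.3.2` image used in `glauth-ldap.yaml`. The password hashes are unsalted SHA-256 (`passsha256`) and the bind password is also committed in clear in the `# mysecret` comment; for a fixture that is acceptable, but glauth also accepts `passbcrypt`, and a top-of-file comment `# TEST FIXTURE ONLY: plaintext LDAP (tls = false), debug logging, well-known passwords — never reuse` would keep this from being copied into a real overlay. `debug = true` additionally logs every bind and search, usernames included, to the pod log.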
diff --git a/examples/authenticated-app/files/hydra-dispatcher-apps.yaml b/examples/authenticated-app/files/hydra-dispatcher-apps.yaml new file mode 100644 index 0000000..24b19f5 --- /dev/null +++ b/examples/authenticated-app/files/hydra-dispatcher-apps.yaml @@ -0,0 +1,42 @@ +hydra: + apps: + - id: ldap + title: + fr: Connexion LDAP + en: Login LDAP + description: + fr: Authentification avec LDAP + en: Authentication with LDAP + login_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGIN_URL)%" + consent_url: "%env(string:HYDRA_DISPATCHER_LDAP_CONSENT_URL)%" + logout_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGOUT_URL)%" + attributes_rewrite_configuration: + siret: + rules: + - "property_exists(consent.session.id_token, 'siret') ? consent.session.id_token.siret : null" + - "value ?: ( consent.session.id_token.email matches '/.*@example.com$/' ? '0000' : null )" + - "value ?: ( consent.session.id_token.email matches '/.*@jdoe.com$/' ? '0001' : null )" + family_name: + rules: + - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null" + given_name: + rules: + - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null" + email: + rules: + - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" + firewall: + additional_properties: true + rules: + siret: + required: false + email: + required: false + given_name: + required: false + family_name: + required: false + webhook: + enabled: false + webhook_post_login: + enabled: false diff --git a/examples/authenticated-app/kustomization.yaml b/examples/authenticated-app/kustomization.yaml index af62fc2..c2e4685 100644 --- a/examples/authenticated-app/kustomization.yaml +++ b/examples/authenticated-app/kustomization.yaml 
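Review bot: The `siret` fallback rules derive a SIRET from the e-mail with `'/.*@example.com$/'` and `'/.*@jdoe.com$/'`, where the unescaped `.` also accepts `user@exampleXcom`, and the derived value is then presented to relying parties exactly like a directory-sourced `siret`; escape the dots (`'/@example\\.com$/'` inside the double-quoted YAML string) and guard the access as the `email` rule below already does: `value ?: (property_exists(consent.session.id_token, 'email') and consent.session.id_token.email matches '/@example\\.com$/' ? '0000' : null)`. Whether a missing `email` key throws or yields null depends on the dispatcher's expression engine, which I cannot see — the guard is harmless either way. A comment above `attributes_rewrite_configuration` stating that the domain-to-SIRET mapping is example data would also help, since `firewall.additional_properties: true` with every rule `required: false` lets all claims through unfiltered.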
@@ -2,12 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../overlays/full + - ../../overlays/base + - ./resources/ingress.yaml - - ./resources/saml-idp.yaml + - ./resources/glauth-ldap.yaml - ./resources/self-signed-issuer.yaml - ./resources/port-forwarder.yaml +components: + - ../../components/hydra-cnpg-database + - ../../components/hydra-ldap + - ../../components/oidc-test + - ../../components/redis + patchesJson6902: - target: version: v1 @@ -22,8 +29,13 @@ patchesJson6902: - target: version: v1 kind: ConfigMap - name: hydra-saml-env - path: patches/hydra-saml-env.yaml + name: hydra-ldap-env + path: patches/hydra-ldap-env.yaml + - target: + version: v1 + kind: Secret + name: hydra-ldap-sc + path: patches/hydra-ldap-sc.yaml - target: version: v1 kind: Secret @@ -32,10 +44,19 @@ patchesJson6902: - target: version: v1 kind: ConfigMap - name: oidc-test + name: oidc-test-env path: patches/oidc-test.yaml - target: version: v1alpha1 kind: OAuth2Client name: oidc-test-oauth2-client - path: patches/oidc-test-oauth2-client.yaml \ No newline at end of file + path: patches/oidc-test-oauth2-client.yaml + +configMapGenerator: + - name: hydra-dispatcher-apps + behavior: replace + files: + - ./files/hydra-dispatcher-apps.yaml + - name: glauth-ldap-conf + files: + - ./files/glauth.conf diff --git a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml index 464288a..463cedf 100644 --- a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml +++ b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml @@ -1,3 +1,9 @@ +- op: replace + path: "/data/APP_ENV" + value: dev +- op: replace + path: "/data/APP_DEBUG" + value: "true" - op: replace path: "/data/HYDRA_BASE_URL" value: http://hydra:4444 
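Review bot: The overlay still declares its patches under `patchesJson6902:` while `examples/k8s/kind/cluster/kustomization.yaml` in this same commit migrates to `patches:`; `patchesJson6902` is deprecated in kustomize v5 and warns on every build, so the two files now disagree on style for no reason — moving the entries under `patches:` keeps the same `target:`/`path:` shape. Separately, `glauth-ldap-conf` is generated as a ConfigMap although `files/glauth.conf` carries password hashes and the bind account; a `secretGenerator:` entry with the same `files:` list keeps them out of a plain ConfigMap at no cost (the `volumes:` entry in `glauth-ldap.yaml` becomes `secret: { secretName: glauth-ldap-conf }`).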
@@ -17,14 +23,13 @@ path: "/data/COOKIE_PATH" value: /auth/dispatcher -# Hydra SAML configuration +# Hydra LDAP configuration - op: replace - path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL" - value: https://ssokustom/auth/saml/login + path: "/data/HYDRA_DISPATCHER_LDAP_LOGIN_URL" + value: https://ssokustom/auth/ldap/auth/login - op: replace - path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL" - value: https://ssokustom/auth/saml/consent + path: "/data/HYDRA_DISPATCHER_LDAP_CONSENT_URL" + value: https://ssokustom/auth/ldap/auth/consent - op: replace - path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL" - value: https://ssokustom/auth/saml/logout - \ No newline at end of file + path: "/data/HYDRA_DISPATCHER_LDAP_LOGOUT_URL" + value: https://ssokustom/auth/ldap/auth/logout diff --git a/examples/authenticated-app/patches/hydra-env.yaml b/examples/authenticated-app/patches/hydra-env.yaml index 1b45696..3f1bce5 100644 --- a/examples/authenticated-app/patches/hydra-env.yaml +++ b/examples/authenticated-app/patches/hydra-env.yaml @@ -12,4 +12,13 @@ value: https://ssokustom/auth/dispatcher/consent - op: replace path: "/data/HYDRA_SERVE_ALL_ARGS" - value: "--dev" \ No newline at end of file + value: "--dev" +- op: replace + path: "/data/SERVE_COOKIES_SAME_SITE_MODE" + value: "Lax" +- op: replace + path: "/data/SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND" + value: "true" +- op: replace + path: "/data/SERVE_COOKIES_DOMAIN" + value: "ssokustom" diff --git a/examples/authenticated-app/patches/hydra-ldap-env.yaml b/examples/authenticated-app/patches/hydra-ldap-env.yaml new file mode 100644 index 0000000..9eaa521 --- /dev/null +++ b/examples/authenticated-app/patches/hydra-ldap-env.yaml 
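Review bot: The new `APP_ENV=dev` and `APP_DEBUG="true"` entries switch `hydra-dispatcher` (presumably a Symfony app, judging by the `%env(string:…)%` syntax in its apps file) into debug mode, so verbose exception pages and request parameters become visible to whoever hits `https://ssokustom/auth/dispatcher/…`, which is the component that receives login and consent challenges. For a kind example that is a choice rather than an accident, but nothing says so; add `# dev/debug on purpose: example cluster only — never carry into a production overlay` above the two entries, or keep the example at `APP_ENV=prod` and turn debug on locally when needed. The remainder of the patch only renames the SAML URLs to LDAP ones.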
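Review bot: `SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND="true"` makes Hydra emit a second, SameSite-less copy of its cookies for old user agents, and `SERVE_COOKIES_DOMAIN="ssokustom"` widens them to the whole host; together with the pre-existing `--dev` flag that is three cookie relaxations in one small patch with no stated reason. If they exist only to make the `/auth` ↔ `/` redirects work through the kind port-forward, say so: `# Lax + legacy copy + host-wide domain: needed for the cross-path redirects in this example only`; if not, drop the legacy workaround, since current browsers do not need it and it doubles the cookie surface.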
@@ -0,0 +1,55 @@
+- op: replace
+ path: "/data/WERTHER_DEV_MODE"
+ value: "true"
+
+- op: replace
+ path: "/data/WERTHER_WEB_BASE_PATH"
+ value: "/auth/ldap/"
+
+- op: replace
+ path: "/data/WERTHER_IDENTP_HYDRA_URL"
+ value: "http://hydra-dispatcher"
+
+- op: replace
+ path: "/data/WERTHER_LDAP_ENDPOINTS"
+ value: "glauth-ldap:389"
+
+- op: replace
+ path: "/data/WERTHER_LDAP_BASEDN"
+ value: "dc=glauth,dc=com"
+
+- op: replace
+ path: "/data/WERTHER_LDAP_ROLE_BASEDN"
+ value: "ou=groups,dc=glauth,dc=com"
+
+- op: replace
+ path: "/data/WERTHER_IDENTP_CLAIM_SCOPES"
+ value: "uid:profile,name:profile,family_name:profile,given_name:profile,email:profile,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles,siret:siret"
+
+- op: replace
+ path: "/data/WERTHER_INSECURE_SKIP_VERIFY"
+ value: "true"
+
+- op: replace
+ path: "/data/WERTHER_LDAP_IS_TLS"
+ value: "false"
+
+- op: replace
+ path: "/data/WERTHER_LDAP_ATTR_CLAIMS"
+ value: "name:name,sn:family_name,givenName:given_name,mail:email,siret:siret"
+
+- op: replace
+ path: "/data/WERTHER_LDAP_CONNECTION_TIMEOUT"
+ value: "30s"
+
+- op: replace
+ path: "/data/WERTHER_LDAP_USER_SEARCH_QUERY"
+ value: "(&(objectClass=*)(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"
+
+- op: replace
+ path: "/data/WERTHER_IDENTP_ACR"
+ value: "eidas1"
+
+- op: replace
+ path: "/data/WERTHER_IDENTP_AMR"
+ value: "pwd"
diff --git a/examples/authenticated-app/patches/hydra-ldap-sc.yaml b/examples/authenticated-app/patches/hydra-ldap-sc.yaml
new file mode 100644
index 0000000..3eb0e19
--- /dev/null
+++ b/examples/authenticated-app/patches/hydra-ldap-sc.yaml
@@ -0,0 +1,7 @@
+- op: replace
+ path: "/data/WERTHER_LDAP_BINDDN"
+ value: "Y249c2VydmljZXVzZXIsb3U9c3ZjYWNjdHMsb3U9dXNlcnMsZGM9Z2xhdXRoLGRjPWNvbQ==" # cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com
+
+- op: replace
+ path: "/data/WERTHER_LDAP_BINDPW"
+ value: "bXlzZWNyZXQ=" # mysecret
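Review bot: `WERTHER_LDAP_USER_SEARCH_QUERY` substitutes the submitted login four times into `(&(objectClass=*)(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))`; whether a login such as `*)(uid=*` is neutralised depends entirely on werther escaping the value per RFC 4515 before formatting, which this patch cannot guarantee — please verify in the `hydra-werther` source and record it beside the query (`# %[1]s is filter-escaped by werther before substitution`). `WERTHER_LDAP_IS_TLS="false"`, `WERTHER_INSECURE_SKIP_VERIFY="true"` and `WERTHER_DEV_MODE="true"` are fine against the in-cluster glauth fixture but should be labelled as example-only so they are not copied. `WERTHER_IDENTP_ACR="eidas1"` asserts an eIDAS assurance level for what is a single-factor password login (`WERTHER_IDENTP_AMR="pwd"`); relying parties may take `acr` at face value, so either use a neutral value or comment that the claim is illustrative.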
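Review bot: The `hydra-ldap-sc` patch commits the bind DN and password base64-encoded, which is encoding rather than protection, and the cleartext `mysecret` is echoed in the trailing comment anyway. For an example that is acceptable only if the file says so; add `# example credentials matching files/glauth.conf — replace in any real overlay` at the top, and prefer a `secretGenerator:` with `literals:` over hand-base64'd JSON patches so the values are readable in review and the Secret is regenerated when they change.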
diff --git a/examples/authenticated-app/patches/hydra-saml-env.yaml b/examples/authenticated-app/patches/hydra-saml-env.yaml deleted file mode 100644 index 8d9aa8a..0000000 --- a/examples/authenticated-app/patches/hydra-saml-env.yaml +++ /dev/null @@ -1,43 +0,0 @@ -- op: replace - path: "/data/HTTP_BASE_URL" - value: https://ssokustom/auth/saml -- op: replace - path: "/data/COOKIE_PATH" - value: /auth/saml -- op: replace - path: "/data/HYDRA_ADMIN_BASE_URL" - value: http://hydra-dispatcher -- op: replace - path: "/data/LOGOUT_REDIRECT_URL_PATTERN" - value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s -- op: replace - path: "/data/PATH_PREFIX" - value: "/auth/saml" - -- op: replace - path: "/data/SP_ENTITY_ID" - value: https://ssokustom/auth/saml -- op: replace - path: "/data/IDP_ENTITY_ID" - value: https://ssokustom/simplesaml/saml2/idp/metadata.php -- op: replace - path: "/data/IDP_METADATA_URL" - value: https://ssokustom/simplesaml/saml2/idp/metadata.php -- op: replace - path: "/data/APACHE_FORCE_HTTPS" - value: "true" -- op: replace - path: "/data/SP_HANDLER_BASE_PATH" - value: "/auth/saml" -- op: replace - path: "/data/SP_LOG_LEVEL" - value: DEBUG -- op: replace - path: "/data/SP_SESSIONS_REDIRECT_LIMIT" - value: none -- op: replace - path: "/data/SP_SESSIONS_REDIRECT_ALLOW" - value: https://ssokustom -- op: replace - path: "/data/SP_SESSIONS_COOKIE_PROPS" - value: https \ No newline at end of file diff --git a/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml b/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml index 14161b6..d87e313 100644 --- a/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml +++ b/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml 
@@ -3,4 +3,7 @@ value: https://ssokustom/oauth2/callback - op: replace path: "/spec/postLogoutRedirectUris/0" - value: https://ssokustom \ No newline at end of file + value: https://ssokustom +- op: replace + path: "/spec/scope" + value: "openid profile roles siret" diff --git a/examples/authenticated-app/patches/oidc-test.yaml b/examples/authenticated-app/patches/oidc-test.yaml index ec56255..8d03af8 100644 --- a/examples/authenticated-app/patches/oidc-test.yaml +++ b/examples/authenticated-app/patches/oidc-test.yaml @@ -4,3 +4,6 @@ - op: replace path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL" value: https://ssokustom +- op: replace + path: "/data/OIDC_SCOPES" + value: "openid profile roles siret" diff --git a/examples/authenticated-app/resources/glauth-ldap.yaml b/examples/authenticated-app/resources/glauth-ldap.yaml new file mode 100644 index 0000000..2ae39fc --- /dev/null +++ b/examples/authenticated-app/resources/glauth-ldap.yaml @@ -0,0 +1,55 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: glauth-ldap + name: glauth-ldap +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: glauth-ldap + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: glauth-ldap + spec: + containers: + - image: glauth/glauth:v2.3.2 + name: glauth-ldap + ports: + - containerPort: 3893 + name: ldap + - containerPort: 3894 + name: ldaps + resources: {} + volumeMounts: + - name: glauth-ldap-conf + mountPath: /app/config/config.cfg + subPath: glauth.conf + restartPolicy: Always + volumes: + - name: glauth-ldap-conf + configMap: + name: glauth-ldap-conf +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: glauth-ldap + name: glauth-ldap +spec: + ports: + - name: ldap + port: 389 + targetPort: ldap + - name: ldaps + port: 636 + targetPort: ldaps + selector: + app.kubernetes.io/name: glauth-ldap +status: + loadBalancer: {} 
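Review bot: The `glauth-ldap` container has no `securityContext` and no `resources`, unlike the sibling `hydra-ldap` deployment in this same commit which drops all capabilities, runs non-root and read-only; glauth listens on 3893/3894 so it needs no root, and a fixture sharing a namespace with the SSO pods should not be the easiest pod to pivot from. The Service also publishes `636 -> ldaps` although `glauth.conf` sets `[ldaps] enabled = false`, so a client choosing that port gets a refused connection — drop the port or enable LDAPS. The additions I would make to the container are below; uid and `readOnlyRootFilesystem` need a quick check against the image.

```yaml
      containers:
        - image: glauth/glauth:v2.3.2
          name: glauth-ldap
          # … unchanged: ports (drop the ldaps port unless [ldaps] is enabled), volumeMounts …
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true  # glauth only reads /app/config; revert if the image needs a writable FS
            runAsNonRoot: true
            runAsUser: 1000  # any unprivileged uid works: 3893/3894 need no root
```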
diff --git a/examples/authenticated-app/resources/ingress.yaml b/examples/authenticated-app/resources/ingress.yaml index 76212ba..6234219 100644 --- a/examples/authenticated-app/resources/ingress.yaml +++ b/examples/authenticated-app/resources/ingress.yaml @@ -10,43 +10,47 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: oidc-test - port: - name: http + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: oidc-test + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: auth-saml + name: auth-ldap annotations: cert-manager.io/issuer: "self-signed" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/ldap + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Forwarded-Proto https; spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth/saml(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra-saml - port: - name: http + - http: + paths: + - path: /auth/ldap(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-ldap + port: + name: hydra-ldap --- apiVersion: networking.k8s.io/v1 kind: Ingress 
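Review bot: The `auth-ldap` rule is `- http:` with no `host:`, so it matches every Host header (the `tls.hosts` entry only selects the certificate), while the new `nginx.ingress.kubernetes.io/configuration-snippet` forcing `proxy_set_header X-Forwarded-Proto https;` only works because the controller ConfigMap patched in this commit raises `annotations-risk-level` to `Critical`, which re-enables arbitrary nginx configuration from any Ingress in the cluster. Since `force-ssl-redirect` already guarantees the upstream request arrived over TLS and ingress-nginx sets `X-Forwarded-Proto` itself, the snippet looks redundant; if werther nevertheless sees `http`, that deserves a comment naming the cause rather than a cluster-wide policy change. Either way, add `host: ssokustom` as the first key of the rule item (`- host: ssokustom` with `http:` beneath it) so the rule is bound to the name in the TLS block.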
@@ -57,22 +61,24 @@ metadata: nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/rewrite-target: /$2 nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Forwarded-Proto https; spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth/dispatcher(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra-dispatcher - port: - name: http + - http: + paths: + - path: /auth/dispatcher(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-dispatcher + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress 
@@ -82,50 +88,22 @@ metadata: cert-manager.io/issuer: "self-signed" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header X-Forwarded-Proto https; spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra - port: - name: hydra-public ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: saml-idp - annotations: - cert-manager.io/issuer: "self-signed" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2 - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" -spec: - ingressClassName: nginx - tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls - rules: - - http: - paths: - - path: /simplesaml(/|$)(.*) - pathType: Prefix - backend: - service: - name: saml-idp - port: - name: https - - - - - \ No newline at end of file + - http: + paths: + - path: /auth(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra + port: + name: hydra-public diff --git a/examples/authenticated-app/resources/saml-idp.yaml b/examples/authenticated-app/resources/saml-idp.yaml deleted file mode 100644 index 20146d2..0000000 --- a/examples/authenticated-app/resources/saml-idp.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/name: saml-idp - name: saml-idp -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: saml-idp - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: saml-idp - spec: - containers: - - image: kristophjunge/test-saml-idp:1.15 - name: saml-idp - ports: - - containerPort: 8443 - resources: {} - env: - - name: SIMPLESAMLPHP_SP_ENTITY_ID - value: https://ssokustom/auth/saml - - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE - value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST - - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE - value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom - restartPolicy: Always ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: saml-idp - name: saml-idp -spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/name: saml-idp -status: - loadBalancer: {} \ No newline at end of file diff --git a/examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml b/examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml new file mode 100644 index 0000000..89d801e --- /dev/null +++ b/examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml 
@@ -0,0 +1,92 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+rules:
+ - apiGroups:
+ - redis.redis.opstreelabs.in
+ resources:
+ - rediss
+ - redisclusters
+ - redis
+ - rediscluster
+ - redisreplication
+ - redisreplications
+ - redissentinel
+ - redissentinels
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - redis.redis.opstreelabs.in
+ resources:
+ - redis/finalizers
+ - rediscluster/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - redis.redis.opstreelabs.in
+ resources:
+ - redis/status
+ - rediscluster/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - pods/exec
+ - services
+ - configmaps
+ - pods
+ - persistentvolumes
+ - persistentvolumeclaims
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/examples/k8s/kind/cluster/kustomization.yaml b/examples/k8s/kind/cluster/kustomization.yaml
index af48eba..60be946 100644
--- a/examples/k8s/kind/cluster/kustomization.yaml
+++ b/examples/k8s/kind/cluster/kustomization.yaml
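Review bot: The ClusterRole has no `metadata` block and therefore no name; `kubectl apply` rejects such an object, and the kind `kustomization.yaml` rewritten in this commit does not list `fix/redis-operator-clusterrole.yaml`, so how the file is consumed is not visible here — presumably as a patch on the operator role installed through OLM, in which case the target still has to be named. The rules also grant cluster-wide create/delete on `secrets` and `create` on `pods/exec`, a broad set even for an example cluster; if the list mirrors the upstream operator's role, a header comment naming the source and the reason for the override lets the next reader judge it, e.g. `# Widened rules for the OLM-installed redis-operator; mirrors <upstream role> — keep in sync when bumping the operator`. If the file is meant to stand alone, add `metadata:` with `name: <redis-operator clusterrole name>`.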
@@ -1,15 +1,15 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml -- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop -- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop -- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + - https://forge.cadoles.com/CadolesKube/c-kustom//crds?ref=develop + - https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml + - ./resources/olm + - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop + - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml -patchesJson6902: - - target: - version: v1 +patches: + - path: patches/nginx-controller.yaml + target: kind: ConfigMap name: ingress-nginx-controller namespace: ingress-nginx - path: patches/nginx-controller.yaml diff --git a/examples/k8s/kind/cluster/patches/nginx-controller.yaml b/examples/k8s/kind/cluster/patches/nginx-controller.yaml index 799344f..ab59022 100644 --- a/examples/k8s/kind/cluster/patches/nginx-controller.yaml +++ b/examples/k8s/kind/cluster/patches/nginx-controller.yaml @@ -1,6 +1,9 @@ -- op: replace - path: "/data/allow-snippet-annotations" - value: "true" -- op: replace - path: "/data/use-forwarded-headers" - value: "true" \ No newline at end of file +kind: ConfigMap +apiVersion: v1 +metadata: + name: ingress-nginx-controller +data: + allow-snippet-annotations: "true" + use-forwarded-headers: "true" + strict-validate-path-type: "false" + annotations-risk-level: "Critical" diff --git a/examples/k8s/kind/cluster/resources/olm/kustomization.yaml b/examples/k8s/kind/cluster/resources/olm/kustomization.yaml new file mode 100644 index 0000000..e487f13 --- /dev/null +++ b/examples/k8s/kind/cluster/resources/olm/kustomization.yaml 
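Review bot: cert-manager moves from the removed `v1.13.2` line to `v1.10.0`, which is a downgrade rather than a refresh, and nothing in the hunk explains it. If an older release is required for compatibility with the OLM bundle or the `crds` resource added alongside, a comment on the line such as `# pinned: v1.10.0 required by <reason>` would stop the next maintainer from bumping it back; otherwise the newer tag should be kept. The `patches` rewrite is otherwise equivalent to the removed JSON6902 target, so no further change is needed there.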
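Review bot: The rewritten ConfigMap patch adds `strict-validate-path-type: "false"` and `annotations-risk-level: "Critical"` without a word on why either is needed; the first is required because the example `ingress.yaml` uses a regex path (`/auth(/|$)(.*)`) with `pathType: Prefix`, and the second because `configuration-snippet` annotations are classed Critical, so both deserve an inline comment, e.g. `# regex paths with pathType Prefix (ingress.yaml) fail strict validation` and `# required for the configuration-snippet annotation on the hydra ingress`. Together with the carried-over `use-forwarded-headers: "true"` and `allow-snippet-annotations: "true"`, these keys let any Ingress author inject nginx configuration and make the controller trust client-supplied `X-Forwarded-*` headers; that is acceptable for the kind development cluster this patch targets, and a top-of-file comment saying so, e.g. `# dev/kind only: relaxes controller hardening for the example ingresses`, would keep the patch from being copied into a real cluster overlay.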
@@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.31.0/olm.yaml + - https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/olm/resources/mandatory-operators/resources/redis-operator.yaml diff --git a/resources/hydra-dispatcher/files/hydra/default.yaml b/resources/hydra-dispatcher/files/hydra/default.yaml index d86c656..9b05778 100644 --- a/resources/hydra-dispatcher/files/hydra/default.yaml +++ b/resources/hydra-dispatcher/files/hydra/default.yaml @@ -15,3 +15,5 @@ hydra: firewall: additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%" rules: {} + webhook_post_login: + enabled: false diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml index c730f23..74d0ed9 100644 --- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml +++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml @@ -3,6 +3,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: hydra-dispatcher + com.cadoles.forge.sso-kustom/session: redis name: hydra-dispatcher spec: replicas: 1 
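Review bot: The redis-operator manifest is fetched from `raw/branch/develop`, a moving branch, so every build of this example resolves to whatever that branch holds at the time and the result is not reproducible from this commit; OLM itself is pinned (`v0.31.0`), so pinning the second resource to a tag or commit ref (for example the forge's `raw/commit/<commit-sha>/...` path, if it supports one) would put both on the same footing. The `ingress-nginx` `main` line in `examples/k8s/kind/cluster/kustomization.yaml` has the same property, though that line predates this commit. A comment on the URL recording the version it was last verified with, e.g. `# redis-operator manifest; last verified at <commit/tag>`, helps whoever next bumps it.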
@@ -17,101 +18,101 @@ spec: app.kubernetes.io/name: hydra-dispatcher spec: containers: - - name: hydra-dispatcher-php-fpm - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb - args: ["/usr/sbin/php-fpm81", "-F", "-e"] - readinessProbe: - exec: - command: - - sh - - -c - - test -f /etc/php81/php-fpm.d/www.conf - livenessProbe: - exec: - command: - - php - - bin/console - - -V - initialDelaySeconds: 10 - periodSeconds: 30 - env: - - name: PHP_FPM_LISTEN - value: 127.0.0.1:9000 - - name: PHP_MEMORY_LIMIT - value: 128m - - name: PHP_FPM_MEMORY_LIMIT - value: 128m - - name: OPCACHE_VALIDATE_TIMESTAMP - value: "0" - - name: OPCACHE_REVALIDATE_FREQ - value: "0" - envFrom: - - configMapRef: - name: hydra-dispatcher-env - volumeMounts: - - mountPath: /app/config/hydra - name: hydra-dispatcher-apps - - name: hydra-dispatcher-php-ini - mountPath: /etc/php81/conf.d/03_base.ini - subPath: 03_base.ini - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 - - name: hydra-dispatcher-caddy - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb - imagePullPolicy: IfNotPresent - args: - [ - "/usr/sbin/caddy", - "run", - "--adapter", - "caddyfile", - "--config", - "/etc/caddy/Caddyfile", - ] - readinessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 5 - periodSeconds: 15 - envFrom: - - configMapRef: - name: hydra-dispatcher-env - env: - - name: CADDY_APP_UPSTREAM_BACKEND_SERVER - value: 127.0.0.1:9000 - - name: CADDY_HTTPS_PORT - value: "8443" - - name: CADDY_HTTP_PORT - value: "8080" - - name: CADDY_DATA_FS - value: "/tmp/caddy" - - name: CADDY_APP_ROOT_PUBLIC - value: "/app/public/" - ports: - - containerPort: 8080 - name: http - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 
+ - name: hydra-dispatcher-php-fpm + image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb + args: ["/usr/sbin/php-fpm81", "-F", "-e"] + readinessProbe: + exec: + command: + - sh + - -c + - test -f /etc/php81/php-fpm.d/www.conf + livenessProbe: + exec: + command: + - php + - bin/console + - -V + initialDelaySeconds: 10 + periodSeconds: 30 + env: + - name: PHP_FPM_LISTEN + value: 127.0.0.1:9000 + - name: PHP_MEMORY_LIMIT + value: 128m + - name: PHP_FPM_MEMORY_LIMIT + value: 128m + - name: OPCACHE_VALIDATE_TIMESTAMP + value: "0" + - name: OPCACHE_REVALIDATE_FREQ + value: "0" + envFrom: + - configMapRef: + name: hydra-dispatcher-env + volumeMounts: + - mountPath: /app/config/hydra + name: hydra-dispatcher-apps + - name: hydra-dispatcher-php-ini + mountPath: /etc/php81/conf.d/03_base.ini + subPath: 03_base.ini + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + - name: hydra-dispatcher-caddy + image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb + imagePullPolicy: IfNotPresent + args: + [ + "/usr/sbin/caddy", + "run", + "--adapter", + "caddyfile", + "--config", + "/etc/caddy/Caddyfile", + ] + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 15 + envFrom: + - configMapRef: + name: hydra-dispatcher-env + env: + - name: CADDY_APP_UPSTREAM_BACKEND_SERVER + value: 127.0.0.1:9000 + - name: CADDY_HTTPS_PORT + value: "8443" + - name: CADDY_HTTP_PORT + value: "8080" + - name: CADDY_DATA_FS + value: "/tmp/caddy" + - name: CADDY_APP_ROOT_PUBLIC + value: "/app/public/" + ports: + - containerPort: 8080 + name: http + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 restartPolicy: Always volumes: - - name: hydra-dispatcher-apps - configMap: - name: 
hydra-dispatcher-apps - - name: hydra-dispatcher-php-ini - configMap: - name: hydra-dispatcher-php-ini + - name: hydra-dispatcher-apps + configMap: + name: hydra-dispatcher-apps + - name: hydra-dispatcher-php-ini + configMap: + name: hydra-dispatcher-php-ini diff --git a/resources/hydra/kustomization.yaml b/resources/hydra/kustomization.yaml index c4e4615..1f78190 100644 --- a/resources/hydra/kustomization.yaml +++ b/resources/hydra/kustomization.yaml 
@@ -2,42 +2,45 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization images: -- name: reg.cadoles.com/proxy_cache/oryd/hydra - newTag: v2.1.2 -- name: reg.cadoles.com/proxy_cache/oryd/hydra-maester - newTag: v0.0.32-amd64 + - name: reg.cadoles.com/proxy_cache/oryd/hydra + newTag: v2.1.2 + - name: reg.cadoles.com/proxy_cache/oryd/hydra-maester + newTag: v0.0.32-amd64 resources: -- ./resources/hydra-deployment.yaml -- ./resources/hydra-service.yaml -- ./resources/hydra-role.yaml -- ./resources/hydra-rolebinding.yaml -- ./resources/hydra-serviceaccount.yaml -- ./resources/hydra-migrate-job.yaml -- ./resources/hydra-maester -- ./resources/hydra-janitor-cronjob.yaml + - ./resources/hydra-deployment.yaml + - ./resources/hydra-service.yaml + - ./resources/hydra-role.yaml + - ./resources/hydra-rolebinding.yaml + - ./resources/hydra-serviceaccount.yaml + - ./resources/hydra-migrate-job.yaml + - ./resources/hydra-maester + - ./resources/hydra-janitor-cronjob.yaml secretGenerator: -- name: hydra-secret - literals: - - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged + - name: hydra-secret + literals: + - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged configMapGenerator: -- name: hydra-env - literals: - - URLS_SELF_ISSUER=http://localhost:4444 - - URLS_LOGIN=http://hydra-login-app/login - - URLS_CONSENT=http://hydra-consent-app/consent - - URLS_LOGOUT=http://hydra-logout-app/logout - - HYDRA_SERVE_ALL_ARGS=--dev - - HYDRA_DATABASE_MAX_CONN="10" - - LOG_LEVEL=info + - name: hydra-env + literals: + - URLS_SELF_ISSUER=http://localhost:4444 + - URLS_LOGIN=http://hydra-login-app/login + - URLS_CONSENT=http://hydra-consent-app/consent + - URLS_LOGOUT=http://hydra-logout-app/logout + - HYDRA_SERVE_ALL_ARGS=--dev + - HYDRA_DATABASE_MAX_CONN="10" + - LOG_LEVEL=info -vars: -- name: HYDRA_MIGRATE_JOB_NAME - objref: - name: hydra-migrate - kind: Job - apiVersion: batch/v1 - fieldref: - fieldpath: metadata.name +replacements: + - source: + kind: Job + name: hydra-migrate + 
fieldPath: metadata.name + targets: + - select: + kind: Deployment + name: hydra + fieldPaths: + - spec.template.spec.initContainers.0.args.1 diff --git a/resources/hydra/resources/hydra-deployment.yaml b/resources/hydra/resources/hydra-deployment.yaml index 450e10d..32ec138 100644 --- a/resources/hydra/resources/hydra-deployment.yaml +++ b/resources/hydra/resources/hydra-deployment.yaml @@ -21,8 +21,8 @@ spec: - name: wait-for-migrate image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3 args: - - job - - $(HYDRA_MIGRATE_JOB_NAME) + - job + - REPLACE_ME containers: - name: hydra image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3 @@ -57,4 +57,3 @@ spec: name: hydra-admin resources: {} restartPolicy: Always - diff --git a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml index 0b5b7bb..743e15a 100644 --- a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml +++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: hydra-maester app.kubernetes.io/instance: hydra-master - app.kubernetes.io/version: "v0.0.23" + app.kubernetes.io/version: "v0.0.25" spec: replicas: 1 revisionHistoryLimit: 10 @@ -38,15 +38,14 @@ spec: - --hydra-url=$(HYDRA_ADMIN_BASE_URL) - --hydra-port=$(HYDRA_ADMIN_PORT) - --endpoint=/admin/clients - resources: - {} + resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true
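Review bot: The `replacements` block addresses the init container argument by position (`spec.template.spec.initContainers.0.args.1`) and `hydra-deployment.yaml` (hunk `@@ -21,8 +21,8 @@`, also on this line) now carries the literal `REPLACE_ME` there; nothing ties the two together, and if the Deployment is applied without this kustomization the `wait-for-migrate` init container waits on a Job literally named `REPLACE_ME`. A comment on each side makes the coupling visible, e.g. above the block `# Inject the hydra-migrate Job name into the wait-for-migrate init container (replaces the former vars/HYDRA_MIGRATE_JOB_NAME)` and next to the placeholder `- REPLACE_ME  # set by replacements in resources/hydra/kustomization.yaml`. Reordering the init container's args or adding an init container ahead of `wait-for-migrate` would silently break the replacement, which the comment should also say.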
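Review bot: The `app.kubernetes.io/version` label is bumped to `"v0.0.25"` while `resources/hydra/kustomization.yaml` in this same commit pins the hydra-maester image to `newTag: v0.0.32-amd64`, so the label does not describe the image actually deployed. Either set the label to match the image tag or drop it and let the image transform own the version; if the two are intentionally different, a comment next to the label saying why would prevent the next reader from "fixing" it. The remainder of the hydra-maester changes on this line is whitespace only.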