fix: use hydra-ldap and olm operator to fix example

2025-02-13 17:02:48 +01:00
parent c97266c272
commit c01eb28d8c
34 changed files with 729 additions and 461 deletions
--- a/components/hydra-ldap/resources/deployment.yaml
+++ b/components/hydra-ldap/resources/deployment.yaml
@ -17,34 +17,32 @@ spec:
        app.kubernetes.io/version: "v1.2.2"
    spec:
      containers:
-      - name: werther
-        image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717
-        imagePullPolicy: IfNotPresent
-        envFrom:
-        - configMapRef:
-            name: hydra-ldap-env
-        env:
-        - name: WERTHER_WEB_DIR
-          value: "/usr/share/werther/login/"
-        - name: WERTHER_LDAP_BINDDN
-          valueFrom:
-            secretKeyRef:
-              name: hydra-ldap-sc
-              key: WERTHER_LDAP_BINDDN
-        - name: WERTHER_LDAP_BINDPW
-          valueFrom:
-            secretKeyRef:
-              name: hydra-ldap-sc
-              key: WERTHER_LDAP_BINDPW
-        ports:
-        - containerPort: 8080
-          name: hydra-ldap-http
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          privileged: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 100
+        - name: werther
+          image: reg.cadoles.com/cadoles/hydra-werther:2025.2.17-stable.1544.8ded23c
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: hydra-ldap-env
+          env:
+            - name: WERTHER_LDAP_BINDDN
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-ldap-sc
+                  key: WERTHER_LDAP_BINDDN
+            - name: WERTHER_LDAP_BINDPW
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-ldap-sc
+                  key: WERTHER_LDAP_BINDPW
+          ports:
+            - containerPort: 8080
+              name: hydra-ldap-http
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 100
--- a/components/hydra-saml/resources/hydra-saml-remote-user.yaml
+++ b/components/hydra-saml/resources/hydra-saml-remote-user.yaml
@ -24,6 +24,8 @@ spec:
                name: hydra-saml-env
          ports:
            - containerPort: 8080
+          command:
+            - /bin/apache2-foreground
          resources: {}
      restartPolicy: Always
 ---
--- a/components/oidc-test/kustomization.yaml
+++ b/components/oidc-test/kustomization.yaml
@ -17,4 +17,5 @@ configMapGenerator:
      - OIDC_REDIRECT_URL=https://example.net/oauth2/callback
      - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net
      - OIDC_SKIP_ISSUER_VERIFICATION="true"
-      - OIDC_INSECURE_SKIP_VERIFY="true"
+      - OIDC_SCOPES="openid profile"
+      - OIDC_INSECURE_SKIP_VERIFY="true"
--- a/components/oidc-test/resources/deployment.yaml
+++ b/components/oidc-test/resources/deployment.yaml
@ -23,17 +23,17 @@ spec:
            - containerPort: 8080
          resources: {}
          envFrom:
-          - configMapRef:
-              name: oidc-test-env
+            - configMapRef:
+                name: oidc-test-env
          env:
-          - name: OIDC_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: oidc-test-oauth2-client
-                key: client_id
-          - name: OIDC_CLIENT_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: oidc-test-oauth2-client
-                key: client_secret
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-test-oauth2-client
+                  key: CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-test-oauth2-client
+                  key: CLIENT_SECRET
      restartPolicy: Always
--- a/components/oidc-test/resources/oauth2-client.yaml
+++ b/components/oidc-test/resources/oauth2-client.yaml
@ -6,13 +6,13 @@ spec:
  clientName: "oidc-test"
  tokenEndpointAuthMethod: "client_secret_basic"
  grantTypes:
-  - authorization_code
-  - refresh_token
+    - authorization_code
+    - refresh_token
  responseTypes:
-  - code
-  scope: "openid email"
+    - code
+  scope: "openid email profile"
  secretName: oidc-test-oauth2-client
  redirectUris:
-  - https://example.net/oauth2/callback
+    - https://example.net/oauth2/callback
  postLogoutRedirectUris:
-  - https://example.net
+    - https://example.net
--- a/components/redis/README.md
+++ b/components/redis/README.md
@ -3,20 +3,17 @@
 ### Description

 Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis.
+
 Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`.
-Les applications peuvent utiliser le mode `sentinel` de redis
-Il est donc nécessaire donc nécessaire de disposer d'un serveur Redis pour utiliser ces applications.

 ### Principe général de fonctionnement

-Un `RedisFailOver` crée un cluster redis en mode sentinel avec 3 réplicats chacun.
-
+Un `Redis` crée une instance Redis dédiée à l'environnement SSO.

 ### Personnalisation

-Via des `patches` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` il est possible de modifier la valeur du `REDIS_DSN`.
+Un `patch` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` permet de modifier la valeur de la clé `REDIS_DSN`.

-
-|Clé|Description|Exemple|
-|---|-----------|-------|
-|`REDIS_DSN`| DSN du cluster Redis | `redis://rfs-sso-redis:26379?&redis_sentinel=mymaster`
+| Clé         | Description          | Exemple                  |
+| ----------- | -------------------- | ------------------------ |
+| `REDIS_DSN` | DSN du cluster Redis | `redis://redis-sso:6379` |
--- a/components/redis/kustomization.yaml
+++ b/components/redis/kustomization.yaml
@ -2,10 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component

 resources:
-  - ./resources/redis-failover.yaml
+  - ./resources/redis-sso.yaml

 patches:
- path: ./patches/hydra-apps.yaml
-  target:
-    kind: ConfigMap
-    labelSelector: "com.cadoles.forge.sso-kustom/session=redis"
+  - path: ./patches/hydra-apps.yaml
+    target:
+      kind: ConfigMap
+      labelSelector: "com.cadoles.forge.sso-kustom/session=redis"
--- a/components/redis/patches/hydra-apps.yaml
+++ b/components/redis/patches/hydra-apps.yaml
@ -1,3 +1,3 @@
 - op: replace
  path: "/data/REDIS_DSN"
-  value: "redis://rfs-sso-redis:26379?&redis_sentinel=mymaster"
+  value: "redis://redis-sso:6379"
--- a/components/redis/resources/redis-failover.yaml
+++ b/components/redis/resources/redis-failover.yaml
@ -1,21 +0,0 @@
-apiVersion: databases.spotahome.com/v1
-kind: RedisFailover
-metadata:
-  name: sso-redis
-spec:
-  sentinel:
-    replicas: 3
-    resources:
-      requests:
-        cpu: 100m
-      limits:
-        memory: 100Mi
-  redis:
-    replicas: 3
-    resources:
-      requests:
-        cpu: 100m
-        memory: 100Mi
-      limits:
-        cpu: 400m
-        memory: 500Mi
--- a/components/redis/resources/redis-sso.yaml
+++ b/components/redis/resources/redis-sso.yaml
@ -0,0 +1,19 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta1
+kind: Redis
+metadata:
+  name: redis-sso
+spec:
+  kubernetesConfig:
+    image: reg.cadoles.com/quay/opstree/redis:v7.0.15
+    imagePullPolicy: IfNotPresent
+  storage:
+    volumeClaimTemplate:
+      spec:
+        # storageClassName: standard
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  securityContext:
+    runAsUser: 1000
+    fsGroup: 1000