fix: use hydra-ldap and olm operator to fix example

README.md

@@ -2,10 +2,6 @@
 
 Kustomization du service "SSO" (Ory Hydra)
 
-## Usage
-
-[Voir la documentation](./doc/README.md)
-
 ## Exemple
 
 Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)

components/hydra-ldap/resources/deployment.yaml

@@ -18,14 +18,12 @@ spec:
     spec:
       containers:
         - name: werther
-        image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717
+          image: reg.cadoles.com/cadoles/hydra-werther:2025.2.17-stable.1544.8ded23c
           imagePullPolicy: IfNotPresent
           envFrom:
             - configMapRef:
                 name: hydra-ldap-env
           env:
-        - name: WERTHER_WEB_DIR
-          value: "/usr/share/werther/login/"
             - name: WERTHER_LDAP_BINDDN
               valueFrom:
                 secretKeyRef:

components/hydra-saml/resources/hydra-saml-remote-user.yaml

@@ -24,6 +24,8 @@ spec:
                 name: hydra-saml-env
           ports:
             - containerPort: 8080
+          command:
+            - /bin/apache2-foreground
           resources: {}
       restartPolicy: Always
 ---

components/oidc-test/kustomization.yaml

@@ -17,4 +17,5 @@ configMapGenerator:
       - OIDC_REDIRECT_URL=https://example.net/oauth2/callback
       - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net
       - OIDC_SKIP_ISSUER_VERIFICATION="true"
+      - OIDC_SCOPES="openid profile"
       - OIDC_INSECURE_SKIP_VERIFY="true"

components/oidc-test/resources/deployment.yaml

@@ -30,10 +30,10 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: oidc-test-oauth2-client
-                key: client_id
+                  key: CLIENT_ID
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
                   name: oidc-test-oauth2-client
-                key: client_secret
+                  key: CLIENT_SECRET
       restartPolicy: Always

components/oidc-test/resources/oauth2-client.yaml

@@ -10,7 +10,7 @@ spec:
     - refresh_token
   responseTypes:
     - code
-  scope: "openid email"
+  scope: "openid email profile"
   secretName: oidc-test-oauth2-client
   redirectUris:
     - https://example.net/oauth2/callback

components/redis/README.md

@@ -3,20 +3,17 @@
 ### Description
 
 Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis.
+
 Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`.
-Les applications peuvent utiliser le mode `sentinel` de redis
-Il est donc nécessaire donc nécessaire de disposer d'un serveur Redis pour utiliser ces applications.
 
 ### Principe général de fonctionnement
 
-Un `RedisFailOver` crée un cluster redis en mode sentinel avec 3 réplicats chacun.
+Un `Redis` crée une instance Redis dédiée à l'environnement SSO.
-
 
 ### Personnalisation
 
-Via des `patches` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` il est possible de modifier la valeur du `REDIS_DSN`.
+Un `patch` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` permet de modifier la valeur de la clé `REDIS_DSN`.
-
 
 | Clé         | Description          | Exemple                  |
-|---|-----------|-------|
+| ----------- | -------------------- | ------------------------ |
-|`REDIS_DSN`| DSN du cluster Redis | `redis://rfs-sso-redis:26379?&redis_sentinel=mymaster`
+| `REDIS_DSN` | DSN du cluster Redis | `redis://redis-sso:6379` |

components/redis/kustomization.yaml

@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
 resources:
-  - ./resources/redis-failover.yaml
+  - ./resources/redis-sso.yaml
 
 patches:
   - path: ./patches/hydra-apps.yaml

components/redis/patches/hydra-apps.yaml

@@ -1,3 +1,3 @@
 - op: replace
   path: "/data/REDIS_DSN"
-  value: "redis://rfs-sso-redis:26379?&redis_sentinel=mymaster"
+  value: "redis://redis-sso:6379"

components/redis/resources/redis-failover.yaml

@@ -1,21 +0,0 @@
-apiVersion: databases.spotahome.com/v1
-kind: RedisFailover
-metadata:
-  name: sso-redis
-spec:
-  sentinel:
-    replicas: 3
-    resources:
-      requests:
-        cpu: 100m
-      limits:
-        memory: 100Mi
-  redis:
-    replicas: 3
-    resources:
-      requests:
-        cpu: 100m
-        memory: 100Mi
-      limits:
-        cpu: 400m
-        memory: 500Mi

components/redis/resources/redis-sso.yaml

@@ -0,0 +1,19 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta1
+kind: Redis
+metadata:
+  name: redis-sso
+spec:
+  kubernetesConfig:
+    image: reg.cadoles.com/quay/opstree/redis:v7.0.15
+    imagePullPolicy: IfNotPresent
+  storage:
+    volumeClaimTemplate:
+      spec:
+        # storageClassName: standard
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  securityContext:
+    runAsUser: 1000
+    fsGroup: 1000

examples/authenticated-app/README.md

@@ -1,6 +1,6 @@
 # Exemple: Déploiement d'une application authentifiée avec la stack SSO
 
-L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
+L'exemple est actuellement déployé avec le composant `hydra-ldap` uniquement.
 
 ## Procédure
 
@@ -18,27 +18,30 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
    kubectl apply  -k ./examples/k8s/kind/cluster --server-side
    ```
 
-3. Déployer l'application
+   > Si une erreur du type `ensure CRDs are installed first` s'affiche, relancer la commande.
+
+3. Attendre que l'opérateur Redis soit opérationnel puis patcher le `ClusterRole` de celui ci (cf. https://github.com/OT-CONTAINER-KIT/redis-operator/issues/526):
+
+   ```bash
+   kubectl wait -n operators --timeout 10m --for=jsonpath=".status.state"=AtLatestKnown subscription my-redis-operator
+   # On attend quelques secondes supplémentaires pour s'assurer que l'opérateur a réellement démarré
+   sleep 30
+   kubectl patch clusterroles.rbac.authorization.k8s.io $(kubectl get clusterrole | awk '/redis-operator/ {print $1}') --patch-file examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml
+   ```
+
+4. Déployer l'application
 
    ```
    kubectl apply -k ./examples/authenticated-app
    ```
 
-   **Note** Il est possible d'avoir l'erreur suivante:
+5. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
-
-   ```
-   error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1"
-   ```
-
-   Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande.
-
-4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
 
    ```
    127.0.0.1 ssokustom
    ```
 
-5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
+6. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
 
 #### Supprimer le cluster
 
@@ -48,14 +51,15 @@ kind delete cluster -n sso-kustom-example
 
 ## Authentification
 
-### SAML
+### LDAP
 
-- Utilisateur: `user1`
+#### Comptes par défaut
-- Mot de passe `user1pass`
 
-#### URL utiles
+1. `jdoe` / `jdoe`
+2. `jdoe2` / `jdoe`
+3. `siret1` / `siret`
+4. `siret2` / `siret`
 
-|URL|Description|
+#### Gestion des comptes
-|---|-----------|
+
-|https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth|
+Les comptes LDAP sont définis dans le fichier [`./files/glauth.conf`](./files/glauth.conf)
-|https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth|

examples/authenticated-app/files/glauth.conf

@@ -0,0 +1,83 @@
+debug = true
+
+[ldap]
+  enabled = true
+  listen = "0.0.0.0:3893"
+  tls = false
+
+[ldaps]
+  enabled = false
+
+[behaviors]
+  IgnoreCapabilities = true
+
+[backend]
+  datastore = "config"
+  baseDN = "dc=glauth,dc=com"
+
+[[users]]
+  uid = "serviceuser"
+  name = "serviceuser"
+  mail = "serviceuser@example.com"
+  uidnumber = 5001
+  primarygroup = 5502
+  # use echo -n "mysecret" | openssl dgst -sha256
+  passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret
+    [[users.capabilities]]
+    action = "search"
+    object = "*"
+
+[[users]]
+  uid = "jdoe"
+  name = "jdoe"
+  uidnumber = 5002
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe"
+  mail = "jdoe@example.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+    [[users.customattributes]]
+    employeetype = ["Intern", "Temp"]
+    employeenumber = [12345, 54321]
+
+[[users]]
+  uid = "jdoe2"
+  name = "jdoe2"
+  uidnumber = 5003
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe2"
+  mail = "jdoe2@jdoe2.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+
+[[users]]
+  uid = "siret1"
+  name = "siret1"
+  uidnumber = 5004
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret1@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0001"]
+
+[[users]]
+  uid = "siret2"
+  name = "siret2"
+  uidnumber = 5005
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret2@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0002"]
+
+[[groups]]
+  name = "users"
+  gidnumber = 5501
+
+[[groups]]
+  name = "svcaccts"
+  gidnumber = 5502

examples/authenticated-app/files/hydra-dispatcher-apps.yaml

@@ -0,0 +1,42 @@
+hydra:
+  apps:
+    - id: ldap
+      title:
+        fr: Connexion LDAP
+        en: Login LDAP
+      description:
+        fr: Authentification avec LDAP
+        en: Authentication with LDAP
+      login_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGIN_URL)%"
+      consent_url: "%env(string:HYDRA_DISPATCHER_LDAP_CONSENT_URL)%"
+      logout_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGOUT_URL)%"
+      attributes_rewrite_configuration:
+        siret:
+          rules:
+            - "property_exists(consent.session.id_token, 'siret') ?  consent.session.id_token.siret : null"
+            - "value ?: ( consent.session.id_token.email matches '/.*@example.com$/' ? '0000' : null )"
+            - "value ?: ( consent.session.id_token.email matches '/.*@jdoe.com$/' ? '0001' : null )"
+        family_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
+        given_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
+        email:
+          rules:
+            - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+  firewall:
+    additional_properties: true
+    rules:
+      siret:
+        required: false
+      email:
+        required: false
+      given_name:
+        required: false
+      family_name:
+        required: false
+  webhook:
+    enabled: false
+  webhook_post_login:
+    enabled: false

examples/authenticated-app/kustomization.yaml

@@ -2,12 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../overlays/full
+  - ../../overlays/base
+
   - ./resources/ingress.yaml
-  - ./resources/saml-idp.yaml
+  - ./resources/glauth-ldap.yaml
   - ./resources/self-signed-issuer.yaml
   - ./resources/port-forwarder.yaml
 
+components:
+  - ../../components/hydra-cnpg-database
+  - ../../components/hydra-ldap
+  - ../../components/oidc-test
+  - ../../components/redis
+
 patchesJson6902:
   - target:
       version: v1
@@ -22,8 +29,13 @@ patchesJson6902:
   - target:
       version: v1
       kind: ConfigMap
-      name: hydra-saml-env
+      name: hydra-ldap-env
-    path: patches/hydra-saml-env.yaml
+    path: patches/hydra-ldap-env.yaml
+  - target:
+      version: v1
+      kind: Secret
+      name: hydra-ldap-sc
+    path: patches/hydra-ldap-sc.yaml
   - target:
       version: v1
       kind: Secret
@@ -32,10 +44,19 @@ patchesJson6902:
   - target:
       version: v1
       kind: ConfigMap
-      name: oidc-test
+      name: oidc-test-env
     path: patches/oidc-test.yaml
   - target:
       version: v1alpha1
       kind: OAuth2Client
       name: oidc-test-oauth2-client
     path: patches/oidc-test-oauth2-client.yaml
+
+configMapGenerator:
+  - name: hydra-dispatcher-apps
+    behavior: replace
+    files:
+      - ./files/hydra-dispatcher-apps.yaml
+  - name: glauth-ldap-conf
+    files:
+      - ./files/glauth.conf

examples/authenticated-app/patches/hydra-dispatcher-env.yaml

@@ -1,3 +1,9 @@
+- op: replace
+  path: "/data/APP_ENV"
+  value: dev
+- op: replace
+  path: "/data/APP_DEBUG"
+  value: "true"
 - op: replace
   path: "/data/HYDRA_BASE_URL"
   value: http://hydra:4444
@@ -17,14 +23,13 @@
   path: "/data/COOKIE_PATH"
   value: /auth/dispatcher
 
-# Hydra SAML configuration
+# Hydra LDAP configuration
 - op: replace
-  path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL"
+  path: "/data/HYDRA_DISPATCHER_LDAP_LOGIN_URL"
-  value: https://ssokustom/auth/saml/login
+  value: https://ssokustom/auth/ldap/auth/login
 - op: replace
-  path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL"
+  path: "/data/HYDRA_DISPATCHER_LDAP_CONSENT_URL"
-  value: https://ssokustom/auth/saml/consent
+  value: https://ssokustom/auth/ldap/auth/consent
 - op: replace
-  path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL"
+  path: "/data/HYDRA_DISPATCHER_LDAP_LOGOUT_URL"
-  value: https://ssokustom/auth/saml/logout
+  value: https://ssokustom/auth/ldap/auth/logout
-  

examples/authenticated-app/patches/hydra-env.yaml

@@ -13,3 +13,12 @@
 - op: replace
   path: "/data/HYDRA_SERVE_ALL_ARGS"
   value: "--dev"
+- op: replace
+  path: "/data/SERVE_COOKIES_SAME_SITE_MODE"
+  value: "Lax"
+- op: replace
+  path: "/data/SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND"
+  value: "true"
+- op: replace
+  path: "/data/SERVE_COOKIES_DOMAIN"
+  value: "ssokustom"

examples/authenticated-app/patches/hydra-ldap-env.yaml

@@ -0,0 +1,55 @@
+- op: replace
+  path: "/data/WERTHER_DEV_MODE"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_WEB_BASE_PATH"
+  value: "/auth/ldap/"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_HYDRA_URL"
+  value: "http://hydra-dispatcher"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ENDPOINTS"
+  value: "glauth-ldap:389"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BASEDN"
+  value: "dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ROLE_BASEDN"
+  value: "ou=groups,dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_CLAIM_SCOPES"
+  value: "uid:profile,name:profile,family_name:profile,given_name:profile,email:profile,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_INSECURE_SKIP_VERIFY"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_IS_TLS"
+  value: "false"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ATTR_CLAIMS"
+  value: "name:name,sn:family_name,givenName:given_name,mail:email,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_CONNECTION_TIMEOUT"
+  value: "30s"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_USER_SEARCH_QUERY"
+  value: "(&(objectClass=*)(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_ACR"
+  value: "eidas1"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_AMR"
+  value: "pwd"

examples/authenticated-app/patches/hydra-ldap-sc.yaml

@@ -0,0 +1,7 @@
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDDN"
+  value: "Y249c2VydmljZXVzZXIsb3U9c3ZjYWNjdHMsb3U9dXNlcnMsZGM9Z2xhdXRoLGRjPWNvbQ==" # cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDPW"
+  value: "bXlzZWNyZXQ=" # mysecret

examples/authenticated-app/patches/hydra-saml-env.yaml

@@ -1,43 +0,0 @@
-- op: replace
-  path: "/data/HTTP_BASE_URL"
-  value: https://ssokustom/auth/saml
-- op: replace
-  path: "/data/COOKIE_PATH"
-  value: /auth/saml
-- op: replace
-  path: "/data/HYDRA_ADMIN_BASE_URL"
-  value: http://hydra-dispatcher
-- op: replace
-  path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
-  value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s
-- op: replace
-  path: "/data/PATH_PREFIX"
-  value: "/auth/saml"
-
-- op: replace
-  path: "/data/SP_ENTITY_ID"
-  value: https://ssokustom/auth/saml
-- op: replace
-  path: "/data/IDP_ENTITY_ID"
-  value: https://ssokustom/simplesaml/saml2/idp/metadata.php
-- op: replace
-  path: "/data/IDP_METADATA_URL"
-  value: https://ssokustom/simplesaml/saml2/idp/metadata.php
-- op: replace
-  path: "/data/APACHE_FORCE_HTTPS"
-  value: "true"
-- op: replace
-  path: "/data/SP_HANDLER_BASE_PATH"
-  value: "/auth/saml"
-- op: replace
-  path: "/data/SP_LOG_LEVEL"
-  value: DEBUG
-- op: replace
-  path: "/data/SP_SESSIONS_REDIRECT_LIMIT"
-  value: none
-- op: replace
-  path: "/data/SP_SESSIONS_REDIRECT_ALLOW"
-  value: https://ssokustom
-- op: replace
-  path: "/data/SP_SESSIONS_COOKIE_PROPS"
-  value: https

examples/authenticated-app/patches/oidc-test-oauth2-client.yaml

@@ -4,3 +4,6 @@
 - op: replace
   path: "/spec/postLogoutRedirectUris/0"
   value: https://ssokustom
+- op: replace
+  path: "/spec/scope"
+  value: "openid profile roles siret"

examples/authenticated-app/patches/oidc-test.yaml

@@ -4,3 +4,6 @@
 - op: replace
   path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL"
   value: https://ssokustom
+- op: replace
+  path: "/data/OIDC_SCOPES"
+  value: "openid profile roles siret"

examples/authenticated-app/resources/glauth-ldap.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: glauth-ldap
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: glauth-ldap
+    spec:
+      containers:
+        - image: glauth/glauth:v2.3.2
+          name: glauth-ldap
+          ports:
+            - containerPort: 3893
+              name: ldap
+            - containerPort: 3894
+              name: ldaps
+          resources: {}
+          volumeMounts:
+            - name: glauth-ldap-conf
+              mountPath: /app/config/config.cfg
+              subPath: glauth.conf
+      restartPolicy: Always
+      volumes:
+        - name: glauth-ldap-conf
+          configMap:
+            name: glauth-ldap-conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  ports:
+    - name: ldap
+      port: 389
+      targetPort: ldap
+    - name: ldaps
+      port: 636
+      targetPort: ldaps
+  selector:
+    app.kubernetes.io/name: glauth-ldap
+status:
+  loadBalancer: {}

examples/authenticated-app/resources/ingress.yaml

@@ -27,10 +27,14 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: auth-saml
+  name: auth-ldap
   annotations:
     cert-manager.io/issuer: "self-signed"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/ldap
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Forwarded-Proto https;
 spec:
   ingressClassName: nginx
   tls:
@@ -40,13 +44,13 @@ spec:
   rules:
     - http:
         paths:
-      - path: /auth/saml(/|$)(.*)
+          - path: /auth/ldap(/|$)(.*)
             pathType: Prefix
             backend:
               service:
-            name: hydra-saml
+                name: hydra-ldap
                 port:
-              name: http
+                  name: hydra-ldap
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -57,6 +61,8 @@ metadata:
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     nginx.ingress.kubernetes.io/rewrite-target: /$2
     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Forwarded-Proto https;
 spec:
   ingressClassName: nginx
   tls:
@@ -82,6 +88,9 @@ metadata:
     cert-manager.io/issuer: "self-signed"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Forwarded-Proto https;
 spec:
   ingressClassName: nginx
   tls:
@@ -98,34 +107,3 @@ spec:
                 name: hydra
                 port:
                   name: hydra-public
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: saml-idp
-  annotations:
-    cert-manager.io/issuer: "self-signed"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2
-    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
-  rules:
-  - http:
-      paths:     
-      - path: /simplesaml(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: saml-idp
-            port:
-              name: https
-
-     
-
-      
-          

examples/authenticated-app/resources/saml-idp.yaml

@@ -1,51 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/name: saml-idp
-  name: saml-idp
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: saml-idp
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: saml-idp
-    spec:
-      containers:
-        - image: kristophjunge/test-saml-idp:1.15
-          name: saml-idp
-          ports:
-            - containerPort: 8443
-          resources: {}
-          env:
-            - name: SIMPLESAMLPHP_SP_ENTITY_ID
-              value: https://ssokustom/auth/saml
-            - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE
-              value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST
-            - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE
-              value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom
-      restartPolicy: Always
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: saml-idp
-  name: saml-idp
-spec:
-  ports:
-    - name: http
-      port: 8080
-      targetPort: 8080
-    - name: https
-      port: 8443
-      targetPort: 8443
-  selector:
-    app.kubernetes.io/name: saml-idp
-status:
-  loadBalancer: {}

examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml

@@ -0,0 +1,92 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+rules:
+  - apiGroups:
+      - redis.redis.opstreelabs.in
+    resources:
+      - rediss
+      - redisclusters
+      - redis
+      - rediscluster
+      - redisreplication
+      - redisreplications
+      - redissentinel
+      - redissentinels
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - redis.redis.opstreelabs.in
+    resources:
+      - redis/finalizers
+      - rediscluster/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - redis.redis.opstreelabs.in
+    resources:
+      - redis/status
+      - rediscluster/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - pods/exec
+      - services
+      - configmaps
+      - pods
+      - persistentvolumes
+      - persistentvolumeclaims
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch

examples/k8s/kind/cluster/kustomization.yaml

@@ -1,15 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml
+  - https://forge.cadoles.com/CadolesKube/c-kustom//crds?ref=develop
+  - https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
+  - ./resources/olm
   - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
-- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop
   - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
 
-patchesJson6902:
+patches:
-  - target:
+  - path: patches/nginx-controller.yaml
-      version: v1
+    target:
       kind: ConfigMap
       name: ingress-nginx-controller
       namespace: ingress-nginx
-    path: patches/nginx-controller.yaml

examples/k8s/kind/cluster/patches/nginx-controller.yaml

@@ -1,6 +1,9 @@
-- op: replace
+kind: ConfigMap
-  path: "/data/allow-snippet-annotations"
+apiVersion: v1
-  value: "true"
+metadata:
-- op: replace
+  name: ingress-nginx-controller
-  path: "/data/use-forwarded-headers"
+data:
-  value: "true"
+  allow-snippet-annotations: "true"
+  use-forwarded-headers: "true"
+  strict-validate-path-type: "false"
+  annotations-risk-level: "Critical"

examples/k8s/kind/cluster/resources/olm/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.31.0/olm.yaml
+  - https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/olm/resources/mandatory-operators/resources/redis-operator.yaml

resources/hydra-dispatcher/files/hydra/default.yaml

@@ -15,3 +15,5 @@ hydra:
   firewall:
     additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%"
     rules: {}
+  webhook_post_login:
+    enabled: false

resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml

@@ -3,6 +3,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: hydra-dispatcher
+    com.cadoles.forge.sso-kustom/session: redis
   name: hydra-dispatcher
 spec:
   replicas: 1

resources/hydra/kustomization.yaml

@@ -33,11 +33,14 @@ configMapGenerator:
       - HYDRA_DATABASE_MAX_CONN="10"
       - LOG_LEVEL=info
 
-vars:
+replacements:
-- name: HYDRA_MIGRATE_JOB_NAME
+  - source:
-  objref:
-    name: hydra-migrate
       kind: Job
-    apiVersion: batch/v1
+      name: hydra-migrate
-  fieldref:
+      fieldPath: metadata.name
-    fieldpath: metadata.name
+    targets:
+      - select:
+          kind: Deployment
+          name: hydra
+        fieldPaths:
+          - spec.template.spec.initContainers.0.args.1

resources/hydra/resources/hydra-deployment.yaml

@@ -22,7 +22,7 @@ spec:
           image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
           args:
             - job
-          - $(HYDRA_MIGRATE_JOB_NAME)
+            - REPLACE_ME
       containers:
         - name: hydra
           image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
@@ -57,4 +57,3 @@ spec:
               name: hydra-admin
           resources: {}
       restartPolicy: Always
-  

resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     app.kubernetes.io/name: hydra-maester
     app.kubernetes.io/instance: hydra-master
-    app.kubernetes.io/version: "v0.0.23"
+    app.kubernetes.io/version: "v0.0.25"
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -38,8 +38,7 @@ spec:
             - --hydra-url=$(HYDRA_ADMIN_BASE_URL)
             - --hydra-port=$(HYDRA_ADMIN_PORT)
             - --endpoint=/admin/clients
-          resources:
+          resources: {}
-            {}
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           securityContext: