From f606af27288e66d1f29f604d8685073ae0219ac8 Mon Sep 17 00:00:00 2001 From: William Petit Date: Thu, 13 Feb 2025 17:02:48 +0100 Subject: [PATCH] fix: use hydra-ldap to fix isolated example --- .../hydra-ldap/resources/deployment.yaml | 60 +++--- components/hydra-ldap/resources/service.yaml | 6 +- .../resources/hydra-saml-remote-user.yaml | 2 + .../oidc-test/resources/deployment.yaml | 24 +-- examples/authenticated-app/files/glauth.conf | 46 +++++ .../files/hydra-dispatcher-apps.yaml | 29 +++ examples/authenticated-app/kustomization.yaml | 31 ++- .../patches/hydra-dispatcher-env.yaml | 21 +- .../patches/hydra-ldap-env.yaml | 27 +++ .../patches/hydra-ldap-sc.yaml | 7 + .../patches/hydra-saml-env.yaml | 43 ---- .../resources/glauth-ldap.yaml | 50 +++++ .../authenticated-app/resources/ingress.yaml | 131 +++++------- .../authenticated-app/resources/saml-idp.yaml | 51 ----- examples/k8s/kind/cluster/kustomization.yaml | 21 +- .../cluster/patches/nginx-controller.yaml | 14 +- .../hydra-dispatcher/files/hydra/default.yaml | 2 + .../hydra-dispatcher-deployment.yaml | 193 +++++++++--------- .../resources/hydra-maester-deployment.yaml | 7 +- 19 files changed, 418 insertions(+), 347 deletions(-) create mode 100644 examples/authenticated-app/files/glauth.conf create mode 100644 examples/authenticated-app/files/hydra-dispatcher-apps.yaml create mode 100644 examples/authenticated-app/patches/hydra-ldap-env.yaml create mode 100644 examples/authenticated-app/patches/hydra-ldap-sc.yaml delete mode 100644 examples/authenticated-app/patches/hydra-saml-env.yaml create mode 100644 examples/authenticated-app/resources/glauth-ldap.yaml delete mode 100644 examples/authenticated-app/resources/saml-idp.yaml diff --git a/components/hydra-ldap/resources/deployment.yaml b/components/hydra-ldap/resources/deployment.yaml index 0a8bb20..98af053 100644 --- a/components/hydra-ldap/resources/deployment.yaml +++ b/components/hydra-ldap/resources/deployment.yaml 
@@ -17,34 +17,32 @@ spec: app.kubernetes.io/version: "v1.2.2" spec: containers: - - name: werther - image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: hydra-ldap-env - env: - - name: WERTHER_WEB_DIR - value: "/usr/share/werther/login/" - - name: WERTHER_LDAP_BINDDN - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDDN - - name: WERTHER_LDAP_BINDPW - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDPW - ports: - - containerPort: 8080 - name: hydra-ldap-http - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 100 + - name: werther + image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: hydra-ldap-env + env: + - name: WERTHER_LDAP_BINDDN + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDDN + - name: WERTHER_LDAP_BINDPW + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDPW + ports: + - containerPort: 8080 + name: http + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 diff --git a/components/hydra-ldap/resources/service.yaml b/components/hydra-ldap/resources/service.yaml index 29db7ec..98764fa 100644 --- a/components/hydra-ldap/resources/service.yaml +++ b/components/hydra-ldap/resources/service.yaml @@ -7,9 +7,9 @@ metadata: spec: type: ClusterIP ports: - - name: hydra-ldap - port: 8080 - targetPort: hydra-ldap-http + - name: http + port: 80 + targetPort: http protocol: TCP selector: app.kubernetes.io/name: hydra-ldap 
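Review bot: The `WERTHER_WEB_DIR` entry (`/usr/share/werther/login/`) disappears from the werther container's `env` in this hunk, and neither the commit message nor the hunk explains why. If the image's built-in default already points at that directory the deletion is harmless, but if not the login UI will fail to serve its templates; either restore the entry or record the reason in the commit message. The rest of the hunk is re-indentation plus the `hydra-ldap-http` → `http` port rename, which the service hunk that follows mirrors.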
diff --git a/components/hydra-saml/resources/hydra-saml-remote-user.yaml b/components/hydra-saml/resources/hydra-saml-remote-user.yaml index 580dc75..4d01f14 100644 --- a/components/hydra-saml/resources/hydra-saml-remote-user.yaml +++ b/components/hydra-saml/resources/hydra-saml-remote-user.yaml @@ -24,6 +24,8 @@ spec: name: hydra-saml-env ports: - containerPort: 8080 + command: + - /bin/apache2-foreground resources: {} restartPolicy: Always --- diff --git a/components/oidc-test/resources/deployment.yaml b/components/oidc-test/resources/deployment.yaml index a237882..24f55db 100644 --- a/components/oidc-test/resources/deployment.yaml +++ b/components/oidc-test/resources/deployment.yaml @@ -23,17 +23,17 @@ spec: - containerPort: 8080 resources: {} envFrom: - - configMapRef: - name: oidc-test-env + - configMapRef: + name: oidc-test-env env: - - name: OIDC_CLIENT_ID - valueFrom: - secretKeyRef: - name: oidc-test-oauth2-client - key: client_id - - name: OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oidc-test-oauth2-client - key: client_secret + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: oidc-test-oauth2-client + key: CLIENT_ID + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oidc-test-oauth2-client + key: CLIENT_SECRET restartPolicy: Always diff --git a/examples/authenticated-app/files/glauth.conf b/examples/authenticated-app/files/glauth.conf new file mode 100644 index 0000000..adce085 --- /dev/null +++ b/examples/authenticated-app/files/glauth.conf 
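Review bot: The `secretKeyRef` keys for `OIDC_CLIENT_ID`/`OIDC_CLIENT_SECRET` in the oidc-test deployment change from `client_id`/`client_secret` to `CLIENT_ID`/`CLIENT_SECRET`, which only works if the `oidc-test-oauth2-client` Secret actually exposes upper-case keys. If that Secret is the one hydra-maester generates for the `OAuth2Client` resource, confirm its key names against the v0.0.25 controller bumped later in this commit; a mismatch surfaces only at pod start as a `CreateContainerConfigError`. A one-line comment above the `env:` block naming where that Secret comes from would save the next reader the same check.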
@@ -0,0 +1,46 @@ +debug = true + +[ldap] + enabled = true + listen = "0.0.0.0:3893" + tls = false + +[ldaps] + enabled = false + +[behaviors] + IgnoreCapabilities = true + +[backend] + datastore = "config" + baseDN = "dc=glauth,dc=com" + +[[users]] + name = "serviceuser" + mail = "serviceuser@example.com" + uidnumber = 5003 + primarygroup = 5502 + passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret + [[users.capabilities]] + action = "search" + object = "*" + +[[users]] + name = "jdoe" + uidnumber = 5001 + primarygroup = 5501 + givenname = "John" + sn = "Doe" + mail = "jdoe@example.com" + passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe + [[users.customattributes]] + employeetype = ["Intern", "Temp"] + employeenumber = [12345, 54321] + +[[groups]] + name = "users" + gidnumber = 5501 + +[[groups]] + name = "svcaccts" + gidnumber = 5502 \ No newline at end of file diff --git a/examples/authenticated-app/files/hydra-dispatcher-apps.yaml b/examples/authenticated-app/files/hydra-dispatcher-apps.yaml new file mode 100644 index 0000000..a1acce5 --- /dev/null +++ b/examples/authenticated-app/files/hydra-dispatcher-apps.yaml @@ -0,0 +1,29 @@ +hydra: + apps: + - id: ldap + title: + fr: Connexion LDAP + en: Login LDAP + description: + fr: Authentification avec LDAP + en: Authentication with LDAP + login_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGIN_URL)%" + consent_url: "%env(string:HYDRA_DISPATCHER_LDAP_CONSENT_URL)%" + logout_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGOUT_URL)%" + attributes_rewrite_configuration: + uid: + rules: + - "property_exists(consent.session.id_token, 'uid') ? consent.session.id_token.uid : null" + email: + rules: + - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null" + firewall: + rules: + email: + required: false + uid: + required: false + webhook: + enabled: false + webhook_post_login: + enabled: false 
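Review bot: `IgnoreCapabilities = true` under `[behaviors]` lets every bound account search the directory, which makes the explicit `[[users.capabilities]]` search grant on `serviceuser` redundant; for a fixture this is tolerable, but dropping the behavior flag and keeping the capability keeps the example honest about least privilege. The file also runs with `debug = true`, plaintext LDAP (`tls = false`) and trailing comments that spell out each `passsha256` in clear, so a header such as `# Throwaway test directory for the isolated example: static users, plaintext LDAP, debug logging; not for production use` should be its first line. The file is also missing its trailing newline.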
diff --git a/examples/authenticated-app/kustomization.yaml b/examples/authenticated-app/kustomization.yaml index af62fc2..5dbb697 100644 --- a/examples/authenticated-app/kustomization.yaml +++ b/examples/authenticated-app/kustomization.yaml @@ -2,12 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ../../overlays/full + - ../../overlays/base + - ./resources/ingress.yaml - - ./resources/saml-idp.yaml + - ./resources/glauth-ldap.yaml - ./resources/self-signed-issuer.yaml - ./resources/port-forwarder.yaml +components: + - ../../components/hydra-cnpg-database + - ../../components/hydra-ldap + - ../../components/oidc-test + - ../../components/redis + patchesJson6902: - target: version: v1 @@ -22,8 +29,13 @@ patchesJson6902: - target: version: v1 kind: ConfigMap - name: hydra-saml-env - path: patches/hydra-saml-env.yaml + name: hydra-ldap-env + path: patches/hydra-ldap-env.yaml + - target: + version: v1 + kind: Secret + name: hydra-ldap-sc + path: patches/hydra-ldap-sc.yaml - target: version: v1 kind: Secret @@ -38,4 +50,13 @@ patchesJson6902: version: v1alpha1 kind: OAuth2Client name: oidc-test-oauth2-client - path: patches/oidc-test-oauth2-client.yaml \ No newline at end of file + path: patches/oidc-test-oauth2-client.yaml + +configMapGenerator: + - name: hydra-dispatcher-apps + behavior: replace + files: + - ./files/hydra-dispatcher-apps.yaml + - name: glauth-ldap-conf + files: + - ./files/glauth.conf diff --git a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml index 464288a..463cedf 100644 --- a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml +++ b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml @@ -1,3 +1,9 @@ +- op: replace + path: "/data/APP_ENV" + value: dev +- op: replace + path: "/data/APP_DEBUG" + value: "true" - op: replace path: "/data/HYDRA_BASE_URL" value: http://hydra:4444 
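Review bot: The new `APP_ENV: dev` / `APP_DEBUG: "true"` ops at the top of the hydra-dispatcher-env patch switch the dispatcher into framework debug mode, which on a Symfony-style app (the `%env(...)%` config syntax and the `bin/console` probe suggest one) means verbose stack traces and the profiler reachable through the public `/auth/dispatcher` ingress. That is acceptable for the isolated example but should be labelled so it is not copied into real overlays: a comment above the first op such as `# Example only: dev mode exposes stack traces and the profiler; keep APP_ENV=prod and APP_DEBUG="false" outside local testing`. The same applies to `WERTHER_DEV_MODE: "true"` in the hydra-ldap-env patch later in this commit.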
@@ -17,14 +23,13 @@ path: "/data/COOKIE_PATH" value: /auth/dispatcher -# Hydra SAML configuration +# Hydra LDAP configuration - op: replace - path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL" - value: https://ssokustom/auth/saml/login + path: "/data/HYDRA_DISPATCHER_LDAP_LOGIN_URL" + value: https://ssokustom/auth/ldap/auth/login - op: replace - path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL" - value: https://ssokustom/auth/saml/consent + path: "/data/HYDRA_DISPATCHER_LDAP_CONSENT_URL" + value: https://ssokustom/auth/ldap/auth/consent - op: replace - path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL" - value: https://ssokustom/auth/saml/logout - \ No newline at end of file + path: "/data/HYDRA_DISPATCHER_LDAP_LOGOUT_URL" + value: https://ssokustom/auth/ldap/auth/logout diff --git a/examples/authenticated-app/patches/hydra-ldap-env.yaml b/examples/authenticated-app/patches/hydra-ldap-env.yaml new file mode 100644 index 0000000..d815810 --- /dev/null +++ b/examples/authenticated-app/patches/hydra-ldap-env.yaml @@ -0,0 +1,27 @@ +- op: replace + path: "/data/WERTHER_DEV_MODE" + value: "true" + +- op: replace + path: "/data/WERTHER_WEB_BASE_PATH" + value: "/auth/ldap/" + +- op: replace + path: "/data/WERTHER_IDENTP_HYDRA_URL" + value: "http://hydra-dispatcher" + +- op: replace + path: "/data/WERTHER_LDAP_ENDPOINTS" + value: "glauth-ldap:3893" + +- op: replace + path: "/data/WERTHER_LDAP_BASEDN" + value: "dc=glauth,dc=com" + +- op: replace + path: "/data/WERTHER_LDAP_BINDDN" + value: "cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com" + +- op: replace + path: "/data/WERTHER_LDAP_BINDPW" + value: "mysecret" diff --git a/examples/authenticated-app/patches/hydra-ldap-sc.yaml b/examples/authenticated-app/patches/hydra-ldap-sc.yaml new file mode 100644 index 0000000..24b9ba0 --- /dev/null +++ b/examples/authenticated-app/patches/hydra-ldap-sc.yaml 
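Review bot: The last two ops of the new `hydra-ldap-env.yaml` write `WERTHER_LDAP_BINDDN` and the cleartext `WERTHER_LDAP_BINDPW` (`mysecret`) into the `hydra-ldap-env` ConfigMap, while the werther Deployment reworked earlier in this commit reads both from the `hydra-ldap-sc` Secret via `secretKeyRef`; explicit `env` entries take precedence over `envFrom`, so the ConfigMap copies are dead and only duplicate the credential in a non-secret object. Drop those two ops here and rely on the `hydra-ldap-sc.yaml` patch that follows, which already carries the same values base64-encoded. Note also that `op: replace` fails at build time if a key is absent from the base ConfigMap — if the base `hydra-ldap-env` does not define every key listed, those ops need `add` instead.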
@@ -0,0 +1,7 @@ +- op: replace + path: "/data/WERTHER_LDAP_BINDDN" + value: "Y249c2VydmljZXVzZXIsb3U9c3ZjYWNjdHMsb3U9dXNlcnMsZGM9Z2xhdXRoLGRjPWNvbQ==" + +- op: replace + path: "/data/WERTHER_LDAP_BINDPW" + value: "bXlzZWNyZXQ=" diff --git a/examples/authenticated-app/patches/hydra-saml-env.yaml b/examples/authenticated-app/patches/hydra-saml-env.yaml deleted file mode 100644 index 8d9aa8a..0000000 --- a/examples/authenticated-app/patches/hydra-saml-env.yaml +++ /dev/null @@ -1,43 +0,0 @@ -- op: replace - path: "/data/HTTP_BASE_URL" - value: https://ssokustom/auth/saml -- op: replace - path: "/data/COOKIE_PATH" - value: /auth/saml -- op: replace - path: "/data/HYDRA_ADMIN_BASE_URL" - value: http://hydra-dispatcher -- op: replace - path: "/data/LOGOUT_REDIRECT_URL_PATTERN" - value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s -- op: replace - path: "/data/PATH_PREFIX" - value: "/auth/saml" - -- op: replace - path: "/data/SP_ENTITY_ID" - value: https://ssokustom/auth/saml -- op: replace - path: "/data/IDP_ENTITY_ID" - value: https://ssokustom/simplesaml/saml2/idp/metadata.php -- op: replace - path: "/data/IDP_METADATA_URL" - value: https://ssokustom/simplesaml/saml2/idp/metadata.php -- op: replace - path: "/data/APACHE_FORCE_HTTPS" - value: "true" -- op: replace - path: "/data/SP_HANDLER_BASE_PATH" - value: "/auth/saml" -- op: replace - path: "/data/SP_LOG_LEVEL" - value: DEBUG -- op: replace - path: "/data/SP_SESSIONS_REDIRECT_LIMIT" - value: none -- op: replace - path: "/data/SP_SESSIONS_REDIRECT_ALLOW" - value: https://ssokustom -- op: replace - path: "/data/SP_SESSIONS_COOKIE_PROPS" - value: https \ No newline at end of file diff --git a/examples/authenticated-app/resources/glauth-ldap.yaml b/examples/authenticated-app/resources/glauth-ldap.yaml new file mode 100644 index 0000000..c26043f --- /dev/null +++ b/examples/authenticated-app/resources/glauth-ldap.yaml 
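Review bot: The two base64 values in the new Secret patch are opaque to a reader, and nothing says which fixture identity they encode or that they must stay in step with `files/glauth.conf` and the hydra-ldap-env patch. Add a comment above each op naming the source rather than the decoded value, e.g. `# base64 of the glauth serviceuser bind DN defined in files/glauth.conf` and `# base64 of that account's password (see files/glauth.conf)`, so a later change to the fixture updates all three places together.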
@@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: glauth-ldap + name: glauth-ldap +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: glauth-ldap + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: glauth-ldap + spec: + containers: + - image: glauth/glauth:v2.3.2 + name: glauth-ldap + ports: + - containerPort: 3893 + name: ldap + resources: {} + volumeMounts: + - name: glauth-ldap-conf + mountPath: /app/config/config.cfg + subPath: glauth.conf + restartPolicy: Always + volumes: + - name: glauth-ldap-conf + configMap: + name: glauth-ldap-conf +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: glauth-ldap + name: glauth-ldap +spec: + ports: + - name: ldap + port: 3893 + targetPort: ldap + selector: + app.kubernetes.io/name: glauth-ldap +status: + loadBalancer: {} diff --git a/examples/authenticated-app/resources/ingress.yaml b/examples/authenticated-app/resources/ingress.yaml index 76212ba..f070f2d 100644 --- a/examples/authenticated-app/resources/ingress.yaml +++ b/examples/authenticated-app/resources/ingress.yaml 
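Review bot: The new `glauth-ldap` container has no `securityContext` and `resources: {}`, whereas the `hydra-ldap` werther container reworked earlier in this commit drops all capabilities, forbids privilege escalation and runs non-root on a read-only filesystem; the example's own workloads disagree with each other. Port 3893 is unprivileged, so the same hardening applies here; `runAsNonRoot` depends on the image's default user, which is not visible in this hunk, so set `runAsUser` explicitly if `glauth/glauth:v2.3.2` runs as root. `readOnlyRootFilesystem` should be safe with `datastore = "config"` since the only mounted file is the config itself, but confirm glauth writes nothing else under `/app`.
```yaml
      containers:
        - image: glauth/glauth:v2.3.2
          name: glauth-ldap
          # … unchanged: ports, resources, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            # runAsUser: <NON_ROOT_UID>  # placeholder: set if the image's default user is root
```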
@@ -10,43 +10,45 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: oidc-test - port: - name: http + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: oidc-test + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: auth-saml + name: auth-ldap annotations: cert-manager.io/issuer: "self-signed" nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/ldap spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth/saml(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra-saml - port: - name: http + - http: + paths: + - path: /auth/ldap(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-ldap + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress @@ -60,19 +62,19 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth/dispatcher(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra-dispatcher - port: - name: http + - http: + paths: + - path: /auth/dispatcher(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra-dispatcher + port: + name: http --- apiVersion: networking.k8s.io/v1 kind: Ingress 
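Review bot: Every regex path in this hunk (`/auth/ldap(/|$)(.*)` and the `/auth/dispatcher(/|$)(.*)` one below it) is declared with `pathType: Prefix`, which ingress-nginx only accepts because the kind-cluster patch later in this commit sets `strict-validate-path-type: "false"` for the whole controller. The documented way to use regex paths is `pathType: ImplementationSpecific` on each such path; switching removes the cross-file coupling and lets the controller keep strict validation. Separately, the new `rewrite-target: /$2` strips `/auth/ldap` before the request reaches werther while `WERTHER_WEB_BASE_PATH` is patched to `/auth/ldap/`; whether werther reconciles that through the added `x-forwarded-prefix` header is not visible here, so a comment on the annotation stating the intent would help.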
@@ -85,47 +87,16 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls + - hosts: + - ssokustom + secretName: ssokustom-example-tls rules: - - http: - paths: - - path: /auth(/|$)(.*) - pathType: Prefix - backend: - service: - name: hydra - port: - name: hydra-public ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: saml-idp - annotations: - cert-manager.io/issuer: "self-signed" - nginx.ingress.kubernetes.io/force-ssl-redirect: "true" - nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2 - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" -spec: - ingressClassName: nginx - tls: - - hosts: - - ssokustom - secretName: ssokustom-example-tls - rules: - - http: - paths: - - path: /simplesaml(/|$)(.*) - pathType: Prefix - backend: - service: - name: saml-idp - port: - name: https - - - - - \ No newline at end of file + - http: + paths: + - path: /auth(/|$)(.*) + pathType: Prefix + backend: + service: + name: hydra + port: + name: hydra-public diff --git a/examples/authenticated-app/resources/saml-idp.yaml b/examples/authenticated-app/resources/saml-idp.yaml deleted file mode 100644 index 20146d2..0000000 --- a/examples/authenticated-app/resources/saml-idp.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/name: saml-idp - name: saml-idp -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: saml-idp - strategy: - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: saml-idp - spec: - containers: - - image: kristophjunge/test-saml-idp:1.15 - name: saml-idp - ports: - - containerPort: 8443 - resources: {} - env: - - name: SIMPLESAMLPHP_SP_ENTITY_ID - value: https://ssokustom/auth/saml - - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE - value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST - - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE - value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom - restartPolicy: Always ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/name: saml-idp - name: saml-idp -spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - - name: https - port: 8443 - targetPort: 8443 - selector: - app.kubernetes.io/name: saml-idp -status: - loadBalancer: {} \ No newline at end of file diff --git a/examples/k8s/kind/cluster/kustomization.yaml b/examples/k8s/kind/cluster/kustomization.yaml index af48eba..2b23a19 100644 --- a/examples/k8s/kind/cluster/kustomization.yaml +++ b/examples/k8s/kind/cluster/kustomization.yaml 
@@ -1,15 +1,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml -- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop -- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop -- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + - https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml + - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop + - https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop + - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml -patchesJson6902: - - target: - version: v1 + # 'By executive order', l'inclusion de la CRD OAuth2Client est désormais gérée à la création des clusters Cadoles. + # Dans cet environnement de développement il est cependant nécessaire de l'intégrer manuellement. + # Le numéro de version devrait être raccord avec celui de l'image utilisée par la ressource 'hydra-maester'. + # cf. resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml + - https://raw.githubusercontent.com/ory/hydra-maester/refs/tags/v0.0.25/config/crd/bases/hydra.ory.sh_oauth2clients.yaml + +patches: + - path: patches/nginx-controller.yaml + target: kind: ConfigMap name: ingress-nginx-controller namespace: ingress-nginx - path: patches/nginx-controller.yaml diff --git a/examples/k8s/kind/cluster/patches/nginx-controller.yaml b/examples/k8s/kind/cluster/patches/nginx-controller.yaml index 799344f..b7a6263 100644 --- a/examples/k8s/kind/cluster/patches/nginx-controller.yaml +++ b/examples/k8s/kind/cluster/patches/nginx-controller.yaml 
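Review bot: The ingress-nginx manifest is fetched from `.../ingress-nginx/main/deploy/static/provider/kind/deploy.yaml`, an unpinned moving branch, while the cert-manager entry beside it and the new hydra-maester CRD line are pinned to tags; the line is pre-existing but sits on the new side of this hunk, and a `main` fetch means the dev cluster's ingress controller changes under the example without any commit here. Pin it to a release tag as the cert-manager line does. The new comment block explaining the CRD is in French while the other comment added in this commit (`# Hydra LDAP configuration`) is English — pick one language for the repo's comments.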
@@ -1,6 +1,8 @@ -- op: replace - path: "/data/allow-snippet-annotations" - value: "true" -- op: replace - path: "/data/use-forwarded-headers" - value: "true" \ No newline at end of file +kind: ConfigMap +apiVersion: v1 +metadata: + name: ingress-nginx-controller +data: + allow-snippet-annotations: "true" + use-forwarded-headers: "true" + strict-validate-path-type: "false" diff --git a/resources/hydra-dispatcher/files/hydra/default.yaml b/resources/hydra-dispatcher/files/hydra/default.yaml index d86c656..9b05778 100644 --- a/resources/hydra-dispatcher/files/hydra/default.yaml +++ b/resources/hydra-dispatcher/files/hydra/default.yaml @@ -15,3 +15,5 @@ hydra: firewall: additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%" rules: {} + webhook_post_login: + enabled: false diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml index c730f23..74d0ed9 100644 --- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml +++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml @@ -3,6 +3,7 @@ kind: Deployment metadata: labels: app.kubernetes.io/name: hydra-dispatcher + com.cadoles.forge.sso-kustom/session: redis name: hydra-dispatcher spec: replicas: 1 
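Review bot: `allow-snippet-annotations: "true"` lets any Ingress object in the cluster inject raw nginx configuration into the controller, yet none of the Ingress resources touched in this commit use a snippet annotation (they use `rewrite-target`, `x-forwarded-prefix`, `force-ssl-redirect`, `backend-protocol`); either drop the key or add a comment above it naming the resource that needs it. The added `strict-validate-path-type: "false"` relaxes path validation controller-wide only so the example can pair regex paths with `pathType: Prefix`; using `ImplementationSpecific` in the ingress files would let this key go too. The snippet key is carried over from the old JSON6902 patch, so this is a moment to reconsider it rather than a regression.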
@@ -17,101 +18,101 @@ spec: app.kubernetes.io/name: hydra-dispatcher spec: containers: - - name: hydra-dispatcher-php-fpm - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb - args: ["/usr/sbin/php-fpm81", "-F", "-e"] - readinessProbe: - exec: - command: - - sh - - -c - - test -f /etc/php81/php-fpm.d/www.conf - livenessProbe: - exec: - command: - - php - - bin/console - - -V - initialDelaySeconds: 10 - periodSeconds: 30 - env: - - name: PHP_FPM_LISTEN - value: 127.0.0.1:9000 - - name: PHP_MEMORY_LIMIT - value: 128m - - name: PHP_FPM_MEMORY_LIMIT - value: 128m - - name: OPCACHE_VALIDATE_TIMESTAMP - value: "0" - - name: OPCACHE_REVALIDATE_FREQ - value: "0" - envFrom: - - configMapRef: - name: hydra-dispatcher-env - volumeMounts: - - mountPath: /app/config/hydra - name: hydra-dispatcher-apps - - name: hydra-dispatcher-php-ini - mountPath: /etc/php81/conf.d/03_base.ini - subPath: 03_base.ini - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 - - name: hydra-dispatcher-caddy - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb - imagePullPolicy: IfNotPresent - args: - [ - "/usr/sbin/caddy", - "run", - "--adapter", - "caddyfile", - "--config", - "/etc/caddy/Caddyfile", - ] - readinessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 15 - timeoutSeconds: 5 - periodSeconds: 15 - envFrom: - - configMapRef: - name: hydra-dispatcher-env - env: - - name: CADDY_APP_UPSTREAM_BACKEND_SERVER - value: 127.0.0.1:9000 - - name: CADDY_HTTPS_PORT - value: "8443" - - name: CADDY_HTTP_PORT - value: "8080" - - name: CADDY_DATA_FS - value: "/tmp/caddy" - - name: CADDY_APP_ROOT_PUBLIC - value: "/app/public/" - ports: - - containerPort: 8080 - name: http - resources: {} - securityContext: - runAsNonRoot: true - runAsGroup: 1000 - runAsUser: 1000 
+ - name: hydra-dispatcher-php-fpm + image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb + args: ["/usr/sbin/php-fpm81", "-F", "-e"] + readinessProbe: + exec: + command: + - sh + - -c + - test -f /etc/php81/php-fpm.d/www.conf + livenessProbe: + exec: + command: + - php + - bin/console + - -V + initialDelaySeconds: 10 + periodSeconds: 30 + env: + - name: PHP_FPM_LISTEN + value: 127.0.0.1:9000 + - name: PHP_MEMORY_LIMIT + value: 128m + - name: PHP_FPM_MEMORY_LIMIT + value: 128m + - name: OPCACHE_VALIDATE_TIMESTAMP + value: "0" + - name: OPCACHE_REVALIDATE_FREQ + value: "0" + envFrom: + - configMapRef: + name: hydra-dispatcher-env + volumeMounts: + - mountPath: /app/config/hydra + name: hydra-dispatcher-apps + - name: hydra-dispatcher-php-ini + mountPath: /etc/php81/conf.d/03_base.ini + subPath: 03_base.ini + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + - name: hydra-dispatcher-caddy + image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb + imagePullPolicy: IfNotPresent + args: + [ + "/usr/sbin/caddy", + "run", + "--adapter", + "caddyfile", + "--config", + "/etc/caddy/Caddyfile", + ] + readinessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 15 + envFrom: + - configMapRef: + name: hydra-dispatcher-env + env: + - name: CADDY_APP_UPSTREAM_BACKEND_SERVER + value: 127.0.0.1:9000 + - name: CADDY_HTTPS_PORT + value: "8443" + - name: CADDY_HTTP_PORT + value: "8080" + - name: CADDY_DATA_FS + value: "/tmp/caddy" + - name: CADDY_APP_ROOT_PUBLIC + value: "/app/public/" + ports: + - containerPort: 8080 + name: http + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 restartPolicy: Always volumes: - - name: hydra-dispatcher-apps - configMap: - name: 
hydra-dispatcher-apps - - name: hydra-dispatcher-php-ini - configMap: - name: hydra-dispatcher-php-ini + - name: hydra-dispatcher-apps + configMap: + name: hydra-dispatcher-apps + - name: hydra-dispatcher-php-ini + configMap: + name: hydra-dispatcher-php-ini diff --git a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml index 0b5b7bb..743e15a 100644 --- a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml +++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml @@ -7,7 +7,7 @@ metadata: labels: app.kubernetes.io/name: hydra-maester app.kubernetes.io/instance: hydra-master - app.kubernetes.io/version: "v0.0.23" + app.kubernetes.io/version: "v0.0.25" spec: replicas: 1 revisionHistoryLimit: 10 @@ -38,15 +38,14 @@ spec: - --hydra-url=$(HYDRA_ADMIN_BASE_URL) - --hydra-port=$(HYDRA_ADMIN_PORT) - --endpoint=/admin/clients - resources: - {} + resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File securityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL + - ALL privileged: false readOnlyRootFilesystem: true runAsNonRoot: true