fix: example app deployment with saml login app

components/hydra-saml/files/hydra/saml.yaml

@@ -10,4 +10,21 @@ hydra:
       login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%"
       consent_url: "%env(string:HYDRA_DISPATCHER_SAML_CONSENT_URL)%"
       logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
-      attributes_rewrite_configuration: {}
+      attributes_rewrite_configuration:
+        uid:
+          rules:
+          - "property_exists(consent.session.id_token, 'uid') ? consent.session.id_token.uid : null"
+        email:
+          rules:
+          - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+        eduPersonAffiliation:
+          rules:
+          - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null"
+  firewall:
+    rules:
+      email:
+        required: true
+      uid:
+        required: true
+      eduPersonAffiliation:
+        required: true

components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml

@@ -0,0 +1,3 @@
+<Attribute name="uid" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="uid" />
+<Attribute name="eduPersonAffiliation" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="eduPersonAffiliation" />
+<Attribute name="email" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" id="email" />

components/hydra-saml/kustomization.yaml

@@ -18,6 +18,7 @@ configMapGenerator:
       - HYDRA_ADMIN_BASE_URL=http://hydra:4445/admin
       - TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
       - LOGOUT_REDIRECT_URL_PATTERN=http://hydra-saml/Shibboleth.sso/Logout?return=%s'
+      - PATH_PREFIX=
       # Shibboleth SP environment variables
       - SP_ENTITY_ID=http://hydra-saml-shibboleth-sp
       - IDP_ENTITY_ID=http://saml-idp
@@ -25,10 +26,14 @@ configMapGenerator:
       - APACHE_BACKEND_URL=http://hydra-saml-remote-user
       - APACHE_FORCE_HTTPS=false
       - SP_HANDLER_BASE_PATH=/
+      - SP_SESSIONS_RELAY_STATE=cookie:5
   - name: hydra-dispatcher-apps
     behavior: merge
     files:
       - ./files/hydra/saml.yaml
+  - name: hydra-saml-shibboleth-sp
+    files:
+      - ./files/shibboleth-sp/attribute-map.inc.xml
 
 patchesJson6902:
   - target:

components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: hydra-saml-remote-user
-          image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-218-g4b5e1d9
+          image: reg.cadoles.com/wpetit/hydra-remote-user-v1:v0.0.0-232-g99ae0e5
           envFrom:
             - configMapRef:
                 name: hydra-saml-env

components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml

@@ -16,14 +16,24 @@ spec:
       labels:
         io.kompose.service: hydra-saml-shibboleth-sp
     spec:
+      securityContext:
+        fsGroup: 102
       containers:
         - name: hydra-saml-shibboleth-sp
-          image: reg.cadoles.com/wpetit/shibboleth-sp-v3:v0.0.0-231-ge7979bb
+          image: reg.cadoles.com/wpetit/shibboleth-sp-v3:v0.0.0-232-g377af91
           envFrom:
             - configMapRef:
                 name: hydra-saml-env
+          volumeMounts:
+            - name: attributes-map-inc
+              mountPath: /etc/shibboleth/attribute-map.inc.xml
+              subPath: attribute-map.inc.xml
           ports:
             - containerPort: 80
           resources: {}
       restartPolicy: Always
+      volumes:
+        - name: attributes-map-inc
+          configMap:
+            name: hydra-saml-shibboleth-sp
             

examples/authenticated-app/README.md

@@ -40,16 +40,16 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
 
 5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
 
-#### Authentification
-
-### SAML
-
-- Utilisateur: `user1`
-- Mot de passe `user1pass`
-
 #### Supprimer le cluster
 
 ```
 kind delete cluster -n sso-kustom-example
 ```
 
+## Authentification
+
+### SAML
+
+- Utilisateur: `user1`
+- Mot de passe `user1pass`
+

examples/authenticated-app/kustomization.yaml

@@ -4,14 +4,12 @@ kind: Kustomization
 resources:
   - ../../resources/hydra
   - ../../resources/hydra-dispatcher
-  - ./resources/app-deployment.yaml
-  - ./resources/app-service.yaml
+  - ./resources/app.yaml
   - ./resources/ingress.yaml
   - ./resources/oauth2-client.yaml
   - ./resources/saml-idp.yaml
   - ./resources/self-signed-issuer.yaml
-  - ./resources/port-forwarder-deployment.yaml
-  - ./resources/port-forwarder-service.yaml
+  - ./resources/port-forwarder.yaml
 
 components:
   - ../../components/hydra-cnpg-database

examples/authenticated-app/patches/hydra-saml-env.yaml

@@ -10,22 +10,25 @@
 - op: replace
   path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
   value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s
+- op: replace
+  path: "/data/PATH_PREFIX"
+  value: "/auth/saml"
 
 - op: replace
   path: "/data/SP_ENTITY_ID"
   value: https://ssokustom/auth/saml
 - op: replace
   path: "/data/IDP_ENTITY_ID"
-  value: http://ssokustom/simplesaml/saml2/idp/metadata.php
+  value: https://ssokustom/simplesaml/saml2/idp/metadata.php
 - op: replace
   path: "/data/IDP_METADATA_URL"
-  value: http://ssokustom/simplesaml/saml2/idp/metadata.php
+  value: https://ssokustom/simplesaml/saml2/idp/metadata.php
 - op: replace
   path: "/data/APACHE_FORCE_HTTPS"
-  value: "false"
+  value: "true"
 - op: replace
   path: "/data/SP_HANDLER_BASE_PATH"
-  value: /
+  value: "/auth/saml"
 - op: replace
   path: "/data/SP_LOG_LEVEL"
   value: DEBUG

examples/authenticated-app/resources/app-service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    io.kompose.service: app
-  name: app
-spec:
-  ports:
-    - name: http
-      port: 8080
-      targetPort: 8080
-  selector:
-    io.kompose.service: app
-status:
-  loadBalancer: {}

examples/authenticated-app/resources/app.yaml

@@ -17,7 +17,7 @@ spec:
         io.kompose.service: app
     spec:
       containers:
-        - image: reg.cadoles.com/cadoles/oidc-test:2023.11.2-stable.1831.8496a4e
+        - image: reg.cadoles.com/cadoles/oidc-test:2023.11.6-stable.1557.e16b905
           name: app
           ports:
             - containerPort: 8080
@@ -40,9 +40,27 @@ spec:
             - name: OIDC_ISSUER_URL
               value: http://hydra:4444
             - name: OIDC_REDIRECT_URL
-              value: https://ssokustom
+              value: https://ssokustom/oauth2/callback
             - name: OIDC_POST_LOGOUT_REDIRECT_URL
               value: https://ssokustom
             - name: OIDC_SKIP_ISSUER_VERIFICATION
               value: "true"
+            - name: OIDC_INSECURE_SKIP_VERIFY
+              value: "true"
       restartPolicy: Always
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    io.kompose.service: app
+  name: app
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    io.kompose.service: app
+status:
+  loadBalancer: {}

examples/authenticated-app/resources/ingress.yaml

@@ -5,11 +5,12 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     cert-manager.io/issuer: "self-signed"
+    # nginx.ingress.kubernetes.io/configuration-snippet: |
+    #   more_set_headers "X-Forwarded-Proto: https";
 spec:
   ingressClassName: nginx
   tls:
   - hosts:
-    - ssokustom
     - ssokustom
     secretName: ssokustom-example-tls
   rules:
@@ -26,16 +27,40 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: auth
+  name: auth-saml
   annotations:
     cert-manager.io/issuer: "self-signed"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
 spec:
   ingressClassName: nginx
   tls:
   - hosts:
     - ssokustom
+    secretName: ssokustom-example-tls
+  rules:
+  - http:
+      paths:
+      - path: /auth/saml(/|$)(.*)
+        pathType: Prefix
+        backend:
+          service:
+            name: hydra-saml
+            port:
+              name: http
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: auth-dispatcher
+  annotations:
+    cert-manager.io/issuer: "self-signed"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
     - ssokustom
     secretName: ssokustom-example-tls
   rules:
@@ -48,7 +73,24 @@ spec:
             name: hydra-dispatcher
             port:
               name: http
-      
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: auth
+  annotations:
+    cert-manager.io/issuer: "self-signed"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - ssokustom
+    secretName: ssokustom-example-tls
+  rules:
+  - http:
+      paths:      
       - path: /auth(/|$)(.*)
         pathType: Prefix
         backend:
@@ -56,14 +98,6 @@ spec:
             name: hydra
             port:
               name: hydra-public
-
-      - path: /auth/saml(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: hydra-saml
-            port:
-              name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -73,11 +107,11 @@ metadata:
     cert-manager.io/issuer: "self-signed"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 spec:
   ingressClassName: nginx
   tls:
   - hosts:
-    - ssokustom
     - ssokustom
     secretName: ssokustom-example-tls
   rules:
@@ -89,7 +123,7 @@ spec:
           service:
             name: saml-idp
             port:
-              name: http
+              name: https
 
      
 

examples/authenticated-app/resources/oauth2-client.yaml

@@ -10,9 +10,9 @@ spec:
   - refresh_token
   responseTypes:
   - code
-  scope: "openid profile email"
+  scope: "openid email"
   secretName: app-oidc-secret
   redirectUris:
-  - https://ssokustom
+  - https://ssokustom/oauth2/callback
   postLogoutRedirectUris:
   - https://ssokustom

examples/authenticated-app/resources/port-forwarder-service.yaml

@@ -1,16 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: ssokustom
-  labels:
-    io.kompose.service: port-forwarder
-spec:
-  ports:
-  - name: https
-    port: 443
-    targetPort: 443
-  - name: http
-    port: 80
-    targetPort: 80
-  selector:
-    io.kompose.service: port-forwarder

examples/authenticated-app/resources/port-forwarder.yaml

@@ -36,3 +36,20 @@ spec:
           resources: {}
           args: ["ingress-nginx-controller.ingress-nginx.svc.cluster.local", "80"]
       restartPolicy: Always
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: ssokustom
+  labels:
+    io.kompose.service: port-forwarder
+spec:
+  ports:
+  - name: https
+    port: 443
+    targetPort: 443
+  - name: http
+    port: 80
+    targetPort: 80
+  selector:
+    io.kompose.service: port-forwarder

examples/k8s/kind/cluster/kustomization.yaml

@@ -3,4 +3,12 @@ kind: Kustomization
 resources:
 - https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml
 - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
-- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+
+patchesJson6902:
+  - target:
+      version: v1
+      kind: ConfigMap
+      name: ingress-nginx-controller
+      namespace: ingress-nginx
+    path: patches/nginx-controller.yaml

examples/k8s/kind/cluster/patches/nginx-controller.yaml

@@ -0,0 +1,6 @@
+- op: replace
+  path: "/data/allow-snippet-annotations"
+  value: "true"
+- op: replace
+  path: "/data/use-forwarded-headers"
+  value: "true"