Compare commits
			65 Commits
			develop
			...
			eb878ff980
	| Author | SHA1 | Date | |
|---|---|---|---|
| eb878ff980 | |||
| c1d9ca62d4 | |||
| 09c91e7cae | |||
| 3db15dfc8a | |||
| 77e167b17c | |||
| d09b644b5f | |||
| 5e5670dcdf | |||
| 172d9def39 | |||
| e4b67e0812 | |||
| a26b8aafe1 | |||
| 06235bccad | |||
| 19039c5e1c | |||
| 9e02d7badb | |||
| 87a056be2c | |||
| fedf44a062 | |||
| b0506995e5 | |||
| 7a09045e82 | |||
| f300b91316 | |||
| 30ba1f4d5a | |||
| d9bdbccfe4 | |||
| 2d329501c0 | |||
| dc2c97c7f6 | |||
| c9d8917e6c | |||
| 20e0a20f64 | |||
| c01eb28d8c | |||
| c97266c272 | |||
| 4df11ead1e | |||
| 99056b875e | |||
| ee0349e9df | |||
| 3a255707d1 | |||
| ce1f650a86 | |||
| de24eb0026 | |||
| 40ec4440a7 | |||
| 4ec580fb7d | |||
| 1cf7569678 | |||
| a0ff37edf6 | |||
| a5c9c733f6 | |||
| a5cecb385c | |||
| 15ad23049f | |||
| 78e5b30e1d | |||
| 1ea76c2153 | |||
| af76c99d91 | |||
| 3635f547a1 | |||
| 65fccdc3ce | |||
| 0b3504e631 | |||
| 36a8e117e8 | |||
| 176b5a6696 | |||
| efa00fc6a3 | |||
| f52b3117b5 | |||
| 35c46316d3 | |||
| 456e92ca0e | |||
| e1432cb633 | |||
| 513797be35 | |||
| f38ba80de6 | |||
| 1db87e2d08 | |||
| a7578445b4 | |||
| 119b09ac61 | |||
| 32ccca7616 | |||
| c174ddb734 | |||
| 191024bb17 | |||
| 054f84baef | |||
| a88a8240aa | |||
| 5ea7789cc2 | |||
| 212de51a84 | |||
| 9020c73512 | 
| @@ -2,10 +2,6 @@ | |||||||
|  |  | ||||||
| Kustomization du service "SSO" (Ory Hydra) | Kustomization du service "SSO" (Ory Hydra) | ||||||
|  |  | ||||||
| ## Usage |  | ||||||
|  |  | ||||||
| [Voir la documentation](./doc/README.md) |  | ||||||
|  |  | ||||||
| ## Exemple | ## Exemple | ||||||
|  |  | ||||||
| Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app) | Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app) | ||||||
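--- a/components/hydra-cleaner/files/hydra-cleaner.sh
+++ b/components/hydra-cleaner/files/hydra-cleaner.sh
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+set -e
+set -o nounset
+
+# 4 tables to empty, at least
+# oidc, code, flow, authentication_session
+
+# \d hydra_oauth2_flow
+#Referenced by:
+#    TABLE "hydra_oauth2_access" CONSTRAINT "hydra_oauth2_access_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_code" CONSTRAINT "hydra_oauth2_code_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_oidc" CONSTRAINT "hydra_oauth2_oidc_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_pkce" CONSTRAINT "hydra_oauth2_pkce_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_refresh" CONSTRAINT "hydra_oauth2_refresh_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+
+# -> delete "cascade" on table "flow" cleans access, code, oidc, pkce and refresh tables.
+
+
+DSN="${DSN:-postgresql://${HYDRA_DATABASE_USER}:${HYDRA_DATABASE_PASSWORD}@${HYDRA_DATABASE_SERVICE_NAME}:${HYDRA_DATABASE_SERVICE_PORT:-5432}/hydra?sslmode=disable}"
+RETENTION_HOURS="${RETENTION_HOURS:-48}"
+BATCH_SIZE="${BATCH_SIZE:-50}"
+LIMIT="${LIMIT:-1000}"
+BEFORE_DATE="$(date +'%Y-%m-%d %H:%M:%S' --date=@$(($(date +%s) - RETENTION_HOURS * 3600)))"
+
+
+log() {
+    echo "$(date +'%d-%m-%y %H:%M:%S%z')| $1"
+}
+
+perror() {
+    log "Something went wrong, exiting."
+    trap - EXIT
+    exit 1
+}
+
+trap perror EXIT
+
+if ! [[ ${RETENTION_HOURS} =~ '^[0-9]+$' ]]; then
+    log "Error: variable RETENTION_HOURS is not a positive integer."
+    perror
+fi
+
+if ! [[ ${LIMIT} =~ '^[0-9]+$' ]]; then
+    log "Error: variable LIMIT is not a positive integer."
+    perror
+fi
+
+if ! [[ ${BATCH_SIZE} =~ '^[0-9]+$' ]]; then
+    log "Error: variable BATCH_SIZE is not a positive integer."
+    perror
+fi
+
+log "Starting hydra cleaner"
+
+log "Removing up to ${LIMIT} elements before ${BEFORE_DATE} by batch of ${BATCH_SIZE}"
+
+log "Beginning estimated size:"
+psql "${DSN}" <<EOF
+select
+  table_name, reltuples as estimate,
+  pg_size_pretty(pg_total_relation_size(quote_ident(table_name))),
+  pg_total_relation_size(quote_ident(table_name))
+from information_schema.tables left join pg_class on information_schema.tables.table_name=pg_class.relname
+where table_schema = 'public'
+order by 4 desc;
+EOF
+
+
+REMAINING_ELMTS="${LIMIT}"
+while [ "${REMAINING_ELMTS}" -gt 0 ]; do
+    OUTPUT=$(psql "${DSN}" <<EOF
+DELETE
+FROM hydra_oauth2_flow
+WHERE login_challenge = ANY (
+  array(
+    SELECT login_challenge
+    FROM hydra_oauth2_flow
+    WHERE requested_at < '${BEFORE_DATE}'
+    LIMIT ${BATCH_SIZE}
+  )
+);
+EOF
+    )
+
+    log "${OUTPUT}"
+
+    if ! [[ "${OUTPUT}" =~ '^DELETE ' ]] ; then
+	log "Output doesn't seems OK..."
+	break
+    fi
+    OUTPUT_NB=$(echo "${OUTPUT}" | cut -d' ' -f 2)
+
+    if [ "${OUTPUT_NB}" -lt "${BATCH_SIZE}" ]; then
+	break
+    fi
+
+    REMAINING_ELMTS=$((REMAINING_ELMTS - BATCH_SIZE))
+    if [ "${REMAINING_ELMTS}" -lt "${BATCH_SIZE}" ]; then
+	BATCH_SIZE="${REMAINING_ELMTS}"
+    fi
+done
+
+
+log "Final estimated size:"
+psql "${DSN}" <<EOF
+select
+  table_name, reltuples as estimate,
+  pg_size_pretty(pg_total_relation_size(quote_ident(table_name))),
+  pg_total_relation_size(quote_ident(table_name))
+from information_schema.tables left join pg_class on information_schema.tables.table_name=pg_class.relname
+where table_schema = 'public'
+order by 4 desc;
+EOF
+
+trap - EXIT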
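Review bot: The three integer checks (`if ! [[ ${RETENTION_HOURS} =~ '^[0-9]+$' ]]` and the two like it) and the `[[ "${OUTPUT}" =~ '^DELETE ' ]]` test inside the loop cannot succeed as written: a single-quoted right-hand side of `=~` is compared as the literal string in bash, and `[[` is not a POSIX builtin at all, so under `#!/bin/sh` in the alpine-based psql image the outcome depends on which shell `/bin/sh` resolves to. Either way a run ends in `perror` during validation or leaves the loop after the first batch with "Output doesn't seems OK...", so at most `BATCH_SIZE` rows are ever removed. The rewrite below uses POSIX `case` patterns for both; adding `-v ON_ERROR_STOP=1` to the psql calls would additionally make a failed `DELETE` trip `set -e` instead of surfacing as empty output. Two points deserve a comment in the file: `psql "${DSN}"` places the database password on the command line, where it may be readable in the node's process list (libpq's `PGPASSWORD` or a `.pgpass` file avoids that), and, as the header comment already states, deleting a flow cascades into `hydra_oauth2_refresh`, so any refresh token whose login flow is older than `RETENTION_HOURS` is revoked — confirm this matches the configured refresh-token lifetime.
```shell
# … unchanged: header comments, DSN / RETENTION_HOURS / BATCH_SIZE / LIMIT defaults, log(), perror(), trap …

# POSIX replacement for the bash-only `[[ =~ ]]` tests: true only for a non-empty run of digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate before BEFORE_DATE is derived from RETENTION_HOURS, so a bad value is reported rather than thrown by $((...)).
is_uint "${RETENTION_HOURS}" || { log "Error: variable RETENTION_HOURS is not a positive integer."; perror; }
is_uint "${LIMIT}" || { log "Error: variable LIMIT is not a positive integer."; perror; }
is_uint "${BATCH_SIZE}" || { log "Error: variable BATCH_SIZE is not a positive integer."; perror; }

BEFORE_DATE="$(date +'%Y-%m-%d %H:%M:%S' --date=@$(($(date +%s) - RETENTION_HOURS * 3600)))"

# … unchanged: start-up logging, first size estimate, loop head and DELETE heredoc …

    log "${OUTPUT}"

    # psql echoes the command tag as "DELETE <n>"; anything else means the statement did not run as expected.
    case "${OUTPUT}" in
        "DELETE "*) ;;
        *) log "Output doesn't seems OK..."; break ;;
    esac
    OUTPUT_NB=$(echo "${OUTPUT}" | cut -d' ' -f 2)

# … unchanged: batch bookkeeping, final size estimate, trap reset …
```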
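--- a/components/hydra-cleaner/kustomization.yaml
+++ b/components/hydra-cleaner/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ./resources/hydra-cleaner-cronjob.yaml
+
+configMapGenerator:
+- name: hydra-cleaner-env
+  behavior: create
+  literals:
+  - RETENTION_HOURS="48"
+  - BATCH_SIZE="100"
+  - LIMIT="1000"
+- name: hydra-cleaner-script
+  behavior: create
+  files:
+  - ./files/hydra-cleaner.sh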
| @@ -0,0 +1,54 @@ | |||||||
|  | apiVersion: batch/v1 | ||||||
|  | kind: CronJob | ||||||
|  | metadata: | ||||||
|  |   name: hydra-cleaner | ||||||
|  |   labels: | ||||||
|  |     app.kubernetes.io/name: hydra-cleaner | ||||||
|  | spec: | ||||||
|  |   concurrencyPolicy: Forbid | ||||||
|  |   schedule: "30 */1 * * *" | ||||||
|  |   jobTemplate: | ||||||
|  |     spec: | ||||||
|  |       template: | ||||||
|  |         metadata: | ||||||
|  |           labels: | ||||||
|  |             app.kubernetes.io/name: hydra-cleaner | ||||||
|  |         spec: | ||||||
|  |           restartPolicy: OnFailure | ||||||
|  |           serviceAccountName: hydra-sa | ||||||
|  |           containers: | ||||||
|  |           - name: hydra-cleaner | ||||||
|  |             image: reg.cadoles.com/proxy_cache/alpine/psql:17.4 | ||||||
|  |             envFrom: | ||||||
|  |             - configMapRef: | ||||||
|  |                 name: hydra-env | ||||||
|  |             - configMapRef: | ||||||
|  |                 name: hydra-cleaner-env | ||||||
|  |             imagePullPolicy: IfNotPresent | ||||||
|  |             command: ["/hydra-cleaner.sh"] | ||||||
|  |             env: | ||||||
|  |             - name: HYDRA_DATABASE_USER | ||||||
|  |               valueFrom: | ||||||
|  |                 secretKeyRef: | ||||||
|  |                   name: hydra-postgres-app | ||||||
|  |                   key: username | ||||||
|  |             - name: HYDRA_DATABASE_PASSWORD | ||||||
|  |               valueFrom: | ||||||
|  |                 secretKeyRef: | ||||||
|  |                   name: hydra-postgres-app | ||||||
|  |                   key: password | ||||||
|  |             - name: HYDRA_DATABASE_SERVICE_NAME | ||||||
|  |               valueFrom: | ||||||
|  |                 secretKeyRef: | ||||||
|  |                   name: hydra-postgres-app | ||||||
|  |                   key: host | ||||||
|  |             args: [] | ||||||
|  |             volumeMounts: | ||||||
|  |             - name: hydra-cleaner-script | ||||||
|  |               mountPath: "/hydra-cleaner.sh" | ||||||
|  |               subPath: "hydra-cleaner.sh" | ||||||
|  |           volumes: | ||||||
|  |           - name: hydra-cleaner-script | ||||||
|  |             configMap: | ||||||
|  |               name: hydra-cleaner-script | ||||||
|  |               defaultMode: 0544 | ||||||
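Review bot: The cleaner pod runs under `serviceAccountName: hydra-sa` with the service-account token automounted, yet the script only needs the database credentials that already arrive through `secretKeyRef`; add `automountServiceAccountToken: false` to the pod spec so a compromise of this job does not also hand out whatever RBAC hydra-sa carries. The container has no `securityContext` either, while the php-fpm and caddy containers in this same change receive `runAsNonRoot: true` with uid/gid 1000 — the same block fits here. With `restartPolicy: OnFailure` and neither `backoffLimit` nor `activeDeadlineSeconds` in `jobTemplate.spec`, a script that fails validation is retried up to the default `backoffLimit` on every hourly run; setting both bounds the retries and the run time. `envFrom` on `hydra-env` also exposes the whole Hydra configuration to the job although only the database variables are used — presumably acceptable, but worth a comment saying so.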
| @@ -7,28 +7,6 @@ configurations: | |||||||
| resources: | resources: | ||||||
| - ./resources/hydra-cnpg-cluster.yaml | - ./resources/hydra-cnpg-cluster.yaml | ||||||
|  |  | ||||||
| secretGenerator: |  | ||||||
| - name: hydra-postgres-admin |  | ||||||
|   type: Secret |  | ||||||
|   literals: |  | ||||||
|   - username=postgres |  | ||||||
|   - password=NotSoSecret |  | ||||||
| - name: hydra-postgres-user |  | ||||||
|   type: Secret |  | ||||||
|   literals: |  | ||||||
|   - username=hydra |  | ||||||
|   - password=NotSoSecret |  | ||||||
|  |  | ||||||
|  |  | ||||||
| vars: |  | ||||||
| - name: HYDRA_DATABASE_SERVICE_NAME |  | ||||||
|   objref: |  | ||||||
|     name: hydra-postgres |  | ||||||
|     kind: Cluster |  | ||||||
|     apiVersion: postgresql.cnpg.io/v1 |  | ||||||
|   fieldref: |  | ||||||
|     fieldpath: metadata.name |  | ||||||
|  |  | ||||||
| patches: | patches: | ||||||
| - target: | - target: | ||||||
|     group: apps |     group: apps | ||||||
|   | |||||||
| @@ -4,7 +4,7 @@ | |||||||
|     name: HYDRA_DATABASE_USER |     name: HYDRA_DATABASE_USER | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: username |         key: username | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/template/spec/containers/0/env/-" |   path: "/spec/template/spec/containers/0/env/-" | ||||||
| @@ -12,10 +12,18 @@ | |||||||
|     name: HYDRA_DATABASE_PASSWORD |     name: HYDRA_DATABASE_PASSWORD | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: password |         key: password | ||||||
|  | - op: add | ||||||
|  |   path: "/spec/template/spec/containers/0/env/-" | ||||||
|  |   value: | ||||||
|  |     name: HYDRA_DATABASE_SERVICE_NAME | ||||||
|  |     valueFrom: | ||||||
|  |       secretKeyRef: | ||||||
|  |         name: hydra-postgres-app | ||||||
|  |         key: host | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/template/spec/containers/0/env/-" |   path: "/spec/template/spec/containers/0/env/-" | ||||||
|   value: |   value: | ||||||
|     name: DSN |     name: DSN | ||||||
|     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable" |     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable&max_conns=$(HYDRA_DATABASE_MAX_CONN)&max_idle_conns=$(HYDRA_DATABASE_MAX_IDLE_CONNS)&max_conn_lifetime=$(HYDRA_DATABASE_MAX_CONN_LIFETIME)&max_conn_idle_time=$(HYDRA_DATABASE_MAX_CONN_IDLE_TIME)&connect_timeout=$(HYDRA_DATABASE_CONNECT_TIMEOUT)" | ||||||
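Review bot: The rebuilt DSN on the last line references `$(HYDRA_DATABASE_MAX_CONN)`, `$(HYDRA_DATABASE_MAX_IDLE_CONNS)`, `$(HYDRA_DATABASE_MAX_CONN_LIFETIME)`, `$(HYDRA_DATABASE_MAX_CONN_IDLE_TIME)` and `$(HYDRA_DATABASE_CONNECT_TIMEOUT)`, none of which is defined in this patch; the kubelet expands `$(NAME)` only for variables the container already has (via `envFrom` or earlier `env` entries) and leaves an undefined one as literal text, so unless these five come from a ConfigMap such as `hydra-env` the DSN reaches Hydra with `$(...)` inside it. A comment next to the DSN naming where they are expected to come from would make that dependency visible. Separately, all three DSNs in this change (this one and the equivalent `postgres://…sslmode=disable` lines in the two patches that follow) keep `sslmode=disable` now that the host comes from the CNPG-managed `hydra-postgres-app` secret; CNPG clusters serve TLS by default, so `sslmode=require` (or `verify-full` with the cluster CA mounted) would stop credentials and tokens crossing the pod network in clear — confirm against the operator's defaults before changing it.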
|   | |||||||
| @@ -4,7 +4,7 @@ | |||||||
|     name: HYDRA_DATABASE_USER |     name: HYDRA_DATABASE_USER | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: username |         key: username | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" |   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" | ||||||
| @@ -12,10 +12,18 @@ | |||||||
|     name: HYDRA_DATABASE_PASSWORD |     name: HYDRA_DATABASE_PASSWORD | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: password |         key: password | ||||||
|  | - op: add | ||||||
|  |   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" | ||||||
|  |   value: | ||||||
|  |     name: HYDRA_DATABASE_SERVICE_NAME | ||||||
|  |     valueFrom: | ||||||
|  |       secretKeyRef: | ||||||
|  |         name: hydra-postgres-app | ||||||
|  |         key: host | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" |   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" | ||||||
|   value: |   value: | ||||||
|     name: DSN |     name: DSN | ||||||
|     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable" |     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable" | ||||||
|   | |||||||
| @@ -4,7 +4,7 @@ | |||||||
|     name: HYDRA_DATABASE_USER |     name: HYDRA_DATABASE_USER | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: username |         key: username | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/template/spec/containers/0/env/-" |   path: "/spec/template/spec/containers/0/env/-" | ||||||
| @@ -12,10 +12,18 @@ | |||||||
|     name: HYDRA_DATABASE_PASSWORD |     name: HYDRA_DATABASE_PASSWORD | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: password |         key: password | ||||||
|  | - op: add | ||||||
|  |   path: "/spec/template/spec/containers/0/env/-" | ||||||
|  |   value: | ||||||
|  |     name: HYDRA_DATABASE_SERVICE_NAME | ||||||
|  |     valueFrom: | ||||||
|  |       secretKeyRef: | ||||||
|  |         name: hydra-postgres-app | ||||||
|  |         key: host | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/template/spec/containers/0/env/-" |   path: "/spec/template/spec/containers/0/env/-" | ||||||
|   value: |   value: | ||||||
|     name: DSN |     name: DSN | ||||||
|     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable" |     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable" | ||||||
|   | |||||||
| @@ -5,13 +5,9 @@ metadata: | |||||||
| spec: | spec: | ||||||
|   instances: 3 |   instances: 3 | ||||||
|   primaryUpdateStrategy: unsupervised |   primaryUpdateStrategy: unsupervised | ||||||
|   superuserSecret: |  | ||||||
|     name: hydra-postgres-admin |  | ||||||
|   bootstrap: |   bootstrap: | ||||||
|     initdb: |     initdb: | ||||||
|       database: hydra |       database: hydra | ||||||
|       owner: hydra |       owner: hydra | ||||||
|       secret: |  | ||||||
|         name: hydra-postgres-user |  | ||||||
|   storage: |   storage: | ||||||
|     size: 2Gi |     size: 2Gi | ||||||
| @@ -7,6 +7,7 @@ resources: | |||||||
|  |  | ||||||
| configMapGenerator: | configMapGenerator: | ||||||
|   - name: hydra-ldap-env |   - name: hydra-ldap-env | ||||||
|  |     behavior: create | ||||||
|     literals: |     literals: | ||||||
|       - WERTHER_DEV_MODE=false |       - WERTHER_DEV_MODE=false | ||||||
|       - WERTHER_LDAP_ROLE_CLAIM="https://hydra/claims/roles" |       - WERTHER_LDAP_ROLE_CLAIM="https://hydra/claims/roles" | ||||||
| @@ -21,6 +22,7 @@ configMapGenerator: | |||||||
|  |  | ||||||
| secretGenerator: | secretGenerator: | ||||||
|   - name: hydra-ldap-sc |   - name: hydra-ldap-sc | ||||||
|  |     behavior: create | ||||||
|     literals: |     literals: | ||||||
|       - WERTHER_LDAP_BINDDN="cn=reader,o=test,c=fr" |       - WERTHER_LDAP_BINDDN="cn=reader,o=test,c=fr" | ||||||
|       - WERTHER_LDAP_BINDPW=ThisMustBeAbsolutelyChanged |       - WERTHER_LDAP_BINDPW=ThisMustBeAbsolutelyChanged | ||||||
|   | |||||||
| @@ -18,14 +18,12 @@ spec: | |||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|         - name: werther |         - name: werther | ||||||
|         image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 |           image: reg.cadoles.com/cadoles/hydra-werther:2025.2.17-stable.1544.8ded23c | ||||||
|           imagePullPolicy: IfNotPresent |           imagePullPolicy: IfNotPresent | ||||||
|           envFrom: |           envFrom: | ||||||
|             - configMapRef: |             - configMapRef: | ||||||
|                 name: hydra-ldap-env |                 name: hydra-ldap-env | ||||||
|           env: |           env: | ||||||
|         - name: WERTHER_WEB_DIR |  | ||||||
|           value: "/usr/share/werther/login/" |  | ||||||
|             - name: WERTHER_LDAP_BINDDN |             - name: WERTHER_LDAP_BINDDN | ||||||
|               valueFrom: |               valueFrom: | ||||||
|                 secretKeyRef: |                 secretKeyRef: | ||||||
|   | |||||||
| @@ -11,6 +11,7 @@ generatorOptions: | |||||||
|  |  | ||||||
| configMapGenerator: | configMapGenerator: | ||||||
| - name: hydra-oidc-env | - name: hydra-oidc-env | ||||||
|  |   behavior: create | ||||||
|   literals: |   literals: | ||||||
|   - APP_ENV=prod |   - APP_ENV=prod | ||||||
|   - APP_DEBUG=false |   - APP_DEBUG=false | ||||||
|   | |||||||
| @@ -18,8 +18,8 @@ spec: | |||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|       - name: hydra-oidc-php-fpm |       - name: hydra-oidc-php-fpm | ||||||
|         image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.12.15-develop.1012.d57f2ad |         image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 | ||||||
|         imagePullPolicy: Always |         imagePullPolicy: IfNotPresent | ||||||
|         args: ["/usr/sbin/php-fpm81", "-F", "-e"] |         args: ["/usr/sbin/php-fpm81", "-F", "-e"] | ||||||
|         readinessProbe: |         readinessProbe: | ||||||
|           exec: |           exec: | ||||||
| @@ -46,11 +46,23 @@ spec: | |||||||
|           - configMapRef: |           - configMapRef: | ||||||
|               name: hydra-oidc-env |               name: hydra-oidc-env | ||||||
|         resources: {} |         resources: {} | ||||||
|  |         securityContext: | ||||||
|  |           runAsNonRoot: true | ||||||
|  |           runAsGroup: 1000 | ||||||
|  |           runAsUser: 1000 | ||||||
|  |  | ||||||
|       - image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.12.15-develop.1012.d57f2ad |       - name: hydra-oidc-caddy | ||||||
|         imagePullPolicy: Always |         image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 | ||||||
|         name: hydra-oidc-nginx |         imagePullPolicy: IfNotPresent | ||||||
|         args: ["/usr/sbin/nginx"] |         args: | ||||||
|  |           [ | ||||||
|  |             "/usr/sbin/caddy", | ||||||
|  |             "run", | ||||||
|  |             "--adapter", | ||||||
|  |             "caddyfile", | ||||||
|  |             "--config", | ||||||
|  |             "/etc/caddy/Caddyfile", | ||||||
|  |           ] | ||||||
|         readinessProbe: |         readinessProbe: | ||||||
|           httpGet: |           httpGet: | ||||||
|             path: /healthy |             path: /healthy | ||||||
| @@ -65,22 +77,26 @@ spec: | |||||||
|           initialDelaySeconds: 15 |           initialDelaySeconds: 15 | ||||||
|           timeoutSeconds: 5 |           timeoutSeconds: 5 | ||||||
|           periodSeconds: 15 |           periodSeconds: 15 | ||||||
|  |         ports: | ||||||
|  |           - containerPort: 8080 | ||||||
|  |             name: http | ||||||
|         envFrom: |         envFrom: | ||||||
|           - configMapRef: |           - configMapRef: | ||||||
|               name: hydra-oidc-env |               name: hydra-oidc-env | ||||||
|         env: |         env: | ||||||
|         - name: NGINX_APP_UPSTREAM_BACKEND_SERVER |           - name: CADDY_APP_UPSTREAM_BACKEND_SERVER | ||||||
|             value: 127.0.0.1:9000 |             value: 127.0.0.1:9000 | ||||||
|         - name: NGINX_APP_ROOT |           - name: CADDY_HTTPS_PORT | ||||||
|           value: "/public/" |             value: "8443" | ||||||
|         - name: NGINX_APP_PHP_INDEX |           - name: CADDY_HTTP_PORT | ||||||
|           value: "/index.php" |             value: "8080" | ||||||
|         - name: NGINX_ERROR_LOG_LEVEL |           - name: CADDY_DATA_FS | ||||||
|           value: "warn" |             value: "/tmp/caddy" | ||||||
|         - name: NGINX_APP_PHP_NON_FILE_PATTERN |           - name: CADDY_APP_ROOT_PUBLIC | ||||||
|           value: "^/index\\.php(/|$)" |             value: "/app/public/" | ||||||
|         ports: |  | ||||||
|         - containerPort: 8080 |  | ||||||
|         resources: {} |         resources: {} | ||||||
|  |         securityContext: | ||||||
|  |           runAsNonRoot: true | ||||||
|  |           runAsGroup: 1000 | ||||||
|  |           runAsUser: 1000 | ||||||
|       restartPolicy: Always |       restartPolicy: Always | ||||||
|  |  | ||||||
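Review bot: The new `securityContext` blocks on both containers stop at `runAsNonRoot`/`runAsUser`/`runAsGroup`; a non-root uid alone still allows setuid escalation and keeps the default capability set, so add `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` alongside them (the same applies to the two hydra-sql containers further down in this change). With `CADDY_DATA_FS` already pointed at `/tmp/caddy`, `readOnlyRootFilesystem: true` plus an emptyDir on `/tmp` looks within reach for the caddy container — verify that caddy and php-fpm write nowhere else in the image. The `ports` entry names the caddy port `http`, which the Service change below depends on through `targetPort: http`; a one-line comment on that entry saying so would stop a later rename from silently breaking the Service.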
|   | |||||||
| @@ -6,8 +6,9 @@ metadata: | |||||||
|   name: hydra-oidc |   name: hydra-oidc | ||||||
| spec: | spec: | ||||||
|   ports: |   ports: | ||||||
|   - name: hydra-oidc |   - name: http | ||||||
|     port: 8080 |     port: 80 | ||||||
|  |     targetPort: http | ||||||
|   selector: |   selector: | ||||||
|     app.kubernetes.io/name: hydra-oidc |     app.kubernetes.io/name: hydra-oidc | ||||||
| status: | status: | ||||||
|   | |||||||
| @@ -20,11 +20,3 @@ hydra: | |||||||
|         eduPersonAffiliation: |         eduPersonAffiliation: | ||||||
|           rules: |           rules: | ||||||
|           - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null" |           - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null" | ||||||
|   firewall: |  | ||||||
|     rules: |  | ||||||
|       email: |  | ||||||
|         required: false |  | ||||||
|       uid: |  | ||||||
|         required: false |  | ||||||
|       eduPersonAffiliation: |  | ||||||
|         required: false |  | ||||||
|   | |||||||
| @@ -24,6 +24,8 @@ spec: | |||||||
|                 name: hydra-saml-env |                 name: hydra-saml-env | ||||||
|           ports: |           ports: | ||||||
|             - containerPort: 8080 |             - containerPort: 8080 | ||||||
|  |           command: | ||||||
|  |             - /bin/apache2-foreground | ||||||
|           resources: {} |           resources: {} | ||||||
|       restartPolicy: Always |       restartPolicy: Always | ||||||
| --- | --- | ||||||
|   | |||||||
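--- a/components/hydra-sql/files/03_base.ini
+++ b/components/hydra-sql/files/03_base.ini
@@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}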
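Review bot: The `${OPCACHE_VALIDATE_TIMESTAMP}` and `${OPCACHE_REVALIDATE_FREQ}` placeholders rely on PHP's ini environment expansion and on the deployment defining both variables; if one is unset the directive is left with an empty value, which PHP presumably treats as zero — confirm rather than assume. A header comment should state the contract, e.g. `; OPCACHE_VALIDATE_TIMESTAMP and OPCACHE_REVALIDATE_FREQ are injected from the container env; validate_timestamps=0 means changed files are never re-read (intended for immutable images) and revalidate_freq is then irrelevant.`, so the `"0"`/`"0"` pair set in the hydra-sql deployment reads as deliberate.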
| @@ -11,6 +11,7 @@ generatorOptions: | |||||||
|  |  | ||||||
| configMapGenerator: | configMapGenerator: | ||||||
| - name: hydra-sql-env | - name: hydra-sql-env | ||||||
|  |   behavior: create | ||||||
|   literals: |   literals: | ||||||
|   - ISSUER_URL="http://localhost:8000" |   - ISSUER_URL="http://localhost:8000" | ||||||
|   - BASE_URL='http://localhost:8080' |   - BASE_URL='http://localhost:8080' | ||||||
| @@ -23,6 +24,12 @@ configMapGenerator: | |||||||
|   - DB_PASSWORD="makeMeASecret" |   - DB_PASSWORD="makeMeASecret" | ||||||
|   - REDIS_DSN="redis://redis:6379" |   - REDIS_DSN="redis://redis:6379" | ||||||
|   - PEPPER="MakeMeABigSecret" |   - PEPPER="MakeMeABigSecret" | ||||||
|  |   - ALTCHA_HOST=http://altcha:3333 | ||||||
|  |   - ALTCHA_BASE_URL=/altcha | ||||||
|  |   - ALTCHA_ENABLED=true | ||||||
| - name: sql-login-config | - name: sql-login-config | ||||||
|   files: |   files: | ||||||
|   - ./files/sql_login.yaml |   - ./files/sql_login.yaml | ||||||
|  | - name: hydra-sql-php-ini | ||||||
|  |   files: | ||||||
|  |   - ./files/03_base.ini | ||||||
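Review bot: `hydra-sql-env` remains a ConfigMap although its literals (visible as context here) carry `DB_PASSWORD` and `PEPPER`, and this change extends the generator with `behavior: create` rather than splitting those two out; the `hydra-ldap-sc` secretGenerator in this same commit shows the pattern — move `DB_PASSWORD` and `PEPPER` to a `secretGenerator` with `behavior: create` and keep the non-sensitive keys, including the new `ALTCHA_*` ones, in the ConfigMap. The new `ALTCHA_HOST=http://altcha:3333` is plain HTTP to an in-cluster service, which is presumably fine on a trusted pod network but worth a comment stating that assumption next to the literal.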
|   | |||||||
| @@ -10,7 +10,10 @@ spec: | |||||||
|     matchLabels: |     matchLabels: | ||||||
|       app.kubernetes.io/name: hydra-sql |       app.kubernetes.io/name: hydra-sql | ||||||
|   strategy: |   strategy: | ||||||
|     type: Recreate |     type: RollingUpdate | ||||||
|  |     rollingUpdate: | ||||||
|  |       maxSurge: 25% | ||||||
|  |       maxUnavailable: 25% | ||||||
|   template: |   template: | ||||||
|     metadata: |     metadata: | ||||||
|       labels: |       labels: | ||||||
| @@ -18,8 +21,8 @@ spec: | |||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|       - name: hydra-sql-fpm |       - name: hydra-sql-fpm | ||||||
|         image: reg.cadoles.com/cadoles/hydra-sql-base:2023.12.14-develop.1107.740a756 |         image: reg.cadoles.com/cadoles/hydra-sql-base:2025.3.7-develop.1415.7239d84 | ||||||
|         imagePullPolicy: Always |         imagePullPolicy: IfNotPresent | ||||||
|         args: ["/usr/sbin/php-fpm81", "-F", "-e"] |         args: ["/usr/sbin/php-fpm81", "-F", "-e"] | ||||||
|         readinessProbe: |         readinessProbe: | ||||||
|           exec: |           exec: | ||||||
| @@ -36,6 +39,10 @@ spec: | |||||||
|           initialDelaySeconds: 10 |           initialDelaySeconds: 10 | ||||||
|           periodSeconds: 30 |           periodSeconds: 30 | ||||||
|         resources: {} |         resources: {} | ||||||
|  |         securityContext: | ||||||
|  |           runAsNonRoot: true | ||||||
|  |           runAsGroup: 1000 | ||||||
|  |           runAsUser: 1000 | ||||||
|         envFrom: |         envFrom: | ||||||
|         - configMapRef: |         - configMapRef: | ||||||
|             name: hydra-sql-env |             name: hydra-sql-env | ||||||
| @@ -48,15 +55,22 @@ spec: | |||||||
|           value: 128m |           value: 128m | ||||||
|         - name: PHP_FPM_LOG_LEVEL |         - name: PHP_FPM_LOG_LEVEL | ||||||
|           value: warning |           value: warning | ||||||
|  |         - name: OPCACHE_VALIDATE_TIMESTAMP | ||||||
|  |           value: "0" | ||||||
|  |         - name: OPCACHE_REVALIDATE_FREQ | ||||||
|  |           value: "0" | ||||||
|         volumeMounts: |         volumeMounts: | ||||||
|         - name: sql-login-config |         - name: sql-login-config | ||||||
|           mountPath: "/app/config/sql_login_configuration/sql_login.yaml" |           mountPath: "/app/config/sql_login_configuration/sql_login.yaml" | ||||||
|           subPath: "sql_login.yaml" |           subPath: "sql_login.yaml" | ||||||
|  |         - name: hydra-sql-php-ini | ||||||
|  |           mountPath: /etc/php81/conf.d/03_base.ini | ||||||
|  |           subPath: 03_base.ini | ||||||
|  |  | ||||||
|       - name: hydra-sql-nginx |       - name: hydra-sql-caddy | ||||||
|         image: reg.cadoles.com/cadoles/hydra-sql-base:2023.12.14-develop.1107.740a756 |         image: reg.cadoles.com/cadoles/hydra-sql-base:2025.3.7-develop.1415.7239d84 | ||||||
|         imagePullPolicy: Always |         imagePullPolicy: IfNotPresent | ||||||
|         args: ["/usr/sbin/nginx"] |         args: ["/usr/sbin/caddy", "run", "--adapter", "caddyfile", "--config", "/etc/caddy/Caddyfile"] | ||||||
|         readinessProbe: |         readinessProbe: | ||||||
|           httpGet: |           httpGet: | ||||||
|             path: /health |             path: /health | ||||||
| @@ -75,19 +89,24 @@ spec: | |||||||
|         - configMapRef: |         - configMapRef: | ||||||
|             name: hydra-sql-env |             name: hydra-sql-env | ||||||
|         env: |         env: | ||||||
|         - name: NGINX_APP_UPSTREAM_BACKEND_SERVER |         - name: CADDY_APP_UPSTREAM_BACKEND_SERVER | ||||||
|           value: 127.0.0.1:9000 |           value: 127.0.0.1:9000 | ||||||
|         - name: NGINX_APP_ROOT |         - name: CADDY_HTTPS_PORT | ||||||
|           value: "/public" |           value: "8443" | ||||||
|         - name: NGINX_APP_PHP_INDEX |         - name: CADDY_HTTP_PORT | ||||||
|           value: "/index.php" |           value: "8080" | ||||||
|         - name: NGINX_ERROR_LOG_LEVEL |         - name: CADDY_DATA_FS | ||||||
|           value: "warn" |           value: "/tmp/caddy" | ||||||
|         - name: NGINX_APP_PHP_NON_FILE_PATTERN |         - name: CADDY_APP_ROOT_PUBLIC | ||||||
|           value: "^/index\\.php(/|$)" |           value: "/app/public/" | ||||||
|         resources: {} |         resources: {} | ||||||
|  |         securityContext: | ||||||
|  |           runAsNonRoot: true | ||||||
|  |           runAsGroup: 1000 | ||||||
|  |           runAsUser: 1000 | ||||||
|         ports: |         ports: | ||||||
|         - containerPort: 8080 |         - containerPort: 8080 | ||||||
|  |           name: http | ||||||
|         volumeMounts: |         volumeMounts: | ||||||
|         - name: sql-login-config |         - name: sql-login-config | ||||||
|           mountPath: "/app/config/sql_login_configuration/sql_login.yaml" |           mountPath: "/app/config/sql_login_configuration/sql_login.yaml" | ||||||
| @@ -96,5 +115,8 @@ spec: | |||||||
|       - name: sql-login-config |       - name: sql-login-config | ||||||
|         configMap: |         configMap: | ||||||
|           name: sql-login-config |           name: sql-login-config | ||||||
|  |       - name: hydra-sql-php-ini | ||||||
|  |         configMap: | ||||||
|  |           name: hydra-sql-php-ini | ||||||
|  |  | ||||||
|       restartPolicy: Always |       restartPolicy: Always | ||||||
|   | |||||||
| @@ -6,8 +6,9 @@ metadata: | |||||||
|   name: hydra-sql |   name: hydra-sql | ||||||
| spec: | spec: | ||||||
|   ports: |   ports: | ||||||
|   - name: hydra-sql |   - name: http | ||||||
|     port: 8080 |     port: 80 | ||||||
|  |     targetPort: http | ||||||
|   selector: |   selector: | ||||||
|     app.kubernetes.io/name: hydra-sql |     app.kubernetes.io/name: hydra-sql | ||||||
| status: | status: | ||||||
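Review bot: Changing the Service port from 8080 to 80 (with `targetPort: http`) alters the address every other manifest uses to reach hydra-sql; an Ingress backend, dispatcher URL or NetworkPolicy still naming `hydra-sql:8080` fails at runtime with a connection refused rather than at apply time. Grep the overlays and examples for `hydra-sql:8080` before merging, or keep `port: 8080` next to the named `targetPort` for one release as a migration aid. The rest of the Service is outside this hunk.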
|   | |||||||
| @@ -17,4 +17,5 @@ configMapGenerator: | |||||||
|       - OIDC_REDIRECT_URL=https://example.net/oauth2/callback |       - OIDC_REDIRECT_URL=https://example.net/oauth2/callback | ||||||
|       - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net |       - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net | ||||||
|       - OIDC_SKIP_ISSUER_VERIFICATION="true" |       - OIDC_SKIP_ISSUER_VERIFICATION="true" | ||||||
|  |       - OIDC_SCOPES="openid profile" | ||||||
|       - OIDC_INSECURE_SKIP_VERIFY="true" |       - OIDC_INSECURE_SKIP_VERIFY="true" | ||||||
| @@ -17,7 +17,7 @@ spec: | |||||||
|         app.kubernetes.io/name: oidc-test |         app.kubernetes.io/name: oidc-test | ||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|         - image: reg.cadoles.com/cadoles/oidc-test:2023.12.6-stable.1502.ebfd504 |         - image: reg.cadoles.com/cadoles/oidc-test:2025.3.11-stable.1428.6545cb3 | ||||||
|           name: oidc-test |           name: oidc-test | ||||||
|           ports: |           ports: | ||||||
|             - containerPort: 8080 |             - containerPort: 8080 | ||||||
| @@ -30,10 +30,10 @@ spec: | |||||||
|               valueFrom: |               valueFrom: | ||||||
|                 secretKeyRef: |                 secretKeyRef: | ||||||
|                   name: oidc-test-oauth2-client |                   name: oidc-test-oauth2-client | ||||||
|                 key: client_id |                   key: CLIENT_ID | ||||||
|             - name: OIDC_CLIENT_SECRET |             - name: OIDC_CLIENT_SECRET | ||||||
|               valueFrom: |               valueFrom: | ||||||
|                 secretKeyRef: |                 secretKeyRef: | ||||||
|                   name: oidc-test-oauth2-client |                   name: oidc-test-oauth2-client | ||||||
|                 key: client_secret |                   key: CLIENT_SECRET | ||||||
|       restartPolicy: Always |       restartPolicy: Always | ||||||
|   | |||||||
| @@ -10,7 +10,7 @@ spec: | |||||||
|     - refresh_token |     - refresh_token | ||||||
|   responseTypes: |   responseTypes: | ||||||
|     - code |     - code | ||||||
|   scope: "openid email" |   scope: "openid email profile" | ||||||
|   secretName: oidc-test-oauth2-client |   secretName: oidc-test-oauth2-client | ||||||
|   redirectUris: |   redirectUris: | ||||||
|     - https://example.net/oauth2/callback |     - https://example.net/oauth2/callback | ||||||
|   | |||||||
| @@ -3,20 +3,17 @@ | |||||||
| ### Description | ### Description | ||||||
|  |  | ||||||
| Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis. | Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis. | ||||||
|  |  | ||||||
| Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`. | Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`. | ||||||
| Les applications peuvent utiliser le mode `sentinel` de redis |  | ||||||
| Il est donc nécessaire donc nécessaire de disposer d'un serveur Redis pour utiliser ces applications. |  | ||||||
|  |  | ||||||
| ### Principe général de fonctionnement | ### Principe général de fonctionnement | ||||||
|  |  | ||||||
| Un `RedisFailOver` crée un cluster redis en mode sentinel avec 3 réplicats chacun. | Un `Redis` crée une instance Redis dédiée à l'environnement SSO. | ||||||
|  |  | ||||||
|  |  | ||||||
| ### Personnalisation | ### Personnalisation | ||||||
|  |  | ||||||
| Via des `patches` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` il est possible de modifier la valeur du `REDIS_DSN`. | Un `patch` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` permet de modifier la valeur de la clé `REDIS_DSN`. | ||||||
|  |  | ||||||
|  | | Clé         | Description          | Exemple                  | | ||||||
| |Clé|Description|Exemple| | | ----------- | -------------------- | ------------------------ | | ||||||
| |---|-----------|-------| | | `REDIS_DSN` | DSN du cluster Redis | `redis://redis-sso:6379` | | ||||||
| |`REDIS_DSN`| DSN du cluster Redis | `redis://rfs-sso-redis:26379?&redis_sentinel=mymaster` |  | ||||||
|   | |||||||
										5
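--- a/components/redis/configurations/redis-conf.yaml
+++ b/components/redis/configurations/redis-conf.yaml
@@ -0,0 +1,5 @@
+nameReference:
+  - kind: ConfigMap
+    fieldSpecs:
+      - kind: Redis
+        path: spec/redisConfig/additionalRedisConfig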
										3
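--- a/components/redis/files/redis-additional.conf
+++ b/components/redis/files/redis-additional.conf
@@ -0,0 +1,3 @@
+maxmemory-policy allkeys-lru
+maxmemory 1536mb
+tcp-keepalive 90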
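Review bot: `maxmemory-policy allkeys-lru` on an instance whose only job is SSO session and cache storage means that once the 1536mb ceiling is reached Redis silently evicts live user sessions, which users experience as random logouts. If the applications set TTLs on session keys, `volatile-lru` confines eviction to expirable keys; otherwise `noeviction` turns memory pressure into a visible write error instead of silent data loss. Whichever is chosen, a comment stating the trade-off belongs here, e.g. `# sessions are evicted under memory pressure; raise maxmemory rather than rely on this`. No `requirepass` or ACL line is present, so the instance relies entirely on network reachability for protection.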
| @@ -1,11 +1,19 @@ | |||||||
| apiVersion: kustomize.config.k8s.io/v1alpha1 | apiVersion: kustomize.config.k8s.io/v1alpha1 | ||||||
| kind: Component | kind: Component | ||||||
|  |  | ||||||
|  | configurations: | ||||||
|  |   - ./configurations/redis-conf.yaml | ||||||
|  |  | ||||||
| resources: | resources: | ||||||
|   - ./resources/redis-failover.yaml |   - ./resources/redis-sso.yaml | ||||||
|  |  | ||||||
|  | configMapGenerator: | ||||||
|  | - name: redis-sso-extra-conf | ||||||
|  |   files: | ||||||
|  |     - ./files/redis-additional.conf | ||||||
|  |  | ||||||
| patches: | patches: | ||||||
| - path: ./patches/hydra-apps.yaml |   - path: ./patches/hydra-apps.yaml | ||||||
|     target: |     target: | ||||||
|       kind: ConfigMap |       kind: ConfigMap | ||||||
|       labelSelector: "com.cadoles.forge.sso-kustom/session=redis" |       labelSelector: "com.cadoles.forge.sso-kustom/session=redis" | ||||||
|   | |||||||
| @@ -1,3 +1,3 @@ | |||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/REDIS_DSN" |   path: "/data/REDIS_DSN" | ||||||
|   value: "redis://rfs-sso-redis:26379?&redis_sentinel=mymaster" |   value: "redis://redis-sso:6379" | ||||||
|   | |||||||
| @@ -1,21 +0,0 @@ | |||||||
| apiVersion: databases.spotahome.com/v1 |  | ||||||
| kind: RedisFailover |  | ||||||
| metadata: |  | ||||||
|   name: sso-redis |  | ||||||
| spec: |  | ||||||
|   sentinel: |  | ||||||
|     replicas: 3 |  | ||||||
|     resources: |  | ||||||
|       requests: |  | ||||||
|         cpu: 100m |  | ||||||
|       limits: |  | ||||||
|         memory: 100Mi |  | ||||||
|   redis: |  | ||||||
|     replicas: 3 |  | ||||||
|     resources: |  | ||||||
|       requests: |  | ||||||
|         cpu: 100m |  | ||||||
|         memory: 100Mi |  | ||||||
|       limits: |  | ||||||
|         cpu: 400m |  | ||||||
|         memory: 500Mi |  | ||||||
										27
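--- a/components/redis/resources/redis-sso.yaml
+++ b/components/redis/resources/redis-sso.yaml
@@ -0,0 +1,27 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta1
+kind: Redis
+metadata:
+  name: redis-sso
+spec:
+  kubernetesConfig:
+    image: reg.cadoles.com/quay/opstree/redis:v7.0.15
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 500m
+        memory: 1024Mi
+      limits:
+        cpu: 2000m
+        memory: 2048Mi
+  redisConfig:
+    additionalRedisConfig: redis-sso-extra-conf
+  storage:
+    volumeClaimTemplate:
+      spec:
+        # storageClassName: standard
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  securityContext:
+    runAsUser: 1000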
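Review bot: Nothing in this resource, the extra conf or the `redis://redis-sso:6379` DSN patch configures authentication or TLS, so any pod able to reach the `redis-sso` Service can read and rewrite every SSO session; the sentinel setup it replaces had the same gap, but this rewrite is the moment to close it. The opstree operator can reference a password Secret from `spec.kubernetesConfig` (presumably `redisSecret`, verify against the installed CRD version), after which the DSN in `patches/hydra-apps.yaml` must carry the credential; failing that, a NetworkPolicy limiting ingress on 6379 to the hydra-* pods is the minimum. The `securityContext` only sets `runAsUser: 1000`; adding `runAsNonRoot: true` and `fsGroup: 1000` makes the non-root intent explicit and keeps the PVC writable, unless the operator already injects fsGroup. Going from a 3-replica sentinel cluster to a single `Redis` also makes this pod a single point of failure for all logins, which deserves a comment on the resource so the choice is not mistaken for an oversight.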
| @@ -1,6 +1,6 @@ | |||||||
| # Exemple: Déploiement d'une application authentifiée avec la stack SSO | # Exemple: Déploiement d'une application authentifiée avec la stack SSO | ||||||
|  |  | ||||||
| L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. | L'exemple est actuellement déployé avec le composant `hydra-ldap` uniquement. | ||||||
|  |  | ||||||
| ## Procédure | ## Procédure | ||||||
|  |  | ||||||
| @@ -18,27 +18,30 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. | |||||||
|    kubectl apply  -k ./examples/k8s/kind/cluster --server-side |    kubectl apply  -k ./examples/k8s/kind/cluster --server-side | ||||||
|    ``` |    ``` | ||||||
|  |  | ||||||
| 3. Déployer l'application |    > Si une erreur du type `ensure CRDs are installed first` s'affiche, relancer la commande. | ||||||
|  |  | ||||||
|  | 3. Attendre que l'opérateur Redis soit opérationnel puis patcher le `ClusterRole` de celui ci (cf. https://github.com/OT-CONTAINER-KIT/redis-operator/issues/526): | ||||||
|  |  | ||||||
|  |    ```bash | ||||||
|  |    kubectl wait -n operators --timeout 10m --for=jsonpath=".status.state"=AtLatestKnown subscription my-redis-operator | ||||||
|  |    # On attend quelques secondes supplémentaires pour s'assurer que l'opérateur a réellement démarré | ||||||
|  |    sleep 30 | ||||||
|  |    kubectl patch clusterroles.rbac.authorization.k8s.io $(kubectl get clusterrole | awk '/redis-operator/ {print $1}') --patch-file examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml | ||||||
|  |    ``` | ||||||
|  |  | ||||||
|  | 4. Déployer l'application | ||||||
|  |  | ||||||
|    ``` |    ``` | ||||||
|    kubectl apply -k ./examples/authenticated-app |    kubectl apply -k ./examples/authenticated-app | ||||||
|    ``` |    ``` | ||||||
|  |  | ||||||
|    **Note** Il est possible d'avoir l'erreur suivante: | 5. Ajouter l'entrée suivante dans votre fichier `/etc/hosts` | ||||||
|  |  | ||||||
|    ``` |  | ||||||
|    error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1" |  | ||||||
|    ``` |  | ||||||
|  |  | ||||||
|    Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande. |  | ||||||
|  |  | ||||||
| 4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts` |  | ||||||
|  |  | ||||||
|    ``` |    ``` | ||||||
|    127.0.0.1 ssokustom |    127.0.0.1 ssokustom | ||||||
|    ``` |    ``` | ||||||
|  |  | ||||||
| 5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom | 6. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom | ||||||
|  |  | ||||||
| #### Supprimer le cluster | #### Supprimer le cluster | ||||||
|  |  | ||||||
| @@ -48,14 +51,15 @@ kind delete cluster -n sso-kustom-example | |||||||
|  |  | ||||||
| ## Authentification | ## Authentification | ||||||
|  |  | ||||||
| ### SAML | ### LDAP | ||||||
|  |  | ||||||
| - Utilisateur: `user1` | #### Comptes par défaut | ||||||
| - Mot de passe `user1pass` |  | ||||||
|  |  | ||||||
| #### URL utiles | 1. `jdoe` / `jdoe` | ||||||
|  | 2. `jdoe2` / `jdoe` | ||||||
|  | 3. `siret1` / `siret` | ||||||
|  | 4. `siret2` / `siret` | ||||||
|  |  | ||||||
| |URL|Description| | #### Gestion des comptes | ||||||
| |---|-----------| |  | ||||||
| |https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth| | Les comptes LDAP sont définis dans le fichier [`./files/glauth.conf`](./files/glauth.conf) | ||||||
| |https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth| |  | ||||||
|   | |||||||
										83
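--- a/examples/authenticated-app/files/glauth.conf
+++ b/examples/authenticated-app/files/glauth.conf
@@ -0,0 +1,83 @@
+debug = true
+
+[ldap]
+  enabled = true
+  listen = "0.0.0.0:3893"
+  tls = false
+
+[ldaps]
+  enabled = false
+
+[behaviors]
+  IgnoreCapabilities = true
+
+[backend]
+  datastore = "config"
+  baseDN = "dc=glauth,dc=com"
+
+[[users]]
+  uid = "serviceuser"
+  name = "serviceuser"
+  mail = "serviceuser@example.com"
+  uidnumber = 5001
+  primarygroup = 5502
+  # use echo -n "mysecret" | openssl dgst -sha256
+  passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret
+    [[users.capabilities]]
+    action = "search"
+    object = "*"
+
+[[users]]
+  uid = "jdoe"
+  name = "jdoe"
+  uidnumber = 5002
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe"
+  mail = "jdoe@example.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+    [[users.customattributes]]
+    employeetype = ["Intern", "Temp"]
+    employeenumber = [12345, 54321]
+
+[[users]]
+  uid = "jdoe2"
+  name = "jdoe2"
+  uidnumber = 5003
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe2"
+  mail = "jdoe2@jdoe2.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+
+[[users]]
+  uid = "siret1"
+  name = "siret1"
+  uidnumber = 5004
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret1@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0001"]
+
+[[users]]
+  uid = "siret2"
+  name = "siret2"
+  uidnumber = 5005
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret2@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0002"]
+
+[[groups]]
+  name = "users"
+  gidnumber = 5501
+
+[[groups]]
+  name = "svcaccts"
+  gidnumber = 5502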
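Review bot: This fixture is deliberately insecure (`debug = true`, `tls = false`, `IgnoreCapabilities = true`, unsalted `passsha256` hashes with the plaintext in trailing comments), which is fine for the kind example, but nothing in the file says so; a header such as `# Example-only glauth config for the kind cluster: no TLS, debug logging, static users with documented passwords — do not reuse` prevents it being copied into a real overlay. `IgnoreCapabilities = true` appears to let any bound user search the whole tree, which would make the explicit `search` capability on `serviceuser` redundant here; confirm against the glauth version pinned in the Deployment. If the example is ever hardened, glauth accepts `passbcrypt` in place of plain SHA-256.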
										31
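--- a/examples/authenticated-app/files/hydra-dispatcher-apps.yaml
+++ b/examples/authenticated-app/files/hydra-dispatcher-apps.yaml
@@ -0,0 +1,31 @@
+hydra:
+  apps:
+    - id: ldap
+      title:
+        fr: Connexion LDAP
+        en: Login LDAP
+      description:
+        fr: Authentification avec LDAP
+        en: Authentication with LDAP
+      login_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGIN_URL)%"
+      consent_url: "%env(string:HYDRA_DISPATCHER_LDAP_CONSENT_URL)%"
+      logout_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGOUT_URL)%"
+      attributes_rewrite_configuration:
+        siret:
+          rules:
+            - "property_exists(consent.session.id_token, 'siret') ?  consent.session.id_token.siret : null"
+            - "value ?: ( consent.session.id_token.email matches '/.*@example.com$/' ? '0000' : null )"
+            - "value ?: ( consent.session.id_token.email matches '/.*@jdoe.com$/' ? '0001' : null )"
+        family_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
+        given_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
+        email:
+          rules:
+            - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+  webhook:
+    enabled: false
+  webhook_post_login:
+    enabled: false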
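Review bot: The two fallback `siret` rules derive a claim from the e-mail domain with `'/.*@example.com$/'` and `'/.*@jdoe.com$/'`, where the unescaped `.` also matches `user@exampleXcom`; since `siret` is requested as its own scope by oidc-test and is therefore likely consumed for authorization, escape the dots, e.g. `'/@example\\.com$/'` and `'/@jdoe\\.com$/'` (the leading `.*` is redundant with `matches`). The `@jdoe.com` rule also matches none of the fixture users — `jdoe2` in glauth.conf carries `jdoe2@jdoe2.com` — so either the rule or the fixture mail looks mistyped. A one-line comment above `siret:` stating that an LDAP-provided value wins and the domain rules are example fallbacks would make the precedence explicit.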
| @@ -2,12 +2,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1 | |||||||
| kind: Kustomization | kind: Kustomization | ||||||
|  |  | ||||||
| resources: | resources: | ||||||
|   - ../../overlays/full |   - ../../overlays/base | ||||||
|  |  | ||||||
|   - ./resources/ingress.yaml |   - ./resources/ingress.yaml | ||||||
|   - ./resources/saml-idp.yaml |   - ./resources/glauth-ldap.yaml | ||||||
|   - ./resources/self-signed-issuer.yaml |   - ./resources/self-signed-issuer.yaml | ||||||
|   - ./resources/port-forwarder.yaml |   - ./resources/port-forwarder.yaml | ||||||
|  |  | ||||||
|  | components: | ||||||
|  |   - ../../components/hydra-cnpg-database | ||||||
|  |   - ../../components/hydra-ldap | ||||||
|  |   - ../../components/oidc-test | ||||||
|  |   - ../../components/redis | ||||||
|  |   - ../../components/hydra-cleaner | ||||||
|  |  | ||||||
| patchesJson6902: | patchesJson6902: | ||||||
|   - target: |   - target: | ||||||
|       version: v1 |       version: v1 | ||||||
| @@ -22,8 +30,13 @@ patchesJson6902: | |||||||
|   - target: |   - target: | ||||||
|       version: v1 |       version: v1 | ||||||
|       kind: ConfigMap |       kind: ConfigMap | ||||||
|       name: hydra-saml-env |       name: hydra-ldap-env | ||||||
|     path: patches/hydra-saml-env.yaml |     path: patches/hydra-ldap-env.yaml | ||||||
|  |   - target: | ||||||
|  |       version: v1 | ||||||
|  |       kind: Secret | ||||||
|  |       name: hydra-ldap-sc | ||||||
|  |     path: patches/hydra-ldap-sc.yaml | ||||||
|   - target: |   - target: | ||||||
|       version: v1 |       version: v1 | ||||||
|       kind: Secret |       kind: Secret | ||||||
| @@ -32,10 +45,29 @@ patchesJson6902: | |||||||
|   - target: |   - target: | ||||||
|       version: v1 |       version: v1 | ||||||
|       kind: ConfigMap |       kind: ConfigMap | ||||||
|       name: oidc-test |       name: oidc-test-env | ||||||
|     path: patches/oidc-test.yaml |     path: patches/oidc-test.yaml | ||||||
|   - target: |   - target: | ||||||
|       version: v1alpha1 |       version: v1alpha1 | ||||||
|       kind: OAuth2Client |       kind: OAuth2Client | ||||||
|       name: oidc-test-oauth2-client |       name: oidc-test-oauth2-client | ||||||
|     path: patches/oidc-test-oauth2-client.yaml |     path: patches/oidc-test-oauth2-client.yaml | ||||||
|  |   - target: | ||||||
|  |       version: v1 | ||||||
|  |       kind: ConfigMap | ||||||
|  |       name: hydra-cleaner-env | ||||||
|  |     path: patches/hydra-cleaner-env.yaml | ||||||
|  |   - target: | ||||||
|  |       version: v1 | ||||||
|  |       kind: CronJob | ||||||
|  |       name: hydra-cleaner | ||||||
|  |     path: patches/hydra-cleaner.yaml | ||||||
|  |  | ||||||
|  | configMapGenerator: | ||||||
|  |   - name: hydra-dispatcher-apps | ||||||
|  |     behavior: replace | ||||||
|  |     files: | ||||||
|  |       - ./files/hydra-dispatcher-apps.yaml | ||||||
|  |   - name: glauth-ldap-conf | ||||||
|  |     files: | ||||||
|  |       - ./files/glauth.conf | ||||||
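Review bot: `glauth.conf` is published through `configMapGenerator` as `glauth-ldap-conf`, yet it carries the bind account's password hash and every test user's hash; a `secretGenerator` with the same name and file keeps it under the normally tighter Secret RBAC and out of `kubectl get configmap -o yaml` dumps. The glauth-ldap Deployment's volume would then need `secret:` instead of `configMap:`; that resource is only partially visible in this view. For a kind-only example this is a judgement call, but the directory is presented as a deployment example and will be copied. The kustomization's resources and patches sections start before this hunk.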
|   | |||||||
| @@ -0,0 +1,9 @@ | |||||||
|  | - op: replace | ||||||
|  |   path: "/data/RETENTION_HOURS" | ||||||
|  |   value: "1" # 1 HOUR | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/BATCH_SIZE" | ||||||
|  |   value: "100" | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/LIMIT" | ||||||
|  |   value: "1000" | ||||||
										3
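--- a/examples/authenticated-app/patches/hydra-cleaner.yaml
+++ b/examples/authenticated-app/patches/hydra-cleaner.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: "/spec/schedule"
+  value: "* * * * *"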
| @@ -1,3 +1,9 @@ | |||||||
|  | - op: replace | ||||||
|  |   path: "/data/APP_ENV" | ||||||
|  |   value: dev | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/APP_DEBUG" | ||||||
|  |   value: "true" | ||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_BASE_URL" |   path: "/data/HYDRA_BASE_URL" | ||||||
|   value: http://hydra:4444 |   value: http://hydra:4444 | ||||||
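Review bot: `APP_ENV=dev` together with `APP_DEBUG=true` enables the Symfony debug handlers on hydra-dispatcher, the component that brokers login and consent, so its error pages will expose stack traces and request details; acceptable for the kind example only if it is labelled, e.g. `# example only: debug mode exposes stack traces, never enable on a reachable instance` placed directly above the two ops so the warning travels with the setting when the patch is copied. The rest of the patch (HYDRA_BASE_URL and following) continues outside this hunk.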
| @@ -17,14 +23,13 @@ | |||||||
|   path: "/data/COOKIE_PATH" |   path: "/data/COOKIE_PATH" | ||||||
|   value: /auth/dispatcher |   value: /auth/dispatcher | ||||||
|  |  | ||||||
| # Hydra SAML configuration | # Hydra LDAP configuration | ||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL" |   path: "/data/HYDRA_DISPATCHER_LDAP_LOGIN_URL" | ||||||
|   value: https://ssokustom/auth/saml/login |   value: https://ssokustom/auth/ldap/auth/login | ||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL" |   path: "/data/HYDRA_DISPATCHER_LDAP_CONSENT_URL" | ||||||
|   value: https://ssokustom/auth/saml/consent |   value: https://ssokustom/auth/ldap/auth/consent | ||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL" |   path: "/data/HYDRA_DISPATCHER_LDAP_LOGOUT_URL" | ||||||
|   value: https://ssokustom/auth/saml/logout |   value: https://ssokustom/auth/ldap/auth/logout | ||||||
|    |  | ||||||
|   | |||||||
| @@ -13,3 +13,12 @@ | |||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_SERVE_ALL_ARGS" |   path: "/data/HYDRA_SERVE_ALL_ARGS" | ||||||
|   value: "--dev" |   value: "--dev" | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/SERVE_COOKIES_SAME_SITE_MODE" | ||||||
|  |   value: "Lax" | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND" | ||||||
|  |   value: "true" | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/SERVE_COOKIES_DOMAIN" | ||||||
|  |   value: "ssokustom" | ||||||
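Review bot: `SERVE_COOKIES_DOMAIN: "ssokustom"` sets an explicit Domain attribute, which makes Hydra's cookies valid for every subdomain of `ssokustom` rather than host-only; for a single-host example leaving it unset is the tighter default, and the option is normally only needed when hydra and its login apps live on different hosts. `SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND: "true"` is, as far as Hydra documents it, a fallback for `SameSite=None` that stores a second cookie without a SameSite attribute; with mode `Lax` it is at best inert and at worst adds a weaker duplicate cookie, so drop it or annotate it `# only meaningful with SameSite=None` if it is kept for parity with another overlay. The `--dev` flag in the context lines is pre-existing and not part of this change.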
|   | |||||||
										55
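--- a/examples/authenticated-app/patches/hydra-ldap-env.yaml
+++ b/examples/authenticated-app/patches/hydra-ldap-env.yaml
@@ -0,0 +1,55 @@
+- op: replace
+  path: "/data/WERTHER_DEV_MODE"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_WEB_BASE_PATH"
+  value: "/auth/ldap/"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_HYDRA_URL"
+  value: "http://hydra-dispatcher"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ENDPOINTS"
+  value: "glauth-ldap:389"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BASEDN"
+  value: "dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ROLE_BASEDN"
+  value: "ou=groups,dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_CLAIM_SCOPES"
+  value: "uid:profile,name:profile,family_name:profile,given_name:profile,email:profile,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_INSECURE_SKIP_VERIFY"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_IS_TLS"
+  value: "false"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ATTR_CLAIMS"
+  value: "name:name,sn:family_name,givenName:given_name,mail:email,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_CONNECTION_TIMEOUT"
+  value: "30s"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_USER_SEARCH_QUERY"
+  value: "(&(objectClass=*)(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_ACR"
+  value: "eidas1"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_AMR"
+  value: "pwd"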
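Review bot: `WERTHER_LDAP_USER_SEARCH_QUERY` substitutes the submitted login into the filter at four positions via `%[1]s`; unless werther escapes the value per RFC 4515 before substitution, a login such as `*)(uid=*` changes the filter's shape — that cannot be confirmed from this patch, so verify the escaping in werther or narrow the example query to `(uid=%[1]s)`. The same query lets a user authenticate by `mail`, `userPrincipalName` or `sAMAccountName`, so if `mail` is not unique in the directory the search may return several entries, and how werther resolves that deserves a comment. `WERTHER_INSECURE_SKIP_VERIFY=true` with `WERTHER_LDAP_IS_TLS=false` sends bind passwords, including `serviceuser`'s, in clear across the cluster network, which is fine for kind but should carry a `# example only` marker next to each op. Asserting `WERTHER_IDENTP_ACR=eidas1` for a password-only login is consistent with the `pwd` AMR, but relying parties should not read it as more than the low assurance level.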
										7
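--- a/examples/authenticated-app/patches/hydra-ldap-sc.yaml
+++ b/examples/authenticated-app/patches/hydra-ldap-sc.yaml
@@ -0,0 +1,7 @@
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDDN"
+  value: "Y249c2VydmljZXVzZXIsb3U9c3ZjYWNjdHMsb3U9dXNlcnMsZGM9Z2xhdXRoLGRjPWNvbQ==" # cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDPW"
+  value: "bXlzZWNyZXQ=" # mysecret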
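Review bot: The bind password is committed base64-encoded with its plaintext in the trailing comment, and base64 is an encoding, not protection; the value must also match the `mysecret` hashed for `serviceuser` in glauth.conf, and the two stay in sync only by hand. A header comment such as `# example credentials for the kind cluster; must match serviceuser in files/glauth.conf` makes both points explicit, and a real overlay should source this Secret from outside git. The `hydra-ldap-sc` Secret itself is defined in the component, not in this patch.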
| @@ -1,43 +0,0 @@ | |||||||
| - op: replace |  | ||||||
|   path: "/data/HTTP_BASE_URL" |  | ||||||
|   value: https://ssokustom/auth/saml |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/COOKIE_PATH" |  | ||||||
|   value: /auth/saml |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/HYDRA_ADMIN_BASE_URL" |  | ||||||
|   value: http://hydra-dispatcher |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/LOGOUT_REDIRECT_URL_PATTERN" |  | ||||||
|   value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/PATH_PREFIX" |  | ||||||
|   value: "/auth/saml" |  | ||||||
|  |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_ENTITY_ID" |  | ||||||
|   value: https://ssokustom/auth/saml |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/IDP_ENTITY_ID" |  | ||||||
|   value: https://ssokustom/simplesaml/saml2/idp/metadata.php |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/IDP_METADATA_URL" |  | ||||||
|   value: https://ssokustom/simplesaml/saml2/idp/metadata.php |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/APACHE_FORCE_HTTPS" |  | ||||||
|   value: "true" |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_HANDLER_BASE_PATH" |  | ||||||
|   value: "/auth/saml" |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_LOG_LEVEL" |  | ||||||
|   value: DEBUG |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_SESSIONS_REDIRECT_LIMIT" |  | ||||||
|   value: none |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_SESSIONS_REDIRECT_ALLOW" |  | ||||||
|   value: https://ssokustom |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_SESSIONS_COOKIE_PROPS" |  | ||||||
|   value: https |  | ||||||
| @@ -4,3 +4,6 @@ | |||||||
| - op: replace | - op: replace | ||||||
|   path: "/spec/postLogoutRedirectUris/0" |   path: "/spec/postLogoutRedirectUris/0" | ||||||
|   value: https://ssokustom |   value: https://ssokustom | ||||||
|  | - op: replace | ||||||
|  |   path: "/spec/scope" | ||||||
|  |   value: "openid profile roles siret" | ||||||
|   | |||||||
| @@ -4,3 +4,6 @@ | |||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL" |   path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL" | ||||||
|   value: https://ssokustom |   value: https://ssokustom | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/OIDC_SCOPES" | ||||||
|  |   value: "openid profile roles siret" | ||||||
|   | |||||||
							
								
								
									
										55
									
								
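--- a/examples/authenticated-app/resources/glauth-ldap.yaml
+++ b/examples/authenticated-app/resources/glauth-ldap.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: glauth-ldap
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: glauth-ldap
+    spec:
+      containers:
+        - image: glauth/glauth:v2.3.2
+          name: glauth-ldap
+          ports:
+            - containerPort: 3893
+              name: ldap
+            - containerPort: 3894
+              name: ldaps
+          resources: {}
+          volumeMounts:
+            - name: glauth-ldap-conf
+              mountPath: /app/config/config.cfg
+              subPath: glauth.conf
+      restartPolicy: Always
+      volumes:
+        - name: glauth-ldap-conf
+          configMap:
+            name: glauth-ldap-conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  ports:
+    - name: ldap
+      port: 389
+      targetPort: ldap
+    - name: ldaps
+      port: 636
+      targetPort: ldaps
+  selector:
+    app.kubernetes.io/name: glauth-ldap
+status:
+  loadBalancer: {}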
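Review bot: The glauth container has no `securityContext` and empty `resources`, while the hydra-dispatcher Deployment in this same compare adds `runAsNonRoot`/`runAsUser`/`runAsGroup` to its containers; for consistency the example should carry at least `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}` under the container, assuming the upstream image's default user is non-root — check that before adding it. The image is also pulled directly from Docker Hub as `glauth/glauth:v2.3.2`, whereas every other image in the stack goes through `reg.cadoles.com/proxy_cache/`; if that proxy covers Docker Hub, `reg.cadoles.com/proxy_cache/glauth/glauth:v2.3.2` keeps the supply chain uniform. The Service exposes both 389 and 636, but nothing visible here provides a certificate for the ldaps listener, so it is unclear whether port 636 actually serves TLS; either document where glauth-ldap-conf configures it or drop the port until it does.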
| @@ -27,10 +27,14 @@ spec: | |||||||
| apiVersion: networking.k8s.io/v1 | apiVersion: networking.k8s.io/v1 | ||||||
| kind: Ingress | kind: Ingress | ||||||
| metadata: | metadata: | ||||||
|   name: auth-saml |   name: auth-ldap | ||||||
|   annotations: |   annotations: | ||||||
|     cert-manager.io/issuer: "self-signed" |     cert-manager.io/issuer: "self-signed" | ||||||
|     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" |     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" | ||||||
|  |     nginx.ingress.kubernetes.io/rewrite-target: /$2 | ||||||
|  |     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/ldap | ||||||
|  |     nginx.ingress.kubernetes.io/configuration-snippet: | | ||||||
|  |       proxy_set_header X-Forwarded-Proto https; | ||||||
| spec: | spec: | ||||||
|   ingressClassName: nginx |   ingressClassName: nginx | ||||||
|   tls: |   tls: | ||||||
| @@ -40,13 +44,13 @@ spec: | |||||||
|   rules: |   rules: | ||||||
|     - http: |     - http: | ||||||
|         paths: |         paths: | ||||||
|       - path: /auth/saml(/|$)(.*) |           - path: /auth/ldap(/|$)(.*) | ||||||
|             pathType: Prefix |             pathType: Prefix | ||||||
|             backend: |             backend: | ||||||
|               service: |               service: | ||||||
|             name: hydra-saml |                 name: hydra-ldap | ||||||
|                 port: |                 port: | ||||||
|               name: http |                   name: hydra-ldap | ||||||
| --- | --- | ||||||
| apiVersion: networking.k8s.io/v1 | apiVersion: networking.k8s.io/v1 | ||||||
| kind: Ingress | kind: Ingress | ||||||
| @@ -57,6 +61,8 @@ metadata: | |||||||
|     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" |     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" | ||||||
|     nginx.ingress.kubernetes.io/rewrite-target: /$2 |     nginx.ingress.kubernetes.io/rewrite-target: /$2 | ||||||
|     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher |     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher | ||||||
|  |     nginx.ingress.kubernetes.io/configuration-snippet: | | ||||||
|  |       proxy_set_header X-Forwarded-Proto https; | ||||||
| spec: | spec: | ||||||
|   ingressClassName: nginx |   ingressClassName: nginx | ||||||
|   tls: |   tls: | ||||||
| @@ -82,6 +88,9 @@ metadata: | |||||||
|     cert-manager.io/issuer: "self-signed" |     cert-manager.io/issuer: "self-signed" | ||||||
|     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" |     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" | ||||||
|     nginx.ingress.kubernetes.io/rewrite-target: /$2 |     nginx.ingress.kubernetes.io/rewrite-target: /$2 | ||||||
|  |     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth | ||||||
|  |     nginx.ingress.kubernetes.io/configuration-snippet: | | ||||||
|  |       proxy_set_header X-Forwarded-Proto https; | ||||||
| spec: | spec: | ||||||
|   ingressClassName: nginx |   ingressClassName: nginx | ||||||
|   tls: |   tls: | ||||||
| @@ -98,34 +107,3 @@ spec: | |||||||
|                 name: hydra |                 name: hydra | ||||||
|                 port: |                 port: | ||||||
|                   name: hydra-public |                   name: hydra-public | ||||||
| --- |  | ||||||
| apiVersion: networking.k8s.io/v1 |  | ||||||
| kind: Ingress |  | ||||||
| metadata: |  | ||||||
|   name: saml-idp |  | ||||||
|   annotations: |  | ||||||
|     cert-manager.io/issuer: "self-signed" |  | ||||||
|     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" |  | ||||||
|     nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2 |  | ||||||
|     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" |  | ||||||
| spec: |  | ||||||
|   ingressClassName: nginx |  | ||||||
|   tls: |  | ||||||
|   - hosts: |  | ||||||
|     - ssokustom |  | ||||||
|     secretName: ssokustom-example-tls |  | ||||||
|   rules: |  | ||||||
|   - http: |  | ||||||
|       paths:      |  | ||||||
|       - path: /simplesaml(/|$)(.*) |  | ||||||
|         pathType: Prefix |  | ||||||
|         backend: |  | ||||||
|           service: |  | ||||||
|             name: saml-idp |  | ||||||
|             port: |  | ||||||
|               name: https |  | ||||||
|  |  | ||||||
|       |  | ||||||
|  |  | ||||||
|        |  | ||||||
|            |  | ||||||
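Review bot: The `nginx.ingress.kubernetes.io/configuration-snippet` added to the auth-ldap Ingress, and repeated in the two other Ingress hunks of this file, hard-codes `proxy_set_header X-Forwarded-Proto https;`; it only works because the nginx-controller ConfigMap in this compare turns on `allow-snippet-annotations` and sets `annotations-risk-level` to Critical, which lets any Ingress author in the cluster inject raw nginx configuration. With `force-ssl-redirect: "true"` on these same Ingresses every proxied request already arrived over TLS, and ingress-nginx's default forwarded headers should then carry `https` without a snippet, so first confirm the backend really sees the wrong scheme. If it does not, drop the three snippet blocks and the cluster-wide enablement; if it does, keep the snippet but add a comment above it stating why the default header is insufficient, e.g. `# TLS is terminated upstream of the controller; force the scheme the app uses to build redirect URLs`. The enclosing Ingress objects start outside the visible hunks.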
| @@ -1,51 +0,0 @@ | |||||||
| apiVersion: apps/v1 |  | ||||||
| kind: Deployment |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     app.kubernetes.io/name: saml-idp |  | ||||||
|   name: saml-idp |  | ||||||
| spec: |  | ||||||
|   replicas: 1 |  | ||||||
|   selector: |  | ||||||
|     matchLabels: |  | ||||||
|       app.kubernetes.io/name: saml-idp |  | ||||||
|   strategy: |  | ||||||
|     type: Recreate |  | ||||||
|   template: |  | ||||||
|     metadata: |  | ||||||
|       labels: |  | ||||||
|         app.kubernetes.io/name: saml-idp |  | ||||||
|     spec: |  | ||||||
|       containers: |  | ||||||
|         - image: kristophjunge/test-saml-idp:1.15 |  | ||||||
|           name: saml-idp |  | ||||||
|           ports: |  | ||||||
|             - containerPort: 8443 |  | ||||||
|           resources: {} |  | ||||||
|           env: |  | ||||||
|             - name: SIMPLESAMLPHP_SP_ENTITY_ID |  | ||||||
|               value: https://ssokustom/auth/saml |  | ||||||
|             - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE |  | ||||||
|               value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST |  | ||||||
|             - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE |  | ||||||
|               value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom |  | ||||||
|       restartPolicy: Always |  | ||||||
| --- |  | ||||||
| apiVersion: v1 |  | ||||||
| kind: Service |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     app.kubernetes.io/name: saml-idp |  | ||||||
|   name: saml-idp |  | ||||||
| spec: |  | ||||||
|   ports: |  | ||||||
|     - name: http |  | ||||||
|       port: 8080 |  | ||||||
|       targetPort: 8080 |  | ||||||
|     - name: https |  | ||||||
|       port: 8443 |  | ||||||
|       targetPort: 8443 |  | ||||||
|   selector: |  | ||||||
|     app.kubernetes.io/name: saml-idp |  | ||||||
| status: |  | ||||||
|   loadBalancer: {} |  | ||||||
| @@ -0,0 +1,92 @@ | |||||||
|  | apiVersion: rbac.authorization.k8s.io/v1 | ||||||
|  | kind: ClusterRole | ||||||
|  | rules: | ||||||
|  |   - apiGroups: | ||||||
|  |       - redis.redis.opstreelabs.in | ||||||
|  |     resources: | ||||||
|  |       - rediss | ||||||
|  |       - redisclusters | ||||||
|  |       - redis | ||||||
|  |       - rediscluster | ||||||
|  |       - redisreplication | ||||||
|  |       - redisreplications | ||||||
|  |       - redissentinel | ||||||
|  |       - redissentinels | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
|  |   - apiGroups: | ||||||
|  |       - redis.redis.opstreelabs.in | ||||||
|  |     resources: | ||||||
|  |       - redis/finalizers | ||||||
|  |       - rediscluster/finalizers | ||||||
|  |     verbs: | ||||||
|  |       - update | ||||||
|  |   - apiGroups: | ||||||
|  |       - redis.redis.opstreelabs.in | ||||||
|  |     resources: | ||||||
|  |       - redis/status | ||||||
|  |       - rediscluster/status | ||||||
|  |     verbs: | ||||||
|  |       - get | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |   - apiGroups: | ||||||
|  |       - "" | ||||||
|  |     resources: | ||||||
|  |       - secrets | ||||||
|  |       - pods/exec | ||||||
|  |       - services | ||||||
|  |       - configmaps | ||||||
|  |       - pods | ||||||
|  |       - persistentvolumes | ||||||
|  |       - persistentvolumeclaims | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
|  |   - apiGroups: | ||||||
|  |       - apps | ||||||
|  |     resources: | ||||||
|  |       - statefulsets | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
|  |   - apiGroups: | ||||||
|  |       - coordination.k8s.io | ||||||
|  |     resources: | ||||||
|  |       - leases | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
|  |   - apiGroups: | ||||||
|  |       - policy | ||||||
|  |     resources: | ||||||
|  |       - poddisruptionbudgets | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
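Review bot: The ClusterRole has no `metadata` block, so as a plain resource it has no name and kustomize will reject it for a missing `metadata.name`; if it is meant to be consumed as a patch or to get its name from the including kustomization, a comment at the top saying so would save the next reader a failed build. Beyond that, it grants `create`/`delete`/`get`/`list` on `secrets` and `pods/exec` in the core API group cluster-wide, which amounts to reading every Secret and running commands in any pod in the cluster; that may be exactly what the redis operator requests upstream, but a one-line comment naming the operator and the manifest these rules were taken from would make the grant auditable and let someone later narrow it to a Role in the operator's namespace if the operator supports that.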
| @@ -1,15 +1,15 @@ | |||||||
| apiVersion: kustomize.config.k8s.io/v1beta1 | apiVersion: kustomize.config.k8s.io/v1beta1 | ||||||
| kind: Kustomization | kind: Kustomization | ||||||
| resources: | resources: | ||||||
| - https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml |   - https://forge.cadoles.com/CadolesKube/c-kustom//crds?ref=develop | ||||||
| - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop |   - https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml | ||||||
| - https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop |   - ./resources/olm | ||||||
| - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml |   - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop | ||||||
|  |   - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml | ||||||
|  |  | ||||||
| patchesJson6902: | patches: | ||||||
|   - target: |   - path: patches/nginx-controller.yaml | ||||||
|       version: v1 |     target: | ||||||
|       kind: ConfigMap |       kind: ConfigMap | ||||||
|       name: ingress-nginx-controller |       name: ingress-nginx-controller | ||||||
|       namespace: ingress-nginx |       namespace: ingress-nginx | ||||||
|     path: patches/nginx-controller.yaml |  | ||||||
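Review bot: The cert-manager manifest moves from `v1.13.2` to `v1.10.0` while the GitHub organisation changes from jetstack to cert-manager, so this reads as a downgrade rather than an update; if the older release is required by something else in the stack (the OLM or CRD bases added here, perhaps), record that next to the line, otherwise bump it back. The ingress-nginx deploy manifest is still fetched from the `main` branch, so the example is not reproducible and silently picks up whatever upstream last pushed; pinning to a release tag, e.g. `https://raw.githubusercontent.com/kubernetes/ingress-nginx/<release-tag>/deploy/static/provider/kind/deploy.yaml`, is the usual fix. The remote bases referenced with `?ref=develop` share that property but are pre-existing.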
|   | |||||||
| @@ -1,6 +1,9 @@ | |||||||
| - op: replace | kind: ConfigMap | ||||||
|   path: "/data/allow-snippet-annotations" | apiVersion: v1 | ||||||
|   value: "true" | metadata: | ||||||
| - op: replace |   name: ingress-nginx-controller | ||||||
|   path: "/data/use-forwarded-headers" | data: | ||||||
|   value: "true" |   allow-snippet-annotations: "true" | ||||||
|  |   use-forwarded-headers: "true" | ||||||
|  |   strict-validate-path-type: "false" | ||||||
|  |   annotations-risk-level: "Critical" | ||||||
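Review bot: `annotations-risk-level: "Critical"` together with `allow-snippet-annotations: "true"` puts the controller at its most permissive annotation setting, and `strict-validate-path-type: "false"` disables path validation; none of the three keys says what in this repository needs it, so nobody will know when they can be turned back. Add a comment per key, e.g. `# needed for the configuration-snippet annotations on the auth-* Ingresses` above the first two and `# regex paths such as /auth/ldap(/|$)(.*) with pathType Prefix need this` above the third. `use-forwarded-headers: "true"` also makes the controller trust client-supplied X-Forwarded-* headers, which is fine for a kind example that has no trusted proxy in front, but is worth stating in a comment as well.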
|   | |||||||
| @@ -0,0 +1,6 @@ | |||||||
|  | apiVersion: kustomize.config.k8s.io/v1beta1 | ||||||
|  | kind: Kustomization | ||||||
|  |  | ||||||
|  | resources: | ||||||
|  |   - https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.31.0/olm.yaml | ||||||
|  |   - https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/olm/resources/mandatory-operators/resources/redis-operator.yaml | ||||||
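Review bot: The redis-operator manifest is fetched from `raw/branch/develop`, a moving reference, while OLM itself is pinned to `v0.31.0`; the branch URL means the manifest applied is whatever that branch contained at build time, and there is nothing to verify that later. Pin it to a tag or commit on the forge (`raw/tag/<tag>/...` or `raw/commit/<sha>/...`) so this kustomization produces the same cluster each time, and note in a comment which operator version the pin corresponds to.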
							
								
								
									
										22
									
								
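--- a/resources/hydra-dispatcher/files/03_base.ini
+++ b/resources/hydra-dispatcher/files/03_base.ini
@@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}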
| @@ -12,6 +12,5 @@ hydra: | |||||||
|     api_url: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_URL)%" |     api_url: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_URL)%" | ||||||
|     api_key: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_KEY)%" |     api_key: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_KEY)%" | ||||||
|     api_method: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_METHOD)%" |     api_method: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_METHOD)%" | ||||||
|   firewall: |   webhook_post_login: | ||||||
|     additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%" |     enabled: false | ||||||
|     rules: {} |  | ||||||
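Review bot: The `firewall:` block, with its `additional_properties` flag driven by `HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES` and its empty `rules`, is removed without anything on the new side replacing it; if the 2025 dispatcher image still reads that key, this silently moves the access policy to the application's built-in default, and if the feature was dropped upstream the now-unused environment variable should leave the generated ConfigMap too. Either way an inline note such as `# firewall configuration removed: <reason>` next to `webhook_post_login` would make the intent reviewable. The `hydra:` mapping this hunk sits in starts outside the visible lines.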
|   | |||||||
| @@ -29,3 +29,6 @@ configMapGenerator: | |||||||
| - name: hydra-dispatcher-apps | - name: hydra-dispatcher-apps | ||||||
|   files: |   files: | ||||||
|   - apps.yaml=./files/hydra/default.yaml |   - apps.yaml=./files/hydra/default.yaml | ||||||
|  | - name: hydra-dispatcher-php-ini | ||||||
|  |   files: | ||||||
|  |   - ./files/03_base.ini | ||||||
| @@ -3,6 +3,7 @@ kind: Deployment | |||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     app.kubernetes.io/name: hydra-dispatcher |     app.kubernetes.io/name: hydra-dispatcher | ||||||
|  |     com.cadoles.forge.sso-kustom/session: redis | ||||||
|   name: hydra-dispatcher |   name: hydra-dispatcher | ||||||
| spec: | spec: | ||||||
|   replicas: 1 |   replicas: 1 | ||||||
| @@ -18,7 +19,7 @@ spec: | |||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|         - name: hydra-dispatcher-php-fpm |         - name: hydra-dispatcher-php-fpm | ||||||
|         image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2023.12.15-develop.903.b675347 |           image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2025.3.18-develop.1401.4646fbb | ||||||
|           args: ["/usr/sbin/php-fpm81", "-F", "-e"] |           args: ["/usr/sbin/php-fpm81", "-F", "-e"] | ||||||
|           readinessProbe: |           readinessProbe: | ||||||
|             exec: |             exec: | ||||||
| @@ -41,18 +42,36 @@ spec: | |||||||
|               value: 128m |               value: 128m | ||||||
|             - name: PHP_FPM_MEMORY_LIMIT |             - name: PHP_FPM_MEMORY_LIMIT | ||||||
|               value: 128m |               value: 128m | ||||||
|  |             - name: OPCACHE_VALIDATE_TIMESTAMP | ||||||
|  |               value: "0" | ||||||
|  |             - name: OPCACHE_REVALIDATE_FREQ | ||||||
|  |               value: "0" | ||||||
|           envFrom: |           envFrom: | ||||||
|             - configMapRef: |             - configMapRef: | ||||||
|                 name: hydra-dispatcher-env |                 name: hydra-dispatcher-env | ||||||
|           volumeMounts: |           volumeMounts: | ||||||
|             - mountPath: /app/config/hydra |             - mountPath: /app/config/hydra | ||||||
|               name: hydra-dispatcher-apps |               name: hydra-dispatcher-apps | ||||||
|  |             - name: hydra-dispatcher-php-ini | ||||||
|  |               mountPath: /etc/php81/conf.d/03_base.ini | ||||||
|  |               subPath: 03_base.ini | ||||||
|           resources: {} |           resources: {} | ||||||
|  |           securityContext: | ||||||
|       - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2023.12.15-develop.903.b675347 |             runAsNonRoot: true | ||||||
|         imagePullPolicy: Always |             runAsGroup: 1000 | ||||||
|         name: hydra-dispatcher-nginx |             runAsUser: 1000 | ||||||
|         args: ["/usr/sbin/nginx"] |         - name: hydra-dispatcher-caddy | ||||||
|  |           image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2025.3.18-develop.1401.4646fbb | ||||||
|  |           imagePullPolicy: IfNotPresent | ||||||
|  |           args: | ||||||
|  |             [ | ||||||
|  |               "/usr/sbin/caddy", | ||||||
|  |               "run", | ||||||
|  |               "--adapter", | ||||||
|  |               "caddyfile", | ||||||
|  |               "--config", | ||||||
|  |               "/etc/caddy/Caddyfile", | ||||||
|  |             ] | ||||||
|           readinessProbe: |           readinessProbe: | ||||||
|             httpGet: |             httpGet: | ||||||
|               path: /health |               path: /health | ||||||
| @@ -71,21 +90,29 @@ spec: | |||||||
|             - configMapRef: |             - configMapRef: | ||||||
|                 name: hydra-dispatcher-env |                 name: hydra-dispatcher-env | ||||||
|           env: |           env: | ||||||
|         - name: NGINX_APP_UPSTREAM_BACKEND_SERVER |             - name: CADDY_APP_UPSTREAM_BACKEND_SERVER | ||||||
|               value: 127.0.0.1:9000 |               value: 127.0.0.1:9000 | ||||||
|         - name: NGINX_APP_ROOT |             - name: CADDY_HTTPS_PORT | ||||||
|           value: "/public/" |               value: "8443" | ||||||
|         - name: NGINX_APP_PHP_INDEX |             - name: CADDY_HTTP_PORT | ||||||
|           value: "/index.php" |               value: "8080" | ||||||
|         - name: NGINX_ERROR_LOG_LEVEL |             - name: CADDY_DATA_FS | ||||||
|           value: "warn" |               value: "/tmp/caddy" | ||||||
|         - name: NGINX_APP_PHP_NON_FILE_PATTERN |             - name: CADDY_APP_ROOT_PUBLIC | ||||||
|           value: "^/index\\.php(/|$)" |               value: "/app/public/" | ||||||
|           ports: |           ports: | ||||||
|             - containerPort: 8080 |             - containerPort: 8080 | ||||||
|  |               name: http | ||||||
|           resources: {} |           resources: {} | ||||||
|  |           securityContext: | ||||||
|  |             runAsNonRoot: true | ||||||
|  |             runAsGroup: 1000 | ||||||
|  |             runAsUser: 1000 | ||||||
|       restartPolicy: Always |       restartPolicy: Always | ||||||
|       volumes: |       volumes: | ||||||
|         - name: hydra-dispatcher-apps |         - name: hydra-dispatcher-apps | ||||||
|           configMap: |           configMap: | ||||||
|             name: hydra-dispatcher-apps |             name: hydra-dispatcher-apps | ||||||
|  |         - name: hydra-dispatcher-php-ini | ||||||
|  |           configMap: | ||||||
|  |             name: hydra-dispatcher-php-ini | ||||||
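Review bot: The new `securityContext` on both containers sets `runAsNonRoot`/`runAsUser`/`runAsGroup` but stops there; adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under each would complete the baseline, which should be safe given php-fpm and caddy bind to 9000 and 8080 and Caddy's state is pointed at `/tmp/caddy`. `CADDY_HTTPS_PORT` is set to `8443` but the pod declares only `containerPort: 8080`, so either Caddy does not actually listen on HTTPS inside the pod and the variable is noise, or it does and the listener is undeclared; a comment on the variable would settle it. `imagePullPolicy` moves from `Always` to `IfNotPresent`, which is fine with a fully qualified tag but means a re-pushed tag would not be picked up; pinning the image by digest (`@sha256:<digest>`) removes that ambiguity for both containers.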
|   | |||||||
| @@ -7,7 +7,8 @@ metadata: | |||||||
| spec: | spec: | ||||||
|   ports: |   ports: | ||||||
|   - name: http |   - name: http | ||||||
|       port: 8080 |     port: 80 | ||||||
|  |     targetPort: http | ||||||
|   selector: |   selector: | ||||||
|     app.kubernetes.io/name: hydra-dispatcher |     app.kubernetes.io/name: hydra-dispatcher | ||||||
| status: | status: | ||||||
|   | |||||||
| @@ -2,41 +2,50 @@ apiVersion: kustomize.config.k8s.io/v1beta1 | |||||||
| kind: Kustomization | kind: Kustomization | ||||||
|  |  | ||||||
| images: | images: | ||||||
| - name: reg.cadoles.com/proxy_cache/oryd/hydra |   - name: reg.cadoles.com/proxy_cache/oryd/hydra | ||||||
|     newTag: v2.1.2 |     newTag: v2.1.2 | ||||||
| - name: reg.cadoles.com/proxy_cache/oryd/hydra-maester |   - name: reg.cadoles.com/proxy_cache/oryd/hydra-maester | ||||||
|     newTag: v0.0.32-amd64 |     newTag: v0.0.32-amd64 | ||||||
|  |  | ||||||
| resources: | resources: | ||||||
| - ./resources/hydra-deployment.yaml |   - ./resources/hydra-deployment.yaml | ||||||
| - ./resources/hydra-service.yaml |   - ./resources/hydra-service.yaml | ||||||
| - ./resources/hydra-role.yaml |   - ./resources/hydra-role.yaml | ||||||
| - ./resources/hydra-rolebinding.yaml |   - ./resources/hydra-rolebinding.yaml | ||||||
| - ./resources/hydra-serviceaccount.yaml |   - ./resources/hydra-serviceaccount.yaml | ||||||
| - ./resources/hydra-migrate-job.yaml |   - ./resources/hydra-migrate-job.yaml | ||||||
| - ./resources/hydra-maester |   - ./resources/hydra-maester | ||||||
| - ./resources/hydra-janitor-cronjob.yaml |   - ./resources/hydra-janitor-cronjob.yaml | ||||||
|  |  | ||||||
| secretGenerator: | secretGenerator: | ||||||
| - name: hydra-secret |   - name: hydra-secret | ||||||
|     literals: |     literals: | ||||||
|       - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged |       - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged | ||||||
|  |  | ||||||
| configMapGenerator: | configMapGenerator: | ||||||
| - name: hydra-env |   - name: hydra-env | ||||||
|     literals: |     literals: | ||||||
|       - URLS_SELF_ISSUER=http://localhost:4444 |       - URLS_SELF_ISSUER=http://localhost:4444 | ||||||
|       - URLS_LOGIN=http://hydra-login-app/login |       - URLS_LOGIN=http://hydra-login-app/login | ||||||
|       - URLS_CONSENT=http://hydra-consent-app/consent |       - URLS_CONSENT=http://hydra-consent-app/consent | ||||||
|       - URLS_LOGOUT=http://hydra-logout-app/logout |       - URLS_LOGOUT=http://hydra-logout-app/logout | ||||||
|       - HYDRA_SERVE_ALL_ARGS=--dev |       - HYDRA_SERVE_ALL_ARGS=--dev | ||||||
|  |       - HYDRA_DATABASE_MAX_CONN="10" | ||||||
|  |       - HYDRA_DATABASE_MAX_IDLE_CONNS="5" | ||||||
|  |       - HYDRA_DATABASE_MAX_CONN_LIFETIME="0"  # Unlimited. ms, s, m, h | ||||||
|  |       - HYDRA_DATABASE_MAX_CONN_IDLE_TIME="0"  # Unlimited. ms, s, m, h | ||||||
|  |       - HYDRA_DATABASE_CONNECT_TIMEOUT="0"  # Unlimited | ||||||
|  |       - SERVE_ADMIN_REQUEST_LOG_DISABLE_FOR_HEALTH="true" | ||||||
|       - LOG_LEVEL=info |       - LOG_LEVEL=info | ||||||
|  |  | ||||||
| vars: | replacements: | ||||||
| - name: HYDRA_MIGRATE_JOB_NAME |   - source: | ||||||
|   objref: |  | ||||||
|     name: hydra-migrate |  | ||||||
|       kind: Job |       kind: Job | ||||||
|     apiVersion: batch/v1 |       name: hydra-migrate | ||||||
|   fieldref: |       fieldPath: metadata.name | ||||||
|     fieldpath: metadata.name |     targets: | ||||||
|  |       - select: | ||||||
|  |           kind: Deployment | ||||||
|  |           name: hydra | ||||||
|  |         fieldPaths: | ||||||
|  |           - spec.template.spec.initContainers.0.args.1 | ||||||
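Review bot: The `replacements` entry targets `spec.template.spec.initContainers.0.args.1`, a positional path into the hydra Deployment; if someone inserts an init container or reorders the `k8s-wait-for` args, the job name lands in the wrong slot and the `REPLACE_ME` placeholder in the Deployment hunk reaches the cluster unchanged. A comment on the placeholder line in the Deployment, `- REPLACE_ME # substituted with the hydra-migrate Job name by replacements in kustomization.yaml`, ties the two files together, and a matching comment above `fieldPaths` saying it points at the `k8s-wait-for` init container's args would help. The new `HYDRA_DATABASE_*` literals are, as far as I know, not Hydra's own configuration keys (Hydra takes pool settings as DSN query parameters), so they are presumably consumed by this image's entrypoint; a comment stating that would avoid the impression they are ignored.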
|   | |||||||
| @@ -22,7 +22,7 @@ spec: | |||||||
|           image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3 |           image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3 | ||||||
|           args: |           args: | ||||||
|             - job |             - job | ||||||
|           - $(HYDRA_MIGRATE_JOB_NAME) |             - REPLACE_ME | ||||||
|       containers: |       containers: | ||||||
|         - name: hydra |         - name: hydra | ||||||
|           image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3 |           image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3 | ||||||
| @@ -46,10 +46,31 @@ spec: | |||||||
|                 - wget |                 - wget | ||||||
|                 - --spider |                 - --spider | ||||||
|                 - -q |                 - -q | ||||||
|                 - http://127.0.0.1:4444/.well-known/openid-configuration |                 - http://127.0.0.1:4445/health/alive | ||||||
|             failureThreshold: 6 |             failureThreshold: 6 | ||||||
|             periodSeconds: 10 |             periodSeconds: 10 | ||||||
|             timeoutSeconds: 10 |             timeoutSeconds: 10 | ||||||
|  |           readinessProbe: | ||||||
|  |             exec: | ||||||
|  |               command: | ||||||
|  |                 - wget | ||||||
|  |                 - --spider | ||||||
|  |                 - -q | ||||||
|  |                 - http://127.0.0.1:4445/health/ready | ||||||
|  |             failureThreshold: 6 | ||||||
|  |             periodSeconds: 10 | ||||||
|  |             timeoutSeconds: 10 | ||||||
|  |           startupProbe: | ||||||
|  |             exec: | ||||||
|  |               command: | ||||||
|  |                 - wget | ||||||
|  |                 - --spider | ||||||
|  |                 - -q | ||||||
|  |                 - http://127.0.0.1:4445/health/ready | ||||||
|  |             failureThreshold: 60 | ||||||
|  |             successThreshold: 1 | ||||||
|  |             periodSeconds: 1 | ||||||
|  |             timeoutSeconds: 1 | ||||||
|           ports: |           ports: | ||||||
|             - containerPort: 4444 |             - containerPort: 4444 | ||||||
|               name: hydra-public |               name: hydra-public | ||||||
| @@ -57,4 +78,3 @@ spec: | |||||||
|               name: hydra-admin |               name: hydra-admin | ||||||
|           resources: {} |           resources: {} | ||||||
|       restartPolicy: Always |       restartPolicy: Always | ||||||
|    |  | ||||||
|   | |||||||
| @@ -7,7 +7,7 @@ metadata: | |||||||
|   labels: |   labels: | ||||||
|     app.kubernetes.io/name: hydra-maester |     app.kubernetes.io/name: hydra-maester | ||||||
|     app.kubernetes.io/instance: hydra-master |     app.kubernetes.io/instance: hydra-master | ||||||
|     app.kubernetes.io/version: "v0.0.23" |     app.kubernetes.io/version: "v0.0.25" | ||||||
| spec: | spec: | ||||||
|   replicas: 1 |   replicas: 1 | ||||||
|   revisionHistoryLimit: 10 |   revisionHistoryLimit: 10 | ||||||
| @@ -38,8 +38,7 @@ spec: | |||||||
|             - --hydra-url=$(HYDRA_ADMIN_BASE_URL) |             - --hydra-url=$(HYDRA_ADMIN_BASE_URL) | ||||||
|             - --hydra-port=$(HYDRA_ADMIN_PORT) |             - --hydra-port=$(HYDRA_ADMIN_PORT) | ||||||
|             - --endpoint=/admin/clients |             - --endpoint=/admin/clients | ||||||
|           resources: |           resources: {} | ||||||
|             {} |  | ||||||
|           terminationMessagePath: /dev/termination-log |           terminationMessagePath: /dev/termination-log | ||||||
|           terminationMessagePolicy: File |           terminationMessagePolicy: File | ||||||
|           securityContext: |           securityContext: | ||||||
|   | |||||||