Merge pull request 'feat(redis): manage limits' (#60) from feat/redis_limits into unstable

Reviewed-on: #60

README.md

@@ -2,10 +2,6 @@
 
 Kustomization du service "SSO" (Ory Hydra)
 
-## Usage
-
-[Voir la documentation](./doc/README.md)
-
 ## Exemple
 
-Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)
+Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)

components/hydra-cnpg-database/kustomization.yaml

@@ -7,28 +7,6 @@ configurations:
 resources:
 - ./resources/hydra-cnpg-cluster.yaml
 
-secretGenerator:
-- name: hydra-postgres-admin
-  type: Secret
-  literals:
-  - username=postgres
-  - password=NotSoSecret
-- name: hydra-postgres-user
-  type: Secret
-  literals:
-  - username=hydra
-  - password=NotSoSecret
-
-
-vars:
-- name: HYDRA_DATABASE_SERVICE_NAME
-  objref:
-    name: hydra-postgres
-    kind: Cluster
-    apiVersion: postgresql.cnpg.io/v1
-  fieldref:
-    fieldpath: metadata.name
-
 patches:
 - target:
     group: apps

components/hydra-cnpg-database/patches/hydra-deployment.yaml

@@ -4,7 +4,7 @@
     name: HYDRA_DATABASE_USER
     valueFrom:
       secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
         key: username
 - op: add
   path: "/spec/template/spec/containers/0/env/-"
@@ -12,10 +12,18 @@
     name: HYDRA_DATABASE_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
         key: password
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_SERVICE_NAME
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-app
+        key: host
 - op: add
   path: "/spec/template/spec/containers/0/env/-"
   value:
     name: DSN
-    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable"
+    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable&max_conns=$(HYDRA_DATABASE_MAX_CONN)"

components/hydra-cnpg-database/patches/hydra-janitor-cronjob.yaml

@@ -4,7 +4,7 @@
     name: HYDRA_DATABASE_USER
     valueFrom:
       secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
         key: username
 - op: add
   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
@@ -12,10 +12,18 @@
     name: HYDRA_DATABASE_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
         key: password
+- op: add
+  path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_SERVICE_NAME
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-app
+        key: host
 - op: add
   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
   value:
     name: DSN
-    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable"
+    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable"

components/hydra-cnpg-database/patches/hydra-migrate-job.yaml

@@ -4,7 +4,7 @@
     name: HYDRA_DATABASE_USER
     valueFrom:
       secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
         key: username
 - op: add
   path: "/spec/template/spec/containers/0/env/-"
@@ -12,10 +12,18 @@
     name: HYDRA_DATABASE_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
         key: password
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_SERVICE_NAME
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-app
+        key: host
 - op: add
   path: "/spec/template/spec/containers/0/env/-"
   value:
     name: DSN
-    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable"
+    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable"

components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml

@@ -5,13 +5,9 @@ metadata:
 spec:
   instances: 3
   primaryUpdateStrategy: unsupervised
-  superuserSecret:
-    name: hydra-postgres-admin
   bootstrap:
     initdb:
       database: hydra
       owner: hydra
-      secret:
-        name: hydra-postgres-user
   storage:
-    size: 2Gi
+    size: 2Gi

components/hydra-ldap/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
 
 configMapGenerator:
   - name: hydra-ldap-env
+    behavior: create
     literals:
       - WERTHER_DEV_MODE=false
       - WERTHER_LDAP_ROLE_CLAIM="https://hydra/claims/roles"
@@ -21,6 +22,7 @@ configMapGenerator:
 
 secretGenerator:
   - name: hydra-ldap-sc
+    behavior: create
     literals:
       - WERTHER_LDAP_BINDDN="cn=reader,o=test,c=fr"
       - WERTHER_LDAP_BINDPW=ThisMustBeAbsolutelyChanged

components/hydra-ldap/resources/deployment.yaml

@@ -17,34 +17,32 @@ spec:
         app.kubernetes.io/version: "v1.2.2"
     spec:
       containers:
-      - name: werther
-        image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717
-        imagePullPolicy: IfNotPresent
-        envFrom:
-        - configMapRef:
-            name: hydra-ldap-env
-        env:
-        - name: WERTHER_WEB_DIR
-          value: "/usr/share/werther/login/"
-        - name: WERTHER_LDAP_BINDDN
-          valueFrom:
-            secretKeyRef:
-              name: hydra-ldap-sc
-              key: WERTHER_LDAP_BINDDN
-        - name: WERTHER_LDAP_BINDPW
-          valueFrom:
-            secretKeyRef:
-              name: hydra-ldap-sc
-              key: WERTHER_LDAP_BINDPW
-        ports:
-        - containerPort: 8080
-          name: hydra-ldap-http
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          privileged: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-          runAsUser: 100
+        - name: werther
+          image: reg.cadoles.com/cadoles/hydra-werther:2025.2.17-stable.1544.8ded23c
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: hydra-ldap-env
+          env:
+            - name: WERTHER_LDAP_BINDDN
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-ldap-sc
+                  key: WERTHER_LDAP_BINDDN
+            - name: WERTHER_LDAP_BINDPW
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-ldap-sc
+                  key: WERTHER_LDAP_BINDPW
+          ports:
+            - containerPort: 8080
+              name: hydra-ldap-http
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 100

components/hydra-oidc/kustomization.yaml

@@ -11,6 +11,7 @@ generatorOptions:
 
 configMapGenerator:
 - name: hydra-oidc-env
+  behavior: create
   literals:
   - APP_ENV=prod
   - APP_DEBUG=false

components/hydra-oidc/resources/hydra-oidc-deployment.yaml

@@ -18,39 +18,51 @@ spec:
     spec:
       containers:
       - name: hydra-oidc-php-fpm
-        image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.12.15-develop.1012.d57f2ad
-        imagePullPolicy: Always
+        image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6
+        imagePullPolicy: IfNotPresent
         args: ["/usr/sbin/php-fpm81", "-F", "-e"]
         readinessProbe:
           exec:
             command:
-            - sh
-            - -c
-            - test -f /etc/php81/php-fpm.d/www.conf
+              - sh
+              - -c
+              - test -f /etc/php81/php-fpm.d/www.conf
         livenessProbe:
           exec:
             command:
-            - php
-            - bin/console
-            - -V
+              - php
+              - bin/console
+              - -V
           initialDelaySeconds: 10
           periodSeconds: 30
         env:
-        - name: PHP_FPM_LISTEN
-          value: 127.0.0.1:9000
-        - name: PHP_MEMORY_LIMIT
-          value: 128m
-        - name: PHP_FPM_MEMORY_LIMIT
-          value: 128m
+          - name: PHP_FPM_LISTEN
+            value: 127.0.0.1:9000
+          - name: PHP_MEMORY_LIMIT
+            value: 128m
+          - name: PHP_FPM_MEMORY_LIMIT
+            value: 128m
         envFrom:
-        - configMapRef:
-            name: hydra-oidc-env
+          - configMapRef:
+              name: hydra-oidc-env
         resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
 
-      - image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.12.15-develop.1012.d57f2ad
-        imagePullPolicy: Always
-        name: hydra-oidc-nginx
-        args: ["/usr/sbin/nginx"]
+      - name: hydra-oidc-caddy
+        image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6
+        imagePullPolicy: IfNotPresent
+        args:
+          [
+            "/usr/sbin/caddy",
+            "run",
+            "--adapter",
+            "caddyfile",
+            "--config",
+            "/etc/caddy/Caddyfile",
+          ]
         readinessProbe:
           httpGet:
             path: /healthy
@@ -65,22 +77,26 @@ spec:
           initialDelaySeconds: 15
           timeoutSeconds: 5
           periodSeconds: 15
-        envFrom:
-        - configMapRef:
-            name: hydra-oidc-env
-        env:
-        - name: NGINX_APP_UPSTREAM_BACKEND_SERVER
-          value: 127.0.0.1:9000
-        - name: NGINX_APP_ROOT
-          value: "/public/"
-        - name: NGINX_APP_PHP_INDEX
-          value: "/index.php"
-        - name: NGINX_ERROR_LOG_LEVEL
-          value: "warn"
-        - name: NGINX_APP_PHP_NON_FILE_PATTERN
-          value: "^/index\\.php(/|$)"
         ports:
-        - containerPort: 8080
+          - containerPort: 8080
+            name: http
+        envFrom:
+          - configMapRef:
+              name: hydra-oidc-env
+        env:
+          - name: CADDY_APP_UPSTREAM_BACKEND_SERVER
+            value: 127.0.0.1:9000
+          - name: CADDY_HTTPS_PORT
+            value: "8443"
+          - name: CADDY_HTTP_PORT
+            value: "8080"
+          - name: CADDY_DATA_FS
+            value: "/tmp/caddy"
+          - name: CADDY_APP_ROOT_PUBLIC
+            value: "/app/public/"
         resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
       restartPolicy: Always
-

components/hydra-oidc/resources/hydra-oidc-service.yaml

@@ -6,8 +6,9 @@ metadata:
   name: hydra-oidc
 spec:
   ports:
-  - name: hydra-oidc
-    port: 8080
+  - name: http
+    port: 80
+    targetPort: http
   selector:
     app.kubernetes.io/name: hydra-oidc
 status:

components/hydra-saml/resources/hydra-saml-remote-user.yaml

@@ -24,6 +24,8 @@ spec:
                 name: hydra-saml-env
           ports:
             - containerPort: 8080
+          command:
+            - /bin/apache2-foreground
           resources: {}
       restartPolicy: Always
 ---

components/hydra-sql/files/03_base.ini

@@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}

components/hydra-sql/kustomization.yaml

@@ -11,6 +11,7 @@ generatorOptions:
 
 configMapGenerator:
 - name: hydra-sql-env
+  behavior: create
   literals:
   - ISSUER_URL="http://localhost:8000"
   - BASE_URL='http://localhost:8080'
@@ -26,3 +27,6 @@ configMapGenerator:
 - name: sql-login-config
   files:
   - ./files/sql_login.yaml
+- name: hydra-sql-php-ini
+  files:
+  - ./files/03_base.ini

components/hydra-sql/resources/hydra-sql-deployment.yaml

@@ -10,7 +10,10 @@ spec:
     matchLabels:
       app.kubernetes.io/name: hydra-sql
   strategy:
-    type: Recreate
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
   template:
     metadata:
       labels:
@@ -18,8 +21,8 @@ spec:
     spec:
       containers:
       - name: hydra-sql-fpm
-        image: reg.cadoles.com/cadoles/hydra-sql-base:2023.12.14-develop.1107.740a756
-        imagePullPolicy: Always
+        image: reg.cadoles.com/cadoles/hydra-sql-base:2024.11.6-develop.1113.075be9b
+        imagePullPolicy: IfNotPresent
         args: ["/usr/sbin/php-fpm81", "-F", "-e"]
         readinessProbe:
           exec:
@@ -36,6 +39,10 @@ spec:
           initialDelaySeconds: 10
           periodSeconds: 30
         resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
         envFrom:
         - configMapRef:
             name: hydra-sql-env
@@ -48,15 +55,22 @@ spec:
           value: 128m
         - name: PHP_FPM_LOG_LEVEL
           value: warning
+        - name: OPCACHE_VALIDATE_TIMESTAMP
+          value: "0"
+        - name: OPCACHE_REVALIDATE_FREQ
+          value: "0"
         volumeMounts:
         - name: sql-login-config
           mountPath: "/app/config/sql_login_configuration/sql_login.yaml"
           subPath: "sql_login.yaml"
+        - name: hydra-sql-php-ini
+          mountPath: /etc/php81/conf.d/03_base.ini
+          subPath: 03_base.ini
 
-      - name: hydra-sql-nginx
-        image: reg.cadoles.com/cadoles/hydra-sql-base:2023.12.14-develop.1107.740a756
-        imagePullPolicy: Always
-        args: ["/usr/sbin/nginx"]
+      - name: hydra-sql-caddy
+        image: reg.cadoles.com/cadoles/hydra-sql-base:2024.11.6-develop.1113.075be9b
+        imagePullPolicy: IfNotPresent
+        args: ["/usr/sbin/caddy", "run", "--adapter", "caddyfile", "--config", "/etc/caddy/Caddyfile"]
         readinessProbe:
           httpGet:
             path: /health
@@ -75,19 +89,24 @@ spec:
         - configMapRef:
             name: hydra-sql-env
         env:
-        - name: NGINX_APP_UPSTREAM_BACKEND_SERVER
+        - name: CADDY_APP_UPSTREAM_BACKEND_SERVER
           value: 127.0.0.1:9000
-        - name: NGINX_APP_ROOT
-          value: "/public"
-        - name: NGINX_APP_PHP_INDEX
-          value: "/index.php"
-        - name: NGINX_ERROR_LOG_LEVEL
-          value: "warn"
-        - name: NGINX_APP_PHP_NON_FILE_PATTERN
-          value: "^/index\\.php(/|$)"
+        - name: CADDY_HTTPS_PORT
+          value: "8443"
+        - name: CADDY_HTTP_PORT
+          value: "8080"
+        - name: CADDY_DATA_FS
+          value: "/tmp/caddy"
+        - name: CADDY_APP_ROOT_PUBLIC
+          value: "/app/public/"
         resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
         ports:
         - containerPort: 8080
+          name: http
         volumeMounts:
         - name: sql-login-config
           mountPath: "/app/config/sql_login_configuration/sql_login.yaml"
@@ -96,5 +115,8 @@ spec:
       - name: sql-login-config
         configMap:
           name: sql-login-config
+      - name: hydra-sql-php-ini
+        configMap:
+          name: hydra-sql-php-ini
 
       restartPolicy: Always

components/hydra-sql/resources/hydra-sql-service.yaml

@@ -6,8 +6,9 @@ metadata:
   name: hydra-sql
 spec:
   ports:
-  - name: hydra-sql
-    port: 8080
+  - name: http
+    port: 80
+    targetPort: http
   selector:
     app.kubernetes.io/name: hydra-sql
 status:

components/oidc-test/kustomization.yaml

@@ -17,4 +17,5 @@ configMapGenerator:
       - OIDC_REDIRECT_URL=https://example.net/oauth2/callback
       - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net
       - OIDC_SKIP_ISSUER_VERIFICATION="true"
-      - OIDC_INSECURE_SKIP_VERIFY="true"
+      - OIDC_SCOPES="openid profile"
+      - OIDC_INSECURE_SKIP_VERIFY="true"

components/oidc-test/resources/deployment.yaml

@@ -23,17 +23,17 @@ spec:
             - containerPort: 8080
           resources: {}
           envFrom:
-          - configMapRef:
-              name: oidc-test-env
+            - configMapRef:
+                name: oidc-test-env
           env:
-          - name: OIDC_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: oidc-test-oauth2-client
-                key: client_id
-          - name: OIDC_CLIENT_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: oidc-test-oauth2-client
-                key: client_secret
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-test-oauth2-client
+                  key: CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-test-oauth2-client
+                  key: CLIENT_SECRET
       restartPolicy: Always

components/oidc-test/resources/oauth2-client.yaml

@@ -6,13 +6,13 @@ spec:
   clientName: "oidc-test"
   tokenEndpointAuthMethod: "client_secret_basic"
   grantTypes:
-  - authorization_code
-  - refresh_token
+    - authorization_code
+    - refresh_token
   responseTypes:
-  - code
-  scope: "openid email"
+    - code
+  scope: "openid email profile"
   secretName: oidc-test-oauth2-client
   redirectUris:
-  - https://example.net/oauth2/callback
+    - https://example.net/oauth2/callback
   postLogoutRedirectUris:
-  - https://example.net
+    - https://example.net

components/redis/README.md

@@ -3,20 +3,17 @@
 ### Description
 
 Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis.
+
 Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`.
-Les applications peuvent utiliser le mode `sentinel` de redis
-Il est donc nécessaire donc nécessaire de disposer d'un serveur Redis pour utiliser ces applications.
 
 ### Principe général de fonctionnement
 
-Un `RedisFailOver` crée un cluster redis en mode sentinel avec 3 réplicats chacun.
-
+Un `Redis` crée une instance Redis dédiée à l'environnement SSO.
 
 ### Personnalisation
 
-Via des `patches` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` il est possible de modifier la valeur du `REDIS_DSN`.
+Un `patch` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` permet de modifier la valeur de la clé `REDIS_DSN`.
 
-
-|Clé|Description|Exemple|
-|---|-----------|-------|
-|`REDIS_DSN`| DSN du cluster Redis | `redis://rfs-sso-redis:26379?&redis_sentinel=mymaster`
+| Clé         | Description          | Exemple                  |
+| ----------- | -------------------- | ------------------------ |
+| `REDIS_DSN` | DSN du cluster Redis | `redis://redis-sso:6379` |

components/redis/configurations/redis-conf.yaml

@@ -0,0 +1,5 @@
+nameReference:
+  - kind: ConfigMap
+    fieldSpecs:
+      - kind: Redis
+        path: spec/redisConfig/additionalRedisConfig

components/redis/files/redis-additional.conf

@@ -0,0 +1,3 @@
+maxmemory-policy allkeys-lru
+maxmemory 1536mb
+tcp-keepalive 90

components/redis/kustomization.yaml

@@ -1,11 +1,19 @@
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
 
+configurations:
+  - ./configurations/redis-conf.yaml
+
 resources:
-  - ./resources/redis-failover.yaml
+  - ./resources/redis-sso.yaml
+
+configMapGenerator:
+- name: redis-sso-extra-conf
+  files:
+    - ./files/redis-additional.conf
 
 patches:
-- path: ./patches/hydra-apps.yaml
-  target:
-    kind: ConfigMap
-    labelSelector: "com.cadoles.forge.sso-kustom/session=redis"
+  - path: ./patches/hydra-apps.yaml
+    target:
+      kind: ConfigMap
+      labelSelector: "com.cadoles.forge.sso-kustom/session=redis"

components/redis/patches/hydra-apps.yaml

@@ -1,3 +1,3 @@
 - op: replace
   path: "/data/REDIS_DSN"
-  value: "redis://rfs-sso-redis:26379?&redis_sentinel=mymaster"
+  value: "redis://redis-sso:6379"

components/redis/resources/redis-failover.yaml

@@ -1,21 +0,0 @@
-apiVersion: databases.spotahome.com/v1
-kind: RedisFailover
-metadata:
-  name: sso-redis
-spec:
-  sentinel:
-    replicas: 3
-    resources:
-      requests:
-        cpu: 100m
-      limits:
-        memory: 100Mi
-  redis:
-    replicas: 3
-    resources:
-      requests:
-        cpu: 100m
-        memory: 100Mi
-      limits:
-        cpu: 400m
-        memory: 500Mi

components/redis/resources/redis-sso.yaml

@@ -0,0 +1,27 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta1
+kind: Redis
+metadata:
+  name: redis-sso
+spec:
+  kubernetesConfig:
+    image: reg.cadoles.com/quay/opstree/redis:v7.0.15
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 500m
+        memory: 1024Mi
+      limits:
+        cpu: 2000m
+        memory: 2048Mi
+  redisConfig:
+    additionalRedisConfig: redis-sso-extra-conf
+  storage:
+    volumeClaimTemplate:
+      spec:
+        # storageClassName: standard
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  securityContext:
+    runAsUser: 1000

examples/authenticated-app/README.md

@@ -1,6 +1,6 @@
 # Exemple: Déploiement d'une application authentifiée avec la stack SSO
 
-L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
+L'exemple est actuellement déployé avec le composant `hydra-ldap` uniquement.
 
 ## Procédure
 
@@ -8,37 +8,40 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
 
 1. Créer un cluster avec `kind`
 
-    ```
-    kind create cluster --config ./examples/k8s/kind/cluster-config.yaml
-    ```
+   ```
+   kind create cluster --config ./examples/k8s/kind/cluster-config.yaml
+   ```
 
 2. Déployer les opérateurs nécessaires au déploiement
 
-    ```
-    kubectl apply  -k ./examples/k8s/kind/cluster --server-side
-    ```
-
-3. Déployer l'application
-
-    ```
-    kubectl apply -k ./examples/authenticated-app
-    ```
-
-   **Note** Il est possible d'avoir l'erreur suivante:
-
    ```
-   error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1"
+   kubectl apply  -k ./examples/k8s/kind/cluster --server-side
    ```
 
-   Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande.
+   > Si une erreur du type `ensure CRDs are installed first` s'affiche, relancer la commande.
 
-4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
+3. Attendre que l'opérateur Redis soit opérationnel puis patcher le `ClusterRole` de celui ci (cf. https://github.com/OT-CONTAINER-KIT/redis-operator/issues/526):
 
-    ```
-    127.0.0.1 ssokustom
-    ```
+   ```bash
+   kubectl wait -n operators --timeout 10m --for=jsonpath=".status.state"=AtLatestKnown subscription my-redis-operator
+   # On attend quelques secondes supplémentaires pour s'assurer que l'opérateur a réellement démarré
+   sleep 30
+   kubectl patch clusterroles.rbac.authorization.k8s.io $(kubectl get clusterrole | awk '/redis-operator/ {print $1}') --patch-file examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml
+   ```
 
-5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
+4. Déployer l'application
+
+   ```
+   kubectl apply -k ./examples/authenticated-app
+   ```
+
+5. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
+
+   ```
+   127.0.0.1 ssokustom
+   ```
+
+6. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
 
 #### Supprimer le cluster
 
@@ -48,14 +51,15 @@ kind delete cluster -n sso-kustom-example
 
 ## Authentification
 
-### SAML
+### LDAP
 
-- Utilisateur: `user1`
-- Mot de passe `user1pass`
+#### Comptes par défaut
 
-#### URL utiles
+1. `jdoe` / `jdoe`
+2. `jdoe2` / `jdoe`
+3. `siret1` / `siret`
+4. `siret2` / `siret`
 
-|URL|Description|
-|---|-----------|
-|https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth|
-|https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth|
+#### Gestion des comptes
+
+Les comptes LDAP sont définis dans le fichier [`./files/glauth.conf`](./files/glauth.conf)

examples/authenticated-app/files/glauth.conf

@@ -0,0 +1,83 @@
+debug = true
+
+[ldap]
+  enabled = true
+  listen = "0.0.0.0:3893"
+  tls = false
+
+[ldaps]
+  enabled = false
+
+[behaviors]
+  IgnoreCapabilities = true
+
+[backend]
+  datastore = "config"
+  baseDN = "dc=glauth,dc=com"
+
+[[users]]
+  uid = "serviceuser"
+  name = "serviceuser"
+  mail = "serviceuser@example.com"
+  uidnumber = 5001
+  primarygroup = 5502
+  # use echo -n "mysecret" | openssl dgst -sha256
+  passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret
+    [[users.capabilities]]
+    action = "search"
+    object = "*"
+
+[[users]]
+  uid = "jdoe"
+  name = "jdoe"
+  uidnumber = 5002
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe"
+  mail = "jdoe@example.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+    [[users.customattributes]]
+    employeetype = ["Intern", "Temp"]
+    employeenumber = [12345, 54321]
+
+[[users]]
+  uid = "jdoe2"
+  name = "jdoe2"
+  uidnumber = 5003
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe2"
+  mail = "jdoe2@jdoe2.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+
+[[users]]
+  uid = "siret1"
+  name = "siret1"
+  uidnumber = 5004
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret1@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0001"]
+
+[[users]]
+  uid = "siret2"
+  name = "siret2"
+  uidnumber = 5005
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret2@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0002"]
+
+[[groups]]
+  name = "users"
+  gidnumber = 5501
+
+[[groups]]
+  name = "svcaccts"
+  gidnumber = 5502

examples/authenticated-app/files/hydra-dispatcher-apps.yaml

@@ -0,0 +1,42 @@
+hydra:
+  apps:
+    - id: ldap
+      title:
+        fr: Connexion LDAP
+        en: Login LDAP
+      description:
+        fr: Authentification avec LDAP
+        en: Authentication with LDAP
+      login_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGIN_URL)%"
+      consent_url: "%env(string:HYDRA_DISPATCHER_LDAP_CONSENT_URL)%"
+      logout_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGOUT_URL)%"
+      attributes_rewrite_configuration:
+        siret:
+          rules:
+            - "property_exists(consent.session.id_token, 'siret') ?  consent.session.id_token.siret : null"
+            - "value ?: ( consent.session.id_token.email matches '/.*@example.com$/' ? '0000' : null )"
+            - "value ?: ( consent.session.id_token.email matches '/.*@jdoe.com$/' ? '0001' : null )"
+        family_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
+        given_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
+        email:
+          rules:
+            - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+  firewall:
+    additional_properties: true
+    rules:
+      siret:
+        required: false
+      email:
+        required: false
+      given_name:
+        required: false
+      family_name:
+        required: false
+  webhook:
+    enabled: false
+  webhook_post_login:
+    enabled: false

examples/authenticated-app/kustomization.yaml

@@ -2,12 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../overlays/full
+  - ../../overlays/base
+
   - ./resources/ingress.yaml
-  - ./resources/saml-idp.yaml
+  - ./resources/glauth-ldap.yaml
   - ./resources/self-signed-issuer.yaml
   - ./resources/port-forwarder.yaml
 
+components:
+  - ../../components/hydra-cnpg-database
+  - ../../components/hydra-ldap
+  - ../../components/oidc-test
+  - ../../components/redis
+
 patchesJson6902:
   - target:
       version: v1
@@ -22,8 +29,13 @@ patchesJson6902:
   - target:
       version: v1
       kind: ConfigMap
-      name: hydra-saml-env
-    path: patches/hydra-saml-env.yaml
+      name: hydra-ldap-env
+    path: patches/hydra-ldap-env.yaml
+  - target:
+      version: v1
+      kind: Secret
+      name: hydra-ldap-sc
+    path: patches/hydra-ldap-sc.yaml
   - target:
       version: v1
       kind: Secret
@@ -32,10 +44,19 @@ patchesJson6902:
   - target:
       version: v1
       kind: ConfigMap
-      name: oidc-test
+      name: oidc-test-env
     path: patches/oidc-test.yaml
   - target:
       version: v1alpha1
       kind: OAuth2Client
       name: oidc-test-oauth2-client
-    path: patches/oidc-test-oauth2-client.yaml
+    path: patches/oidc-test-oauth2-client.yaml
+
+configMapGenerator:
+  - name: hydra-dispatcher-apps
+    behavior: replace
+    files:
+      - ./files/hydra-dispatcher-apps.yaml
+  - name: glauth-ldap-conf
+    files:
+      - ./files/glauth.conf

examples/authenticated-app/patches/hydra-dispatcher-env.yaml

@@ -1,3 +1,9 @@
+- op: replace
+  path: "/data/APP_ENV"
+  value: dev
+- op: replace
+  path: "/data/APP_DEBUG"
+  value: "true"
 - op: replace
   path: "/data/HYDRA_BASE_URL"
   value: http://hydra:4444
@@ -17,14 +23,13 @@
   path: "/data/COOKIE_PATH"
   value: /auth/dispatcher
 
-# Hydra SAML configuration
+# Hydra LDAP configuration
 - op: replace
-  path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL"
-  value: https://ssokustom/auth/saml/login
+  path: "/data/HYDRA_DISPATCHER_LDAP_LOGIN_URL"
+  value: https://ssokustom/auth/ldap/auth/login
 - op: replace
-  path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL"
-  value: https://ssokustom/auth/saml/consent
+  path: "/data/HYDRA_DISPATCHER_LDAP_CONSENT_URL"
+  value: https://ssokustom/auth/ldap/auth/consent
 - op: replace
-  path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL"
-  value: https://ssokustom/auth/saml/logout
-  
+  path: "/data/HYDRA_DISPATCHER_LDAP_LOGOUT_URL"
+  value: https://ssokustom/auth/ldap/auth/logout

examples/authenticated-app/patches/hydra-env.yaml

@@ -12,4 +12,13 @@
   value: https://ssokustom/auth/dispatcher/consent
 - op: replace
   path: "/data/HYDRA_SERVE_ALL_ARGS"
-  value: "--dev"
+  value: "--dev"
+- op: replace
+  path: "/data/SERVE_COOKIES_SAME_SITE_MODE"
+  value: "Lax"
+- op: replace
+  path: "/data/SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND"
+  value: "true"
+- op: replace
+  path: "/data/SERVE_COOKIES_DOMAIN"
+  value: "ssokustom"

examples/authenticated-app/patches/hydra-ldap-env.yaml

@@ -0,0 +1,55 @@
+- op: replace
+  path: "/data/WERTHER_DEV_MODE"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_WEB_BASE_PATH"
+  value: "/auth/ldap/"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_HYDRA_URL"
+  value: "http://hydra-dispatcher"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ENDPOINTS"
+  value: "glauth-ldap:389"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BASEDN"
+  value: "dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ROLE_BASEDN"
+  value: "ou=groups,dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_CLAIM_SCOPES"
+  value: "uid:profile,name:profile,family_name:profile,given_name:profile,email:profile,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_INSECURE_SKIP_VERIFY"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_IS_TLS"
+  value: "false"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ATTR_CLAIMS"
+  value: "name:name,sn:family_name,givenName:given_name,mail:email,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_CONNECTION_TIMEOUT"
+  value: "30s"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_USER_SEARCH_QUERY"
+  value: "(&(objectClass=*)(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_ACR"
+  value: "eidas1"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_AMR"
+  value: "pwd"

examples/authenticated-app/patches/hydra-ldap-sc.yaml

@@ -0,0 +1,7 @@
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDDN"
+  value: "Y249c2VydmljZXVzZXIsb3U9c3ZjYWNjdHMsb3U9dXNlcnMsZGM9Z2xhdXRoLGRjPWNvbQ==" # cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDPW"
+  value: "bXlzZWNyZXQ=" # mysecret

examples/authenticated-app/patches/hydra-saml-env.yaml

@@ -1,43 +0,0 @@
-- op: replace
-  path: "/data/HTTP_BASE_URL"
-  value: https://ssokustom/auth/saml
-- op: replace
-  path: "/data/COOKIE_PATH"
-  value: /auth/saml
-- op: replace
-  path: "/data/HYDRA_ADMIN_BASE_URL"
-  value: http://hydra-dispatcher
-- op: replace
-  path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
-  value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s
-- op: replace
-  path: "/data/PATH_PREFIX"
-  value: "/auth/saml"
-
-- op: replace
-  path: "/data/SP_ENTITY_ID"
-  value: https://ssokustom/auth/saml
-- op: replace
-  path: "/data/IDP_ENTITY_ID"
-  value: https://ssokustom/simplesaml/saml2/idp/metadata.php
-- op: replace
-  path: "/data/IDP_METADATA_URL"
-  value: https://ssokustom/simplesaml/saml2/idp/metadata.php
-- op: replace
-  path: "/data/APACHE_FORCE_HTTPS"
-  value: "true"
-- op: replace
-  path: "/data/SP_HANDLER_BASE_PATH"
-  value: "/auth/saml"
-- op: replace
-  path: "/data/SP_LOG_LEVEL"
-  value: DEBUG
-- op: replace
-  path: "/data/SP_SESSIONS_REDIRECT_LIMIT"
-  value: none
-- op: replace
-  path: "/data/SP_SESSIONS_REDIRECT_ALLOW"
-  value: https://ssokustom
-- op: replace
-  path: "/data/SP_SESSIONS_COOKIE_PROPS"
-  value: https

examples/authenticated-app/patches/oidc-test-oauth2-client.yaml

@@ -3,4 +3,7 @@
   value: https://ssokustom/oauth2/callback
 - op: replace
   path: "/spec/postLogoutRedirectUris/0"
-  value: https://ssokustom
+  value: https://ssokustom
+- op: replace
+  path: "/spec/scope"
+  value: "openid profile roles siret"

examples/authenticated-app/patches/oidc-test.yaml

@@ -4,3 +4,6 @@
 - op: replace
   path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL"
   value: https://ssokustom
+- op: replace
+  path: "/data/OIDC_SCOPES"
+  value: "openid profile roles siret"

examples/authenticated-app/resources/glauth-ldap.yaml

@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: glauth-ldap
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: glauth-ldap
+    spec:
+      containers:
+        - image: glauth/glauth:v2.3.2
+          name: glauth-ldap
+          ports:
+            - containerPort: 3893
+              name: ldap
+            - containerPort: 3894
+              name: ldaps
+          resources: {}
+          volumeMounts:
+            - name: glauth-ldap-conf
+              mountPath: /app/config/config.cfg
+              subPath: glauth.conf
+      restartPolicy: Always
+      volumes:
+        - name: glauth-ldap-conf
+          configMap:
+            name: glauth-ldap-conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  ports:
+    - name: ldap
+      port: 389
+      targetPort: ldap
+    - name: ldaps
+      port: 636
+      targetPort: ldaps
+  selector:
+    app.kubernetes.io/name: glauth-ldap
+status:
+  loadBalancer: {}

examples/authenticated-app/resources/ingress.yaml

@@ -10,43 +10,47 @@ metadata:
 spec:
   ingressClassName: nginx
   tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
+    - hosts:
+        - ssokustom
+      secretName: ssokustom-example-tls
   rules:
-  - http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: oidc-test
-            port:
-              name: http
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: oidc-test
+                port:
+                  name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: auth-saml
+  name: auth-ldap
   annotations:
     cert-manager.io/issuer: "self-signed"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/ldap
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Forwarded-Proto https;
 spec:
   ingressClassName: nginx
   tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
+    - hosts:
+        - ssokustom
+      secretName: ssokustom-example-tls
   rules:
-  - http:
-      paths:
-      - path: /auth/saml(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: hydra-saml
-            port:
-              name: http
+    - http:
+        paths:
+          - path: /auth/ldap(/|$)(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: hydra-ldap
+                port:
+                  name: hydra-ldap
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -57,22 +61,24 @@ metadata:
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     nginx.ingress.kubernetes.io/rewrite-target: /$2
     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Forwarded-Proto https;
 spec:
   ingressClassName: nginx
   tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
+    - hosts:
+        - ssokustom
+      secretName: ssokustom-example-tls
   rules:
-  - http:
-      paths:      
-      - path: /auth/dispatcher(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: hydra-dispatcher
-            port:
-              name: http
+    - http:
+        paths:
+          - path: /auth/dispatcher(/|$)(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: hydra-dispatcher
+                port:
+                  name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -82,50 +88,22 @@ metadata:
     cert-manager.io/issuer: "self-signed"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
     nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Forwarded-Proto https;
 spec:
   ingressClassName: nginx
   tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
+    - hosts:
+        - ssokustom
+      secretName: ssokustom-example-tls
   rules:
-  - http:
-      paths:      
-      - path: /auth(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: hydra
-            port:
-              name: hydra-public
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: saml-idp
-  annotations:
-    cert-manager.io/issuer: "self-signed"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2
-    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
-  rules:
-  - http:
-      paths:     
-      - path: /simplesaml(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: saml-idp
-            port:
-              name: https
-
-     
-
-      
-          
+    - http:
+        paths:
+          - path: /auth(/|$)(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: hydra
+                port:
+                  name: hydra-public

examples/authenticated-app/resources/saml-idp.yaml

@@ -1,51 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/name: saml-idp
-  name: saml-idp
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: saml-idp
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: saml-idp
-    spec:
-      containers:
-        - image: kristophjunge/test-saml-idp:1.15
-          name: saml-idp
-          ports:
-            - containerPort: 8443
-          resources: {}
-          env:
-            - name: SIMPLESAMLPHP_SP_ENTITY_ID
-              value: https://ssokustom/auth/saml
-            - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE
-              value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST
-            - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE
-              value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom
-      restartPolicy: Always
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: saml-idp
-  name: saml-idp
-spec:
-  ports:
-    - name: http
-      port: 8080
-      targetPort: 8080
-    - name: https
-      port: 8443
-      targetPort: 8443
-  selector:
-    app.kubernetes.io/name: saml-idp
-status:
-  loadBalancer: {}

examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml

@@ -0,0 +1,92 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+rules:
+  - apiGroups:
+      - redis.redis.opstreelabs.in
+    resources:
+      - rediss
+      - redisclusters
+      - redis
+      - rediscluster
+      - redisreplication
+      - redisreplications
+      - redissentinel
+      - redissentinels
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - redis.redis.opstreelabs.in
+    resources:
+      - redis/finalizers
+      - rediscluster/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - redis.redis.opstreelabs.in
+    resources:
+      - redis/status
+      - rediscluster/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - pods/exec
+      - services
+      - configmaps
+      - pods
+      - persistentvolumes
+      - persistentvolumeclaims
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch

examples/k8s/kind/cluster/kustomization.yaml

@@ -1,15 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml
-- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
-- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop
-- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+  - https://forge.cadoles.com/CadolesKube/c-kustom//crds?ref=develop
+  - https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
+  - ./resources/olm
+  - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
+  - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
 
-patchesJson6902:
-  - target:
-      version: v1
+patches:
+  - path: patches/nginx-controller.yaml
+    target:
       kind: ConfigMap
       name: ingress-nginx-controller
       namespace: ingress-nginx
-    path: patches/nginx-controller.yaml

examples/k8s/kind/cluster/patches/nginx-controller.yaml

@@ -1,6 +1,9 @@
-- op: replace
-  path: "/data/allow-snippet-annotations"
-  value: "true"
-- op: replace
-  path: "/data/use-forwarded-headers"
-  value: "true"
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: ingress-nginx-controller
+data:
+  allow-snippet-annotations: "true"
+  use-forwarded-headers: "true"
+  strict-validate-path-type: "false"
+  annotations-risk-level: "Critical"

examples/k8s/kind/cluster/resources/olm/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.31.0/olm.yaml
+  - https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/olm/resources/mandatory-operators/resources/redis-operator.yaml

resources/hydra-dispatcher/files/03_base.ini

@@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}

resources/hydra-dispatcher/files/hydra/default.yaml

@@ -15,3 +15,5 @@ hydra:
   firewall:
     additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%"
     rules: {}
+  webhook_post_login:
+    enabled: false

resources/hydra-dispatcher/kustomization.yaml

@@ -29,3 +29,6 @@ configMapGenerator:
 - name: hydra-dispatcher-apps
   files:
   - apps.yaml=./files/hydra/default.yaml
+- name: hydra-dispatcher-php-ini
+  files:
+  - ./files/03_base.ini

resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml

@@ -3,6 +3,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: hydra-dispatcher
+    com.cadoles.forge.sso-kustom/session: redis
   name: hydra-dispatcher
 spec:
   replicas: 1
@@ -17,75 +18,101 @@ spec:
         app.kubernetes.io/name: hydra-dispatcher
     spec:
       containers:
-      - name: hydra-dispatcher-php-fpm
-        image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2023.12.15-develop.903.b675347
-        args: ["/usr/sbin/php-fpm81", "-F", "-e"]
-        readinessProbe:
-          exec:
-            command:
-            - sh
-            - -c
-            - test -f /etc/php81/php-fpm.d/www.conf
-        livenessProbe:
-          exec:
-            command:
-            - php
-            - bin/console
-            - -V
-          initialDelaySeconds: 10
-          periodSeconds: 30
-        env:
-        - name: PHP_FPM_LISTEN
-          value: 127.0.0.1:9000
-        - name: PHP_MEMORY_LIMIT
-          value: 128m
-        - name: PHP_FPM_MEMORY_LIMIT
-          value: 128m
-        envFrom:
-        - configMapRef:
-            name: hydra-dispatcher-env
-        volumeMounts:
-        - mountPath: /app/config/hydra
-          name: hydra-dispatcher-apps
-        resources: {}
-
-      - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2023.12.15-develop.903.b675347
-        imagePullPolicy: Always
-        name: hydra-dispatcher-nginx
-        args: ["/usr/sbin/nginx"]
-        readinessProbe:
-          httpGet:
-            path: /health
-            port: 8080
-          initialDelaySeconds: 5
-          timeoutSeconds: 5
-          periodSeconds: 10
-        livenessProbe:
-          httpGet:
-            path: /health
-            port: 8080
-          initialDelaySeconds: 15
-          timeoutSeconds: 5
-          periodSeconds: 15
-        envFrom:
-        - configMapRef:
-            name: hydra-dispatcher-env
-        env:
-        - name: NGINX_APP_UPSTREAM_BACKEND_SERVER
-          value: 127.0.0.1:9000
-        - name: NGINX_APP_ROOT
-          value: "/public/"
-        - name: NGINX_APP_PHP_INDEX
-          value: "/index.php"
-        - name: NGINX_ERROR_LOG_LEVEL
-          value: "warn"
-        - name: NGINX_APP_PHP_NON_FILE_PATTERN
-          value: "^/index\\.php(/|$)"
-        ports:
-        - containerPort: 8080
-        resources: {}
+        - name: hydra-dispatcher-php-fpm
+          image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
+          args: ["/usr/sbin/php-fpm81", "-F", "-e"]
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - test -f /etc/php81/php-fpm.d/www.conf
+          livenessProbe:
+            exec:
+              command:
+                - php
+                - bin/console
+                - -V
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          env:
+            - name: PHP_FPM_LISTEN
+              value: 127.0.0.1:9000
+            - name: PHP_MEMORY_LIMIT
+              value: 128m
+            - name: PHP_FPM_MEMORY_LIMIT
+              value: 128m
+            - name: OPCACHE_VALIDATE_TIMESTAMP
+              value: "0"
+            - name: OPCACHE_REVALIDATE_FREQ
+              value: "0"
+          envFrom:
+            - configMapRef:
+                name: hydra-dispatcher-env
+          volumeMounts:
+            - mountPath: /app/config/hydra
+              name: hydra-dispatcher-apps
+            - name: hydra-dispatcher-php-ini
+              mountPath: /etc/php81/conf.d/03_base.ini
+              subPath: 03_base.ini
+          resources: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsGroup: 1000
+            runAsUser: 1000
+        - name: hydra-dispatcher-caddy
+          image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
+          imagePullPolicy: IfNotPresent
+          args:
+            [
+              "/usr/sbin/caddy",
+              "run",
+              "--adapter",
+              "caddyfile",
+              "--config",
+              "/etc/caddy/Caddyfile",
+            ]
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 15
+            timeoutSeconds: 5
+            periodSeconds: 15
+          envFrom:
+            - configMapRef:
+                name: hydra-dispatcher-env
+          env:
+            - name: CADDY_APP_UPSTREAM_BACKEND_SERVER
+              value: 127.0.0.1:9000
+            - name: CADDY_HTTPS_PORT
+              value: "8443"
+            - name: CADDY_HTTP_PORT
+              value: "8080"
+            - name: CADDY_DATA_FS
+              value: "/tmp/caddy"
+            - name: CADDY_APP_ROOT_PUBLIC
+              value: "/app/public/"
+          ports:
+            - containerPort: 8080
+              name: http
+          resources: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsGroup: 1000
+            runAsUser: 1000
       restartPolicy: Always
       volumes:
-      - name: hydra-dispatcher-apps
-        configMap:
-          name: hydra-dispatcher-apps
+        - name: hydra-dispatcher-apps
+          configMap:
+            name: hydra-dispatcher-apps
+        - name: hydra-dispatcher-php-ini
+          configMap:
+            name: hydra-dispatcher-php-ini

resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml

@@ -6,8 +6,9 @@ metadata:
   name: hydra-dispatcher
 spec:
   ports:
-    - name: http
-      port: 8080
+  - name: http
+    port: 80
+    targetPort: http
   selector:
     app.kubernetes.io/name: hydra-dispatcher
 status:

resources/hydra/kustomization.yaml

@@ -2,41 +2,45 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 images:
-- name: reg.cadoles.com/proxy_cache/oryd/hydra
-  newTag: v2.1.2
-- name: reg.cadoles.com/proxy_cache/oryd/hydra-maester
-  newTag: v0.0.32-amd64
+  - name: reg.cadoles.com/proxy_cache/oryd/hydra
+    newTag: v2.1.2
+  - name: reg.cadoles.com/proxy_cache/oryd/hydra-maester
+    newTag: v0.0.32-amd64
 
 resources:
-- ./resources/hydra-deployment.yaml
-- ./resources/hydra-service.yaml
-- ./resources/hydra-role.yaml
-- ./resources/hydra-rolebinding.yaml
-- ./resources/hydra-serviceaccount.yaml
-- ./resources/hydra-migrate-job.yaml
-- ./resources/hydra-maester
-- ./resources/hydra-janitor-cronjob.yaml
+  - ./resources/hydra-deployment.yaml
+  - ./resources/hydra-service.yaml
+  - ./resources/hydra-role.yaml
+  - ./resources/hydra-rolebinding.yaml
+  - ./resources/hydra-serviceaccount.yaml
+  - ./resources/hydra-migrate-job.yaml
+  - ./resources/hydra-maester
+  - ./resources/hydra-janitor-cronjob.yaml
 
 secretGenerator:
-- name: hydra-secret
-  literals:
-  - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
+  - name: hydra-secret
+    literals:
+      - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
 
 configMapGenerator:
-- name: hydra-env
-  literals:
-  - URLS_SELF_ISSUER=http://localhost:4444
-  - URLS_LOGIN=http://hydra-login-app/login
-  - URLS_CONSENT=http://hydra-consent-app/consent
-  - URLS_LOGOUT=http://hydra-logout-app/logout
-  - HYDRA_SERVE_ALL_ARGS=--dev
-  - LOG_LEVEL=info
+  - name: hydra-env
+    literals:
+      - URLS_SELF_ISSUER=http://localhost:4444
+      - URLS_LOGIN=http://hydra-login-app/login
+      - URLS_CONSENT=http://hydra-consent-app/consent
+      - URLS_LOGOUT=http://hydra-logout-app/logout
+      - HYDRA_SERVE_ALL_ARGS=--dev
+      - HYDRA_DATABASE_MAX_CONN="10"
+      - LOG_LEVEL=info
 
-vars:
-- name: HYDRA_MIGRATE_JOB_NAME
-  objref:
-    name: hydra-migrate
-    kind: Job
-    apiVersion: batch/v1
-  fieldref:
-    fieldpath: metadata.name
+replacements:
+  - source:
+      kind: Job
+      name: hydra-migrate
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: Deployment
+          name: hydra
+        fieldPaths:
+          - spec.template.spec.initContainers.0.args.1

resources/hydra/resources/hydra-deployment.yaml

@@ -21,8 +21,8 @@ spec:
         - name: wait-for-migrate
           image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
           args:
-          - job
-          - $(HYDRA_MIGRATE_JOB_NAME)
+            - job
+            - REPLACE_ME
       containers:
         - name: hydra
           image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
@@ -57,4 +57,3 @@ spec:
               name: hydra-admin
           resources: {}
       restartPolicy: Always
-  

resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml

@@ -7,7 +7,7 @@ metadata:
   labels:
     app.kubernetes.io/name: hydra-maester
     app.kubernetes.io/instance: hydra-master
-    app.kubernetes.io/version: "v0.0.23"
+    app.kubernetes.io/version: "v0.0.25"
 spec:
   replicas: 1
   revisionHistoryLimit: 10
@@ -38,15 +38,14 @@ spec:
             - --hydra-url=$(HYDRA_ADMIN_BASE_URL)
             - --hydra-port=$(HYDRA_ADMIN_PORT)
             - --endpoint=/admin/clients
-          resources:
-            {}
+          resources: {}
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
-              - ALL
+                - ALL
             privileged: false
             readOnlyRootFilesystem: true
             runAsNonRoot: true