	
		
			122 Commits
		
	
	
		
			fix-exampl
			...
			eb878ff980
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| eb878ff980 | |||
| c1d9ca62d4 | |||
| 09c91e7cae | |||
| 3db15dfc8a | |||
| 77e167b17c | |||
| d09b644b5f | |||
| 5e5670dcdf | |||
| 172d9def39 | |||
| e4b67e0812 | |||
| a26b8aafe1 | |||
| 06235bccad | |||
| 19039c5e1c | |||
| 9e02d7badb | |||
| 87a056be2c | |||
| fedf44a062 | |||
| b0506995e5 | |||
| 7a09045e82 | |||
| f300b91316 | |||
| 30ba1f4d5a | |||
| d9bdbccfe4 | |||
| 2d329501c0 | |||
| dc2c97c7f6 | |||
| c9d8917e6c | |||
| 20e0a20f64 | |||
| c01eb28d8c | |||
| c97266c272 | |||
| 4df11ead1e | |||
| 99056b875e | |||
| ee0349e9df | |||
| 3a255707d1 | |||
| ce1f650a86 | |||
| de24eb0026 | |||
| 40ec4440a7 | |||
| 4ec580fb7d | |||
| 1cf7569678 | |||
| a0ff37edf6 | |||
| a5c9c733f6 | |||
| a5cecb385c | |||
| 15ad23049f | |||
| 78e5b30e1d | |||
| 1ea76c2153 | |||
| af76c99d91 | |||
| 3635f547a1 | |||
| 65fccdc3ce | |||
| 0b3504e631 | |||
| 36a8e117e8 | |||
| 176b5a6696 | |||
| efa00fc6a3 | |||
| f52b3117b5 | |||
| 35c46316d3 | |||
| 456e92ca0e | |||
| e1432cb633 | |||
| 513797be35 | |||
| f38ba80de6 | |||
| 1db87e2d08 | |||
| a7578445b4 | |||
| 119b09ac61 | |||
| 32ccca7616 | |||
| c174ddb734 | |||
| 191024bb17 | |||
| 054f84baef | |||
| a88a8240aa | |||
| 5ea7789cc2 | |||
| 212de51a84 | |||
| 9020c73512 | |||
| 380a116fa8 | |||
| 72a9932fc5 | |||
| 1060fdf4be | |||
| 45953d5531 | |||
| 29f539f7ab | |||
| 0084707bbc | |||
| 0dbd5dd551 | |||
| f1d621d4a9 | |||
| 83b81b1056 | |||
| 1fccf5f8dc | |||
| 907618902e | |||
| 6b1702b7ed | |||
| fce733374c | |||
| 824b8613c4 | |||
| 19910617bd | |||
| f4146345d5 | |||
| bbeb1ec62f | |||
| fcfbb6cc30 | |||
| 7a802a6d28 | |||
| a02622b516 | |||
| 61d9dade3b | |||
| e333d07c14 | |||
| 06f58a061d | |||
| dd6804aa11 | |||
| c7b937adaf | |||
| 77eb73818f | |||
| cc3d07d654 | |||
| 86754cf518 | |||
| 8b02e8a875 | |||
| caa180747e | |||
| 4d29851350 | |||
| d88cc2de65 | |||
| 435597f9f1 | |||
| ee2bb1ea45 | |||
| 63c5d7259c | |||
| 815917c306 | |||
| bc6fe46e1c | |||
| 1b1cc27916 | |||
| d37e85000f | |||
| d9570ec8d0 | |||
| d56ae059a3 | |||
| 5ec48c8b22 | |||
| aaae6e2f20 | |||
| 081e854454 | |||
| 3dba6c0d69 | |||
| 8c6dc30bde | |||
| 4ff0f83880 | |||
| e93bc069d3 | |||
| a56089efe5 | |||
| c4998279d5 | |||
| 6de80b1d9c | |||
| 2f3cf60974 | |||
| bf865b02e2 | |||
| 063b575117 | |||
| 38d3f1c1df | |||
| 6acda0553e | |||
| 6217c7b3fd | 
| @@ -2,10 +2,6 @@ | |||||||
|  |  | ||||||
| Kustomization du service "SSO" (Ory Hydra) | Kustomization du service "SSO" (Ory Hydra) | ||||||
|  |  | ||||||
| ## Usage |  | ||||||
|  |  | ||||||
| [Voir la documentation](./doc/README.md) |  | ||||||
|  |  | ||||||
| ## Exemple | ## Exemple | ||||||
|  |  | ||||||
| Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app) | Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app) | ||||||
							
								
								
									
										116
									
								
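--- /dev/null
+++ b/components/hydra-cleaner/files/hydra-cleaner.sh
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+set -e
+set -o nounset
+
+# 4 tables to empty, at least
+# oidc, code, flow, authentication_session
+
+# \d hydra_oauth2_flow
+#Referenced by:
+#    TABLE "hydra_oauth2_access" CONSTRAINT "hydra_oauth2_access_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_code" CONSTRAINT "hydra_oauth2_code_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_oidc" CONSTRAINT "hydra_oauth2_oidc_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_pkce" CONSTRAINT "hydra_oauth2_pkce_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_refresh" CONSTRAINT "hydra_oauth2_refresh_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+
+# -> delete "cascade" on table "flow" cleans access, code, oidc, pkce and refresh tables.
+
+
+DSN="${DSN:-postgresql://${HYDRA_DATABASE_USER}:${HYDRA_DATABASE_PASSWORD}@${HYDRA_DATABASE_SERVICE_NAME}:${HYDRA_DATABASE_SERVICE_PORT:-5432}/hydra?sslmode=disable}"
+RETENTION_HOURS="${RETENTION_HOURS:-48}"
+BATCH_SIZE="${BATCH_SIZE:-50}"
+LIMIT="${LIMIT:-1000}"
+BEFORE_DATE="$(date +'%Y-%m-%d %H:%M:%S' --date=@$(($(date +%s) - RETENTION_HOURS * 3600)))"
+
+
+log() {
+    echo "$(date +'%d-%m-%y %H:%M:%S%z')| $1"
+}
+
+perror() {
+    log "Something went wrong, exiting."
+    trap - EXIT
+    exit 1
+}
+
+trap perror EXIT
+
+if ! [[ ${RETENTION_HOURS} =~ '^[0-9]+$' ]]; then
+    log "Error: variable RETENTION_HOURS is not a positive integer."
+    perror
+fi
+
+if ! [[ ${LIMIT} =~ '^[0-9]+$' ]]; then
+    log "Error: variable LIMIT is not a positive integer."
+    perror
+fi
+
+if ! [[ ${BATCH_SIZE} =~ '^[0-9]+$' ]]; then
+    log "Error: variable BATCH_SIZE is not a positive integer."
+    perror
+fi
+
+log "Starting hydra cleaner"
+
+log "Removing up to ${LIMIT} elements before ${BEFORE_DATE} by batch of ${BATCH_SIZE}"
+
+log "Beginning estimated size:"
+psql "${DSN}" <<EOF
+select
+  table_name, reltuples as estimate,
+  pg_size_pretty(pg_total_relation_size(quote_ident(table_name))),
+  pg_total_relation_size(quote_ident(table_name))
+from information_schema.tables left join pg_class on information_schema.tables.table_name=pg_class.relname
+where table_schema = 'public'
+order by 4 desc;
+EOF
+
+
+REMAINING_ELMTS="${LIMIT}"
+while [ "${REMAINING_ELMTS}" -gt 0 ]; do
+    OUTPUT=$(psql "${DSN}" <<EOF
+DELETE
+FROM hydra_oauth2_flow
+WHERE login_challenge = ANY (
+  array(
+    SELECT login_challenge
+    FROM hydra_oauth2_flow
+    WHERE requested_at < '${BEFORE_DATE}'
+    LIMIT ${BATCH_SIZE}
+  )
+);
+EOF
+    )
+
+    log "${OUTPUT}"
+
+    if ! [[ "${OUTPUT}" =~ '^DELETE ' ]] ; then
+	log "Output doesn't seems OK..."
+	break
+    fi
+    OUTPUT_NB=$(echo "${OUTPUT}" | cut -d' ' -f 2)
+
+    if [ "${OUTPUT_NB}" -lt "${BATCH_SIZE}" ]; then
+	break
+    fi
+
+    REMAINING_ELMTS=$((REMAINING_ELMTS - BATCH_SIZE))
+    if [ "${REMAINING_ELMTS}" -lt "${BATCH_SIZE}" ]; then
+	BATCH_SIZE="${REMAINING_ELMTS}"
+    fi
+done
+
+
+log "Final estimated size:"
+psql "${DSN}" <<EOF
+select
+  table_name, reltuples as estimate,
+  pg_size_pretty(pg_total_relation_size(quote_ident(table_name))),
+  pg_total_relation_size(quote_ident(table_name))
+from information_schema.tables left join pg_class on information_schema.tables.table_name=pg_class.relname
+where table_schema = 'public'
+order by 4 desc;
+EOF
+
+trap - EXIT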
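Review bot: The integer checks `if ! [[ ${RETENTION_HOURS} =~ '^[0-9]+$' ]]` (and the two that follow, plus the `'^DELETE '` check inside the loop) cannot work as written: the script runs under `#!/bin/sh`, where `[[ … =~ … ]]` is not POSIX and in the Alpine image's busybox `sh` is at best treated as `test`, which has no `=~`; even under bash a quoted right-hand side of `=~` is matched as a literal string, so every value is rejected and the job always exits through perror. This matters because `${BATCH_SIZE}` and `'${BEFORE_DATE}'` are spliced straight into the SQL heredocs, so the validation is the only barrier between the ConfigMap values and the DELETE statement. The checks also run after `BEFORE_DATE` has already done arithmetic on `RETENTION_HOURS`, so a non-numeric value dies there with the generic message rather than the specific one. A portable `case` pattern fixes both; the rewrite below moves validation ahead of `BEFORE_DATE` and replaces the output check the same way.
```shell
# … unchanged: set -e / set -o nounset, table comments, DSN/RETENTION_HOURS/BATCH_SIZE/LIMIT defaults …

# POSIX check: a non-empty string made only of digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# … unchanged: log(), perror(), trap perror EXIT …

is_uint "${RETENTION_HOURS}" || { log "Error: variable RETENTION_HOURS is not a positive integer."; perror; }
is_uint "${LIMIT}" || { log "Error: variable LIMIT is not a positive integer."; perror; }
is_uint "${BATCH_SIZE}" || { log "Error: variable BATCH_SIZE is not a positive integer."; perror; }

# Computed only once RETENTION_HOURS is known to be numeric.
BEFORE_DATE="$(date +'%Y-%m-%d %H:%M:%S' --date=@$(($(date +%s) - RETENTION_HOURS * 3600)))"

# … unchanged: size report and the DELETE loop up to the output check …
    case "${OUTPUT}" in
        "DELETE "*) ;;
        *)
            log "Output doesn't seems OK..."
            break
            ;;
    esac
# … unchanged: OUTPUT_NB handling, rest of the loop, final size report, trap - EXIT …
```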
							
								
								
									
										17
									
								
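--- /dev/null
+++ b/components/hydra-cleaner/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ./resources/hydra-cleaner-cronjob.yaml
+
+configMapGenerator:
+- name: hydra-cleaner-env
+  behavior: create
+  literals:
+  - RETENTION_HOURS="48"
+  - BATCH_SIZE="100"
+  - LIMIT="1000"
+- name: hydra-cleaner-script
+  behavior: create
+  files:
+  - ./files/hydra-cleaner.sh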
| @@ -0,0 +1,54 @@ | |||||||
|  | apiVersion: batch/v1 | ||||||
|  | kind: CronJob | ||||||
|  | metadata: | ||||||
|  |   name: hydra-cleaner | ||||||
|  |   labels: | ||||||
|  |     app.kubernetes.io/name: hydra-cleaner | ||||||
|  | spec: | ||||||
|  |   concurrencyPolicy: Forbid | ||||||
|  |   schedule: "30 */1 * * *" | ||||||
|  |   jobTemplate: | ||||||
|  |     spec: | ||||||
|  |       template: | ||||||
|  |         metadata: | ||||||
|  |           labels: | ||||||
|  |             app.kubernetes.io/name: hydra-cleaner | ||||||
|  |         spec: | ||||||
|  |           restartPolicy: OnFailure | ||||||
|  |           serviceAccountName: hydra-sa | ||||||
|  |           containers: | ||||||
|  |           - name: hydra-cleaner | ||||||
|  |             image: reg.cadoles.com/proxy_cache/alpine/psql:17.4 | ||||||
|  |             envFrom: | ||||||
|  |             - configMapRef: | ||||||
|  |                 name: hydra-env | ||||||
|  |             - configMapRef: | ||||||
|  |                 name: hydra-cleaner-env | ||||||
|  |             imagePullPolicy: IfNotPresent | ||||||
|  |             command: ["/hydra-cleaner.sh"] | ||||||
|  |             env: | ||||||
|  |             - name: HYDRA_DATABASE_USER | ||||||
|  |               valueFrom: | ||||||
|  |                 secretKeyRef: | ||||||
|  |                   name: hydra-postgres-app | ||||||
|  |                   key: username | ||||||
|  |             - name: HYDRA_DATABASE_PASSWORD | ||||||
|  |               valueFrom: | ||||||
|  |                 secretKeyRef: | ||||||
|  |                   name: hydra-postgres-app | ||||||
|  |                   key: password | ||||||
|  |             - name: HYDRA_DATABASE_SERVICE_NAME | ||||||
|  |               valueFrom: | ||||||
|  |                 secretKeyRef: | ||||||
|  |                   name: hydra-postgres-app | ||||||
|  |                   key: host | ||||||
|  |             args: [] | ||||||
|  |             volumeMounts: | ||||||
|  |             - name: hydra-cleaner-script | ||||||
|  |               mountPath: "/hydra-cleaner.sh" | ||||||
|  |               subPath: "hydra-cleaner.sh" | ||||||
|  |           volumes: | ||||||
|  |           - name: hydra-cleaner-script | ||||||
|  |             configMap: | ||||||
|  |               name: hydra-cleaner-script | ||||||
|  |               defaultMode: 0544 | ||||||
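Review bot: `serviceAccountName: hydra-sa` gives the cleaner Hydra's own service account even though the script only talks to PostgreSQL and never calls the Kubernetes API; a job that holds the database password should not also carry whatever RBAC hydra-sa has. Add `automountServiceAccountToken: false` to the pod spec (or use a dedicated account with no bindings), and give the container the same hardening the hydra-ldap deployment in this change gets: `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, `runAsNonRoot: true`, plus `readOnlyRootFilesystem: true` with an `emptyDir` on `/tmp` if psql needs somewhere to write. The script's default DSN ends in `sslmode=disable` and no `DSN` override is set in this spec, so unless one of the referenced ConfigMaps supplies one the credentials travel to the database in clear text; CNPG clusters serve TLS by default, so `sslmode=require` at minimum is worth setting. The `hydra-env` ConfigMap is pulled in wholesale through `envFrom`; if it carries more than the database settings the cleaner needs, narrow it to a dedicated map.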
| @@ -7,29 +7,7 @@ configurations: | |||||||
| resources: | resources: | ||||||
| - ./resources/hydra-cnpg-cluster.yaml | - ./resources/hydra-cnpg-cluster.yaml | ||||||
|  |  | ||||||
| secretGenerator: | patches: | ||||||
| - name: hydra-postgres-admin |  | ||||||
|   type: Secret |  | ||||||
|   literals: |  | ||||||
|   - username=postgres |  | ||||||
|   - password=NotSoSecret |  | ||||||
| - name: hydra-postgres-user |  | ||||||
|   type: Secret |  | ||||||
|   literals: |  | ||||||
|   - username=hydra |  | ||||||
|   - password=NotSoSecret |  | ||||||
|  |  | ||||||
|  |  | ||||||
| vars: |  | ||||||
| - name: HYDRA_DATABASE_SERVICE_NAME |  | ||||||
|   objref: |  | ||||||
|     name: hydra-postgres |  | ||||||
|     kind: Cluster |  | ||||||
|     apiVersion: postgresql.cnpg.io/v1 |  | ||||||
|   fieldref: |  | ||||||
|     fieldpath: metadata.name |  | ||||||
|  |  | ||||||
| patchesJson6902: |  | ||||||
| - target: | - target: | ||||||
|     group: apps |     group: apps | ||||||
|     version: v1 |     version: v1 | ||||||
| @@ -42,3 +20,9 @@ patchesJson6902: | |||||||
|     kind: Job |     kind: Job | ||||||
|     name: hydra-migrate |     name: hydra-migrate | ||||||
|   path: patches/hydra-migrate-job.yaml |   path: patches/hydra-migrate-job.yaml | ||||||
|  | - target: | ||||||
|  |     group: batch | ||||||
|  |     version: v1 | ||||||
|  |     kind: CronJob | ||||||
|  |     name: hydra-janitor | ||||||
|  |   path: patches/hydra-janitor-cronjob.yaml | ||||||
|   | |||||||
| @@ -4,7 +4,7 @@ | |||||||
|     name: HYDRA_DATABASE_USER |     name: HYDRA_DATABASE_USER | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: username |         key: username | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/template/spec/containers/0/env/-" |   path: "/spec/template/spec/containers/0/env/-" | ||||||
| @@ -12,10 +12,18 @@ | |||||||
|     name: HYDRA_DATABASE_PASSWORD |     name: HYDRA_DATABASE_PASSWORD | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: password |         key: password | ||||||
|  | - op: add | ||||||
|  |   path: "/spec/template/spec/containers/0/env/-" | ||||||
|  |   value: | ||||||
|  |     name: HYDRA_DATABASE_SERVICE_NAME | ||||||
|  |     valueFrom: | ||||||
|  |       secretKeyRef: | ||||||
|  |         name: hydra-postgres-app | ||||||
|  |         key: host | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/template/spec/containers/0/env/-" |   path: "/spec/template/spec/containers/0/env/-" | ||||||
|   value: |   value: | ||||||
|     name: DSN |     name: DSN | ||||||
|     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable" |     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable&max_conns=$(HYDRA_DATABASE_MAX_CONN)&max_idle_conns=$(HYDRA_DATABASE_MAX_IDLE_CONNS)&max_conn_lifetime=$(HYDRA_DATABASE_MAX_CONN_LIFETIME)&max_conn_idle_time=$(HYDRA_DATABASE_MAX_CONN_IDLE_TIME)&connect_timeout=$(HYDRA_DATABASE_CONNECT_TIMEOUT)" | ||||||
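Review bot: The rewritten `DSN` now references `$(HYDRA_DATABASE_MAX_CONN)`, `$(HYDRA_DATABASE_MAX_IDLE_CONNS)`, `$(HYDRA_DATABASE_MAX_CONN_LIFETIME)`, `$(HYDRA_DATABASE_MAX_CONN_IDLE_TIME)` and `$(HYDRA_DATABASE_CONNECT_TIMEOUT)`, none of which is defined in this patch; Kubernetes leaves an unresolved `$(VAR)` as literal text, so if the ConfigMap the container loads does not define every one of them Hydra receives `max_conns=$(HYDRA_DATABASE_MAX_CONN)` and fails to parse its DSN. Either add them to this patch with defaults or add a comment naming the ConfigMap that must supply them, e.g. `# pool/timeout values are expected from the hydra-env ConfigMap`. The connection also keeps `sslmode=disable` while the host now comes from the CNPG-generated `hydra-postgres-app` secret; CNPG clusters serve TLS out of the box, so `sslmode=require`, or `verify-full` with the cluster CA mounted, would stop the credentials and token data from crossing the cluster network in clear text. The patched container spec begins outside this hunk.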
|   | |||||||
| @@ -0,0 +1,29 @@ | |||||||
|  | - op: add | ||||||
|  |   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" | ||||||
|  |   value: | ||||||
|  |     name: HYDRA_DATABASE_USER | ||||||
|  |     valueFrom: | ||||||
|  |       secretKeyRef: | ||||||
|  |         name: hydra-postgres-app | ||||||
|  |         key: username | ||||||
|  | - op: add | ||||||
|  |   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" | ||||||
|  |   value: | ||||||
|  |     name: HYDRA_DATABASE_PASSWORD | ||||||
|  |     valueFrom: | ||||||
|  |       secretKeyRef: | ||||||
|  |         name: hydra-postgres-app | ||||||
|  |         key: password | ||||||
|  | - op: add | ||||||
|  |   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" | ||||||
|  |   value: | ||||||
|  |     name: HYDRA_DATABASE_SERVICE_NAME | ||||||
|  |     valueFrom: | ||||||
|  |       secretKeyRef: | ||||||
|  |         name: hydra-postgres-app | ||||||
|  |         key: host | ||||||
|  | - op: add | ||||||
|  |   path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" | ||||||
|  |   value: | ||||||
|  |     name: DSN | ||||||
|  |     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable" | ||||||
| @@ -4,7 +4,7 @@ | |||||||
|     name: HYDRA_DATABASE_USER |     name: HYDRA_DATABASE_USER | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: username |         key: username | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/template/spec/containers/0/env/-" |   path: "/spec/template/spec/containers/0/env/-" | ||||||
| @@ -12,10 +12,18 @@ | |||||||
|     name: HYDRA_DATABASE_PASSWORD |     name: HYDRA_DATABASE_PASSWORD | ||||||
|     valueFrom: |     valueFrom: | ||||||
|       secretKeyRef: |       secretKeyRef: | ||||||
|         name: hydra-postgres-user |         name: hydra-postgres-app | ||||||
|         key: password |         key: password | ||||||
|  | - op: add | ||||||
|  |   path: "/spec/template/spec/containers/0/env/-" | ||||||
|  |   value: | ||||||
|  |     name: HYDRA_DATABASE_SERVICE_NAME | ||||||
|  |     valueFrom: | ||||||
|  |       secretKeyRef: | ||||||
|  |         name: hydra-postgres-app | ||||||
|  |         key: host | ||||||
| - op: add | - op: add | ||||||
|   path: "/spec/template/spec/containers/0/env/-" |   path: "/spec/template/spec/containers/0/env/-" | ||||||
|   value: |   value: | ||||||
|     name: DSN |     name: DSN | ||||||
|     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable" |     value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable" | ||||||
|   | |||||||
| @@ -5,13 +5,9 @@ metadata: | |||||||
| spec: | spec: | ||||||
|   instances: 3 |   instances: 3 | ||||||
|   primaryUpdateStrategy: unsupervised |   primaryUpdateStrategy: unsupervised | ||||||
|   superuserSecret: |  | ||||||
|     name: hydra-postgres-admin |  | ||||||
|   bootstrap: |   bootstrap: | ||||||
|     initdb: |     initdb: | ||||||
|       database: hydra |       database: hydra | ||||||
|       owner: hydra |       owner: hydra | ||||||
|       secret: |  | ||||||
|         name: hydra-postgres-user |  | ||||||
|   storage: |   storage: | ||||||
|     size: 2Gi |     size: 2Gi | ||||||
							
								
								
									
										28
									
								
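--- /dev/null
+++ b/components/hydra-ldap/kustomization.yaml
@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ./resources/deployment.yaml
+  - ./resources/service.yaml
+
+configMapGenerator:
+  - name: hydra-ldap-env
+    behavior: create
+    literals:
+      - WERTHER_DEV_MODE=false
+      - WERTHER_LDAP_ROLE_CLAIM="https://hydra/claims/roles"
+      - WERTHER_SKIP_SSL_VERIFICATIONS=false
+      - WERTHER_IDENTP_CLAIM_SCOPES="name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles"
+      - WERTHER_IDENTP_HYDRA_URL="http://hydra:4444"
+      - WERTHER_LDAP_ENDPOINTS="ldap.test.fr:636"
+      - WERTHER_LDAP_IS_TLS=true
+      - WERTHER_LDAP_BASEDN="o=test,c=fr"
+      - WERTHER_LDAP_ROLE_BASEDN="ou=groups,o=test,c=fr"
+      - WERTHER_LDAP_CONNECTION_TIMEOUT="10s"
+
+secretGenerator:
+  - name: hydra-ldap-sc
+    behavior: create
+    literals:
+      - WERTHER_LDAP_BINDDN="cn=reader,o=test,c=fr"
+      - WERTHER_LDAP_BINDPW=ThisMustBeAbsolutelyChanged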
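Review bot: `WERTHER_LDAP_BINDPW=ThisMustBeAbsolutelyChanged` commits a placeholder bind password into the component's secretGenerator, and nothing forces an overlay to override it, so a deployment that forgets will bind to the directory with a password that is public in this repository. Prefer loading it from a file that is not committed — `envs: [./secrets/hydra-ldap.env]` with that file gitignored — or drop the literal and document that overlays must supply a `hydra-ldap-sc` Secret with `behavior: replace`. The bind DN `cn=reader,o=test,c=fr` and `WERTHER_LDAP_ENDPOINTS="ldap.test.fr:636"` are clearly sample values too; a header comment such as `# Sample values: override WERTHER_LDAP_* and the hydra-ldap-sc secret in your overlay` would make that explicit. Keeping `WERTHER_LDAP_IS_TLS=true` with `WERTHER_SKIP_SSL_VERIFICATIONS=false` is the right default and should stay.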
							
								
								
									
										48
									
								
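--- /dev/null
+++ b/components/hydra-ldap/resources/deployment.yaml
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hydra-ldap
+  labels:
+    app.kubernetes.io/name: hydra-ldap
+    app.kubernetes.io/version: "v1.2.2"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: hydra-ldap
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: hydra-ldap
+        app.kubernetes.io/version: "v1.2.2"
+    spec:
+      containers:
+        - name: werther
+          image: reg.cadoles.com/cadoles/hydra-werther:2025.2.17-stable.1544.8ded23c
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: hydra-ldap-env
+          env:
+            - name: WERTHER_LDAP_BINDDN
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-ldap-sc
+                  key: WERTHER_LDAP_BINDDN
+            - name: WERTHER_LDAP_BINDPW
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-ldap-sc
+                  key: WERTHER_LDAP_BINDPW
+          ports:
+            - containerPort: 8080
+              name: hydra-ldap-http
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 100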
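Review bot: The container `securityContext` is close to the restricted Pod Security Standard but omits `seccompProfile`, which that profile requires; add `seccompProfile: {type: RuntimeDefault}` next to `runAsNonRoot: true`. With `readOnlyRootFilesystem: true` and no `volumes`, the process has no writable path at all, which is fine only if werther never writes to disk; if it does, mount an `emptyDir` at the needed location rather than loosening the flag. The container also declares no `resources` requests or limits and no readiness or liveness probe, so a stuck login provider is never restarted and the scheduler cannot account for it; a `resources` block and an `httpGet` probe on the `hydra-ldap-http` port would be the minimum for a component on the authentication path.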
							
								
								
									
										17
									
								
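--- /dev/null
+++ b/components/hydra-ldap/resources/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: hydra-ldap
+  name: hydra-ldap
+spec:
+  type: ClusterIP
+  ports:
+    - name: hydra-ldap
+      port: 8080
+      targetPort: hydra-ldap-http
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: hydra-ldap
+status:
+  loadBalancer: {}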
| @@ -10,3 +10,4 @@ hydra: | |||||||
|       login_url: "%env(string:HYDRA_DISPATCHER_OIDC_LOGIN_URL)%" |       login_url: "%env(string:HYDRA_DISPATCHER_OIDC_LOGIN_URL)%" | ||||||
|       consent_url: "%env(string:HYDRA_DISPATCHER_OIDC_CONSENT_URL)%" |       consent_url: "%env(string:HYDRA_DISPATCHER_OIDC_CONSENT_URL)%" | ||||||
|       logout_url: "%env(string:HYDRA_DISPATCHER_OIDC_LOGOUT_URL)%" |       logout_url: "%env(string:HYDRA_DISPATCHER_OIDC_LOGOUT_URL)%" | ||||||
|  |       attributes_rewrite_configuration: [] | ||||||
|   | |||||||
| @@ -2,36 +2,36 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 | |||||||
| kind: Component | kind: Component | ||||||
|  |  | ||||||
| resources: | resources: | ||||||
|   - ./resources/hydra-oidc-deployment.yaml | - ./resources/hydra-oidc-deployment.yaml | ||||||
|   - ./resources/hydra-oidc-service.yaml | - ./resources/hydra-oidc-service.yaml | ||||||
|  |  | ||||||
|  | generatorOptions: | ||||||
|  |   labels: | ||||||
|  |     com.cadoles.forge.sso-kustom/session: redis | ||||||
|  |  | ||||||
| configMapGenerator: | configMapGenerator: | ||||||
|   - name: hydra-oidc-env | - name: hydra-oidc-env | ||||||
|     literals: |   behavior: create | ||||||
|       - APP_ENV=prod |   literals: | ||||||
|       - APP_DEBUG=false |   - APP_ENV=prod | ||||||
|       - HYDRA_ADMIN_BASE_URL=http://hydra-dispatcher |   - APP_DEBUG=false | ||||||
|       - OIC_AUTHORIZE_ENDPOINT=https://oidc-idp/api/v1/authorize |   - PHP_FPM_MEMORY_LIMIT=256m | ||||||
|       - OIDC_TOKEN_ENDPOINT=https://oidc-idp/api/v1/token |   - NGINX_APP_SERVER_LISTEN=80 | ||||||
|       - OIDC_USERINFO_ENDPOINT=https://oidc-idp/api/v1/userinfo |   - HYDRA_ADMIN_BASE_URL=http://hydra-dispatcher | ||||||
|       - POST_LOGOUT_REDIRECT_URL=http://oidc-sp/logout |   - OIC_AUTHORIZE_ENDPOINT=https://oidc-idp/api/v1/authorize | ||||||
|       - OIDC_LOGOUT_ENDPOINT=https://oidc-idp/api/v1/logout?%s |   - OIDC_TOKEN_ENDPOINT=https://oidc-idp/api/v1/token | ||||||
|       - BASE_URL=http://hydra-oidc |   - OIDC_USERINFO_ENDPOINT=https://oidc-idp/api/v1/userinfo | ||||||
|       - PARAMS_TO_DELETE=[] |   - POST_LOGOUT_REDIRECT_URL=http://oidc-sp/logout | ||||||
|       - PARAMS_TO_INSERT={} |   - OIDC_LOGOUT_ENDPOINT=https://oidc-idp/api/v1/logout?%s | ||||||
|       - OIDC_SCOPE=openid email |   - BASE_URL=http://hydra-oidc | ||||||
|       - CLIENT_ID_FC=MyClientID |   - PARAMS_TO_DELETE=[] | ||||||
|       - CLIENT_SECRET_FC=MyClientSecret |   - PARAMS_TO_INSERT={} | ||||||
|       - COOKIE_PATH=/ |   - OIDC_SCOPE=openid email | ||||||
|       - TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR |   - CLIENT_ID_FC=MyClientID | ||||||
|   - name: hydra-dispatcher-apps |   - CLIENT_SECRET_FC=MyClientSecret | ||||||
|     behavior: merge |   - COOKIE_PATH=/ | ||||||
|     files: |   - TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR | ||||||
|       - ./files/hydra/oidc.yaml |   - REDIS_DSN="redis://redis:6379" | ||||||
|  |   - HYDRA_DISPATCHER_OIDC_LOGIN_URL="http://hydra-oidc/login" | ||||||
| patchesJson6902: |   - HYDRA_DISPATCHER_OIDC_CONSENT_URL="http://hydra-oidc/consent" | ||||||
|   - target: |   - HYDRA_DISPATCHER_OIDC_LOGOUT_URL="http://hydra-oidc/logout" | ||||||
|       version: v1 |  | ||||||
|       kind: ConfigMap |  | ||||||
|       name: hydra-dispatcher-env |  | ||||||
|     path: patches/hydra-dispatcher-env.yaml |  | ||||||
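Review bot: `CLIENT_SECRET_FC=MyClientSecret` is still emitted into a ConfigMap (`hydra-oidc-env`) rather than a Secret, so the OIDC client secret is readable by anyone with `get configmaps` and lands in plain text in every `envFrom` consumer; move `CLIENT_ID_FC`/`CLIENT_SECRET_FC` to a `secretGenerator` and reference them with `secretKeyRef` in the deployment. The placeholder also carries no signal that it must be overridden; a comment such as `# Sample credentials: overlays must replace CLIENT_ID_FC / CLIENT_SECRET_FC` (or loading them from an uncommitted `envs:` file) would help. The new side also drops the `hydra-dispatcher-apps` merge of `./files/hydra/oidc.yaml` and moves the `HYDRA_DISPATCHER_OIDC_*_URL` values into `hydra-oidc-env`; if the dispatcher still reads them from its own environment, as the `%env(string:HYDRA_DISPATCHER_OIDC_LOGIN_URL)%` references elsewhere in this change suggest, confirm that something else now wires them into the dispatcher's ConfigMap.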
|   | |||||||
| @@ -1,9 +0,0 @@ | |||||||
| - op: replace |  | ||||||
|   path: "/data/HYDRA_DISPATCHER_OIDC_LOGIN_URL" |  | ||||||
|   value: http://hydra-oidc/login |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/HYDRA_DISPATCHER_OIDC_CONSENT_URL" |  | ||||||
|   value: http://hydra-oidc/consent |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/HYDRA_DISPATCHER_OIDC_LOGOUT_URL" |  | ||||||
|   value: http://hydra-oidc/logout |  | ||||||
| @@ -2,28 +2,101 @@ apiVersion: apps/v1 | |||||||
| kind: Deployment | kind: Deployment | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra-oidc |     app.kubernetes.io/name: hydra-oidc | ||||||
|   name: hydra-oidc |   name: hydra-oidc | ||||||
| spec: | spec: | ||||||
|   replicas: 1 |   replicas: 1 | ||||||
|   selector: |   selector: | ||||||
|     matchLabels: |     matchLabels: | ||||||
|       io.kompose.service: hydra-oidc |       app.kubernetes.io/name: hydra-oidc | ||||||
|   strategy: |   strategy: | ||||||
|     type: Recreate |     type: Recreate | ||||||
|   template: |   template: | ||||||
|     metadata: |     metadata: | ||||||
|       labels: |       labels: | ||||||
|         io.kompose.service: hydra-oidc |         app.kubernetes.io/name: hydra-oidc | ||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|         - name: hydra-oidc |       - name: hydra-oidc-php-fpm | ||||||
|           image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-170-g485b138 |         image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 | ||||||
|           envFrom: |         imagePullPolicy: IfNotPresent | ||||||
|             - configMapRef: |         args: ["/usr/sbin/php-fpm81", "-F", "-e"] | ||||||
|                 name: hydra-oidc-env |         readinessProbe: | ||||||
|           ports: |           exec: | ||||||
|             - containerPort: 80 |             command: | ||||||
|           resources: {} |               - sh | ||||||
|       restartPolicy: Always |               - -c | ||||||
|  |               - test -f /etc/php81/php-fpm.d/www.conf | ||||||
|  |         livenessProbe: | ||||||
|  |           exec: | ||||||
|  |             command: | ||||||
|  |               - php | ||||||
|  |               - bin/console | ||||||
|  |               - -V | ||||||
|  |           initialDelaySeconds: 10 | ||||||
|  |           periodSeconds: 30 | ||||||
|  |         env: | ||||||
|  |           - name: PHP_FPM_LISTEN | ||||||
|  |             value: 127.0.0.1:9000 | ||||||
|  |           - name: PHP_MEMORY_LIMIT | ||||||
|  |             value: 128m | ||||||
|  |           - name: PHP_FPM_MEMORY_LIMIT | ||||||
|  |             value: 128m | ||||||
|  |         envFrom: | ||||||
|  |           - configMapRef: | ||||||
|  |               name: hydra-oidc-env | ||||||
|  |         resources: {} | ||||||
|  |         securityContext: | ||||||
|  |           runAsNonRoot: true | ||||||
|  |           runAsGroup: 1000 | ||||||
|  |           runAsUser: 1000 | ||||||
|  |  | ||||||
|  |       - name: hydra-oidc-caddy | ||||||
|  |         image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 | ||||||
|  |         imagePullPolicy: IfNotPresent | ||||||
|  |         args: | ||||||
|  |           [ | ||||||
|  |             "/usr/sbin/caddy", | ||||||
|  |             "run", | ||||||
|  |             "--adapter", | ||||||
|  |             "caddyfile", | ||||||
|  |             "--config", | ||||||
|  |             "/etc/caddy/Caddyfile", | ||||||
|  |           ] | ||||||
|  |         readinessProbe: | ||||||
|  |           httpGet: | ||||||
|  |             path: /healthy | ||||||
|  |             port: 8080 | ||||||
|  |           initialDelaySeconds: 5 | ||||||
|  |           timeoutSeconds: 5 | ||||||
|  |           periodSeconds: 10 | ||||||
|  |         livenessProbe: | ||||||
|  |           httpGet: | ||||||
|  |             path: /healthy | ||||||
|  |             port: 8080 | ||||||
|  |           initialDelaySeconds: 15 | ||||||
|  |           timeoutSeconds: 5 | ||||||
|  |           periodSeconds: 15 | ||||||
|  |         ports: | ||||||
|  |           - containerPort: 8080 | ||||||
|  |             name: http | ||||||
|  |         envFrom: | ||||||
|  |           - configMapRef: | ||||||
|  |               name: hydra-oidc-env | ||||||
|  |         env: | ||||||
|  |           - name: CADDY_APP_UPSTREAM_BACKEND_SERVER | ||||||
|  |             value: 127.0.0.1:9000 | ||||||
|  |           - name: CADDY_HTTPS_PORT | ||||||
|  |             value: "8443" | ||||||
|  |           - name: CADDY_HTTP_PORT | ||||||
|  |             value: "8080" | ||||||
|  |           - name: CADDY_DATA_FS | ||||||
|  |             value: "/tmp/caddy" | ||||||
|  |           - name: CADDY_APP_ROOT_PUBLIC | ||||||
|  |             value: "/app/public/" | ||||||
|  |         resources: {} | ||||||
|  |         securityContext: | ||||||
|  |           runAsNonRoot: true | ||||||
|  |           runAsGroup: 1000 | ||||||
|  |           runAsUser: 1000 | ||||||
|  |       restartPolicy: Always | ||||||
|   | |||||||
| @@ -2,13 +2,14 @@ apiVersion: v1 | |||||||
| kind: Service | kind: Service | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra-oidc |     app.kubernetes.io/name: hydra-oidc | ||||||
|   name: hydra-oidc |   name: hydra-oidc | ||||||
| spec: | spec: | ||||||
|   ports: |   ports: | ||||||
|     - name: hydra-oidc |   - name: http | ||||||
|       port: 80 |     port: 80 | ||||||
|  |     targetPort: http | ||||||
|   selector: |   selector: | ||||||
|     io.kompose.service: hydra-oidc |     app.kubernetes.io/name: hydra-oidc | ||||||
| status: | status: | ||||||
|   loadBalancer: {} |   loadBalancer: {} | ||||||
|   | |||||||
| @@ -20,11 +20,3 @@ hydra: | |||||||
|         eduPersonAffiliation: |         eduPersonAffiliation: | ||||||
|           rules: |           rules: | ||||||
|           - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null" |           - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null" | ||||||
|   firewall: |  | ||||||
|     rules: |  | ||||||
|       email: |  | ||||||
|         required: false |  | ||||||
|       uid: |  | ||||||
|         required: false |  | ||||||
|       eduPersonAffiliation: |  | ||||||
|         required: false |  | ||||||
| @@ -2,28 +2,30 @@ apiVersion: apps/v1 | |||||||
| kind: Deployment | kind: Deployment | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra-saml-remote-user |     app.kubernetes.io/name: hydra-saml-remote-user | ||||||
|   name: hydra-saml-remote-user |   name: hydra-saml-remote-user | ||||||
| spec: | spec: | ||||||
|   replicas: 1 |   replicas: 1 | ||||||
|   selector: |   selector: | ||||||
|     matchLabels: |     matchLabels: | ||||||
|       io.kompose.service: hydra-saml-remote-user |       app.kubernetes.io/name: hydra-saml-remote-user | ||||||
|   strategy: |   strategy: | ||||||
|     type: Recreate |     type: Recreate | ||||||
|   template: |   template: | ||||||
|     metadata: |     metadata: | ||||||
|       labels: |       labels: | ||||||
|         io.kompose.service: hydra-saml-remote-user |         app.kubernetes.io/name: hydra-saml-remote-user | ||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|         - name: hydra-saml-remote-user |         - name: hydra-saml-remote-user | ||||||
|           image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-233-g64fcacc |           image: reg.cadoles.com/cadoles/hydra-remote-user-base:2023.12.11-develop.1523.5f14595 | ||||||
|           envFrom: |           envFrom: | ||||||
|             - configMapRef: |             - configMapRef: | ||||||
|                 name: hydra-saml-env |                 name: hydra-saml-env | ||||||
|           ports: |           ports: | ||||||
|             - containerPort: 80 |             - containerPort: 8080 | ||||||
|  |           command: | ||||||
|  |             - /bin/apache2-foreground | ||||||
|           resources: {} |           resources: {} | ||||||
|       restartPolicy: Always |       restartPolicy: Always | ||||||
| --- | --- | ||||||
| @@ -31,13 +33,14 @@ apiVersion: v1 | |||||||
| kind: Service | kind: Service | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra-saml-remote-user |     app.kubernetes.io/name: hydra-saml-remote-user | ||||||
|   name: hydra-saml-remote-user |   name: hydra-saml-remote-user | ||||||
| spec: | spec: | ||||||
|   ports: |   ports: | ||||||
|     - name: http |     - name: http | ||||||
|       port: 80 |       port: 80 | ||||||
|  |       targetPort: 8080 | ||||||
|   selector: |   selector: | ||||||
|     io.kompose.service: hydra-saml-remote-user |     app.kubernetes.io/name: hydra-saml-remote-user | ||||||
| status: | status: | ||||||
|   loadBalancer: {} |   loadBalancer: {} | ||||||
|   | |||||||
| @@ -2,25 +2,25 @@ apiVersion: apps/v1 | |||||||
| kind: Deployment | kind: Deployment | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra-saml-shibboleth-sp |     app.kubernetes.io/name: hydra-saml-shibboleth-sp | ||||||
|   name: hydra-saml-shibboleth-sp |   name: hydra-saml-shibboleth-sp | ||||||
| spec: | spec: | ||||||
|   replicas: 1 |   replicas: 1 | ||||||
|   selector: |   selector: | ||||||
|     matchLabels: |     matchLabels: | ||||||
|       io.kompose.service: hydra-saml-shibboleth-sp |       app.kubernetes.io/name: hydra-saml-shibboleth-sp | ||||||
|   strategy: |   strategy: | ||||||
|     type: Recreate |     type: Recreate | ||||||
|   template: |   template: | ||||||
|     metadata: |     metadata: | ||||||
|       labels: |       labels: | ||||||
|         io.kompose.service: hydra-saml-shibboleth-sp |         app.kubernetes.io/name: hydra-saml-shibboleth-sp | ||||||
|     spec: |     spec: | ||||||
|       securityContext: |       securityContext: | ||||||
|         fsGroup: 102 |         fsGroup: 102 | ||||||
|       containers: |       containers: | ||||||
|         - name: hydra-saml-shibboleth-sp |         - name: hydra-saml-shibboleth-sp | ||||||
|           image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-233-g64fcacc |           image: reg.cadoles.com/cadoles/shibboleth-sp-v3:2023.12.12-develop.1039.49b85e1 | ||||||
|           envFrom: |           envFrom: | ||||||
|             - configMapRef: |             - configMapRef: | ||||||
|                 name: hydra-saml-env |                 name: hydra-saml-env | ||||||
| @@ -41,14 +41,14 @@ apiVersion: v1 | |||||||
| kind: Service | kind: Service | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra-saml |     app.kubernetes.io/name: hydra-saml | ||||||
|   name: hydra-saml |   name: hydra-saml | ||||||
| spec: | spec: | ||||||
|   ports: |   ports: | ||||||
|     - name: http |     - name: http | ||||||
|       port: 80 |       port: 80 | ||||||
|   selector: |   selector: | ||||||
|     io.kompose.service: hydra-saml-shibboleth-sp |     app.kubernetes.io/name: hydra-saml-shibboleth-sp | ||||||
| status: | status: | ||||||
|   loadBalancer: {} |   loadBalancer: {} | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
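--- a/components/hydra-sql/files/03_base.ini
+++ b/components/hydra-sql/files/03_base.ini
@@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}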
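Review bot: `opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}` and `opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}` have no fallback: PHP's ini `${VAR}` expansion has no default-value syntax, so an overlay that forgets to set either variable gets an empty value, which as far as I can tell PHP treats as 0 (timestamp validation silently off). The hydra-sql deployment in this commit sets both to "0", so the only gap today is that the coupling is undocumented in this file. A comment above the first expansion, `; OPCACHE_* are injected from the container env (see hydra-sql-deployment.yaml); an unset variable expands to an empty string, not to PHP's built-in default`, would make that explicit for whoever reuses the ini elsewhere.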
							
								
								
									
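--- a/components/hydra-sql/files/sql_login.yaml
+++ b/components/hydra-sql/files/sql_login.yaml
@@ -0,0 +1,7 @@
+sql_login:
+  login_column_name: mail
+  password_column_name: password
+  salt_column_name: salt
+  table_name: user
+  data_to_fetch:
+  - mail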
							
								
								
									
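--- a/components/hydra-sql/kustomization.yaml
+++ b/components/hydra-sql/kustomization.yaml
@@ -0,0 +1,35 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ./resources/hydra-sql-service.yaml
+- ./resources/hydra-sql-deployment.yaml
+
+generatorOptions:
+  labels:
+     com.cadoles.forge.sso-kustom/session: redis
+
+configMapGenerator:
+- name: hydra-sql-env
+  behavior: create
+  literals:
+  - ISSUER_URL="http://localhost:8000"
+  - BASE_URL='http://localhost:8080'
+  - HYDRA_ADMIN_BASE_URL='http://hydra:4445/admin'
+  - APP_LOCALES="fr,en"
+  - HASH_ALGO_LEGACY="sha256, bcrypt"
+  - SECURITY_PATTERN="password,salt,pepper"
+  - DSN_REMOTE_DATABASE="pgsql:host='postgres';port=5432;dbname=lasql"
+  - DB_USER="makeMeASecret"
+  - DB_PASSWORD="makeMeASecret"
+  - REDIS_DSN="redis://redis:6379"
+  - PEPPER="MakeMeABigSecret"
+  - ALTCHA_HOST=http://altcha:3333
+  - ALTCHA_BASE_URL=/altcha
+  - ALTCHA_ENABLED=true
+- name: sql-login-config
+  files:
+  - ./files/sql_login.yaml
+- name: hydra-sql-php-ini
+  files:
+  - ./files/03_base.ini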
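Review bot: `DB_USER`, `DB_PASSWORD` and `PEPPER` are generated into a ConfigMap (`hydra-sql-env`), so anyone with ConfigMap read access in the namespace obtains the remote database credentials and the password pepper, and the values are shown in clear text by `kubectl describe` and in every GitOps diff. They belong in a `secretGenerator` referenced through a `secretRef` from the deployment, with only the non-sensitive settings left in `hydra-sql-env`; an overlay can then override the Secret with a `replace` patch the same way the redis component patches `REDIS_DSN`. The placeholder values `makeMeASecret`/`MakeMeABigSecret` also deserve a comment saying they must be overridden, since a build that forgets will run with a pepper that is public in this repository.
```yaml
configMapGenerator:
- name: hydra-sql-env
  behavior: create
  literals:
  # … unchanged: non-sensitive literals (ISSUER_URL … ALTCHA_ENABLED), without DB_USER/DB_PASSWORD/PEPPER …

secretGenerator:
- name: hydra-sql-secrets
  behavior: create
  literals:
  # placeholders from the original ConfigMap - every overlay must override them
  - DB_USER="makeMeASecret"
  - DB_PASSWORD="makeMeASecret"
  - PEPPER="MakeMeABigSecret"
```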
							
								
								
									
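--- a/components/hydra-sql/resources/hydra-sql-deployment.yaml
+++ b/components/hydra-sql/resources/hydra-sql-deployment.yaml
@@ -0,0 +1,122 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: hydra-sql
+  name: hydra-sql
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: hydra-sql
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: hydra-sql
+    spec:
+      containers:
+      - name: hydra-sql-fpm
+        image: reg.cadoles.com/cadoles/hydra-sql-base:2025.3.7-develop.1415.7239d84
+        imagePullPolicy: IfNotPresent
+        args: ["/usr/sbin/php-fpm81", "-F", "-e"]
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - test -f /etc/php81/php-fpm.d/www.conf
+        livenessProbe:
+          exec:
+            command:
+            - php
+            - bin/console
+            - -V
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
+        envFrom:
+        - configMapRef:
+            name: hydra-sql-env
+        env:
+        - name: PHP_FPM_LISTEN
+          value: 127.0.0.1:9000
+        - name: PHP_MEMORY_LIMIT
+          value: 128m
+        - name: PHP_FPM_MEMORY_LIMIT
+          value: 128m
+        - name: PHP_FPM_LOG_LEVEL
+          value: warning
+        - name: OPCACHE_VALIDATE_TIMESTAMP
+          value: "0"
+        - name: OPCACHE_REVALIDATE_FREQ
+          value: "0"
+        volumeMounts:
+        - name: sql-login-config
+          mountPath: "/app/config/sql_login_configuration/sql_login.yaml"
+          subPath: "sql_login.yaml"
+        - name: hydra-sql-php-ini
+          mountPath: /etc/php81/conf.d/03_base.ini
+          subPath: 03_base.ini
+
+      - name: hydra-sql-caddy
+        image: reg.cadoles.com/cadoles/hydra-sql-base:2025.3.7-develop.1415.7239d84
+        imagePullPolicy: IfNotPresent
+        args: ["/usr/sbin/caddy", "run", "--adapter", "caddyfile", "--config", "/etc/caddy/Caddyfile"]
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          initialDelaySeconds: 15
+          timeoutSeconds: 5
+          periodSeconds: 15
+        envFrom:
+        - configMapRef:
+            name: hydra-sql-env
+        env:
+        - name: CADDY_APP_UPSTREAM_BACKEND_SERVER
+          value: 127.0.0.1:9000
+        - name: CADDY_HTTPS_PORT
+          value: "8443"
+        - name: CADDY_HTTP_PORT
+          value: "8080"
+        - name: CADDY_DATA_FS
+          value: "/tmp/caddy"
+        - name: CADDY_APP_ROOT_PUBLIC
+          value: "/app/public/"
+        resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
+        ports:
+        - containerPort: 8080
+          name: http
+        volumeMounts:
+        - name: sql-login-config
+          mountPath: "/app/config/sql_login_configuration/sql_login.yaml"
+          subPath: "sql_login.yaml"
+      volumes:
+      - name: sql-login-config
+        configMap:
+          name: sql-login-config
+      - name: hydra-sql-php-ini
+        configMap:
+          name: hydra-sql-php-ini
+
+      restartPolicy: Always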
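Review bot: The `hydra-sql-caddy` container receives `envFrom: hydra-sql-env` and the `sql-login-config` mount although it only proxies to `127.0.0.1:9000`; with the current kustomization that hands the reverse proxy the database credentials and `PEPPER`, which it never uses, so dropping that `envFrom` and `volumeMounts` from the caddy container is a cheap least-privilege win (the `CADDY_*` values it does need are already given under `env`). Both containers set `runAsNonRoot`/`runAsUser` but neither disables privilege escalation or drops capabilities, and nothing in the hunk binds a port below 1024 (8080/8443/9000), so the stricter settings below should be safe; the fpm readiness probe `test -f /etc/php81/php-fpm.d/www.conf` also passes as soon as the file exists, before php-fpm listens, so readiness may be reported early - a probe against the fpm socket would be more faithful, though that depends on what the image provides. `resources: {}` on both containers leaves the pod at BestEffort QoS, which matters for a login service that shares a node with others.
```yaml
        securityContext:
          runAsNonRoot: true
          runAsGroup: 1000
          runAsUser: 1000
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: rest of each container; same block for hydra-sql-caddy, minus its envFrom/volumeMounts …
```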
							
								
								
									
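--- a/components/hydra-sql/resources/hydra-sql-service.yaml
+++ b/components/hydra-sql/resources/hydra-sql-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: hydra-sql
+  name: hydra-sql
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: http
+  selector:
+    app.kubernetes.io/name: hydra-sql
+status:
+  loadBalancer: {}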
							
								
								
									
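--- a/components/oidc-test/kustomization.yaml
+++ b/components/oidc-test/kustomization.yaml
@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ./resources/deployment.yaml
+  - ./resources/service.yaml
+  - ./resources/oauth2-client.yaml
+
+configMapGenerator:
+  - name: oidc-test-env
+    literals:
+      - LOG_LEVEL=0
+      - HTTP_ADDRESS=0.0.0.0:8080
+      - OIDC_CLIENT_ID=oidc-test
+      - OIDC_CLIENT_SECRET=NotSoSecret
+      - OIDC_ISSUER_URL=http://hydra:4444
+      - OIDC_REDIRECT_URL=https://example.net/oauth2/callback
+      - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net
+      - OIDC_SKIP_ISSUER_VERIFICATION="true"
+      - OIDC_SCOPES="openid profile"
+      - OIDC_INSECURE_SKIP_VERIFY="true"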
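Review bot: `OIDC_CLIENT_ID=oidc-test` and `OIDC_CLIENT_SECRET=NotSoSecret` are dead configuration: the deployment in this commit sets both names under `env` from the `oidc-test-oauth2-client` Secret, and container `env` entries take precedence over `envFrom`, yet the literal still lands in the ConfigMap where it reads like a real credential. Removing those two literals keeps the Secret as the single source and avoids someone later "fixing" the ConfigMap value. `OIDC_SKIP_ISSUER_VERIFICATION="true"` and `OIDC_INSECURE_SKIP_VERIFY="true"` turn off issuer and TLS verification, which is understandable for the plain `http://hydra:4444` in-cluster issuer but should carry a comment such as `# test-only: disables issuer/TLS checks for the in-cluster http issuer; do not copy into a real overlay` so the pair is not reused by copy-paste.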
							
								
								
									
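--- a/components/oidc-test/resources/deployment.yaml
+++ b/components/oidc-test/resources/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: oidc-test
+  name: oidc-test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: oidc-test
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: oidc-test
+    spec:
+      containers:
+        - image: reg.cadoles.com/cadoles/oidc-test:2025.3.11-stable.1428.6545cb3
+          name: oidc-test
+          ports:
+            - containerPort: 8080
+          resources: {}
+          envFrom:
+            - configMapRef:
+                name: oidc-test-env
+          env:
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-test-oauth2-client
+                  key: CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-test-oauth2-client
+                  key: CLIENT_SECRET
+      restartPolicy: Always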
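Review bot: The `oidc-test` container has no `securityContext`, unlike the hydra-oidc and hydra-sql deployments in this same commit, which all set `runAsNonRoot: true` with uid/gid 1000; a component meant to be dropped into the SSO namespace should not be the one pod allowed to run as root. Adding `securityContext: {runAsNonRoot: true, runAsUser: 1000, runAsGroup: 1000}` under the container mirrors the others, assuming the `oidc-test` image works as that user (not verifiable from the hunk). The container also declares no readiness or liveness probe although it listens on 8080 and the Service routes to it, so a rolling restart is reported healthy before the process accepts connections.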
							
								
								
									
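--- a/components/oidc-test/resources/oauth2-client.yaml
+++ b/components/oidc-test/resources/oauth2-client.yaml
@@ -0,0 +1,18 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: oidc-test-oauth2-client
+spec:
+  clientName: "oidc-test"
+  tokenEndpointAuthMethod: "client_secret_basic"
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  scope: "openid email profile"
+  secretName: oidc-test-oauth2-client
+  redirectUris:
+    - https://example.net/oauth2/callback
+  postLogoutRedirectUris:
+    - https://example.net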
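Review bot: `redirectUris` and `postLogoutRedirectUris` hold the `https://example.net` placeholders that are duplicated in the ConfigMap's `OIDC_REDIRECT_URL`/`OIDC_POST_LOGOUT_REDIRECT_URL`, and Hydra rejects any `redirect_uri` that is not an exact registered match, so an overlay that patches one without the other produces a login loop that is hard to diagnose. A comment next to `redirectUris`, `# must stay identical to OIDC_REDIRECT_URL in kustomization.yaml (Hydra requires an exact match)`, documents the coupling. `scope: "openid email profile"` also authorises `email` while the client only requests `openid profile`; narrowing the registered scope to what is used keeps the client at least-privilege, unless a broader grant is intended for manual tests.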
							
								
								
									
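--- a/components/oidc-test/resources/service.yaml
+++ b/components/oidc-test/resources/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: oidc-test
+  name: oidc-test
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    app.kubernetes.io/name: oidc-test
+status:
+  loadBalancer: {}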
							
								
								
									
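--- a/components/redis/README.md
+++ b/components/redis/README.md
@@ -0,0 +1,19 @@
+# Composant `redis`
+
+### Description
+
+Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis.
+
+Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`.
+
+### Principe général de fonctionnement
+
+Un `Redis` crée une instance Redis dédiée à l'environnement SSO.
+
+### Personnalisation
+
+Un `patch` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` permet de modifier la valeur de la clé `REDIS_DSN`.
+
+| Clé         | Description          | Exemple                  |
+| ----------- | -------------------- | ------------------------ |
+| `REDIS_DSN` | DSN du cluster Redis | `redis://redis-sso:6379` |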
							
								
								
									
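--- a/components/redis/configurations/redis-conf.yaml
+++ b/components/redis/configurations/redis-conf.yaml
@@ -0,0 +1,5 @@
+nameReference:
+  - kind: ConfigMap
+    fieldSpecs:
+      - kind: Redis
+        path: spec/redisConfig/additionalRedisConfig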
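Review bot: The `fieldSpecs` entry names `kind: Redis` without a `group`, so the name-reference rewrite applies to any CRD whose kind is `Redis`, not only `redis.redis.opstreelabs.in`; adding `group: redis.redis.opstreelabs.in` next to `kind` scopes it to the operator this component actually uses. The file also has no comment saying what it is for, which matters because a reader who removes it only finds out at runtime that the hash-suffixed `redis-sso-extra-conf` ConfigMap name is no longer propagated: `# lets kustomize rewrite the hash-suffixed name of the redis-sso-extra-conf ConfigMap into the Redis CR` on the first line would do.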
							
								
								
									
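--- a/components/redis/files/redis-additional.conf
+++ b/components/redis/files/redis-additional.conf
@@ -0,0 +1,3 @@
+maxmemory-policy allkeys-lru
+maxmemory 1536mb
+tcp-keepalive 90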
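Review bot: `maxmemory-policy allkeys-lru` on an instance that, per the README in this commit, stores the SSO user sessions means that once `maxmemory 1536mb` is reached Redis evicts live sessions and users are logged out with no error anywhere; for a session store `volatile-lru` (only keys carrying a TTL, which session keys normally do - to be confirmed against the hydra-* apps) or `noeviction` plus a memory alert fails more visibly. The 1536mb figure is also tied to the 2048Mi container limit in `redis-sso.yaml`, so a one-line comment `# keep below the memory limit in resources/redis-sso.yaml` prevents the two drifting apart when one is tuned.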
							
								
								
									
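--- a/components/redis/kustomization.yaml
+++ b/components/redis/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configurations:
+  - ./configurations/redis-conf.yaml
+
+resources:
+  - ./resources/redis-sso.yaml
+
+configMapGenerator:
+- name: redis-sso-extra-conf
+  files:
+    - ./files/redis-additional.conf
+
+patches:
+  - path: ./patches/hydra-apps.yaml
+    target:
+      kind: ConfigMap
+      labelSelector: "com.cadoles.forge.sso-kustom/session=redis"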
							
								
								
									
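--- a/components/redis/patches/hydra-apps.yaml
+++ b/components/redis/patches/hydra-apps.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: "/data/REDIS_DSN"
+  value: "redis://redis-sso:6379"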
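Review bot: `op: replace` on `/data/REDIS_DSN` makes the kustomize build fail for any ConfigMap carrying the `com.cadoles.forge.sso-kustom/session=redis` label that does not already define `REDIS_DSN` (JSON Patch `replace` requires the path to exist); that is a reasonable fail-loud contract, but it is not written down, and the `hydra-sql-env` generator in this commit only satisfies it because it happens to ship a placeholder `REDIS_DSN` literal. A comment at the top, `# replace (not add): every ConfigMap labelled session=redis must declare REDIS_DSN itself, otherwise the build fails on purpose`, records the intent. The value has no credential, which is consistent with the `redis-sso` resource configuring none - worth revisiting together with that resource.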
							
								
								
									
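--- a/components/redis/resources/redis-sso.yaml
+++ b/components/redis/resources/redis-sso.yaml
@@ -0,0 +1,27 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta1
+kind: Redis
+metadata:
+  name: redis-sso
+spec:
+  kubernetesConfig:
+    image: reg.cadoles.com/quay/opstree/redis:v7.0.15
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 500m
+        memory: 1024Mi
+      limits:
+        cpu: 2000m
+        memory: 2048Mi
+  redisConfig:
+    additionalRedisConfig: redis-sso-extra-conf
+  storage:
+    volumeClaimTemplate:
+      spec:
+        # storageClassName: standard
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  securityContext:
+    runAsUser: 1000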
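Review bot: The `redis-sso` instance is created without any authentication (no password secret in `kubernetesConfig`, and the `redis://redis-sso:6379` DSN patched into the apps carries no credential), while the README in this commit states it holds the SSO user sessions; any workload that can open a connection to `redis-sso:6379` in the cluster can therefore read or rewrite live sessions. The opstree operator can take the Redis password from a Secret referenced under `kubernetesConfig` (exact field name to be checked against the operator version deployed), and the DSN patch would then carry the credential from the same Secret; a `NetworkPolicy` restricting ingress on 6379 to the hydra-* pods is the complementary control. Separately, `securityContext` sets `runAsUser: 1000` without an `fsGroup`, so whether uid 1000 can write the PVC depends on the storage class - worth a comment, since `storageClassName` is left commented out.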
| @@ -1 +0,0 @@ | |||||||
| # Documentation |  | ||||||
| @@ -1,6 +1,6 @@ | |||||||
| # Exemple: Déploiement d'une application authentifiée avec la stack SSO | # Exemple: Déploiement d'une application authentifiée avec la stack SSO | ||||||
|  |  | ||||||
| L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. | L'exemple est actuellement déployé avec le composant `hydra-ldap` uniquement. | ||||||
|  |  | ||||||
| ## Procédure | ## Procédure | ||||||
|  |  | ||||||
| @@ -8,37 +8,40 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. | |||||||
|  |  | ||||||
| 1. Créer un cluster avec `kind` | 1. Créer un cluster avec `kind` | ||||||
|  |  | ||||||
|     ``` |    ``` | ||||||
|     kind create cluster --config ./examples/k8s/kind/cluster-config.yaml |    kind create cluster --config ./examples/k8s/kind/cluster-config.yaml | ||||||
|     ``` |    ``` | ||||||
|  |  | ||||||
| 2. Déployer les opérateurs nécessaires au déploiement | 2. Déployer les opérateurs nécessaires au déploiement | ||||||
|  |  | ||||||
|     ``` |  | ||||||
|     kubectl kustomize --enable-helm ./examples/k8s/kind/cluster | kubectl apply -f - |  | ||||||
|     ``` |  | ||||||
|  |  | ||||||
| 3. Déployer l'application |  | ||||||
|  |  | ||||||
|     ``` |  | ||||||
|     kubectl apply -k ./examples/authenticated-app |  | ||||||
|     ``` |  | ||||||
|  |  | ||||||
|    **Note** Il est possible d'avoir l'erreur suivante: |  | ||||||
|  |  | ||||||
|    ``` |    ``` | ||||||
|    error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1" |    kubectl apply  -k ./examples/k8s/kind/cluster --server-side | ||||||
|    ``` |    ``` | ||||||
|  |  | ||||||
|    Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande. |    > Si une erreur du type `ensure CRDs are installed first` s'affiche, relancer la commande. | ||||||
|  |  | ||||||
| 4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts` | 3. Attendre que l'opérateur Redis soit opérationnel puis patcher le `ClusterRole` de celui ci (cf. https://github.com/OT-CONTAINER-KIT/redis-operator/issues/526): | ||||||
|  |  | ||||||
|     ``` |    ```bash | ||||||
|     127.0.0.1 ssokustom |    kubectl wait -n operators --timeout 10m --for=jsonpath=".status.state"=AtLatestKnown subscription my-redis-operator | ||||||
|     ``` |    # On attend quelques secondes supplémentaires pour s'assurer que l'opérateur a réellement démarré | ||||||
|  |    sleep 30 | ||||||
|  |    kubectl patch clusterroles.rbac.authorization.k8s.io $(kubectl get clusterrole | awk '/redis-operator/ {print $1}') --patch-file examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml | ||||||
|  |    ``` | ||||||
|  |  | ||||||
| 5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom | 4. Déployer l'application | ||||||
|  |  | ||||||
|  |    ``` | ||||||
|  |    kubectl apply -k ./examples/authenticated-app | ||||||
|  |    ``` | ||||||
|  |  | ||||||
|  | 5. Ajouter l'entrée suivante dans votre fichier `/etc/hosts` | ||||||
|  |  | ||||||
|  |    ``` | ||||||
|  |    127.0.0.1 ssokustom | ||||||
|  |    ``` | ||||||
|  |  | ||||||
|  | 6. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom | ||||||
|  |  | ||||||
| #### Supprimer le cluster | #### Supprimer le cluster | ||||||
|  |  | ||||||
| @@ -48,14 +51,15 @@ kind delete cluster -n sso-kustom-example | |||||||
|  |  | ||||||
| ## Authentification | ## Authentification | ||||||
|  |  | ||||||
| ### SAML | ### LDAP | ||||||
|  |  | ||||||
| - Utilisateur: `user1` | #### Comptes par défaut | ||||||
| - Mot de passe `user1pass` |  | ||||||
|  |  | ||||||
| #### URL utiles | 1. `jdoe` / `jdoe` | ||||||
|  | 2. `jdoe2` / `jdoe` | ||||||
|  | 3. `siret1` / `siret` | ||||||
|  | 4. `siret2` / `siret` | ||||||
|  |  | ||||||
| |URL|Description| | #### Gestion des comptes | ||||||
| |---|-----------| |  | ||||||
| |https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth| | Les comptes LDAP sont définis dans le fichier [`./files/glauth.conf`](./files/glauth.conf) | ||||||
| |https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth| |  | ||||||
|   | |||||||
							
								
								
									
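--- a/examples/authenticated-app/files/glauth.conf
+++ b/examples/authenticated-app/files/glauth.conf
@@ -0,0 +1,83 @@
+debug = true
+
+[ldap]
+  enabled = true
+  listen = "0.0.0.0:3893"
+  tls = false
+
+[ldaps]
+  enabled = false
+
+[behaviors]
+  IgnoreCapabilities = true
+
+[backend]
+  datastore = "config"
+  baseDN = "dc=glauth,dc=com"
+
+[[users]]
+  uid = "serviceuser"
+  name = "serviceuser"
+  mail = "serviceuser@example.com"
+  uidnumber = 5001
+  primarygroup = 5502
+  # use echo -n "mysecret" | openssl dgst -sha256
+  passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret
+    [[users.capabilities]]
+    action = "search"
+    object = "*"
+
+[[users]]
+  uid = "jdoe"
+  name = "jdoe"
+  uidnumber = 5002
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe"
+  mail = "jdoe@example.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+    [[users.customattributes]]
+    employeetype = ["Intern", "Temp"]
+    employeenumber = [12345, 54321]
+
+[[users]]
+  uid = "jdoe2"
+  name = "jdoe2"
+  uidnumber = 5003
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe2"
+  mail = "jdoe2@jdoe2.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+
+[[users]]
+  uid = "siret1"
+  name = "siret1"
+  uidnumber = 5004
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret1@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0001"]
+
+[[users]]
+  uid = "siret2"
+  name = "siret2"
+  uidnumber = 5005
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret2@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0002"]
+
+[[groups]]
+  name = "users"
+  gidnumber = 5501
+
+[[groups]]
+  name = "svcaccts"
+  gidnumber = 5502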
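Review bot: The listener is configured with `tls = false` and `[ldaps] enabled = false`, so the bind password werther sends and every user password submitted at login cross the cluster network in clear text; that is acceptable for a kind demo but the file should say so, e.g. `# demo only: plaintext LDAP, enable [ldaps] and tls = true outside kind` above the `[ldap]` table. `passsha256` is an unsalted SHA-256 of a short dictionary word for every account (the comment on the serviceuser even spells out the recipe), so this file must not be copied into a real deployment as is. `debug = true` presumably raises log verbosity as well and deserves the same demo-only marker.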
							
								
								
									
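--- a/examples/authenticated-app/files/hydra-dispatcher-apps.yaml
+++ b/examples/authenticated-app/files/hydra-dispatcher-apps.yaml
@@ -0,0 +1,31 @@
+hydra:
+  apps:
+    - id: ldap
+      title:
+        fr: Connexion LDAP
+        en: Login LDAP
+      description:
+        fr: Authentification avec LDAP
+        en: Authentication with LDAP
+      login_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGIN_URL)%"
+      consent_url: "%env(string:HYDRA_DISPATCHER_LDAP_CONSENT_URL)%"
+      logout_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGOUT_URL)%"
+      attributes_rewrite_configuration:
+        siret:
+          rules:
+            - "property_exists(consent.session.id_token, 'siret') ?  consent.session.id_token.siret : null"
+            - "value ?: ( consent.session.id_token.email matches '/.*@example.com$/' ? '0000' : null )"
+            - "value ?: ( consent.session.id_token.email matches '/.*@jdoe.com$/' ? '0001' : null )"
+        family_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
+        given_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
+        email:
+          rules:
+            - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+  webhook:
+    enabled: false
+  webhook_post_login:
+    enabled: false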
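Review bot: The `siret` rewrite rules assign an authorization-relevant attribute from the e-mail domain with unescaped regexes — in `'/.*@example.com$/'` the `.` matches any character, so an address ending in `@exampleXcom` would also receive `0000`; `'/@example\\.com$/'` (doubled backslash because the rule sits in a YAML double-quoted string) is the intended form, and the same applies to the `@jdoe.com` rule. This is only safe while the `email` claim comes from an admin-controlled directory, as it does with glauth here; a comment next to `siret:` such as `# email-domain fallback: relies on the IdP controlling the email attribute` would stop the rule being reused with a user-editable e-mail. The `@jdoe.com` branch also matches no account in `glauth.conf` (jdoe2 uses `@jdoe2.com`), so it is exercised by none of the example logins.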
| @@ -2,19 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1 | |||||||
| kind: Kustomization | kind: Kustomization | ||||||
|  |  | ||||||
| resources: | resources: | ||||||
|   - ../../resources/hydra |   - ../../overlays/base | ||||||
|   - ../../resources/hydra-dispatcher |  | ||||||
|   - ./resources/app.yaml |  | ||||||
|   - ./resources/ingress.yaml |   - ./resources/ingress.yaml | ||||||
|   - ./resources/oauth2-client.yaml |   - ./resources/glauth-ldap.yaml | ||||||
|   - ./resources/saml-idp.yaml |  | ||||||
|   - ./resources/self-signed-issuer.yaml |   - ./resources/self-signed-issuer.yaml | ||||||
|   - ./resources/port-forwarder.yaml |   - ./resources/port-forwarder.yaml | ||||||
|  |  | ||||||
| components: | components: | ||||||
|   - ../../components/hydra-cnpg-database |   - ../../components/hydra-cnpg-database | ||||||
|   #- ../../components/hydra-oidc |   - ../../components/hydra-ldap | ||||||
|   - ../../components/hydra-saml |   - ../../components/oidc-test | ||||||
|  |   - ../../components/redis | ||||||
|  |   - ../../components/hydra-cleaner | ||||||
|  |  | ||||||
| patchesJson6902: | patchesJson6902: | ||||||
|   - target: |   - target: | ||||||
| @@ -30,10 +30,44 @@ patchesJson6902: | |||||||
|   - target: |   - target: | ||||||
|       version: v1 |       version: v1 | ||||||
|       kind: ConfigMap |       kind: ConfigMap | ||||||
|       name: hydra-saml-env |       name: hydra-ldap-env | ||||||
|     path: patches/hydra-saml-env.yaml |     path: patches/hydra-ldap-env.yaml | ||||||
|  |   - target: | ||||||
|  |       version: v1 | ||||||
|  |       kind: Secret | ||||||
|  |       name: hydra-ldap-sc | ||||||
|  |     path: patches/hydra-ldap-sc.yaml | ||||||
|   - target: |   - target: | ||||||
|       version: v1 |       version: v1 | ||||||
|       kind: Secret |       kind: Secret | ||||||
|       name: hydra-secret |       name: hydra-secret | ||||||
|     path: patches/hydra-secret.yaml |     path: patches/hydra-secret.yaml | ||||||
|  |   - target: | ||||||
|  |       version: v1 | ||||||
|  |       kind: ConfigMap | ||||||
|  |       name: oidc-test-env | ||||||
|  |     path: patches/oidc-test.yaml | ||||||
|  |   - target: | ||||||
|  |       version: v1alpha1 | ||||||
|  |       kind: OAuth2Client | ||||||
|  |       name: oidc-test-oauth2-client | ||||||
|  |     path: patches/oidc-test-oauth2-client.yaml | ||||||
|  |   - target: | ||||||
|  |       version: v1 | ||||||
|  |       kind: ConfigMap | ||||||
|  |       name: hydra-cleaner-env | ||||||
|  |     path: patches/hydra-cleaner-env.yaml | ||||||
|  |   - target: | ||||||
|  |       version: v1 | ||||||
|  |       kind: CronJob | ||||||
|  |       name: hydra-cleaner | ||||||
|  |     path: patches/hydra-cleaner.yaml | ||||||
|  |  | ||||||
|  | configMapGenerator: | ||||||
|  |   - name: hydra-dispatcher-apps | ||||||
|  |     behavior: replace | ||||||
|  |     files: | ||||||
|  |       - ./files/hydra-dispatcher-apps.yaml | ||||||
|  |   - name: glauth-ldap-conf | ||||||
|  |     files: | ||||||
|  |       - ./files/glauth.conf | ||||||
|   | |||||||
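Review bot: `glauth.conf` is fed through `configMapGenerator` (the `glauth-ldap-conf` entry at the end of the hunk) although it carries the service-account and user password hashes, so the credential material lands in a ConfigMap rather than a Secret, unlike the bind password, which this same kustomization patches into the `hydra-ldap-sc` Secret. A `secretGenerator` entry with the same `files:` list, paired with `secret:` instead of `configMap:` in the glauth-ldap Deployment volume (a change in `resources/glauth-ldap.yaml`, outside this hunk), keeps the two kinds apart. If the ConfigMap is a deliberate simplification for the kind demo, a one-line comment above the entry saying so is the minimum.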
| @@ -0,0 +1,9 @@ | |||||||
|  | - op: replace | ||||||
|  |   path: "/data/RETENTION_HOURS" | ||||||
|  |   value: "1" # 1 HOUR | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/BATCH_SIZE" | ||||||
|  |   value: "100" | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/LIMIT" | ||||||
|  |   value: "1000" | ||||||
							
								
								
									
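--- a/examples/authenticated-app/patches/hydra-cleaner.yaml
+++ b/examples/authenticated-app/patches/hydra-cleaner.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: "/spec/schedule"
+  value: "* * * * *"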
| @@ -1,3 +1,9 @@ | |||||||
|  | - op: replace | ||||||
|  |   path: "/data/APP_ENV" | ||||||
|  |   value: dev | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/APP_DEBUG" | ||||||
|  |   value: "true" | ||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_BASE_URL" |   path: "/data/HYDRA_BASE_URL" | ||||||
|   value: http://hydra:4444 |   value: http://hydra:4444 | ||||||
| @@ -17,14 +23,13 @@ | |||||||
|   path: "/data/COOKIE_PATH" |   path: "/data/COOKIE_PATH" | ||||||
|   value: /auth/dispatcher |   value: /auth/dispatcher | ||||||
|  |  | ||||||
| # Hydra SAML configuration | # Hydra LDAP configuration | ||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL" |   path: "/data/HYDRA_DISPATCHER_LDAP_LOGIN_URL" | ||||||
|   value: https://ssokustom/auth/saml/login |   value: https://ssokustom/auth/ldap/auth/login | ||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL" |   path: "/data/HYDRA_DISPATCHER_LDAP_CONSENT_URL" | ||||||
|   value: https://ssokustom/auth/saml/consent |   value: https://ssokustom/auth/ldap/auth/consent | ||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL" |   path: "/data/HYDRA_DISPATCHER_LDAP_LOGOUT_URL" | ||||||
|   value: https://ssokustom/auth/saml/logout |   value: https://ssokustom/auth/ldap/auth/logout | ||||||
|    |  | ||||||
|   | |||||||
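Review bot: `APP_DEBUG: "true"` together with `APP_ENV: dev` at the top of the hunk switches the dispatcher into debug mode (presumably Symfony-style, given the `%env()%` syntax used in `hydra-dispatcher-apps.yaml`), which typically exposes stack traces and configuration in error pages; since the README presents this overlay as reachable over HTTPS at `ssokustom`, a comment such as `# kind-only: debug output must stay off in shared environments` above these two entries would keep them from being copied forward. The remaining lines are a consistent SAML-to-LDAP rename of the dispatcher URLs.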
| @@ -13,3 +13,12 @@ | |||||||
| - op: replace | - op: replace | ||||||
|   path: "/data/HYDRA_SERVE_ALL_ARGS" |   path: "/data/HYDRA_SERVE_ALL_ARGS" | ||||||
|   value: "--dev" |   value: "--dev" | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/SERVE_COOKIES_SAME_SITE_MODE" | ||||||
|  |   value: "Lax" | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND" | ||||||
|  |   value: "true" | ||||||
|  | - op: replace | ||||||
|  |   path: "/data/SERVE_COOKIES_DOMAIN" | ||||||
|  |   value: "ssokustom" | ||||||
|   | |||||||
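Review bot: `SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND: "true"` makes Hydra issue a fallback cookie without a SameSite attribute for older user agents, which partly undoes the `Lax` setting added just above it; if it is needed only for the kind setup, a comment (`# legacy SameSite fallback: needed for <reason>, drop once unneeded`) would keep it from being copied into real overlays. `SERVE_COOKIES_DOMAIN: "ssokustom"` is harmless with a single host but, once a real domain replaces it, the explicit Domain attribute makes the session cookies visible to every subdomain.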
							
								
								
									
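--- a/examples/authenticated-app/patches/hydra-ldap-env.yaml
+++ b/examples/authenticated-app/patches/hydra-ldap-env.yaml
@@ -0,0 +1,55 @@
+- op: replace
+  path: "/data/WERTHER_DEV_MODE"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_WEB_BASE_PATH"
+  value: "/auth/ldap/"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_HYDRA_URL"
+  value: "http://hydra-dispatcher"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ENDPOINTS"
+  value: "glauth-ldap:389"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BASEDN"
+  value: "dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ROLE_BASEDN"
+  value: "ou=groups,dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_CLAIM_SCOPES"
+  value: "uid:profile,name:profile,family_name:profile,given_name:profile,email:profile,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_INSECURE_SKIP_VERIFY"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_IS_TLS"
+  value: "false"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ATTR_CLAIMS"
+  value: "name:name,sn:family_name,givenName:given_name,mail:email,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_CONNECTION_TIMEOUT"
+  value: "30s"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_USER_SEARCH_QUERY"
+  value: "(&(objectClass=*)(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_ACR"
+  value: "eidas1"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_AMR"
+  value: "pwd"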
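Review bot: `WERTHER_IDENTP_ACR` is set to `eidas1` while `WERTHER_IDENTP_AMR` is `pwd` and the directory behind it is a plaintext demo LDAP, so every ID token will carry an eIDAS "low" `acr` claim that a relying party may act on; unless the example deliberately exercises that claim, a comment such as `# demo value: acr must reflect the real assurance level of the login` or a neutral value is warranted. `WERTHER_INSECURE_SKIP_VERIFY: "true"` and `WERTHER_LDAP_IS_TLS: "false"` match the glauth configuration but deserve the same kind-only marker. The user search filter substitutes the submitted login name into `(uid=%[1]s)(mail=%[1]s)...`; whether werther escapes that value per RFC 4515 before substitution is not visible here and should be confirmed before the filter is reused against a directory with sensitive entries.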
							
								
								
									
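--- a/examples/authenticated-app/patches/hydra-ldap-sc.yaml
+++ b/examples/authenticated-app/patches/hydra-ldap-sc.yaml
@@ -0,0 +1,7 @@
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDDN"
+  value: "Y249c2VydmljZXVzZXIsb3U9c3ZjYWNjdHMsb3U9dXNlcnMsZGM9Z2xhdXRoLGRjPWNvbQ==" # cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDPW"
+  value: "bXlzZWNyZXQ=" # mysecret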
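Review bot: The base64 in `WERTHER_LDAP_BINDPW` is encoding, not protection, and the trailing comment decodes it to the same `mysecret` whose SHA-256 is committed in `glauth.conf`, so the bind credential now lives in git in two coupled places. For a kind example that is acceptable, but a header comment `# demo credentials, paired with files/glauth.conf (serviceuser); rotate both together` would make the coupling explicit and steer real deployments toward an external secret source. The `ou=users` component in the decoded bind DN should also be checked against the DN form glauth actually builds from `primarygroup`, since a mismatch only surfaces as a failed bind at runtime.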
| @@ -1,43 +0,0 @@ | |||||||
| - op: replace |  | ||||||
|   path: "/data/HTTP_BASE_URL" |  | ||||||
|   value: https://ssokustom/auth/saml |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/COOKIE_PATH" |  | ||||||
|   value: /auth/saml |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/HYDRA_ADMIN_BASE_URL" |  | ||||||
|   value: http://hydra-dispatcher |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/LOGOUT_REDIRECT_URL_PATTERN" |  | ||||||
|   value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/PATH_PREFIX" |  | ||||||
|   value: "/auth/saml" |  | ||||||
|  |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_ENTITY_ID" |  | ||||||
|   value: https://ssokustom/auth/saml |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/IDP_ENTITY_ID" |  | ||||||
|   value: https://ssokustom/simplesaml/saml2/idp/metadata.php |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/IDP_METADATA_URL" |  | ||||||
|   value: https://ssokustom/simplesaml/saml2/idp/metadata.php |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/APACHE_FORCE_HTTPS" |  | ||||||
|   value: "true" |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_HANDLER_BASE_PATH" |  | ||||||
|   value: "/auth/saml" |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_LOG_LEVEL" |  | ||||||
|   value: DEBUG |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_SESSIONS_REDIRECT_LIMIT" |  | ||||||
|   value: none |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_SESSIONS_REDIRECT_ALLOW" |  | ||||||
|   value: https://ssokustom |  | ||||||
| - op: replace |  | ||||||
|   path: "/data/SP_SESSIONS_COOKIE_PROPS" |  | ||||||
|   value: https |  | ||||||
| @@ -0,0 +1,9 @@ | |||||||
|  | - op: replace | ||||||
|  |   path: "/spec/redirectUris/0" | ||||||
|  |   value: https://ssokustom/oauth2/callback | ||||||
|  | - op: replace | ||||||
|  |   path: "/spec/postLogoutRedirectUris/0" | ||||||
|  |   value: https://ssokustom | ||||||
|  | - op: replace | ||||||
|  |   path: "/spec/scope" | ||||||
|  |   value: "openid profile roles siret" | ||||||
							
								
								
									
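--- a/examples/authenticated-app/patches/oidc-test.yaml
+++ b/examples/authenticated-app/patches/oidc-test.yaml
@@ -0,0 +1,9 @@
+- op: replace
+  path: "/data/OIDC_REDIRECT_URL"
+  value: https://ssokustom/oauth2/callback
+- op: replace
+  path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL"
+  value: https://ssokustom
+- op: replace
+  path: "/data/OIDC_SCOPES"
+  value: "openid profile roles siret"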
| @@ -1,66 +0,0 @@ | |||||||
| apiVersion: apps/v1 |  | ||||||
| kind: Deployment |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     io.kompose.service: app |  | ||||||
|   name: app |  | ||||||
| spec: |  | ||||||
|   replicas: 1 |  | ||||||
|   selector: |  | ||||||
|     matchLabels: |  | ||||||
|       io.kompose.service: app |  | ||||||
|   strategy: |  | ||||||
|     type: Recreate |  | ||||||
|   template: |  | ||||||
|     metadata: |  | ||||||
|       labels: |  | ||||||
|         io.kompose.service: app |  | ||||||
|     spec: |  | ||||||
|       containers: |  | ||||||
|         - image: reg.cadoles.com/cadoles/oidc-test:2023.11.6-stable.1557.e16b905 |  | ||||||
|           name: app |  | ||||||
|           ports: |  | ||||||
|             - containerPort: 8080 |  | ||||||
|           resources: {} |  | ||||||
|           env: |  | ||||||
|             - name: LOG_LEVEL |  | ||||||
|               value: "0" |  | ||||||
|             - name: HTTP_ADDRESS |  | ||||||
|               value: 0.0.0.0:8080 |  | ||||||
|             - name: OIDC_CLIENT_ID |  | ||||||
|               valueFrom: |  | ||||||
|                 secretKeyRef: |  | ||||||
|                   name: app-oidc-secret |  | ||||||
|                   key: client_id |  | ||||||
|             - name: OIDC_CLIENT_SECRET |  | ||||||
|               valueFrom: |  | ||||||
|                 secretKeyRef: |  | ||||||
|                   name: app-oidc-secret |  | ||||||
|                   key: client_secret |  | ||||||
|             - name: OIDC_ISSUER_URL |  | ||||||
|               value: http://hydra:4444 |  | ||||||
|             - name: OIDC_REDIRECT_URL |  | ||||||
|               value: https://ssokustom/oauth2/callback |  | ||||||
|             - name: OIDC_POST_LOGOUT_REDIRECT_URL |  | ||||||
|               value: https://ssokustom |  | ||||||
|             - name: OIDC_SKIP_ISSUER_VERIFICATION |  | ||||||
|               value: "true" |  | ||||||
|             - name: OIDC_INSECURE_SKIP_VERIFY |  | ||||||
|               value: "true" |  | ||||||
|       restartPolicy: Always |  | ||||||
| --- |  | ||||||
| apiVersion: v1 |  | ||||||
| kind: Service |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     io.kompose.service: app |  | ||||||
|   name: app |  | ||||||
| spec: |  | ||||||
|   ports: |  | ||||||
|     - name: http |  | ||||||
|       port: 8080 |  | ||||||
|       targetPort: 8080 |  | ||||||
|   selector: |  | ||||||
|     io.kompose.service: app |  | ||||||
| status: |  | ||||||
|   loadBalancer: {} |  | ||||||
							
								
								
									
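--- a/examples/authenticated-app/resources/glauth-ldap.yaml
+++ b/examples/authenticated-app/resources/glauth-ldap.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: glauth-ldap
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: glauth-ldap
+    spec:
+      containers:
+        - image: glauth/glauth:v2.3.2
+          name: glauth-ldap
+          ports:
+            - containerPort: 3893
+              name: ldap
+            - containerPort: 3894
+              name: ldaps
+          resources: {}
+          volumeMounts:
+            - name: glauth-ldap-conf
+              mountPath: /app/config/config.cfg
+              subPath: glauth.conf
+      restartPolicy: Always
+      volumes:
+        - name: glauth-ldap-conf
+          configMap:
+            name: glauth-ldap-conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  ports:
+    - name: ldap
+      port: 389
+      targetPort: ldap
+    - name: ldaps
+      port: 636
+      targetPort: ldaps
+  selector:
+    app.kubernetes.io/name: glauth-ldap
+status:
+  loadBalancer: {}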
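Review bot: The Service publishes `ldaps` on 636 to container port 3894, but `glauth.conf` sets `[ldaps] enabled = false`, so the port advertises a TLS endpoint nothing listens on; either drop the two `ldaps` entries (container port and Service port) or enable LDAPS in the config, otherwise a client switched to LDAPS fails with a connection refused instead of a clear misconfiguration. The Pod also runs without a `securityContext`, resource limits or a readiness probe on port 3893, and the werther deployment that waits up to `30s` for it (`hydra-ldap-env.yaml`) would benefit from the probe. The image is pinned by tag only; a digest pin would make the example reproducible and the supply chain verifiable.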
| @@ -10,43 +10,47 @@ metadata: | |||||||
| spec: | spec: | ||||||
|   ingressClassName: nginx |   ingressClassName: nginx | ||||||
|   tls: |   tls: | ||||||
|   - hosts: |     - hosts: | ||||||
|     - ssokustom |         - ssokustom | ||||||
|     secretName: ssokustom-example-tls |       secretName: ssokustom-example-tls | ||||||
|   rules: |   rules: | ||||||
|   - http: |     - http: | ||||||
|       paths: |         paths: | ||||||
|       - path: / |           - path: / | ||||||
|         pathType: Prefix |             pathType: Prefix | ||||||
|         backend: |             backend: | ||||||
|           service: |               service: | ||||||
|             name: app |                 name: oidc-test | ||||||
|             port: |                 port: | ||||||
|               name: http |                   name: http | ||||||
| --- | --- | ||||||
| apiVersion: networking.k8s.io/v1 | apiVersion: networking.k8s.io/v1 | ||||||
| kind: Ingress | kind: Ingress | ||||||
| metadata: | metadata: | ||||||
|   name: auth-saml |   name: auth-ldap | ||||||
|   annotations: |   annotations: | ||||||
|     cert-manager.io/issuer: "self-signed" |     cert-manager.io/issuer: "self-signed" | ||||||
|     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" |     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" | ||||||
|  |     nginx.ingress.kubernetes.io/rewrite-target: /$2 | ||||||
|  |     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/ldap | ||||||
|  |     nginx.ingress.kubernetes.io/configuration-snippet: | | ||||||
|  |       proxy_set_header X-Forwarded-Proto https; | ||||||
| spec: | spec: | ||||||
|   ingressClassName: nginx |   ingressClassName: nginx | ||||||
|   tls: |   tls: | ||||||
|   - hosts: |     - hosts: | ||||||
|     - ssokustom |         - ssokustom | ||||||
|     secretName: ssokustom-example-tls |       secretName: ssokustom-example-tls | ||||||
|   rules: |   rules: | ||||||
|   - http: |     - http: | ||||||
|       paths: |         paths: | ||||||
|       - path: /auth/saml(/|$)(.*) |           - path: /auth/ldap(/|$)(.*) | ||||||
|         pathType: Prefix |             pathType: Prefix | ||||||
|         backend: |             backend: | ||||||
|           service: |               service: | ||||||
|             name: hydra-saml |                 name: hydra-ldap | ||||||
|             port: |                 port: | ||||||
|               name: http |                   name: hydra-ldap | ||||||
| --- | --- | ||||||
| apiVersion: networking.k8s.io/v1 | apiVersion: networking.k8s.io/v1 | ||||||
| kind: Ingress | kind: Ingress | ||||||
| @@ -57,22 +61,24 @@ metadata: | |||||||
|     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" |     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" | ||||||
|     nginx.ingress.kubernetes.io/rewrite-target: /$2 |     nginx.ingress.kubernetes.io/rewrite-target: /$2 | ||||||
|     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher |     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher | ||||||
|  |     nginx.ingress.kubernetes.io/configuration-snippet: | | ||||||
|  |       proxy_set_header X-Forwarded-Proto https; | ||||||
| spec: | spec: | ||||||
|   ingressClassName: nginx |   ingressClassName: nginx | ||||||
|   tls: |   tls: | ||||||
|   - hosts: |     - hosts: | ||||||
|     - ssokustom |         - ssokustom | ||||||
|     secretName: ssokustom-example-tls |       secretName: ssokustom-example-tls | ||||||
|   rules: |   rules: | ||||||
|   - http: |     - http: | ||||||
|       paths:       |         paths: | ||||||
|       - path: /auth/dispatcher(/|$)(.*) |           - path: /auth/dispatcher(/|$)(.*) | ||||||
|         pathType: Prefix |             pathType: Prefix | ||||||
|         backend: |             backend: | ||||||
|           service: |               service: | ||||||
|             name: hydra-dispatcher |                 name: hydra-dispatcher | ||||||
|             port: |                 port: | ||||||
|               name: http |                   name: http | ||||||
| --- | --- | ||||||
| apiVersion: networking.k8s.io/v1 | apiVersion: networking.k8s.io/v1 | ||||||
| kind: Ingress | kind: Ingress | ||||||
| @@ -82,50 +88,22 @@ metadata: | |||||||
|     cert-manager.io/issuer: "self-signed" |     cert-manager.io/issuer: "self-signed" | ||||||
|     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" |     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" | ||||||
|     nginx.ingress.kubernetes.io/rewrite-target: /$2 |     nginx.ingress.kubernetes.io/rewrite-target: /$2 | ||||||
|  |     nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth | ||||||
|  |     nginx.ingress.kubernetes.io/configuration-snippet: | | ||||||
|  |       proxy_set_header X-Forwarded-Proto https; | ||||||
| spec: | spec: | ||||||
|   ingressClassName: nginx |   ingressClassName: nginx | ||||||
|   tls: |   tls: | ||||||
|   - hosts: |     - hosts: | ||||||
|     - ssokustom |         - ssokustom | ||||||
|     secretName: ssokustom-example-tls |       secretName: ssokustom-example-tls | ||||||
|   rules: |   rules: | ||||||
|   - http: |     - http: | ||||||
|       paths:       |         paths: | ||||||
|       - path: /auth(/|$)(.*) |           - path: /auth(/|$)(.*) | ||||||
|         pathType: Prefix |             pathType: Prefix | ||||||
|         backend: |             backend: | ||||||
|           service: |               service: | ||||||
|             name: hydra |                 name: hydra | ||||||
|             port: |                 port: | ||||||
|               name: hydra-public |                   name: hydra-public | ||||||
| --- |  | ||||||
| apiVersion: networking.k8s.io/v1 |  | ||||||
| kind: Ingress |  | ||||||
| metadata: |  | ||||||
|   name: saml-idp |  | ||||||
|   annotations: |  | ||||||
|     cert-manager.io/issuer: "self-signed" |  | ||||||
|     nginx.ingress.kubernetes.io/force-ssl-redirect: "true" |  | ||||||
|     nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2 |  | ||||||
|     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" |  | ||||||
| spec: |  | ||||||
|   ingressClassName: nginx |  | ||||||
|   tls: |  | ||||||
|   - hosts: |  | ||||||
|     - ssokustom |  | ||||||
|     secretName: ssokustom-example-tls |  | ||||||
|   rules: |  | ||||||
|   - http: |  | ||||||
|       paths:      |  | ||||||
|       - path: /simplesaml(/|$)(.*) |  | ||||||
|         pathType: Prefix |  | ||||||
|         backend: |  | ||||||
|           service: |  | ||||||
|             name: saml-idp |  | ||||||
|             port: |  | ||||||
|               name: https |  | ||||||
|  |  | ||||||
|       |  | ||||||
|  |  | ||||||
|        |  | ||||||
|            |  | ||||||
|   | |||||||
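Review bot: The `nginx.ingress.kubernetes.io/configuration-snippet` annotations added to all three modified Ingress objects in this file are ignored, or the Ingress is rejected, on ingress-nginx releases where `allow-snippet-annotations` is disabled — the default since the 1.9 line — so `proxy_set_header X-Forwarded-Proto https;` may never reach hydra-ldap, hydra-dispatcher or hydra, and nothing in the overlay states which controller setting the kind cluster relies on. If the header is needed because the tcp-proxy in `port-forwarder.yaml` sits in front of the controller, the controller-level `use-forwarded-headers` ConfigMap option is the documented route; if the controller terminates TLS itself it already forwards the header and the snippet is redundant. Since enabling snippet annotations lets any Ingress author inject arbitrary nginx directives, the dependency should be stated in a comment above the first snippet rather than assumed silently.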
| @@ -1,18 +0,0 @@ | |||||||
| apiVersion: hydra.ory.sh/v1alpha1 |  | ||||||
| kind: OAuth2Client |  | ||||||
| metadata: |  | ||||||
|   name: app-oauth2-client |  | ||||||
| spec: |  | ||||||
|   clientName: "app" |  | ||||||
|   tokenEndpointAuthMethod: "client_secret_basic" |  | ||||||
|   grantTypes: |  | ||||||
|   - authorization_code |  | ||||||
|   - refresh_token |  | ||||||
|   responseTypes: |  | ||||||
|   - code |  | ||||||
|   scope: "openid email" |  | ||||||
|   secretName: app-oidc-secret |  | ||||||
|   redirectUris: |  | ||||||
|   - https://ssokustom/oauth2/callback |  | ||||||
|   postLogoutRedirectUris: |  | ||||||
|   - https://ssokustom |  | ||||||
| @@ -2,19 +2,19 @@ apiVersion: apps/v1 | |||||||
| kind: Deployment | kind: Deployment | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: port-forwarder |     app.kubernetes.io/name: port-forwarder | ||||||
|   name: port-forwarder |   name: port-forwarder | ||||||
| spec: | spec: | ||||||
|   replicas: 1 |   replicas: 1 | ||||||
|   selector: |   selector: | ||||||
|     matchLabels: |     matchLabels: | ||||||
|       io.kompose.service: port-forwarder |       app.kubernetes.io/name: port-forwarder | ||||||
|   strategy: |   strategy: | ||||||
|     type: Recreate |     type: Recreate | ||||||
|   template: |   template: | ||||||
|     metadata: |     metadata: | ||||||
|       labels: |       labels: | ||||||
|         io.kompose.service: port-forwarder |         app.kubernetes.io/name: port-forwarder | ||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|         - image: hpello/tcp-proxy:latest |         - image: hpello/tcp-proxy:latest | ||||||
| @@ -42,7 +42,7 @@ apiVersion: v1 | |||||||
| metadata: | metadata: | ||||||
|   name: ssokustom |   name: ssokustom | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: port-forwarder |     app.kubernetes.io/name: port-forwarder | ||||||
| spec: | spec: | ||||||
|   ports: |   ports: | ||||||
|   - name: https |   - name: https | ||||||
| @@ -52,4 +52,4 @@ spec: | |||||||
|     port: 80 |     port: 80 | ||||||
|     targetPort: 80 |     targetPort: 80 | ||||||
|   selector: |   selector: | ||||||
|     io.kompose.service: port-forwarder |     app.kubernetes.io/name: port-forwarder | ||||||
| @@ -1,51 +0,0 @@ | |||||||
| apiVersion: apps/v1 |  | ||||||
| kind: Deployment |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     io.kompose.service: saml-idp |  | ||||||
|   name: saml-idp |  | ||||||
| spec: |  | ||||||
|   replicas: 1 |  | ||||||
|   selector: |  | ||||||
|     matchLabels: |  | ||||||
|       io.kompose.service: saml-idp |  | ||||||
|   strategy: |  | ||||||
|     type: Recreate |  | ||||||
|   template: |  | ||||||
|     metadata: |  | ||||||
|       labels: |  | ||||||
|         io.kompose.service: saml-idp |  | ||||||
|     spec: |  | ||||||
|       containers: |  | ||||||
|         - image: kristophjunge/test-saml-idp:1.15 |  | ||||||
|           name: saml-idp |  | ||||||
|           ports: |  | ||||||
|             - containerPort: 8443 |  | ||||||
|           resources: {} |  | ||||||
|           env: |  | ||||||
|             - name: SIMPLESAMLPHP_SP_ENTITY_ID |  | ||||||
|               value: https://ssokustom/auth/saml |  | ||||||
|             - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE |  | ||||||
|               value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST |  | ||||||
|             - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE |  | ||||||
|               value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom |  | ||||||
|       restartPolicy: Always |  | ||||||
| --- |  | ||||||
| apiVersion: v1 |  | ||||||
| kind: Service |  | ||||||
| metadata: |  | ||||||
|   labels: |  | ||||||
|     io.kompose.service: saml-idp |  | ||||||
|   name: saml-idp |  | ||||||
| spec: |  | ||||||
|   ports: |  | ||||||
|     - name: http |  | ||||||
|       port: 8080 |  | ||||||
|       targetPort: 8080 |  | ||||||
|     - name: https |  | ||||||
|       port: 8443 |  | ||||||
|       targetPort: 8443 |  | ||||||
|   selector: |  | ||||||
|     io.kompose.service: saml-idp |  | ||||||
| status: |  | ||||||
|   loadBalancer: {} |  | ||||||
| @@ -0,0 +1,92 @@ | |||||||
|  | apiVersion: rbac.authorization.k8s.io/v1 | ||||||
|  | kind: ClusterRole | ||||||
|  | rules: | ||||||
|  |   - apiGroups: | ||||||
|  |       - redis.redis.opstreelabs.in | ||||||
|  |     resources: | ||||||
|  |       - rediss | ||||||
|  |       - redisclusters | ||||||
|  |       - redis | ||||||
|  |       - rediscluster | ||||||
|  |       - redisreplication | ||||||
|  |       - redisreplications | ||||||
|  |       - redissentinel | ||||||
|  |       - redissentinels | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
|  |   - apiGroups: | ||||||
|  |       - redis.redis.opstreelabs.in | ||||||
|  |     resources: | ||||||
|  |       - redis/finalizers | ||||||
|  |       - rediscluster/finalizers | ||||||
|  |     verbs: | ||||||
|  |       - update | ||||||
|  |   - apiGroups: | ||||||
|  |       - redis.redis.opstreelabs.in | ||||||
|  |     resources: | ||||||
|  |       - redis/status | ||||||
|  |       - rediscluster/status | ||||||
|  |     verbs: | ||||||
|  |       - get | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |   - apiGroups: | ||||||
|  |       - "" | ||||||
|  |     resources: | ||||||
|  |       - secrets | ||||||
|  |       - pods/exec | ||||||
|  |       - services | ||||||
|  |       - configmaps | ||||||
|  |       - pods | ||||||
|  |       - persistentvolumes | ||||||
|  |       - persistentvolumeclaims | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
|  |   - apiGroups: | ||||||
|  |       - apps | ||||||
|  |     resources: | ||||||
|  |       - statefulsets | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
|  |   - apiGroups: | ||||||
|  |       - coordination.k8s.io | ||||||
|  |     resources: | ||||||
|  |       - leases | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
|  |   - apiGroups: | ||||||
|  |       - policy | ||||||
|  |     resources: | ||||||
|  |       - poddisruptionbudgets | ||||||
|  |     verbs: | ||||||
|  |       - create | ||||||
|  |       - delete | ||||||
|  |       - get | ||||||
|  |       - list | ||||||
|  |       - patch | ||||||
|  |       - update | ||||||
|  |       - watch | ||||||
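Review bot: The core-group rule grants cluster-wide `get`/`list`/`watch` on `secrets` and `create` on `pods/exec`, so whoever holds the ServiceAccount this ClusterRole is bound to can read every Secret in every namespace (including other service-account tokens) and exec into any pod — a compromise of the redis operator is effectively cluster-admin. If the operator only manages Redis in known namespaces, bind it through namespaced RoleBindings rather than a ClusterRoleBinding, or at least move `secrets` and `pods/exec` into their own rule so they can be narrowed without touching the rest. Note also that the object has no `metadata` at all (`kind: ClusterRole` is followed directly by `rules:`), so it has no name for a binding to reference and, as far as I know, `kustomize build` refuses resources without `metadata.name` — unless something upstream adds it, which isn't visible here.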
| @@ -1,14 +1,15 @@ | |||||||
| apiVersion: kustomize.config.k8s.io/v1beta1 | apiVersion: kustomize.config.k8s.io/v1beta1 | ||||||
| kind: Kustomization | kind: Kustomization | ||||||
| resources: | resources: | ||||||
| - https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml |   - https://forge.cadoles.com/CadolesKube/c-kustom//crds?ref=develop | ||||||
| - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop |   - https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml | ||||||
| - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml |   - ./resources/olm | ||||||
|  |   - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop | ||||||
|  |   - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml | ||||||
|  |  | ||||||
| patchesJson6902: | patches: | ||||||
|   - target: |   - path: patches/nginx-controller.yaml | ||||||
|       version: v1 |     target: | ||||||
|       kind: ConfigMap |       kind: ConfigMap | ||||||
|       name: ingress-nginx-controller |       name: ingress-nginx-controller | ||||||
|       namespace: ingress-nginx |       namespace: ingress-nginx | ||||||
|     path: patches/nginx-controller.yaml |  | ||||||
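Review bot: Three of the five resources are fetched from moving refs — `c-kustom//crds?ref=develop`, `c-kustom//base/cloudnative-pg-operator?ref=develop` and ingress-nginx's `deploy/static/provider/kind/deploy.yaml` on `main` — so `kustomize build` is not reproducible and any change or compromise of those branches (including the CRDs that now define OAuth2Client) lands in the cluster on the next apply. Pin them, e.g. `?ref=<commit-sha>` on the forge URLs and a release-tag path for ingress-nginx. Separately, cert-manager moves from `v1.13.2` down to `v1.10.0`; if that is deliberate (the `patchesJson6902` → `patches` migration does not require it) a comment saying why would help, since 1.10 is an older release line that presumably no longer receives fixes.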
| @@ -1,6 +1,9 @@ | |||||||
| - op: replace | kind: ConfigMap | ||||||
|   path: "/data/allow-snippet-annotations" | apiVersion: v1 | ||||||
|   value: "true" | metadata: | ||||||
| - op: replace |   name: ingress-nginx-controller | ||||||
|   path: "/data/use-forwarded-headers" | data: | ||||||
|   value: "true" |   allow-snippet-annotations: "true" | ||||||
|  |   use-forwarded-headers: "true" | ||||||
|  |   strict-validate-path-type: "false" | ||||||
|  |   annotations-risk-level: "Critical" | ||||||
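Review bot: `allow-snippet-annotations: "true"` together with `annotations-risk-level: "Critical"` re-enables every annotation ingress-nginx classifies as critical, including `server-snippet`/`configuration-snippet`, which let anyone who can create an Ingress inject arbitrary nginx configuration into the controller — the reason upstream disabled them by default. No manifest in this diff uses a snippet annotation, so unless one exists elsewhere drop both keys; if snippets are really needed, keep them but make sure Ingress creation is restricted to trusted principals. `strict-validate-path-type: "false"` appears to exist only so that the regex paths (`/auth(/|$)(.*)`) declared with `pathType: Prefix` are accepted; the narrower fix is `pathType: ImplementationSpecific` on those Ingress rules, which is the type ingress-nginx expects for regex paths, leaving validation on cluster-wide.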
|   | |||||||
| @@ -0,0 +1,6 @@ | |||||||
|  | apiVersion: kustomize.config.k8s.io/v1beta1 | ||||||
|  | kind: Kustomization | ||||||
|  |  | ||||||
|  | resources: | ||||||
|  |   - https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.31.0/olm.yaml | ||||||
|  |   - https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/olm/resources/mandatory-operators/resources/redis-operator.yaml | ||||||
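Review bot: The second resource is pulled from `raw/branch/develop`, a moving branch, while OLM itself is pinned to `v0.31.0`; the redis operator manifest (presumably the source of the broad ClusterRole elsewhere in this change) can therefore change under the deployment without a commit here. Pin it to a commit, e.g. `.../c-kustom/raw/commit/<sha>/base/olm/resources/mandatory-operators/resources/redis-operator.yaml`, and bump the sha deliberately.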
| @@ -2,10 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 | |||||||
| kind: Kustomization | kind: Kustomization | ||||||
|  |  | ||||||
| resources: | resources: | ||||||
| - ./resources/hydra | - ./overlays/base | ||||||
| - ./resources/hydra-dispatcher |  | ||||||
|  |  | ||||||
| components: |  | ||||||
| - ./components/hydra-cnpg-database |  | ||||||
| - ./components/hydra-oidc |  | ||||||
| - ./components/hydra-saml |  | ||||||
							
								
								
									
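--- a/overlays/base/kustomization.yaml
+++ b/overlays/base/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../resources/hydra
+- ../../resources/hydra-dispatcher
+
+labels:
+  - pairs:
+      app.kubernetes.io/part-of: sso-kustom
+      app.kubernetes.io/component: auth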
							
								
								
									
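--- a/overlays/full/kustomization.yaml
+++ b/overlays/full/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../base
+
+labels:
+  - pairs:
+      app.kubernetes.io/part-of: sso-kustom
+      app.kubernetes.io/component: auth
+
+components:
+- ../../components/hydra-cnpg-database
+- ../../components/hydra-oidc
+- ../../components/hydra-saml
+- ../../components/hydra-sql
+- ../../components/oidc-test
+- ../../components/redis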
							
								
								
									
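--- a/resources/hydra-dispatcher/files/03_base.ini
+++ b/resources/hydra-dispatcher/files/03_base.ini
@@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}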
| @@ -12,6 +12,5 @@ hydra: | |||||||
|     api_url: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_URL)%" |     api_url: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_URL)%" | ||||||
|     api_key: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_KEY)%" |     api_key: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_KEY)%" | ||||||
|     api_method: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_METHOD)%" |     api_method: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_METHOD)%" | ||||||
|   firewall: |   webhook_post_login: | ||||||
|     additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%" |     enabled: false | ||||||
|     rules: {} |  | ||||||
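Review bot: The `firewall` section (`additional_properties`, `rules`) is removed outright rather than set to a safe value, so whatever the dispatcher's built-in default is now applies; if the new `hydra-dispatcher-base` image still implements that feature, its default may be more permissive than the explicit `rules: {}` that was here. If the feature was dropped from the application, a one-line comment saying so would save the next reader the same question; otherwise keep an explicit block such as `firewall: {additional_properties: false, rules: {}}` (key names taken from the removed lines — I can't see the app's schema). The new `webhook_post_login: enabled: false` is fine as an explicit opt-out. The enclosing `hydra:` mapping starts above this hunk.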
|   | |||||||
| @@ -5,11 +5,17 @@ resources: | |||||||
| - ./resources/hydra-dispatcher-deployment.yaml | - ./resources/hydra-dispatcher-deployment.yaml | ||||||
| - ./resources/hydra-dispatcher-service.yaml | - ./resources/hydra-dispatcher-service.yaml | ||||||
|  |  | ||||||
|  | generatorOptions: | ||||||
|  |   labels: | ||||||
|  |      com.cadoles.forge.sso-kustom/session: redis | ||||||
|  |  | ||||||
| configMapGenerator: | configMapGenerator: | ||||||
| - name: hydra-dispatcher-env | - name: hydra-dispatcher-env | ||||||
|   literals: |   literals: | ||||||
|   - APP_ENV=prod |   - APP_ENV=prod | ||||||
|   - APP_DEBUG=false |   - APP_DEBUG=false | ||||||
|  |   - PHP_FPM_MEMORY_LIMIT=256m | ||||||
|  |   - NGINX_APP_SERVER_LISTEN=80 | ||||||
|   - HYDRA_BASE_URL=http://hydra:4444 |   - HYDRA_BASE_URL=http://hydra:4444 | ||||||
|   - HYDRA_ADMIN_BASE_URL=http://hydra:4445 |   - HYDRA_ADMIN_BASE_URL=http://hydra:4445 | ||||||
|   - HYDRA_REWRITE_ISSUER=yes |   - HYDRA_REWRITE_ISSUER=yes | ||||||
| @@ -19,6 +25,10 @@ configMapGenerator: | |||||||
|   - COOKIE_PATH=/ |   - COOKIE_PATH=/ | ||||||
|   - DEFAULT_LOCALE=fr |   - DEFAULT_LOCALE=fr | ||||||
|   - APP_LOCALES=fr,en |   - APP_LOCALES=fr,en | ||||||
|  |   - REDIS_DSN="redis://redis:6379" | ||||||
| - name: hydra-dispatcher-apps | - name: hydra-dispatcher-apps | ||||||
|   files: |   files: | ||||||
|   - ./files/hydra/default.yaml |   - apps.yaml=./files/hydra/default.yaml | ||||||
|  | - name: hydra-dispatcher-php-ini | ||||||
|  |   files: | ||||||
|  |   - ./files/03_base.ini | ||||||
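Review bot: `REDIS_DSN="redis://redis:6379"` points the dispatcher's session store (per the new `com.cadoles.forge.sso-kustom/session: redis` label) at an unauthenticated, plaintext Redis, so any workload that can reach `redis:6379` in the namespace can read or forge login sessions of the SSO front end. Move the DSN into a `secretGenerator` with a password (`redis://:<password>@redis:6379`) and restrict access with a NetworkPolicy, or at minimum document that the redis component is expected to enforce this — it isn't visible in this diff. Also, `PHP_FPM_MEMORY_LIMIT=256m` here is shadowed: the deployment sets the same variable to `128m` under `env`, and container `env` entries take precedence over `envFrom`, so this value never applies; keep one of the two.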
| @@ -2,35 +2,117 @@ apiVersion: apps/v1 | |||||||
| kind: Deployment | kind: Deployment | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra-dispatcher |     app.kubernetes.io/name: hydra-dispatcher | ||||||
|  |     com.cadoles.forge.sso-kustom/session: redis | ||||||
|   name: hydra-dispatcher |   name: hydra-dispatcher | ||||||
| spec: | spec: | ||||||
|   replicas: 1 |   replicas: 1 | ||||||
|   selector: |   selector: | ||||||
|     matchLabels: |     matchLabels: | ||||||
|       io.kompose.service: hydra-dispatcher |       app.kubernetes.io/name: hydra-dispatcher | ||||||
|   strategy: |   strategy: | ||||||
|     type: Recreate |     type: Recreate | ||||||
|   template: |   template: | ||||||
|     metadata: |     metadata: | ||||||
|       labels: |       labels: | ||||||
|         io.kompose.service: hydra-dispatcher |         app.kubernetes.io/name: hydra-dispatcher | ||||||
|     spec: |     spec: | ||||||
|       containers: |       containers: | ||||||
|       - name: hydra-dispatcher |         - name: hydra-dispatcher-php-fpm | ||||||
|         image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-238-g7236416 |           image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2025.3.18-develop.1401.4646fbb | ||||||
|         envFrom: |           args: ["/usr/sbin/php-fpm81", "-F", "-e"] | ||||||
|         - configMapRef: |           readinessProbe: | ||||||
|             name: hydra-dispatcher-env |             exec: | ||||||
|         volumeMounts: |               command: | ||||||
|         - mountPath: /var/www/config/hydra |                 - sh | ||||||
|           name: hydra-dispatcher-apps |                 - -c | ||||||
|         ports: |                 - test -f /etc/php81/php-fpm.d/www.conf | ||||||
|         - containerPort: 80 |           livenessProbe: | ||||||
|         resources: {} |             exec: | ||||||
|  |               command: | ||||||
|  |                 - php | ||||||
|  |                 - bin/console | ||||||
|  |                 - -V | ||||||
|  |             initialDelaySeconds: 10 | ||||||
|  |             periodSeconds: 30 | ||||||
|  |           env: | ||||||
|  |             - name: PHP_FPM_LISTEN | ||||||
|  |               value: 127.0.0.1:9000 | ||||||
|  |             - name: PHP_MEMORY_LIMIT | ||||||
|  |               value: 128m | ||||||
|  |             - name: PHP_FPM_MEMORY_LIMIT | ||||||
|  |               value: 128m | ||||||
|  |             - name: OPCACHE_VALIDATE_TIMESTAMP | ||||||
|  |               value: "0" | ||||||
|  |             - name: OPCACHE_REVALIDATE_FREQ | ||||||
|  |               value: "0" | ||||||
|  |           envFrom: | ||||||
|  |             - configMapRef: | ||||||
|  |                 name: hydra-dispatcher-env | ||||||
|  |           volumeMounts: | ||||||
|  |             - mountPath: /app/config/hydra | ||||||
|  |               name: hydra-dispatcher-apps | ||||||
|  |             - name: hydra-dispatcher-php-ini | ||||||
|  |               mountPath: /etc/php81/conf.d/03_base.ini | ||||||
|  |               subPath: 03_base.ini | ||||||
|  |           resources: {} | ||||||
|  |           securityContext: | ||||||
|  |             runAsNonRoot: true | ||||||
|  |             runAsGroup: 1000 | ||||||
|  |             runAsUser: 1000 | ||||||
|  |         - name: hydra-dispatcher-caddy | ||||||
|  |           image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2025.3.18-develop.1401.4646fbb | ||||||
|  |           imagePullPolicy: IfNotPresent | ||||||
|  |           args: | ||||||
|  |             [ | ||||||
|  |               "/usr/sbin/caddy", | ||||||
|  |               "run", | ||||||
|  |               "--adapter", | ||||||
|  |               "caddyfile", | ||||||
|  |               "--config", | ||||||
|  |               "/etc/caddy/Caddyfile", | ||||||
|  |             ] | ||||||
|  |           readinessProbe: | ||||||
|  |             httpGet: | ||||||
|  |               path: /health | ||||||
|  |               port: 8080 | ||||||
|  |             initialDelaySeconds: 5 | ||||||
|  |             timeoutSeconds: 5 | ||||||
|  |             periodSeconds: 10 | ||||||
|  |           livenessProbe: | ||||||
|  |             httpGet: | ||||||
|  |               path: /health | ||||||
|  |               port: 8080 | ||||||
|  |             initialDelaySeconds: 15 | ||||||
|  |             timeoutSeconds: 5 | ||||||
|  |             periodSeconds: 15 | ||||||
|  |           envFrom: | ||||||
|  |             - configMapRef: | ||||||
|  |                 name: hydra-dispatcher-env | ||||||
|  |           env: | ||||||
|  |             - name: CADDY_APP_UPSTREAM_BACKEND_SERVER | ||||||
|  |               value: 127.0.0.1:9000 | ||||||
|  |             - name: CADDY_HTTPS_PORT | ||||||
|  |               value: "8443" | ||||||
|  |             - name: CADDY_HTTP_PORT | ||||||
|  |               value: "8080" | ||||||
|  |             - name: CADDY_DATA_FS | ||||||
|  |               value: "/tmp/caddy" | ||||||
|  |             - name: CADDY_APP_ROOT_PUBLIC | ||||||
|  |               value: "/app/public/" | ||||||
|  |           ports: | ||||||
|  |             - containerPort: 8080 | ||||||
|  |               name: http | ||||||
|  |           resources: {} | ||||||
|  |           securityContext: | ||||||
|  |             runAsNonRoot: true | ||||||
|  |             runAsGroup: 1000 | ||||||
|  |             runAsUser: 1000 | ||||||
|       restartPolicy: Always |       restartPolicy: Always | ||||||
|       volumes: |       volumes: | ||||||
|       - name: hydra-dispatcher-apps |         - name: hydra-dispatcher-apps | ||||||
|         configMap: |           configMap: | ||||||
|           name: hydra-dispatcher-apps |             name: hydra-dispatcher-apps | ||||||
|  |         - name: hydra-dispatcher-php-ini | ||||||
|  |           configMap: | ||||||
|  |             name: hydra-dispatcher-php-ini | ||||||
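Review bot: Both new containers set only `runAsNonRoot`/`runAsUser`/`runAsGroup`, while the hydra-maester deployment in this same change also drops capabilities and blocks privilege escalation; the dispatcher is the user-facing login UI and deserves at least the same hardening. Add to each `securityContext`: `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, `seccompProfile: {type: RuntimeDefault}`; `readOnlyRootFilesystem: true` should also be possible if `/tmp/caddy` (`CADDY_DATA_FS`) and php-fpm's runtime directories are backed by `emptyDir` volumes, which needs checking against the image. `PHP_FPM_MEMORY_LIMIT` is `128m` here and `256m` in the `hydra-dispatcher-env` ConfigMap; the `env` value wins, so drop one to avoid confusion. The php-fpm readiness probe (`test -f /etc/php81/php-fpm.d/www.conf`) only proves a static file exists and reports ready before php-fpm listens; a `tcpSocket` probe on port 9000 would reflect the actual state.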
|   | |||||||
| @@ -2,13 +2,14 @@ apiVersion: v1 | |||||||
| kind: Service | kind: Service | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra-dispatcher |     app.kubernetes.io/name: hydra-dispatcher | ||||||
|   name: hydra-dispatcher |   name: hydra-dispatcher | ||||||
| spec: | spec: | ||||||
|   ports: |   ports: | ||||||
|     - name: http |   - name: http | ||||||
|       port: 80 |     port: 80 | ||||||
|  |     targetPort: http | ||||||
|   selector: |   selector: | ||||||
|     io.kompose.service: hydra-dispatcher |     app.kubernetes.io/name: hydra-dispatcher | ||||||
| status: | status: | ||||||
|   loadBalancer: {} |   loadBalancer: {} | ||||||
|   | |||||||
| @@ -1,6 +1,12 @@ | |||||||
| apiVersion: kustomize.config.k8s.io/v1beta1 | apiVersion: kustomize.config.k8s.io/v1beta1 | ||||||
| kind: Kustomization | kind: Kustomization | ||||||
|  |  | ||||||
|  | images: | ||||||
|  |   - name: reg.cadoles.com/proxy_cache/oryd/hydra | ||||||
|  |     newTag: v2.1.2 | ||||||
|  |   - name: reg.cadoles.com/proxy_cache/oryd/hydra-maester | ||||||
|  |     newTag: v0.0.32-amd64 | ||||||
|  |  | ||||||
| resources: | resources: | ||||||
|   - ./resources/hydra-deployment.yaml |   - ./resources/hydra-deployment.yaml | ||||||
|   - ./resources/hydra-service.yaml |   - ./resources/hydra-service.yaml | ||||||
| @@ -9,6 +15,7 @@ resources: | |||||||
|   - ./resources/hydra-serviceaccount.yaml |   - ./resources/hydra-serviceaccount.yaml | ||||||
|   - ./resources/hydra-migrate-job.yaml |   - ./resources/hydra-migrate-job.yaml | ||||||
|   - ./resources/hydra-maester |   - ./resources/hydra-maester | ||||||
|  |   - ./resources/hydra-janitor-cronjob.yaml | ||||||
|  |  | ||||||
| secretGenerator: | secretGenerator: | ||||||
|   - name: hydra-secret |   - name: hydra-secret | ||||||
| @@ -23,13 +30,22 @@ configMapGenerator: | |||||||
|       - URLS_CONSENT=http://hydra-consent-app/consent |       - URLS_CONSENT=http://hydra-consent-app/consent | ||||||
|       - URLS_LOGOUT=http://hydra-logout-app/logout |       - URLS_LOGOUT=http://hydra-logout-app/logout | ||||||
|       - HYDRA_SERVE_ALL_ARGS=--dev |       - HYDRA_SERVE_ALL_ARGS=--dev | ||||||
|  |       - HYDRA_DATABASE_MAX_CONN="10" | ||||||
|  |       - HYDRA_DATABASE_MAX_IDLE_CONNS="5" | ||||||
|  |       - HYDRA_DATABASE_MAX_CONN_LIFETIME="0"  # Unlimited. ms, s, m, h | ||||||
|  |       - HYDRA_DATABASE_MAX_CONN_IDLE_TIME="0"  # Unlimited. ms, s, m, h | ||||||
|  |       - HYDRA_DATABASE_CONNECT_TIMEOUT="0"  # Unlimited | ||||||
|  |       - SERVE_ADMIN_REQUEST_LOG_DISABLE_FOR_HEALTH="true" | ||||||
|       - LOG_LEVEL=info |       - LOG_LEVEL=info | ||||||
|  |  | ||||||
| vars: | replacements: | ||||||
| - name: HYDRA_MIGRATE_JOB_NAME |   - source: | ||||||
|   objref: |       kind: Job | ||||||
|     name: hydra-migrate |       name: hydra-migrate | ||||||
|     kind: Job  |       fieldPath: metadata.name | ||||||
|     apiVersion: batch/v1 |     targets: | ||||||
|   fieldref: |       - select: | ||||||
|     fieldpath: metadata.name |           kind: Deployment | ||||||
|  |           name: hydra | ||||||
|  |         fieldPaths: | ||||||
|  |           - spec.template.spec.initContainers.0.args.1 | ||||||
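Review bot: The five new `HYDRA_DATABASE_*` literals don't match any Hydra v2 configuration key I know of — Hydra takes pool settings from the DSN query string (`max_conns`, `max_idle_conns`, `max_conn_lifetime`, `max_conn_idle_time`), not from separate variables — so unless the image's entrypoint translates them they are silently ignored; please confirm against the tag now pinned in `images:` (`v2.1.2`) or move them into the DSN held in `hydra-secret`. The surrounding quotes (`"10"`) should be harmless since kustomize strips a matching pair of quotes from literal values. Note that the unchanged `HYDRA_SERVE_ALL_ARGS=--dev` still passes `--dev`, which disables Hydra's HTTPS and secure-cookie enforcement — acceptable for the kind setup, but it should not reach the new `full` overlay unpatched.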
|   | |||||||
| @@ -2,27 +2,27 @@ apiVersion: apps/v1 | |||||||
| kind: Deployment | kind: Deployment | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra |     app.kubernetes.io/name: hydra | ||||||
|   name: hydra |   name: hydra | ||||||
| spec: | spec: | ||||||
|   replicas: 1 |   replicas: 1 | ||||||
|   selector: |   selector: | ||||||
|     matchLabels: |     matchLabels: | ||||||
|       io.kompose.service: hydra |       app.kubernetes.io/name: hydra | ||||||
|   strategy: |   strategy: | ||||||
|     type: Recreate |     type: Recreate | ||||||
|   template: |   template: | ||||||
|     metadata: |     metadata: | ||||||
|       labels: |       labels: | ||||||
|         io.kompose.service: hydra |         app.kubernetes.io/name: hydra | ||||||
|     spec: |     spec: | ||||||
|       serviceAccountName: hydra-sa |       serviceAccountName: hydra-sa | ||||||
|       initContainers: |       initContainers: | ||||||
|         - name: wait-for-migrate |         - name: wait-for-migrate | ||||||
|           image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3 |           image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3 | ||||||
|           args: |           args: | ||||||
|           - job |             - job | ||||||
|           - $(HYDRA_MIGRATE_JOB_NAME) |             - REPLACE_ME | ||||||
|       containers: |       containers: | ||||||
|         - name: hydra |         - name: hydra | ||||||
|           image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3 |           image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3 | ||||||
| @@ -46,10 +46,31 @@ spec: | |||||||
|                 - wget |                 - wget | ||||||
|                 - --spider |                 - --spider | ||||||
|                 - -q |                 - -q | ||||||
|                 - http://127.0.0.1:4444/.well-known/openid-configuration |                 - http://127.0.0.1:4445/health/alive | ||||||
|             failureThreshold: 6 |             failureThreshold: 6 | ||||||
|             periodSeconds: 10 |             periodSeconds: 10 | ||||||
|             timeoutSeconds: 10 |             timeoutSeconds: 10 | ||||||
|  |           readinessProbe: | ||||||
|  |             exec: | ||||||
|  |               command: | ||||||
|  |                 - wget | ||||||
|  |                 - --spider | ||||||
|  |                 - -q | ||||||
|  |                 - http://127.0.0.1:4445/health/ready | ||||||
|  |             failureThreshold: 6 | ||||||
|  |             periodSeconds: 10 | ||||||
|  |             timeoutSeconds: 10 | ||||||
|  |           startupProbe: | ||||||
|  |             exec: | ||||||
|  |               command: | ||||||
|  |                 - wget | ||||||
|  |                 - --spider | ||||||
|  |                 - -q | ||||||
|  |                 - http://127.0.0.1:4445/health/ready | ||||||
|  |             failureThreshold: 60 | ||||||
|  |             successThreshold: 1 | ||||||
|  |             periodSeconds: 1 | ||||||
|  |             timeoutSeconds: 1 | ||||||
|           ports: |           ports: | ||||||
|             - containerPort: 4444 |             - containerPort: 4444 | ||||||
|               name: hydra-public |               name: hydra-public | ||||||
| @@ -57,4 +78,3 @@ spec: | |||||||
|               name: hydra-admin |               name: hydra-admin | ||||||
|           resources: {} |           resources: {} | ||||||
|       restartPolicy: Always |       restartPolicy: Always | ||||||
|    |  | ||||||
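Review bot: `REPLACE_ME` on the wait-for-migrate init container only becomes valid if the `replacements` entry in kustomization.yaml matches `spec.template.spec.initContainers.0.args.1`; if that replacement ever fails to apply (renamed Job, reordered init containers, overlay without it) the pod blocks forever waiting for a Job called `REPLACE_ME` with no obvious error. Use the real default as the placeholder, `- hydra-migrate`, so the replacement still overrides it and a missed replacement degrades to the unsuffixed name rather than a dead wait. The new liveness/readiness/startup probes all call the admin port 4445 over loopback via `wget`, which is fine as long as the image keeps a `wget` binary (the old probe already relied on it).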
|   | |||||||
							
								
								
									
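--- a/resources/hydra/resources/hydra-janitor-cronjob.yaml
+++ b/resources/hydra/resources/hydra-janitor-cronjob.yaml
@@ -0,0 +1,34 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: hydra-janitor
+  labels:
+    app.kubernetes.io/name: hydra-janitor
+spec:
+  concurrencyPolicy: Forbid
+  schedule: "0 */1 * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: hydra-janitor
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: hydra-sa
+          containers:
+            - name: janitor
+              image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
+              envFrom:
+              - configMapRef:
+                  name: hydra-env
+              imagePullPolicy: IfNotPresent
+              command: ["hydra"]
+              env: []
+              args:
+                - janitor
+                - --read-from-env
+                - --grants
+                - --requests
+                - --tokens
+              resources: {}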
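Review bot: The janitor receives only `hydra-env` via `envFrom` (and `env: []`), yet the kustomization also generates `hydra-secret`, which is presumably where the `DSN` lives; with `--read-from-env` and no DSN the janitor has no database to clean, so it should mount the same secret the hydra Deployment uses (`- secretRef: {name: hydra-secret}`) — the Deployment's `envFrom` isn't in this diff, so please check which sources it has. It also runs as `hydra-sa`, the ServiceAccount that carries the RBAC needed by the wait-for-migrate init container; a janitor needs no API access, so set `automountServiceAccountToken: false` (or give it its own SA) and add a `securityContext` matching the other workloads in this change. Minor: `schedule: "0 */1 * * *"` is just `"0 * * * *"`.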
| @@ -2,14 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1 | |||||||
| kind: Kustomization | kind: Kustomization | ||||||
|  |  | ||||||
| resources: | resources: | ||||||
|   - ./resources/hydra-maester-deployment.yaml | - ./resources/hydra-maester-deployment.yaml | ||||||
|   - ./resources/hydra-maester-rbac.yaml | - ./resources/hydra-maester-rbac.yaml | ||||||
|   - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml |  | ||||||
|  |  | ||||||
| configMapGenerator: | configMapGenerator: | ||||||
|   - name: hydra-maester-env | - name: hydra-maester-env | ||||||
|     literals: |   literals: | ||||||
|       - APP_ENV=prod |   - APP_ENV=prod | ||||||
|       - APP_DEBUG=false |   - APP_DEBUG=false | ||||||
|       - HYDRA_ADMIN_BASE_URL=http://hydra |   - HYDRA_ADMIN_BASE_URL=http://hydra | ||||||
|       - HYDRA_ADMIN_PORT=4445 |   - HYDRA_ADMIN_PORT=4445 | ||||||
|   | |||||||
| @@ -7,7 +7,7 @@ metadata: | |||||||
|   labels: |   labels: | ||||||
|     app.kubernetes.io/name: hydra-maester |     app.kubernetes.io/name: hydra-maester | ||||||
|     app.kubernetes.io/instance: hydra-master |     app.kubernetes.io/instance: hydra-master | ||||||
|     app.kubernetes.io/version: "v0.0.23" |     app.kubernetes.io/version: "v0.0.25" | ||||||
| spec: | spec: | ||||||
|   replicas: 1 |   replicas: 1 | ||||||
|   revisionHistoryLimit: 10 |   revisionHistoryLimit: 10 | ||||||
| @@ -38,15 +38,14 @@ spec: | |||||||
|             - --hydra-url=$(HYDRA_ADMIN_BASE_URL) |             - --hydra-url=$(HYDRA_ADMIN_BASE_URL) | ||||||
|             - --hydra-port=$(HYDRA_ADMIN_PORT) |             - --hydra-port=$(HYDRA_ADMIN_PORT) | ||||||
|             - --endpoint=/admin/clients |             - --endpoint=/admin/clients | ||||||
|           resources: |           resources: {} | ||||||
|             {} |  | ||||||
|           terminationMessagePath: /dev/termination-log |           terminationMessagePath: /dev/termination-log | ||||||
|           terminationMessagePolicy: File |           terminationMessagePolicy: File | ||||||
|           securityContext: |           securityContext: | ||||||
|             allowPrivilegeEscalation: false |             allowPrivilegeEscalation: false | ||||||
|             capabilities: |             capabilities: | ||||||
|               drop: |               drop: | ||||||
|               - ALL |                 - ALL | ||||||
|             privileged: false |             privileged: false | ||||||
|             readOnlyRootFilesystem: true |             readOnlyRootFilesystem: true | ||||||
|             runAsNonRoot: true |             runAsNonRoot: true | ||||||
|   | |||||||
| @@ -2,7 +2,7 @@ apiVersion: v1 | |||||||
| kind: Service | kind: Service | ||||||
| metadata: | metadata: | ||||||
|   labels: |   labels: | ||||||
|     io.kompose.service: hydra |     app.kubernetes.io/name: hydra | ||||||
|   name: hydra |   name: hydra | ||||||
| spec: | spec: | ||||||
|   ports: |   ports: | ||||||
| @@ -13,6 +13,6 @@ spec: | |||||||
|       port: 4445 |       port: 4445 | ||||||
|       targetPort: hydra-admin |       targetPort: hydra-admin | ||||||
|   selector: |   selector: | ||||||
|     io.kompose.service: hydra |     app.kubernetes.io/name: hydra | ||||||
| status: | status: | ||||||
|   loadBalancer: {} |   loadBalancer: {} | ||||||
|   | |||||||