Merge pull request 'feat(oidc-test): update image ref' (#68 ) from feat/update_oidc-test_20250311 into unstable

Reviewed-on: #68
feat(oidc-test): update image ref
2025-03-11 15:46:07 +01:00 · 2025-03-11 15:42:32 +01:00 · 2025-03-11 15:35:46 +01:00 · 2025-03-07 15:31:59 +01:00 · 2025-03-07 14:48:31 +01:00 · 2025-03-07 14:26:20 +01:00
74 changed files with 1674 additions and 504 deletions
--- a/README.md
+++ b/README.md
@ -2,10 +2,6 @@

 Kustomization du service "SSO" (Ory Hydra)

-## Usage
-
-[Voir la documentation](./doc/README.md)
-
 ## Exemple

-Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)
+Ce projet contient un exemple fonctionnel de déploiement dans le répertoire [`./examples/authenticated-app`](./examples/authenticated-app)
--- a/components/hydra-cleaner/files/hydra-cleaner.sh
+++ b/components/hydra-cleaner/files/hydra-cleaner.sh
@ -0,0 +1,116 @@
+#!/bin/sh
+
+set -e
+set -o nounset
+
+# 4 tables to empty, at least
+# oidc, code, flow, authentication_session
+
+# \d hydra_oauth2_flow
+#Referenced by:
+#    TABLE "hydra_oauth2_access" CONSTRAINT "hydra_oauth2_access_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_code" CONSTRAINT "hydra_oauth2_code_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_oidc" CONSTRAINT "hydra_oauth2_oidc_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_pkce" CONSTRAINT "hydra_oauth2_pkce_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+#    TABLE "hydra_oauth2_refresh" CONSTRAINT "hydra_oauth2_refresh_challenge_id_fk" FOREIGN KEY (challenge_id) REFERENCES hydra_oauth2_flow(consent_challenge_id) ON DELETE CASCADE
+
+# -> delete "cascade" on table "flow" cleans access, code, oidc, pkce and refresh tables.
+
+
+DSN="${DSN:-postgresql://${HYDRA_DATABASE_USER}:${HYDRA_DATABASE_PASSWORD}@${HYDRA_DATABASE_SERVICE_NAME}:${HYDRA_DATABASE_SERVICE_PORT:-5432}/hydra?sslmode=disable}"
+RETENTION_HOURS="${RETENTION_HOURS:-48}"
+BATCH_SIZE="${BATCH_SIZE:-50}"
+LIMIT="${LIMIT:-1000}"
+BEFORE_DATE="$(date +'%Y-%m-%d %H:%M:%S' --date=@$(($(date +%s) - RETENTION_HOURS * 3600)))"
+
+
+log() {
+    echo "$(date +'%d-%m-%y %H:%M:%S%z')| $1"
+}
+
+perror() {
+    log "Something went wrong, exiting."
+    trap - EXIT
+    exit 1
+}
+
+trap perror EXIT
+
+if ! [[ ${RETENTION_HOURS} =~ '^[0-9]+$' ]]; then
+    log "Error: variable RETENTION_HOURS is not a positive integer."
+    perror
+fi
+
+if ! [[ ${LIMIT} =~ '^[0-9]+$' ]]; then
+    log "Error: variable LIMIT is not a positive integer."
+    perror
+fi
+
+if ! [[ ${BATCH_SIZE} =~ '^[0-9]+$' ]]; then
+    log "Error: variable BATCH_SIZE is not a positive integer."
+    perror
+fi
+
+log "Starting hydra cleaner"
+
+log "Removing up to ${LIMIT} elements before ${BEFORE_DATE} by batch of ${BATCH_SIZE}"
+
+log "Beginning estimated size:"
+psql "${DSN}" <<EOF
+select
+  table_name, reltuples as estimate,
+  pg_size_pretty(pg_total_relation_size(quote_ident(table_name))),
+  pg_total_relation_size(quote_ident(table_name))
+from information_schema.tables left join pg_class on information_schema.tables.table_name=pg_class.relname
+where table_schema = 'public'
+order by 4 desc;
+EOF
+
+
+REMAINING_ELMTS="${LIMIT}"
+while [ "${REMAINING_ELMTS}" -gt 0 ]; do
+    OUTPUT=$(psql "${DSN}" <<EOF
+DELETE
+FROM hydra_oauth2_flow
+WHERE login_challenge = ANY (
+  array(
+    SELECT login_challenge
+    FROM hydra_oauth2_flow
+    WHERE requested_at < '${BEFORE_DATE}'
+    LIMIT ${BATCH_SIZE}
+  )
+);
+EOF
+    )
+
+    log "${OUTPUT}"
+
+    if ! [[ "${OUTPUT}" =~ '^DELETE ' ]] ; then
+	log "Output doesn't seems OK..."
+	break
+    fi
+    OUTPUT_NB=$(echo "${OUTPUT}" | cut -d' ' -f 2)
+
+    if [ "${OUTPUT_NB}" -lt "${BATCH_SIZE}" ]; then
+	break
+    fi
+
+    REMAINING_ELMTS=$((REMAINING_ELMTS - BATCH_SIZE))
+    if [ "${REMAINING_ELMTS}" -lt "${BATCH_SIZE}" ]; then
+	BATCH_SIZE="${REMAINING_ELMTS}"
+    fi
+done
+
+
+log "Final estimated size:"
+psql "${DSN}" <<EOF
+select
+  table_name, reltuples as estimate,
+  pg_size_pretty(pg_total_relation_size(quote_ident(table_name))),
+  pg_total_relation_size(quote_ident(table_name))
+from information_schema.tables left join pg_class on information_schema.tables.table_name=pg_class.relname
+where table_schema = 'public'
+order by 4 desc;
+EOF
+
+trap - EXIT
--- a/components/hydra-cleaner/kustomization.yaml
+++ b/components/hydra-cleaner/kustomization.yaml
@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ./resources/hydra-cleaner-cronjob.yaml
+
+configMapGenerator:
+- name: hydra-cleaner-env
+  behavior: create
+  literals:
+  - RETENTION_HOURS="48"
+  - BATCH_SIZE="100"
+  - LIMIT="1000"
+- name: hydra-cleaner-script
+  behavior: create
+  files:
+  - ./files/hydra-cleaner.sh
--- a/components/hydra-cleaner/resources/hydra-cleaner-cronjob.yaml
+++ b/components/hydra-cleaner/resources/hydra-cleaner-cronjob.yaml
@ -0,0 +1,54 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: hydra-cleaner
+  labels:
+    app.kubernetes.io/name: hydra-cleaner
+spec:
+  concurrencyPolicy: Forbid
+  schedule: "30 */1 * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: hydra-cleaner
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: hydra-sa
+          containers:
+          - name: hydra-cleaner
+            image: reg.cadoles.com/proxy_cache/alpine/psql:17.4
+            envFrom:
+            - configMapRef:
+                name: hydra-env
+            - configMapRef:
+                name: hydra-cleaner-env
+            imagePullPolicy: IfNotPresent
+            command: ["/hydra-cleaner.sh"]
+            env:
+            - name: HYDRA_DATABASE_USER
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-postgres-app
+                  key: username
+            - name: HYDRA_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-postgres-app
+                  key: password
+            - name: HYDRA_DATABASE_SERVICE_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-postgres-app
+                  key: host
+            args: []
+            volumeMounts:
+            - name: hydra-cleaner-script
+              mountPath: "/hydra-cleaner.sh"
+              subPath: "hydra-cleaner.sh"
+          volumes:
+          - name: hydra-cleaner-script
+            configMap:
+              name: hydra-cleaner-script
+              defaultMode: 0544
--- a/components/hydra-cnpg-database/kustomization.yaml
+++ b/components/hydra-cnpg-database/kustomization.yaml
@ -7,29 +7,7 @@ configurations:
 resources:
 - ./resources/hydra-cnpg-cluster.yaml

-secretGenerator:
- name: hydra-postgres-admin
-  type: Secret
-  literals:
-  - username=postgres
-  - password=NotSoSecret
- name: hydra-postgres-user
-  type: Secret
-  literals:
-  - username=hydra
-  - password=NotSoSecret
-
-
-vars:
- name: HYDRA_DATABASE_SERVICE_NAME
-  objref:
-    name: hydra-postgres
-    kind: Cluster
-    apiVersion: postgresql.cnpg.io/v1
-  fieldref:
-    fieldpath: metadata.name
-
-patchesJson6902:
+patches:
 - target:
    group: apps
    version: v1
@ -42,3 +20,9 @@ patchesJson6902:
    kind: Job
    name: hydra-migrate
  path: patches/hydra-migrate-job.yaml
+- target:
+    group: batch
+    version: v1
+    kind: CronJob
+    name: hydra-janitor
+  path: patches/hydra-janitor-cronjob.yaml
--- a/components/hydra-cnpg-database/patches/hydra-deployment.yaml
+++ b/components/hydra-cnpg-database/patches/hydra-deployment.yaml
@ -4,7 +4,7 @@
    name: HYDRA_DATABASE_USER
    valueFrom:
      secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
        key: username
 - op: add
  path: "/spec/template/spec/containers/0/env/-"
@ -12,10 +12,18 @@
    name: HYDRA_DATABASE_PASSWORD
    valueFrom:
      secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
        key: password
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_SERVICE_NAME
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-app
+        key: host
 - op: add
  path: "/spec/template/spec/containers/0/env/-"
  value:
    name: DSN
-    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable"
+    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable&max_conns=$(HYDRA_DATABASE_MAX_CONN)&max_idle_conns=$(HYDRA_DATABASE_MAX_IDLE_CONNS)&max_conn_lifetime=$(HYDRA_DATABASE_MAX_CONN_LIFETIME)&max_conn_idle_time=$(HYDRA_DATABASE_MAX_CONN_IDLE_TIME)&connect_timeout=$(HYDRA_DATABASE_CONNECT_TIMEOUT)"
--- a/components/hydra-cnpg-database/patches/hydra-janitor-cronjob.yaml
+++ b/components/hydra-cnpg-database/patches/hydra-janitor-cronjob.yaml
@ -0,0 +1,29 @@
+- op: add
+  path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_USER
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-app
+        key: username
+- op: add
+  path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-app
+        key: password
+- op: add
+  path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_SERVICE_NAME
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-app
+        key: host
+- op: add
+  path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
+  value:
+    name: DSN
+    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable"
--- a/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml
+++ b/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml
@ -4,7 +4,7 @@
    name: HYDRA_DATABASE_USER
    valueFrom:
      secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
        key: username
 - op: add
  path: "/spec/template/spec/containers/0/env/-"
@ -12,10 +12,18 @@
    name: HYDRA_DATABASE_PASSWORD
    valueFrom:
      secretKeyRef:
-        name: hydra-postgres-user
+        name: hydra-postgres-app
        key: password
+- op: add
+  path: "/spec/template/spec/containers/0/env/-"
+  value:
+    name: HYDRA_DATABASE_SERVICE_NAME
+    valueFrom:
+      secretKeyRef:
+        name: hydra-postgres-app
+        key: host
 - op: add
  path: "/spec/template/spec/containers/0/env/-"
  value:
    name: DSN
-    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable"
+    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable"
--- a/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml
+++ b/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml
@ -5,13 +5,9 @@ metadata:
 spec:
  instances: 3
  primaryUpdateStrategy: unsupervised
-  superuserSecret:
-    name: hydra-postgres-admin
  bootstrap:
    initdb:
      database: hydra
      owner: hydra
-      secret:
-        name: hydra-postgres-user
  storage:
-    size: 2Gi
+    size: 2Gi
--- a/components/hydra-ldap/kustomization.yaml
+++ b/components/hydra-ldap/kustomization.yaml
@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ./resources/deployment.yaml
+  - ./resources/service.yaml
+
+configMapGenerator:
+  - name: hydra-ldap-env
+    behavior: create
+    literals:
+      - WERTHER_DEV_MODE=false
+      - WERTHER_LDAP_ROLE_CLAIM="https://hydra/claims/roles"
+      - WERTHER_SKIP_SSL_VERIFICATIONS=false
+      - WERTHER_IDENTP_CLAIM_SCOPES="name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles"
+      - WERTHER_IDENTP_HYDRA_URL="http://hydra:4444"
+      - WERTHER_LDAP_ENDPOINTS="ldap.test.fr:636"
+      - WERTHER_LDAP_IS_TLS=true
+      - WERTHER_LDAP_BASEDN="o=test,c=fr"
+      - WERTHER_LDAP_ROLE_BASEDN="ou=groups,o=test,c=fr"
+      - WERTHER_LDAP_CONNECTION_TIMEOUT="10s"
+
+secretGenerator:
+  - name: hydra-ldap-sc
+    behavior: create
+    literals:
+      - WERTHER_LDAP_BINDDN="cn=reader,o=test,c=fr"
+      - WERTHER_LDAP_BINDPW=ThisMustBeAbsolutelyChanged
--- a/components/hydra-ldap/resources/deployment.yaml
+++ b/components/hydra-ldap/resources/deployment.yaml
@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hydra-ldap
+  labels:
+    app.kubernetes.io/name: hydra-ldap
+    app.kubernetes.io/version: "v1.2.2"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: hydra-ldap
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: hydra-ldap
+        app.kubernetes.io/version: "v1.2.2"
+    spec:
+      containers:
+        - name: werther
+          image: reg.cadoles.com/cadoles/hydra-werther:2025.2.17-stable.1544.8ded23c
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: hydra-ldap-env
+          env:
+            - name: WERTHER_LDAP_BINDDN
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-ldap-sc
+                  key: WERTHER_LDAP_BINDDN
+            - name: WERTHER_LDAP_BINDPW
+              valueFrom:
+                secretKeyRef:
+                  name: hydra-ldap-sc
+                  key: WERTHER_LDAP_BINDPW
+          ports:
+            - containerPort: 8080
+              name: hydra-ldap-http
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 100
--- a/components/hydra-ldap/resources/service.yaml
+++ b/components/hydra-ldap/resources/service.yaml
@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: hydra-ldap
+  name: hydra-ldap
+spec:
+  type: ClusterIP
+  ports:
+    - name: hydra-ldap
+      port: 8080
+      targetPort: hydra-ldap-http
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: hydra-ldap
+status:
+  loadBalancer: {}
--- a/components/hydra-oidc/files/hydra/oidc.yaml
+++ b/components/hydra-oidc/files/hydra/oidc.yaml
@ -1,12 +1,13 @@
 hydra:
  apps:
    - id: oidc
-      title: 
+      title:
        fr: Connexion OIDC
        en: Login OIDC
-      description: 
+      description:
        fr: Authentification avec OpenID Connect
        en: Authentication with OpenID Connect
      login_url: "%env(string:HYDRA_DISPATCHER_OIDC_LOGIN_URL)%"
      consent_url: "%env(string:HYDRA_DISPATCHER_OIDC_CONSENT_URL)%"
-      logout_url: "%env(string:HYDRA_DISPATCHER_OIDC_LOGOUT_URL)%"
+      logout_url: "%env(string:HYDRA_DISPATCHER_OIDC_LOGOUT_URL)%"
+      attributes_rewrite_configuration: []
--- a/components/hydra-oidc/kustomization.yaml
+++ b/components/hydra-oidc/kustomization.yaml
@ -2,36 +2,36 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component

 resources:
-  - ./resources/hydra-oidc-deployment.yaml
-  - ./resources/hydra-oidc-service.yaml
+- ./resources/hydra-oidc-deployment.yaml
+- ./resources/hydra-oidc-service.yaml
+
+generatorOptions:
+  labels:
+    com.cadoles.forge.sso-kustom/session: redis

 configMapGenerator:
-  - name: hydra-oidc-env
-    literals:
-      - APP_ENV=prod
-      - APP_DEBUG=false
-      - HYDRA_ADMIN_BASE_URL=http://hydra-dispatcher
-      - OIC_AUTHORIZE_ENDPOINT=https://oidc-idp/api/v1/authorize
-      - OIDC_TOKEN_ENDPOINT=https://oidc-idp/api/v1/token
-      - OIDC_USERINFO_ENDPOINT=https://oidc-idp/api/v1/userinfo
-      - POST_LOGOUT_REDIRECT_URL=http://oidc-sp/logout
-      - OIDC_LOGOUT_ENDPOINT=https://oidc-idp/api/v1/logout?%s
-      - BASE_URL=http://hydra-oidc
-      - PARAMS_TO_DELETE=[]
-      - PARAMS_TO_INSERT={}
-      - OIDC_SCOPE=openid email
-      - CLIENT_ID_FC=MyClientID
-      - CLIENT_SECRET_FC=MyClientSecret
-      - COOKIE_PATH=/
-      - TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
-  - name: hydra-dispatcher-apps
-    behavior: merge
-    files:
-      - ./files/hydra/oidc.yaml
-
-patchesJson6902:
-  - target:
-      version: v1
-      kind: ConfigMap
-      name: hydra-dispatcher-env
-    path: patches/hydra-dispatcher-env.yaml
+- name: hydra-oidc-env
+  behavior: create
+  literals:
+  - APP_ENV=prod
+  - APP_DEBUG=false
+  - PHP_FPM_MEMORY_LIMIT=256m
+  - NGINX_APP_SERVER_LISTEN=80
+  - HYDRA_ADMIN_BASE_URL=http://hydra-dispatcher
+  - OIC_AUTHORIZE_ENDPOINT=https://oidc-idp/api/v1/authorize
+  - OIDC_TOKEN_ENDPOINT=https://oidc-idp/api/v1/token
+  - OIDC_USERINFO_ENDPOINT=https://oidc-idp/api/v1/userinfo
+  - POST_LOGOUT_REDIRECT_URL=http://oidc-sp/logout
+  - OIDC_LOGOUT_ENDPOINT=https://oidc-idp/api/v1/logout?%s
+  - BASE_URL=http://hydra-oidc
+  - PARAMS_TO_DELETE=[]
+  - PARAMS_TO_INSERT={}
+  - OIDC_SCOPE=openid email
+  - CLIENT_ID_FC=MyClientID
+  - CLIENT_SECRET_FC=MyClientSecret
+  - COOKIE_PATH=/
+  - TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
+  - REDIS_DSN="redis://redis:6379"
+  - HYDRA_DISPATCHER_OIDC_LOGIN_URL="http://hydra-oidc/login"
+  - HYDRA_DISPATCHER_OIDC_CONSENT_URL="http://hydra-oidc/consent"
+  - HYDRA_DISPATCHER_OIDC_LOGOUT_URL="http://hydra-oidc/logout"
--- a/components/hydra-oidc/patches/hydra-dispatcher-env.yaml
+++ b/components/hydra-oidc/patches/hydra-dispatcher-env.yaml
@ -1,9 +0,0 @@
- op: replace
-  path: "/data/HYDRA_DISPATCHER_OIDC_LOGIN_URL"
-  value: http://hydra-oidc/login
- op: replace
-  path: "/data/HYDRA_DISPATCHER_OIDC_CONSENT_URL"
-  value: http://hydra-oidc/consent
- op: replace
-  path: "/data/HYDRA_DISPATCHER_OIDC_LOGOUT_URL"
-  value: http://hydra-oidc/logout
--- a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
+++ b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml
@ -2,28 +2,101 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
-    io.kompose.service: hydra-oidc
+    app.kubernetes.io/name: hydra-oidc
  name: hydra-oidc
 spec:
  replicas: 1
  selector:
    matchLabels:
-      io.kompose.service: hydra-oidc
+      app.kubernetes.io/name: hydra-oidc
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
-        io.kompose.service: hydra-oidc
+        app.kubernetes.io/name: hydra-oidc
    spec:
      containers:
-        - name: hydra-oidc
-          image: reg.cadoles.com/cadoles/hydra-oidc-v1:v0.0.0-170-g485b138
-          envFrom:
-            - configMapRef:
-                name: hydra-oidc-env
-          ports:
-            - containerPort: 80
-          resources: {}
+      - name: hydra-oidc-php-fpm
+        image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6
+        imagePullPolicy: IfNotPresent
+        args: ["/usr/sbin/php-fpm81", "-F", "-e"]
+        readinessProbe:
+          exec:
+            command:
+              - sh
+              - -c
+              - test -f /etc/php81/php-fpm.d/www.conf
+        livenessProbe:
+          exec:
+            command:
+              - php
+              - bin/console
+              - -V
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        env:
+          - name: PHP_FPM_LISTEN
+            value: 127.0.0.1:9000
+          - name: PHP_MEMORY_LIMIT
+            value: 128m
+          - name: PHP_FPM_MEMORY_LIMIT
+            value: 128m
+        envFrom:
+          - configMapRef:
+              name: hydra-oidc-env
+        resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
+
+      - name: hydra-oidc-caddy
+        image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6
+        imagePullPolicy: IfNotPresent
+        args:
+          [
+            "/usr/sbin/caddy",
+            "run",
+            "--adapter",
+            "caddyfile",
+            "--config",
+            "/etc/caddy/Caddyfile",
+          ]
+        readinessProbe:
+          httpGet:
+            path: /healthy
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /healthy
+            port: 8080
+          initialDelaySeconds: 15
+          timeoutSeconds: 5
+          periodSeconds: 15
+        ports:
+          - containerPort: 8080
+            name: http
+        envFrom:
+          - configMapRef:
+              name: hydra-oidc-env
+        env:
+          - name: CADDY_APP_UPSTREAM_BACKEND_SERVER
+            value: 127.0.0.1:9000
+          - name: CADDY_HTTPS_PORT
+            value: "8443"
+          - name: CADDY_HTTP_PORT
+            value: "8080"
+          - name: CADDY_DATA_FS
+            value: "/tmp/caddy"
+          - name: CADDY_APP_ROOT_PUBLIC
+            value: "/app/public/"
+        resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
      restartPolicy: Always
-            
--- a/components/hydra-oidc/resources/hydra-oidc-service.yaml
+++ b/components/hydra-oidc/resources/hydra-oidc-service.yaml
@ -2,13 +2,14 @@ apiVersion: v1
 kind: Service
 metadata:
  labels:
-    io.kompose.service: hydra-oidc
+    app.kubernetes.io/name: hydra-oidc
  name: hydra-oidc
 spec:
  ports:
-    - name: hydra-oidc
-      port: 80
+  - name: http
+    port: 80
+    targetPort: http
  selector:
-    io.kompose.service: hydra-oidc
+    app.kubernetes.io/name: hydra-oidc
 status:
  loadBalancer: {}
--- a/components/hydra-saml/files/hydra/saml.yaml
+++ b/components/hydra-saml/files/hydra/saml.yaml
@ -1,10 +1,10 @@
 hydra:
  apps:
    - id: saml
-      title: 
+      title:
        fr: Connexion SAML
        en: Login SAML
-      description: 
+      description:
        fr: Authentification avec SAML
        en: Authentication with SAML
      login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%"
@ -27,4 +27,4 @@ hydra:
      uid:
        required: false
      eduPersonAffiliation:
-        required: false
+        required: false
--- a/components/hydra-saml/kustomization.yaml
+++ b/components/hydra-saml/kustomization.yaml
@ -37,4 +37,4 @@ patchesJson6902:
      version: v1
      kind: ConfigMap
      name: hydra-dispatcher-env
-    path: patches/hydra-dispatcher-env.yaml
+    path: patches/hydra-dispatcher-env.yaml
--- a/components/hydra-saml/resources/hydra-saml-remote-user.yaml
+++ b/components/hydra-saml/resources/hydra-saml-remote-user.yaml
@ -2,28 +2,30 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
-    io.kompose.service: hydra-saml-remote-user
+    app.kubernetes.io/name: hydra-saml-remote-user
  name: hydra-saml-remote-user
 spec:
  replicas: 1
  selector:
    matchLabels:
-      io.kompose.service: hydra-saml-remote-user
+      app.kubernetes.io/name: hydra-saml-remote-user
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
-        io.kompose.service: hydra-saml-remote-user
+        app.kubernetes.io/name: hydra-saml-remote-user
    spec:
      containers:
        - name: hydra-saml-remote-user
-          image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-233-g64fcacc
+          image: reg.cadoles.com/cadoles/hydra-remote-user-base:2023.12.11-develop.1523.5f14595
          envFrom:
            - configMapRef:
                name: hydra-saml-env
          ports:
-            - containerPort: 80
+            - containerPort: 8080
+          command:
+            - /bin/apache2-foreground
          resources: {}
      restartPolicy: Always
 ---
@ -31,13 +33,14 @@ apiVersion: v1
 kind: Service
 metadata:
  labels:
-    io.kompose.service: hydra-saml-remote-user
+    app.kubernetes.io/name: hydra-saml-remote-user
  name: hydra-saml-remote-user
 spec:
  ports:
    - name: http
      port: 80
+      targetPort: 8080
  selector:
-    io.kompose.service: hydra-saml-remote-user
+    app.kubernetes.io/name: hydra-saml-remote-user
 status:
  loadBalancer: {}
--- a/components/hydra-saml/resources/hydra-saml-shibboleth-sp.yaml
+++ b/components/hydra-saml/resources/hydra-saml-shibboleth-sp.yaml
@ -2,25 +2,25 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
-    io.kompose.service: hydra-saml-shibboleth-sp
+    app.kubernetes.io/name: hydra-saml-shibboleth-sp
  name: hydra-saml-shibboleth-sp
 spec:
  replicas: 1
  selector:
    matchLabels:
-      io.kompose.service: hydra-saml-shibboleth-sp
+      app.kubernetes.io/name: hydra-saml-shibboleth-sp
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
-        io.kompose.service: hydra-saml-shibboleth-sp
+        app.kubernetes.io/name: hydra-saml-shibboleth-sp
    spec:
      securityContext:
        fsGroup: 102
      containers:
        - name: hydra-saml-shibboleth-sp
-          image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-233-g64fcacc
+          image: reg.cadoles.com/cadoles/shibboleth-sp-v3:2023.12.12-develop.1039.49b85e1
          envFrom:
            - configMapRef:
                name: hydra-saml-env
@ -41,14 +41,14 @@ apiVersion: v1
 kind: Service
 metadata:
  labels:
-    io.kompose.service: hydra-saml
+    app.kubernetes.io/name: hydra-saml
  name: hydra-saml
 spec:
  ports:
    - name: http
      port: 80
  selector:
-    io.kompose.service: hydra-saml-shibboleth-sp
+    app.kubernetes.io/name: hydra-saml-shibboleth-sp
 status:
  loadBalancer: {}
-            
+
--- a/components/hydra-sql/files/03_base.ini
+++ b/components/hydra-sql/files/03_base.ini
@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}
--- a/components/hydra-sql/files/sql_login.yaml
+++ b/components/hydra-sql/files/sql_login.yaml
@ -0,0 +1,7 @@
+sql_login:
+  login_column_name: mail
+  password_column_name: password
+  salt_column_name: salt
+  table_name: user
+  data_to_fetch:
+  - mail
--- a/components/hydra-sql/kustomization.yaml
+++ b/components/hydra-sql/kustomization.yaml
@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- ./resources/hydra-sql-service.yaml
+- ./resources/hydra-sql-deployment.yaml
+
+generatorOptions:
+  labels:
+     com.cadoles.forge.sso-kustom/session: redis
+
+configMapGenerator:
+- name: hydra-sql-env
+  behavior: create
+  literals:
+  - ISSUER_URL="http://localhost:8000"
+  - BASE_URL='http://localhost:8080'
+  - HYDRA_ADMIN_BASE_URL='http://hydra:4445/admin'
+  - APP_LOCALES="fr,en"
+  - HASH_ALGO_LEGACY="sha256, bcrypt"
+  - SECURITY_PATTERN="password,salt,pepper"
+  - DSN_REMOTE_DATABASE="pgsql:host='postgres';port=5432;dbname=lasql"
+  - DB_USER="makeMeASecret"
+  - DB_PASSWORD="makeMeASecret"
+  - REDIS_DSN="redis://redis:6379"
+  - PEPPER="MakeMeABigSecret"
+- name: sql-login-config
+  files:
+  - ./files/sql_login.yaml
+- name: hydra-sql-php-ini
+  files:
+  - ./files/03_base.ini
--- a/components/hydra-sql/resources/hydra-sql-deployment.yaml
+++ b/components/hydra-sql/resources/hydra-sql-deployment.yaml
@ -0,0 +1,122 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: hydra-sql
+  name: hydra-sql
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: hydra-sql
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: hydra-sql
+    spec:
+      containers:
+      - name: hydra-sql-fpm
+        image: reg.cadoles.com/cadoles/hydra-sql-base:2025.3.7-develop.1415.7239d84
+        imagePullPolicy: IfNotPresent
+        args: ["/usr/sbin/php-fpm81", "-F", "-e"]
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - test -f /etc/php81/php-fpm.d/www.conf
+        livenessProbe:
+          exec:
+            command:
+            - php
+            - bin/console
+            - -V
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
+        envFrom:
+        - configMapRef:
+            name: hydra-sql-env
+        env:
+        - name: PHP_FPM_LISTEN
+          value: 127.0.0.1:9000
+        - name: PHP_MEMORY_LIMIT
+          value: 128m
+        - name: PHP_FPM_MEMORY_LIMIT
+          value: 128m
+        - name: PHP_FPM_LOG_LEVEL
+          value: warning
+        - name: OPCACHE_VALIDATE_TIMESTAMP
+          value: "0"
+        - name: OPCACHE_REVALIDATE_FREQ
+          value: "0"
+        volumeMounts:
+        - name: sql-login-config
+          mountPath: "/app/config/sql_login_configuration/sql_login.yaml"
+          subPath: "sql_login.yaml"
+        - name: hydra-sql-php-ini
+          mountPath: /etc/php81/conf.d/03_base.ini
+          subPath: 03_base.ini
+
+      - name: hydra-sql-caddy
+        image: reg.cadoles.com/cadoles/hydra-sql-base:2025.3.7-develop.1415.7239d84
+        imagePullPolicy: IfNotPresent
+        args: ["/usr/sbin/caddy", "run", "--adapter", "caddyfile", "--config", "/etc/caddy/Caddyfile"]
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          initialDelaySeconds: 15
+          timeoutSeconds: 5
+          periodSeconds: 15
+        envFrom:
+        - configMapRef:
+            name: hydra-sql-env
+        env:
+        - name: CADDY_APP_UPSTREAM_BACKEND_SERVER
+          value: 127.0.0.1:9000
+        - name: CADDY_HTTPS_PORT
+          value: "8443"
+        - name: CADDY_HTTP_PORT
+          value: "8080"
+        - name: CADDY_DATA_FS
+          value: "/tmp/caddy"
+        - name: CADDY_APP_ROOT_PUBLIC
+          value: "/app/public/"
+        resources: {}
+        securityContext:
+          runAsNonRoot: true
+          runAsGroup: 1000
+          runAsUser: 1000
+        ports:
+        - containerPort: 8080
+          name: http
+        volumeMounts:
+        - name: sql-login-config
+          mountPath: "/app/config/sql_login_configuration/sql_login.yaml"
+          subPath: "sql_login.yaml"
+      volumes:
+      - name: sql-login-config
+        configMap:
+          name: sql-login-config
+      - name: hydra-sql-php-ini
+        configMap:
+          name: hydra-sql-php-ini
+
+      restartPolicy: Always
--- a/components/hydra-sql/resources/hydra-sql-service.yaml
+++ b/components/hydra-sql/resources/hydra-sql-service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: hydra-sql
+  name: hydra-sql
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: http
+  selector:
+    app.kubernetes.io/name: hydra-sql
+status:
+  loadBalancer: {}
--- a/components/oidc-test/kustomization.yaml
+++ b/components/oidc-test/kustomization.yaml
@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ./resources/deployment.yaml
+  - ./resources/service.yaml
+  - ./resources/oauth2-client.yaml
+
+configMapGenerator:
+  - name: oidc-test-env
+    literals:
+      - LOG_LEVEL=0
+      - HTTP_ADDRESS=0.0.0.0:8080
+      - OIDC_CLIENT_ID=oidc-test
+      - OIDC_CLIENT_SECRET=NotSoSecret
+      - OIDC_ISSUER_URL=http://hydra:4444
+      - OIDC_REDIRECT_URL=https://example.net/oauth2/callback
+      - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net
+      - OIDC_SKIP_ISSUER_VERIFICATION="true"
+      - OIDC_SCOPES="openid profile"
+      - OIDC_INSECURE_SKIP_VERIFY="true"
--- a/components/oidc-test/resources/deployment.yaml
+++ b/components/oidc-test/resources/deployment.yaml
@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: oidc-test
+  name: oidc-test
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: oidc-test
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: oidc-test
+    spec:
+      containers:
+        - image: reg.cadoles.com/cadoles/oidc-test:2025.3.11-stable.1428.6545cb3
+          name: oidc-test
+          ports:
+            - containerPort: 8080
+          resources: {}
+          envFrom:
+            - configMapRef:
+                name: oidc-test-env
+          env:
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-test-oauth2-client
+                  key: CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-test-oauth2-client
+                  key: CLIENT_SECRET
+      restartPolicy: Always
--- a/components/oidc-test/resources/oauth2-client.yaml
+++ b/components/oidc-test/resources/oauth2-client.yaml
@ -0,0 +1,18 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: oidc-test-oauth2-client
+spec:
+  clientName: "oidc-test"
+  tokenEndpointAuthMethod: "client_secret_basic"
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  scope: "openid email profile"
+  secretName: oidc-test-oauth2-client
+  redirectUris:
+    - https://example.net/oauth2/callback
+  postLogoutRedirectUris:
+    - https://example.net
--- a/components/oidc-test/resources/service.yaml
+++ b/components/oidc-test/resources/service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: oidc-test
+  name: oidc-test
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    app.kubernetes.io/name: oidc-test
+status:
+  loadBalancer: {}
--- a/components/redis/README.md
+++ b/components/redis/README.md
@ -0,0 +1,19 @@
+# Composant `redis`
+
+### Description
+
+Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis.
+
+Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`.
+
+### Principe général de fonctionnement
+
+Un `Redis` crée une instance Redis dédiée à l'environnement SSO.
+
+### Personnalisation
+
+Un `patch` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` permet de modifier la valeur de la clé `REDIS_DSN`.
+
+| Clé         | Description          | Exemple                  |
+| ----------- | -------------------- | ------------------------ |
+| `REDIS_DSN` | DSN du cluster Redis | `redis://redis-sso:6379` |
--- a/components/redis/configurations/redis-conf.yaml
+++ b/components/redis/configurations/redis-conf.yaml
@ -0,0 +1,5 @@
+nameReference:
+  - kind: ConfigMap
+    fieldSpecs:
+      - kind: Redis
+        path: spec/redisConfig/additionalRedisConfig
--- a/components/redis/files/redis-additional.conf
+++ b/components/redis/files/redis-additional.conf
@ -0,0 +1,3 @@
+maxmemory-policy allkeys-lru
+maxmemory 1536mb
+tcp-keepalive 90
--- a/components/redis/kustomization.yaml
+++ b/components/redis/kustomization.yaml
@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configurations:
+  - ./configurations/redis-conf.yaml
+
+resources:
+  - ./resources/redis-sso.yaml
+
+configMapGenerator:
+- name: redis-sso-extra-conf
+  files:
+    - ./files/redis-additional.conf
+
+patches:
+  - path: ./patches/hydra-apps.yaml
+    target:
+      kind: ConfigMap
+      labelSelector: "com.cadoles.forge.sso-kustom/session=redis"
--- a/components/redis/patches/hydra-apps.yaml
+++ b/components/redis/patches/hydra-apps.yaml
@ -0,0 +1,3 @@
+- op: replace
+  path: "/data/REDIS_DSN"
+  value: "redis://redis-sso:6379"
--- a/components/redis/resources/redis-sso.yaml
+++ b/components/redis/resources/redis-sso.yaml
@ -0,0 +1,27 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta1
+kind: Redis
+metadata:
+  name: redis-sso
+spec:
+  kubernetesConfig:
+    image: reg.cadoles.com/quay/opstree/redis:v7.0.15
+    imagePullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 500m
+        memory: 1024Mi
+      limits:
+        cpu: 2000m
+        memory: 2048Mi
+  redisConfig:
+    additionalRedisConfig: redis-sso-extra-conf
+  storage:
+    volumeClaimTemplate:
+      spec:
+        # storageClassName: standard
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+  securityContext:
+    runAsUser: 1000
--- a/doc/README.md
+++ b/doc/README.md
@ -1 +0,0 @@
-# Documentation
--- a/examples/authenticated-app/README.md
+++ b/examples/authenticated-app/README.md
@ -1,6 +1,6 @@
 # Exemple: Déploiement d'une application authentifiée avec la stack SSO

-L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
+L'exemple est actuellement déployé avec le composant `hydra-ldap` uniquement.

 ## Procédure

@ -8,37 +8,40 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.

 1. Créer un cluster avec `kind`

-    ```
-    kind create cluster --config ./examples/k8s/kind/cluster-config.yaml
-    ```
+   ```
+   kind create cluster --config ./examples/k8s/kind/cluster-config.yaml
+   ```

 2. Déployer les opérateurs nécessaires au déploiement

-    ```
-    kubectl kustomize --enable-helm ./examples/k8s/kind/cluster | kubectl apply -f -
-    ```
-
-3. Déployer l'application
-
-    ```
-    kubectl apply -k ./examples/authenticated-app
-    ```
-
-   **Note** Il est possible d'avoir l'erreur suivante:
-
   ```
-   error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1"
+   kubectl apply  -k ./examples/k8s/kind/cluster --server-side
   ```

-   Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande.
+   > Si une erreur du type `ensure CRDs are installed first` s'affiche, relancer la commande.

-4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
+3. Attendre que l'opérateur Redis soit opérationnel puis patcher le `ClusterRole` de celui ci (cf. https://github.com/OT-CONTAINER-KIT/redis-operator/issues/526):

-    ```
-    127.0.0.1 ssokustom
-    ```
+   ```bash
+   kubectl wait -n operators --timeout 10m --for=jsonpath=".status.state"=AtLatestKnown subscription my-redis-operator
+   # On attend quelques secondes supplémentaires pour s'assurer que l'opérateur a réellement démarré
+   sleep 30
+   kubectl patch clusterroles.rbac.authorization.k8s.io $(kubectl get clusterrole | awk '/redis-operator/ {print $1}') --patch-file examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml
+   ```

-5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
+4. Déployer l'application
+
+   ```
+   kubectl apply -k ./examples/authenticated-app
+   ```
+
+5. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
+
+   ```
+   127.0.0.1 ssokustom
+   ```
+
+6. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom

 #### Supprimer le cluster

@ -48,14 +51,15 @@ kind delete cluster -n sso-kustom-example

 ## Authentification

-### SAML
+### LDAP

- Utilisateur: `user1`
- Mot de passe `user1pass`
+#### Comptes par défaut

-#### URL utiles
+1. `jdoe` / `jdoe`
+2. `jdoe2` / `jdoe`
+3. `siret1` / `siret`
+4. `siret2` / `siret`

-|URL|Description|
-|---|-----------|
-|https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth|
-|https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth|
+#### Gestion des comptes
+
+Les comptes LDAP sont définis dans le fichier [`./files/glauth.conf`](./files/glauth.conf)
--- a/examples/authenticated-app/files/glauth.conf
+++ b/examples/authenticated-app/files/glauth.conf
@ -0,0 +1,83 @@
+debug = true
+
+[ldap]
+  enabled = true
+  listen = "0.0.0.0:3893"
+  tls = false
+
+[ldaps]
+  enabled = false
+
+[behaviors]
+  IgnoreCapabilities = true
+
+[backend]
+  datastore = "config"
+  baseDN = "dc=glauth,dc=com"
+
+[[users]]
+  uid = "serviceuser"
+  name = "serviceuser"
+  mail = "serviceuser@example.com"
+  uidnumber = 5001
+  primarygroup = 5502
+  # use echo -n "mysecret" | openssl dgst -sha256
+  passsha256 = "652c7dc687d98c9889304ed2e408c74b611e86a40caa51c4b43f1dd5913c5cd0" # mysecret
+    [[users.capabilities]]
+    action = "search"
+    object = "*"
+
+[[users]]
+  uid = "jdoe"
+  name = "jdoe"
+  uidnumber = 5002
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe"
+  mail = "jdoe@example.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+    [[users.customattributes]]
+    employeetype = ["Intern", "Temp"]
+    employeenumber = [12345, 54321]
+
+[[users]]
+  uid = "jdoe2"
+  name = "jdoe2"
+  uidnumber = 5003
+  primarygroup = 5501
+  givenname = "John"
+  sn = "Doe2"
+  mail = "jdoe2@jdoe2.com"
+  passsha256 = "d30a5f57532a603697ccbb51558fa02ccadd74a0c499fcf9d45b33863ee1582f" # jdoe
+
+[[users]]
+  uid = "siret1"
+  name = "siret1"
+  uidnumber = 5004
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret1@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0001"]
+
+[[users]]
+  uid = "siret2"
+  name = "siret2"
+  uidnumber = 5005
+  primarygroup = 5501
+  givenname = "Siret"
+  sn = "Siret"
+  mail = "siret2@siret.com"
+  passsha256 = "7926ef18c7ae8eb23d4d325aa6bd81cc9ae99b429e9299a18dbd2c4729486ebc" # siret
+    [[users.customattributes]]
+    siret = ["0002"]
+
+[[groups]]
+  name = "users"
+  gidnumber = 5501
+
+[[groups]]
+  name = "svcaccts"
+  gidnumber = 5502
--- a/examples/authenticated-app/files/hydra-dispatcher-apps.yaml
+++ b/examples/authenticated-app/files/hydra-dispatcher-apps.yaml
@ -0,0 +1,42 @@
+hydra:
+  apps:
+    - id: ldap
+      title:
+        fr: Connexion LDAP
+        en: Login LDAP
+      description:
+        fr: Authentification avec LDAP
+        en: Authentication with LDAP
+      login_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGIN_URL)%"
+      consent_url: "%env(string:HYDRA_DISPATCHER_LDAP_CONSENT_URL)%"
+      logout_url: "%env(string:HYDRA_DISPATCHER_LDAP_LOGOUT_URL)%"
+      attributes_rewrite_configuration:
+        siret:
+          rules:
+            - "property_exists(consent.session.id_token, 'siret') ?  consent.session.id_token.siret : null"
+            - "value ?: ( consent.session.id_token.email matches '/.*@example.com$/' ? '0000' : null )"
+            - "value ?: ( consent.session.id_token.email matches '/.*@jdoe.com$/' ? '0001' : null )"
+        family_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'family_name') ? consent.session.id_token.family_name : null"
+        given_name:
+          rules:
+            - "property_exists(consent.session.id_token, 'given_name') ? consent.session.id_token.given_name : null"
+        email:
+          rules:
+            - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+  firewall:
+    additional_properties: true
+    rules:
+      siret:
+        required: false
+      email:
+        required: false
+      given_name:
+        required: false
+      family_name:
+        required: false
+  webhook:
+    enabled: false
+  webhook_post_login:
+    enabled: false
--- a/examples/authenticated-app/kustomization.yaml
+++ b/examples/authenticated-app/kustomization.yaml
@ -2,19 +2,19 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
-  - ../../resources/hydra
-  - ../../resources/hydra-dispatcher
-  - ./resources/app.yaml
+  - ../../overlays/base
+
  - ./resources/ingress.yaml
-  - ./resources/oauth2-client.yaml
-  - ./resources/saml-idp.yaml
+  - ./resources/glauth-ldap.yaml
  - ./resources/self-signed-issuer.yaml
  - ./resources/port-forwarder.yaml

 components:
  - ../../components/hydra-cnpg-database
-  #- ../../components/hydra-oidc
-  - ../../components/hydra-saml
+  - ../../components/hydra-ldap
+  - ../../components/oidc-test
+  - ../../components/redis
+  - ../../components/hydra-cleaner

 patchesJson6902:
  - target:
@ -30,10 +30,44 @@ patchesJson6902:
  - target:
      version: v1
      kind: ConfigMap
-      name: hydra-saml-env
-    path: patches/hydra-saml-env.yaml
+      name: hydra-ldap-env
+    path: patches/hydra-ldap-env.yaml
+  - target:
+      version: v1
+      kind: Secret
+      name: hydra-ldap-sc
+    path: patches/hydra-ldap-sc.yaml
  - target:
      version: v1
      kind: Secret
      name: hydra-secret
-    path: patches/hydra-secret.yaml
+    path: patches/hydra-secret.yaml
+  - target:
+      version: v1
+      kind: ConfigMap
+      name: oidc-test-env
+    path: patches/oidc-test.yaml
+  - target:
+      version: v1alpha1
+      kind: OAuth2Client
+      name: oidc-test-oauth2-client
+    path: patches/oidc-test-oauth2-client.yaml
+  - target:
+      version: v1
+      kind: ConfigMap
+      name: hydra-cleaner-env
+    path: patches/hydra-cleaner-env.yaml
+  - target:
+      version: v1
+      kind: CronJob
+      name: hydra-cleaner
+    path: patches/hydra-cleaner.yaml
+
+configMapGenerator:
+  - name: hydra-dispatcher-apps
+    behavior: replace
+    files:
+      - ./files/hydra-dispatcher-apps.yaml
+  - name: glauth-ldap-conf
+    files:
+      - ./files/glauth.conf
--- a/examples/authenticated-app/patches/hydra-cleaner-env.yaml
+++ b/examples/authenticated-app/patches/hydra-cleaner-env.yaml
@ -0,0 +1,9 @@
+- op: replace
+  path: "/data/RETENTION_HOURS"
+  value: "1" # 1 HOUR
+- op: replace
+  path: "/data/BATCH_SIZE"
+  value: "100"
+- op: replace
+  path: "/data/LIMIT"
+  value: "1000"
--- a/examples/authenticated-app/patches/hydra-cleaner.yaml
+++ b/examples/authenticated-app/patches/hydra-cleaner.yaml
@ -0,0 +1,3 @@
+- op: replace
+  path: "/spec/schedule"
+  value: "* * * * *"
--- a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml
+++ b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml
@ -1,3 +1,9 @@
+- op: replace
+  path: "/data/APP_ENV"
+  value: dev
+- op: replace
+  path: "/data/APP_DEBUG"
+  value: "true"
 - op: replace
  path: "/data/HYDRA_BASE_URL"
  value: http://hydra:4444
@ -17,14 +23,13 @@
  path: "/data/COOKIE_PATH"
  value: /auth/dispatcher

-# Hydra SAML configuration
+# Hydra LDAP configuration
 - op: replace
-  path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL"
-  value: https://ssokustom/auth/saml/login
+  path: "/data/HYDRA_DISPATCHER_LDAP_LOGIN_URL"
+  value: https://ssokustom/auth/ldap/auth/login
 - op: replace
-  path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL"
-  value: https://ssokustom/auth/saml/consent
+  path: "/data/HYDRA_DISPATCHER_LDAP_CONSENT_URL"
+  value: https://ssokustom/auth/ldap/auth/consent
 - op: replace
-  path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL"
-  value: https://ssokustom/auth/saml/logout
-  
+  path: "/data/HYDRA_DISPATCHER_LDAP_LOGOUT_URL"
+  value: https://ssokustom/auth/ldap/auth/logout
--- a/examples/authenticated-app/patches/hydra-env.yaml
+++ b/examples/authenticated-app/patches/hydra-env.yaml
@ -12,4 +12,13 @@
  value: https://ssokustom/auth/dispatcher/consent
 - op: replace
  path: "/data/HYDRA_SERVE_ALL_ARGS"
-  value: "--dev"
+  value: "--dev"
+- op: replace
+  path: "/data/SERVE_COOKIES_SAME_SITE_MODE"
+  value: "Lax"
+- op: replace
+  path: "/data/SERVE_COOKIES_SAME_SITE_LEGACY_WORKAROUND"
+  value: "true"
+- op: replace
+  path: "/data/SERVE_COOKIES_DOMAIN"
+  value: "ssokustom"
--- a/examples/authenticated-app/patches/hydra-ldap-env.yaml
+++ b/examples/authenticated-app/patches/hydra-ldap-env.yaml
@ -0,0 +1,55 @@
+- op: replace
+  path: "/data/WERTHER_DEV_MODE"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_WEB_BASE_PATH"
+  value: "/auth/ldap/"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_HYDRA_URL"
+  value: "http://hydra-dispatcher"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ENDPOINTS"
+  value: "glauth-ldap:389"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BASEDN"
+  value: "dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ROLE_BASEDN"
+  value: "ou=groups,dc=glauth,dc=com"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_CLAIM_SCOPES"
+  value: "uid:profile,name:profile,family_name:profile,given_name:profile,email:profile,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_INSECURE_SKIP_VERIFY"
+  value: "true"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_IS_TLS"
+  value: "false"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_ATTR_CLAIMS"
+  value: "name:name,sn:family_name,givenName:given_name,mail:email,siret:siret"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_CONNECTION_TIMEOUT"
+  value: "30s"
+
+- op: replace
+  path: "/data/WERTHER_LDAP_USER_SEARCH_QUERY"
+  value: "(&(objectClass=*)(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_ACR"
+  value: "eidas1"
+
+- op: replace
+  path: "/data/WERTHER_IDENTP_AMR"
+  value: "pwd"
--- a/examples/authenticated-app/patches/hydra-ldap-sc.yaml
+++ b/examples/authenticated-app/patches/hydra-ldap-sc.yaml
@ -0,0 +1,7 @@
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDDN"
+  value: "Y249c2VydmljZXVzZXIsb3U9c3ZjYWNjdHMsb3U9dXNlcnMsZGM9Z2xhdXRoLGRjPWNvbQ==" # cn=serviceuser,ou=svcaccts,ou=users,dc=glauth,dc=com
+
+- op: replace
+  path: "/data/WERTHER_LDAP_BINDPW"
+  value: "bXlzZWNyZXQ=" # mysecret
--- a/examples/authenticated-app/patches/hydra-saml-env.yaml
+++ b/examples/authenticated-app/patches/hydra-saml-env.yaml
@ -1,43 +0,0 @@
- op: replace
-  path: "/data/HTTP_BASE_URL"
-  value: https://ssokustom/auth/saml
- op: replace
-  path: "/data/COOKIE_PATH"
-  value: /auth/saml
- op: replace
-  path: "/data/HYDRA_ADMIN_BASE_URL"
-  value: http://hydra-dispatcher
- op: replace
-  path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
-  value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s
- op: replace
-  path: "/data/PATH_PREFIX"
-  value: "/auth/saml"
-
- op: replace
-  path: "/data/SP_ENTITY_ID"
-  value: https://ssokustom/auth/saml
- op: replace
-  path: "/data/IDP_ENTITY_ID"
-  value: https://ssokustom/simplesaml/saml2/idp/metadata.php
- op: replace
-  path: "/data/IDP_METADATA_URL"
-  value: https://ssokustom/simplesaml/saml2/idp/metadata.php
- op: replace
-  path: "/data/APACHE_FORCE_HTTPS"
-  value: "true"
- op: replace
-  path: "/data/SP_HANDLER_BASE_PATH"
-  value: "/auth/saml"
- op: replace
-  path: "/data/SP_LOG_LEVEL"
-  value: DEBUG
- op: replace
-  path: "/data/SP_SESSIONS_REDIRECT_LIMIT"
-  value: none
- op: replace
-  path: "/data/SP_SESSIONS_REDIRECT_ALLOW"
-  value: https://ssokustom
- op: replace
-  path: "/data/SP_SESSIONS_COOKIE_PROPS"
-  value: https
--- a/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml
+++ b/examples/authenticated-app/patches/oidc-test-oauth2-client.yaml
@ -0,0 +1,9 @@
+- op: replace
+  path: "/spec/redirectUris/0"
+  value: https://ssokustom/oauth2/callback
+- op: replace
+  path: "/spec/postLogoutRedirectUris/0"
+  value: https://ssokustom
+- op: replace
+  path: "/spec/scope"
+  value: "openid profile roles siret"
--- a/examples/authenticated-app/patches/oidc-test.yaml
+++ b/examples/authenticated-app/patches/oidc-test.yaml
@ -0,0 +1,9 @@
+- op: replace
+  path: "/data/OIDC_REDIRECT_URL"
+  value: https://ssokustom/oauth2/callback
+- op: replace
+  path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL"
+  value: https://ssokustom
+- op: replace
+  path: "/data/OIDC_SCOPES"
+  value: "openid profile roles siret"
--- a/examples/authenticated-app/resources/app.yaml
+++ b/examples/authenticated-app/resources/app.yaml
@ -1,66 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    io.kompose.service: app
-  name: app
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      io.kompose.service: app
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        io.kompose.service: app
-    spec:
-      containers:
-        - image: reg.cadoles.com/cadoles/oidc-test:2023.11.6-stable.1557.e16b905
-          name: app
-          ports:
-            - containerPort: 8080
-          resources: {}
-          env:
-            - name: LOG_LEVEL
-              value: "0"
-            - name: HTTP_ADDRESS
-              value: 0.0.0.0:8080
-            - name: OIDC_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: app-oidc-secret
-                  key: client_id
-            - name: OIDC_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: app-oidc-secret
-                  key: client_secret
-            - name: OIDC_ISSUER_URL
-              value: http://hydra:4444
-            - name: OIDC_REDIRECT_URL
-              value: https://ssokustom/oauth2/callback
-            - name: OIDC_POST_LOGOUT_REDIRECT_URL
-              value: https://ssokustom
-            - name: OIDC_SKIP_ISSUER_VERIFICATION
-              value: "true"
-            - name: OIDC_INSECURE_SKIP_VERIFY
-              value: "true"
-      restartPolicy: Always
---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    io.kompose.service: app
-  name: app
-spec:
-  ports:
-    - name: http
-      port: 8080
-      targetPort: 8080
-  selector:
-    io.kompose.service: app
-status:
-  loadBalancer: {}
--- a/examples/authenticated-app/resources/glauth-ldap.yaml
+++ b/examples/authenticated-app/resources/glauth-ldap.yaml
@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: glauth-ldap
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: glauth-ldap
+    spec:
+      containers:
+        - image: glauth/glauth:v2.3.2
+          name: glauth-ldap
+          ports:
+            - containerPort: 3893
+              name: ldap
+            - containerPort: 3894
+              name: ldaps
+          resources: {}
+          volumeMounts:
+            - name: glauth-ldap-conf
+              mountPath: /app/config/config.cfg
+              subPath: glauth.conf
+      restartPolicy: Always
+      volumes:
+        - name: glauth-ldap-conf
+          configMap:
+            name: glauth-ldap-conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: glauth-ldap
+  name: glauth-ldap
+spec:
+  ports:
+    - name: ldap
+      port: 389
+      targetPort: ldap
+    - name: ldaps
+      port: 636
+      targetPort: ldaps
+  selector:
+    app.kubernetes.io/name: glauth-ldap
+status:
+  loadBalancer: {}
--- a/examples/authenticated-app/resources/ingress.yaml
+++ b/examples/authenticated-app/resources/ingress.yaml
@ -10,43 +10,47 @@ metadata:
 spec:
  ingressClassName: nginx
  tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
+    - hosts:
+        - ssokustom
+      secretName: ssokustom-example-tls
  rules:
-  - http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: app
-            port:
-              name: http
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: oidc-test
+                port:
+                  name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: auth-saml
+  name: auth-ldap
  annotations:
    cert-manager.io/issuer: "self-signed"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/ldap
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Forwarded-Proto https;
 spec:
  ingressClassName: nginx
  tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
+    - hosts:
+        - ssokustom
+      secretName: ssokustom-example-tls
  rules:
-  - http:
-      paths:
-      - path: /auth/saml(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: hydra-saml
-            port:
-              name: http
+    - http:
+        paths:
+          - path: /auth/ldap(/|$)(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: hydra-ldap
+                port:
+                  name: hydra-ldap
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@ -57,22 +61,24 @@ metadata:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Forwarded-Proto https;
 spec:
  ingressClassName: nginx
  tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
+    - hosts:
+        - ssokustom
+      secretName: ssokustom-example-tls
  rules:
-  - http:
-      paths:      
-      - path: /auth/dispatcher(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: hydra-dispatcher
-            port:
-              name: http
+    - http:
+        paths:
+          - path: /auth/dispatcher(/|$)(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: hydra-dispatcher
+                port:
+                  name: http
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@ -82,50 +88,22 @@ metadata:
    cert-manager.io/issuer: "self-signed"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header X-Forwarded-Proto https;
 spec:
  ingressClassName: nginx
  tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
+    - hosts:
+        - ssokustom
+      secretName: ssokustom-example-tls
  rules:
-  - http:
-      paths:      
-      - path: /auth(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: hydra
-            port:
-              name: hydra-public
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: saml-idp
-  annotations:
-    cert-manager.io/issuer: "self-signed"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2
-    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-spec:
-  ingressClassName: nginx
-  tls:
-  - hosts:
-    - ssokustom
-    secretName: ssokustom-example-tls
-  rules:
-  - http:
-      paths:     
-      - path: /simplesaml(/|$)(.*)
-        pathType: Prefix
-        backend:
-          service:
-            name: saml-idp
-            port:
-              name: https
-
-     
-
-      
-          
+    - http:
+        paths:
+          - path: /auth(/|$)(.*)
+            pathType: Prefix
+            backend:
+              service:
+                name: hydra
+                port:
+                  name: hydra-public
--- a/examples/authenticated-app/resources/oauth2-client.yaml
+++ b/examples/authenticated-app/resources/oauth2-client.yaml
@ -1,18 +0,0 @@
-apiVersion: hydra.ory.sh/v1alpha1
-kind: OAuth2Client
-metadata:
-  name: app-oauth2-client
-spec:
-  clientName: "app"
-  tokenEndpointAuthMethod: "client_secret_basic"
-  grantTypes:
-  - authorization_code
-  - refresh_token
-  responseTypes:
-  - code
-  scope: "openid email"
-  secretName: app-oidc-secret
-  redirectUris:
-  - https://ssokustom/oauth2/callback
-  postLogoutRedirectUris:
-  - https://ssokustom
--- a/examples/authenticated-app/resources/port-forwarder.yaml
+++ b/examples/authenticated-app/resources/port-forwarder.yaml
@ -2,19 +2,19 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
-    io.kompose.service: port-forwarder
+    app.kubernetes.io/name: port-forwarder
  name: port-forwarder
 spec:
  replicas: 1
  selector:
    matchLabels:
-      io.kompose.service: port-forwarder
+      app.kubernetes.io/name: port-forwarder
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
-        io.kompose.service: port-forwarder
+        app.kubernetes.io/name: port-forwarder
    spec:
      containers:
        - image: hpello/tcp-proxy:latest
@ -42,7 +42,7 @@ apiVersion: v1
 metadata:
  name: ssokustom
  labels:
-    io.kompose.service: port-forwarder
+    app.kubernetes.io/name: port-forwarder
 spec:
  ports:
  - name: https
@ -52,4 +52,4 @@ spec:
    port: 80
    targetPort: 80
  selector:
-    io.kompose.service: port-forwarder
+    app.kubernetes.io/name: port-forwarder
--- a/examples/authenticated-app/resources/saml-idp.yaml
+++ b/examples/authenticated-app/resources/saml-idp.yaml
@ -1,51 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    io.kompose.service: saml-idp
-  name: saml-idp
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      io.kompose.service: saml-idp
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        io.kompose.service: saml-idp
-    spec:
-      containers:
-        - image: kristophjunge/test-saml-idp:1.15
-          name: saml-idp
-          ports:
-            - containerPort: 8443
-          resources: {}
-          env:
-            - name: SIMPLESAMLPHP_SP_ENTITY_ID
-              value: https://ssokustom/auth/saml
-            - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE
-              value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST
-            - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE
-              value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom
-      restartPolicy: Always
---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    io.kompose.service: saml-idp
-  name: saml-idp
-spec:
-  ports:
-    - name: http
-      port: 8080
-      targetPort: 8080
-    - name: https
-      port: 8443
-      targetPort: 8443
-  selector:
-    io.kompose.service: saml-idp
-status:
-  loadBalancer: {}
--- a/examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml
+++ b/examples/k8s/kind/cluster/fix/redis-operator-clusterrole.yaml
@ -0,0 +1,92 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+rules:
+  - apiGroups:
+      - redis.redis.opstreelabs.in
+    resources:
+      - rediss
+      - redisclusters
+      - redis
+      - rediscluster
+      - redisreplication
+      - redisreplications
+      - redissentinel
+      - redissentinels
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - redis.redis.opstreelabs.in
+    resources:
+      - redis/finalizers
+      - rediscluster/finalizers
+    verbs:
+      - update
+  - apiGroups:
+      - redis.redis.opstreelabs.in
+    resources:
+      - redis/status
+      - rediscluster/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - pods/exec
+      - services
+      - configmaps
+      - pods
+      - persistentvolumes
+      - persistentvolumeclaims
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
--- a/examples/k8s/kind/cluster/kustomization.yaml
+++ b/examples/k8s/kind/cluster/kustomization.yaml
@ -1,14 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml
- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+  - https://forge.cadoles.com/CadolesKube/c-kustom//crds?ref=develop
+  - https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml
+  - ./resources/olm
+  - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
+  - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml

-patchesJson6902:
-  - target:
-      version: v1
+patches:
+  - path: patches/nginx-controller.yaml
+    target:
      kind: ConfigMap
      name: ingress-nginx-controller
      namespace: ingress-nginx
-    path: patches/nginx-controller.yaml
--- a/examples/k8s/kind/cluster/patches/nginx-controller.yaml
+++ b/examples/k8s/kind/cluster/patches/nginx-controller.yaml
@ -1,6 +1,9 @@
- op: replace
-  path: "/data/allow-snippet-annotations"
-  value: "true"
- op: replace
-  path: "/data/use-forwarded-headers"
-  value: "true"
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: ingress-nginx-controller
+data:
+  allow-snippet-annotations: "true"
+  use-forwarded-headers: "true"
+  strict-validate-path-type: "false"
+  annotations-risk-level: "Critical"
--- a/examples/k8s/kind/cluster/resources/olm/kustomization.yaml
+++ b/examples/k8s/kind/cluster/resources/olm/kustomization.yaml
@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.31.0/olm.yaml
+  - https://forge.cadoles.com/CadolesKube/c-kustom/raw/branch/develop/base/olm/resources/mandatory-operators/resources/redis-operator.yaml
--- a/kustomization.yaml
+++ b/kustomization.yaml
@ -2,10 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
- ./resources/hydra
- ./resources/hydra-dispatcher
-
-components:
- ./components/hydra-cnpg-database
- ./components/hydra-oidc
- ./components/hydra-saml
+- ./overlays/base
--- a/overlays/base/kustomization.yaml
+++ b/overlays/base/kustomization.yaml
@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../resources/hydra
+- ../../resources/hydra-dispatcher
+
+labels:
+  - pairs:
+      app.kubernetes.io/part-of: sso-kustom
+      app.kubernetes.io/component: auth
--- a/overlays/full/kustomization.yaml
+++ b/overlays/full/kustomization.yaml
@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../base
+
+labels:
+  - pairs:
+      app.kubernetes.io/part-of: sso-kustom
+      app.kubernetes.io/component: auth
+
+components:
+- ../../components/hydra-cnpg-database
+- ../../components/hydra-oidc
+- ../../components/hydra-saml
+- ../../components/hydra-sql
+- ../../components/oidc-test
+- ../../components/redis
--- a/resources/hydra-dispatcher/files/03_base.ini
+++ b/resources/hydra-dispatcher/files/03_base.ini
@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}
--- a/resources/hydra-dispatcher/files/hydra/default.yaml
+++ b/resources/hydra-dispatcher/files/hydra/default.yaml
@ -14,4 +14,6 @@ hydra:
    api_method: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_METHOD)%"
  firewall:
    additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%"
-    rules: {}
+    rules: {}
+  webhook_post_login:
+    enabled: false
--- a/resources/hydra-dispatcher/kustomization.yaml
+++ b/resources/hydra-dispatcher/kustomization.yaml
@ -5,11 +5,17 @@ resources:
 - ./resources/hydra-dispatcher-deployment.yaml
 - ./resources/hydra-dispatcher-service.yaml

+generatorOptions:
+  labels:
+     com.cadoles.forge.sso-kustom/session: redis
+
 configMapGenerator:
 - name: hydra-dispatcher-env
  literals:
  - APP_ENV=prod
  - APP_DEBUG=false
+  - PHP_FPM_MEMORY_LIMIT=256m
+  - NGINX_APP_SERVER_LISTEN=80
  - HYDRA_BASE_URL=http://hydra:4444
  - HYDRA_ADMIN_BASE_URL=http://hydra:4445
  - HYDRA_REWRITE_ISSUER=yes
@ -19,6 +25,10 @@ configMapGenerator:
  - COOKIE_PATH=/
  - DEFAULT_LOCALE=fr
  - APP_LOCALES=fr,en
+  - REDIS_DSN="redis://redis:6379"
 - name: hydra-dispatcher-apps
  files:
-  - ./files/hydra/default.yaml
+  - apps.yaml=./files/hydra/default.yaml
+- name: hydra-dispatcher-php-ini
+  files:
+  - ./files/03_base.ini
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
@ -2,35 +2,117 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
-    io.kompose.service: hydra-dispatcher
+    app.kubernetes.io/name: hydra-dispatcher
+    com.cadoles.forge.sso-kustom/session: redis
  name: hydra-dispatcher
 spec:
  replicas: 1
  selector:
    matchLabels:
-      io.kompose.service: hydra-dispatcher
+      app.kubernetes.io/name: hydra-dispatcher
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
-        io.kompose.service: hydra-dispatcher
+        app.kubernetes.io/name: hydra-dispatcher
    spec:
      containers:
-      - name: hydra-dispatcher
-        image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-238-g7236416
-        envFrom:
-        - configMapRef:
-            name: hydra-dispatcher-env
-        volumeMounts:
-        - mountPath: /var/www/config/hydra
-          name: hydra-dispatcher-apps
-        ports:
-        - containerPort: 80
-        resources: {}
+        - name: hydra-dispatcher-php-fpm
+          image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
+          args: ["/usr/sbin/php-fpm81", "-F", "-e"]
+          readinessProbe:
+            exec:
+              command:
+                - sh
+                - -c
+                - test -f /etc/php81/php-fpm.d/www.conf
+          livenessProbe:
+            exec:
+              command:
+                - php
+                - bin/console
+                - -V
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          env:
+            - name: PHP_FPM_LISTEN
+              value: 127.0.0.1:9000
+            - name: PHP_MEMORY_LIMIT
+              value: 128m
+            - name: PHP_FPM_MEMORY_LIMIT
+              value: 128m
+            - name: OPCACHE_VALIDATE_TIMESTAMP
+              value: "0"
+            - name: OPCACHE_REVALIDATE_FREQ
+              value: "0"
+          envFrom:
+            - configMapRef:
+                name: hydra-dispatcher-env
+          volumeMounts:
+            - mountPath: /app/config/hydra
+              name: hydra-dispatcher-apps
+            - name: hydra-dispatcher-php-ini
+              mountPath: /etc/php81/conf.d/03_base.ini
+              subPath: 03_base.ini
+          resources: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsGroup: 1000
+            runAsUser: 1000
+        - name: hydra-dispatcher-caddy
+          image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
+          imagePullPolicy: IfNotPresent
+          args:
+            [
+              "/usr/sbin/caddy",
+              "run",
+              "--adapter",
+              "caddyfile",
+              "--config",
+              "/etc/caddy/Caddyfile",
+            ]
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 5
+            timeoutSeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+            initialDelaySeconds: 15
+            timeoutSeconds: 5
+            periodSeconds: 15
+          envFrom:
+            - configMapRef:
+                name: hydra-dispatcher-env
+          env:
+            - name: CADDY_APP_UPSTREAM_BACKEND_SERVER
+              value: 127.0.0.1:9000
+            - name: CADDY_HTTPS_PORT
+              value: "8443"
+            - name: CADDY_HTTP_PORT
+              value: "8080"
+            - name: CADDY_DATA_FS
+              value: "/tmp/caddy"
+            - name: CADDY_APP_ROOT_PUBLIC
+              value: "/app/public/"
+          ports:
+            - containerPort: 8080
+              name: http
+          resources: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsGroup: 1000
+            runAsUser: 1000
      restartPolicy: Always
      volumes:
-      - name: hydra-dispatcher-apps
-        configMap:
-          name: hydra-dispatcher-apps
-
+        - name: hydra-dispatcher-apps
+          configMap:
+            name: hydra-dispatcher-apps
+        - name: hydra-dispatcher-php-ini
+          configMap:
+            name: hydra-dispatcher-php-ini
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
@ -2,13 +2,14 @@ apiVersion: v1
 kind: Service
 metadata:
  labels:
-    io.kompose.service: hydra-dispatcher
+    app.kubernetes.io/name: hydra-dispatcher
  name: hydra-dispatcher
 spec:
  ports:
-    - name: http
-      port: 80
+  - name: http
+    port: 80
+    targetPort: http
  selector:
-    io.kompose.service: hydra-dispatcher
+    app.kubernetes.io/name: hydra-dispatcher
 status:
  loadBalancer: {}
--- a/resources/hydra/kustomization.yaml
+++ b/resources/hydra/kustomization.yaml
@ -1,6 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

+images:
+  - name: reg.cadoles.com/proxy_cache/oryd/hydra
+    newTag: v2.1.2
+  - name: reg.cadoles.com/proxy_cache/oryd/hydra-maester
+    newTag: v0.0.32-amd64
+
 resources:
  - ./resources/hydra-deployment.yaml
  - ./resources/hydra-service.yaml
@ -9,6 +15,7 @@ resources:
  - ./resources/hydra-serviceaccount.yaml
  - ./resources/hydra-migrate-job.yaml
  - ./resources/hydra-maester
+  - ./resources/hydra-janitor-cronjob.yaml

 secretGenerator:
  - name: hydra-secret
@ -23,13 +30,22 @@ configMapGenerator:
      - URLS_CONSENT=http://hydra-consent-app/consent
      - URLS_LOGOUT=http://hydra-logout-app/logout
      - HYDRA_SERVE_ALL_ARGS=--dev
+      - HYDRA_DATABASE_MAX_CONN="10"
+      - HYDRA_DATABASE_MAX_IDLE_CONNS="5"
+      - HYDRA_DATABASE_MAX_CONN_LIFETIME="0"  # Unlimited. ms, s, m, h
+      - HYDRA_DATABASE_MAX_CONN_IDLE_TIME="0"  # Unlimited. ms, s, m, h
+      - HYDRA_DATABASE_CONNECT_TIMEOUT="0"  # Unlimited
+      - SERVE_ADMIN_REQUEST_LOG_DISABLE_FOR_HEALTH="true"
      - LOG_LEVEL=info

-vars:
- name: HYDRA_MIGRATE_JOB_NAME
-  objref:
-    name: hydra-migrate
-    kind: Job 
-    apiVersion: batch/v1
-  fieldref:
-    fieldpath: metadata.name
+replacements:
+  - source:
+      kind: Job
+      name: hydra-migrate
+      fieldPath: metadata.name
+    targets:
+      - select:
+          kind: Deployment
+          name: hydra
+        fieldPaths:
+          - spec.template.spec.initContainers.0.args.1
--- a/resources/hydra/resources/hydra-deployment.yaml
+++ b/resources/hydra/resources/hydra-deployment.yaml
@ -2,27 +2,27 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  labels:
-    io.kompose.service: hydra
+    app.kubernetes.io/name: hydra
  name: hydra
 spec:
  replicas: 1
  selector:
    matchLabels:
-      io.kompose.service: hydra
+      app.kubernetes.io/name: hydra
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
-        io.kompose.service: hydra
+        app.kubernetes.io/name: hydra
    spec:
      serviceAccountName: hydra-sa
      initContainers:
        - name: wait-for-migrate
          image: reg.cadoles.com/proxy_cache/groundnuty/k8s-wait-for:v1.3
          args:
-          - job
-          - $(HYDRA_MIGRATE_JOB_NAME)
+            - job
+            - REPLACE_ME
      containers:
        - name: hydra
          image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
@ -46,10 +46,31 @@ spec:
                - wget
                - --spider
                - -q
-                - http://127.0.0.1:4444/.well-known/openid-configuration
+                - http://127.0.0.1:4445/health/alive
            failureThreshold: 6
            periodSeconds: 10
            timeoutSeconds: 10
+          readinessProbe:
+            exec:
+              command:
+                - wget
+                - --spider
+                - -q
+                - http://127.0.0.1:4445/health/ready
+            failureThreshold: 6
+            periodSeconds: 10
+            timeoutSeconds: 10
+          startupProbe:
+            exec:
+              command:
+                - wget
+                - --spider
+                - -q
+                - http://127.0.0.1:4445/health/ready
+            failureThreshold: 60
+            successThreshold: 1
+            periodSeconds: 1
+            timeoutSeconds: 1
          ports:
            - containerPort: 4444
              name: hydra-public
@ -57,4 +78,3 @@ spec:
              name: hydra-admin
          resources: {}
      restartPolicy: Always
-  
--- a/resources/hydra/resources/hydra-janitor-cronjob.yaml
+++ b/resources/hydra/resources/hydra-janitor-cronjob.yaml
@ -0,0 +1,34 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: hydra-janitor
+  labels:
+    app.kubernetes.io/name: hydra-janitor
+spec:
+  concurrencyPolicy: Forbid
+  schedule: "0 */1 * * *"
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: hydra-janitor
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: hydra-sa
+          containers:
+            - name: janitor
+              image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
+              envFrom:
+              - configMapRef:
+                  name: hydra-env
+              imagePullPolicy: IfNotPresent
+              command: ["hydra"]
+              env: []
+              args:
+                - janitor
+                - --read-from-env
+                - --grants
+                - --requests
+                - --tokens
+              resources: {}
--- a/resources/hydra/resources/hydra-maester/kustomization.yaml
+++ b/resources/hydra/resources/hydra-maester/kustomization.yaml
@ -2,14 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

 resources:
-  - ./resources/hydra-maester-deployment.yaml
-  - ./resources/hydra-maester-rbac.yaml
-  - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
+- ./resources/hydra-maester-deployment.yaml
+- ./resources/hydra-maester-rbac.yaml

 configMapGenerator:
-  - name: hydra-maester-env
-    literals:
-      - APP_ENV=prod
-      - APP_DEBUG=false
-      - HYDRA_ADMIN_BASE_URL=http://hydra
-      - HYDRA_ADMIN_PORT=4445
+- name: hydra-maester-env
+  literals:
+  - APP_ENV=prod
+  - APP_DEBUG=false
+  - HYDRA_ADMIN_BASE_URL=http://hydra
+  - HYDRA_ADMIN_PORT=4445
--- a/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
+++ b/resources/hydra/resources/hydra-maester/resources/hydra-maester-deployment.yaml
@ -7,7 +7,7 @@ metadata:
  labels:
    app.kubernetes.io/name: hydra-maester
    app.kubernetes.io/instance: hydra-master
-    app.kubernetes.io/version: "v0.0.23"
+    app.kubernetes.io/version: "v0.0.25"
 spec:
  replicas: 1
  revisionHistoryLimit: 10
@ -38,15 +38,14 @@ spec:
            - --hydra-url=$(HYDRA_ADMIN_BASE_URL)
            - --hydra-port=$(HYDRA_ADMIN_PORT)
            - --endpoint=/admin/clients
-          resources:
-            {}
+          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
-              - ALL
+                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
--- a/resources/hydra/resources/hydra-service.yaml
+++ b/resources/hydra/resources/hydra-service.yaml
@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  labels:
-    io.kompose.service: hydra
+    app.kubernetes.io/name: hydra
  name: hydra
 spec:
  ports:
@ -13,6 +13,6 @@ spec:
      port: 4445
      targetPort: hydra-admin
  selector:
-    io.kompose.service: hydra
+    app.kubernetes.io/name: hydra
 status:
  loadBalancer: {}
Author	SHA1	Message	Date
wpetit	3db15dfc8a	Merge pull request 'feat(oidc-test): update image ref' (#68 ) from feat/update_oidc-test_20250311 into unstable Reviewed-on: #68	2025-03-11 15:46:07 +01:00
Laurent Gourvénec	77e167b17c	feat(oidc-test): update image ref	2025-03-11 15:42:32 +01:00
Laurent Gourvenec	d09b644b5f	Merge pull request 'feat(hydra-cnpg): configure DSN with more options' (#66 ) from f/hydra-cnpg_dsn_options into unstable Reviewed-on: #66 Reviewed-by: wpetit <wpetit@cadoles.com> Reviewed-by: pcaseiro <pcaseiro@cadoles.com>	2025-03-11 15:35:46 +01:00
Laurent Gourvénec	5e5670dcdf	feat(hydra-cnpg): configure DSN with more options	2025-03-07 15:31:59 +01:00
pcaseiro	172d9def39	Merge pull request 'hydra-sql: Update ref for lower mail fix' (#65 ) from fix-hydra-sql-lower into unstable Reviewed-on: #65 Reviewed-by: pcaseiro <pcaseiro@cadoles.com>	2025-03-07 14:48:31 +01:00
Gauthier DUPONT	e4b67e0812	fix(hydra-sql): Update ref for lower mail fix	2025-03-07 14:26:20 +01:00
pcaseiro	a26b8aafe1	Merge pull request 'fix(hydra): use same liveness URL as ory's helm' (#63 ) from fix/hydra_liveness_probe_url into unstable Reviewed-on: #63 Reviewed-by: wpetit <wpetit@cadoles.com> Reviewed-by: pcaseiro <pcaseiro@cadoles.com>	2025-03-07 13:52:29 +01:00
Laurent Gourvénec	06235bccad	feat(hydra): disable logs about health requests by default	2025-03-07 12:29:46 +01:00
Laurent Gourvénec	19039c5e1c	feat(hydra): adding readiness and startup probes	2025-03-07 11:50:26 +01:00
Laurent Gourvénec	9e02d7badb	fix(hydra): use same liveness URL as ory's helm	2025-03-07 11:15:43 +01:00
wpetit	87a056be2c	Merge pull request 'feat(hydra-cleaner): add component' (#61 ) from f/hydra_cleaner into unstable Reviewed-on: #61 Reviewed-by: wpetit <wpetit@cadoles.com>	2025-03-06 11:55:17 +01:00
William Petit	fedf44a062	feat(hydra-cleaner): configurable dsn and hydra port	2025-03-06 10:12:18 +01:00
William Petit	b0506995e5	feat: integrate hydra-cleaner in example app	2025-03-06 10:12:18 +01:00
Laurent Gourvénec	7a09045e82	feat(hydra-cleaner): add component	2025-02-27 16:20:34 +01:00
wpetit	f300b91316	Merge pull request 'feat(redis): manage limits' (#60 ) from feat/redis_limits into unstable Reviewed-on: #60	2025-02-21 14:43:22 +01:00
Laurent Gourvénec	30ba1f4d5a	feat(redis): manage limits	2025-02-21 14:34:06 +01:00
wpetit	d9bdbccfe4	Merge pull request 'fix(redis): fsGroup in security context is not applied' (#59 ) from fix/redis_fsgroup into unstable Reviewed-on: #59	2025-02-19 14:55:24 +01:00
Laurent Gourvénec	2d329501c0	fix(redis): fsGroup in security context is not applied The fsGroup is not applied to configuration of the pod and it's disturbing flux.	2025-02-19 14:43:25 +01:00
wpetit	dc2c97c7f6	Merge pull request 'fix(hydra-ldap): adding behavior to secret and CM generators' (#57 ) from fix/hydra_ldap_flux into unstable Reviewed-on: #57	2025-02-19 11:27:49 +01:00
Laurent Gourvénec	c9d8917e6c	fix(hydra-ldap): adding behavior to secret and CM generators	2025-02-19 11:22:36 +01:00
Laurent Gourvenec	20e0a20f64	Merge pull request 'Correction de l'environnement d'exemple' (#55 ) from fix-example into unstable Reviewed-on: #55 Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>	2025-02-18 17:09:43 +01:00
William Petit	c01eb28d8c	fix: use hydra-ldap and olm operator to fix example	2025-02-18 17:08:56 +01:00
pcaseiro	c97266c272	Merge pull request 'feat(pods): change image pull policy from Always to IfNotPresent' (#53 ) from feat/pull-policy-IfNotPresent into unstable Reviewed-on: #53 Reviewed-by: Matthieu Lamalle <mlamalle@cadoles.com> Reviewed-by: pcaseiro <pcaseiro@cadoles.com>	2024-12-16 14:07:35 +01:00
Laurent Gourvénec	4df11ead1e	feat(pods): change image pull policy from Always to IfNotPresent Otherwise, we have a SPOF with the image registry used	2024-12-13 14:06:56 +01:00
vfebvre	99056b875e	Merge pull request 'chore: update hydra-sql image ref to fix email search case' (#52 ) from fix-case-email into unstable Reviewed-on: #52	2024-11-06 14:27:25 +01:00
Matthieu Lamalle	ee0349e9df	chore: update hydra-sql image ref to fix email search case	2024-11-06 11:18:49 +01:00
pcaseiro	3a255707d1	Merge pull request 'chore(hydra-sql) : update image ref to fix error handle' (#50 ) from hydra-sql-fix-error into unstable Reviewed-on: #50	2024-10-14 11:37:26 +02:00
Matthieu Lamalle	ce1f650a86	chore(hydra-sql) : update image ref to fix error handle	2024-10-14 10:49:12 +02:00
pcaseiro	de24eb0026	Merge pull request 'chore(hydra-sql): correction requete password et fetchdata et ajout paquet xdebug' (#49 ) from hydra-sql-fix into unstable Reviewed-on: #49 Reviewed-by: pcaseiro <pcaseiro@cadoles.com>	2024-10-10 10:35:09 +02:00
Matthieu Lamalle	40ec4440a7	chore(hydra-sql): correction requete password et fetchdata et ajout paquet xdebug	2024-10-10 10:31:16 +02:00
Philippe Caseiro	4ec580fb7d	fix(component): oidc adding behavior to secret generator	2024-10-09 11:49:39 +02:00
Philippe Caseiro	1cf7569678	fix(component): adding behavior to secret generator	2024-10-09 11:37:52 +02:00
vfebvre	a0ff37edf6	Merge pull request 'feat(postgres): adding max_conns hydra parameter support for cnpg component' (#47 ) from feat-hydra-pooler into unstable Reviewed-on: #47 Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com> Reviewed-by: vfebvre <vfebvre@cadoles.com>	2024-10-09 10:00:02 +02:00
Philippe Caseiro	a5c9c733f6	feat(postgres): adding hydra max_conns parameter support Mandatory for large scale deployements	2024-10-04 10:56:54 +02:00
pcaseiro	a5cecb385c	Merge pull request 'fix(hydra-dispatcher): typo on ref' (#46 ) from sprint-15 into unstable Reviewed-on: #46	2024-09-24 15:19:58 +02:00
Matthieu Lamalle	15ad23049f	fix(hydra-dispatcher): typo on ref	2024-09-24 15:19:58 +02:00
pcaseiro	78e5b30e1d	Merge pull request 'sprint-15' (#45 ) from sprint-15 into unstable Reviewed-on: #45	2024-09-24 14:02:36 +02:00
Matthieu Lamalle	1ea76c2153	chore(hydra-dispatcher) : improve header cache	2024-09-24 13:44:40 +02:00
Matthieu Lamalle	af76c99d91	chore(hydra-sql) : improve sql handler	2024-09-24 13:43:59 +02:00
pcaseiro	3635f547a1	Merge pull request 'Ajout d'opcache sur les app symfony' (#43 ) from opcache into unstable Reviewed-on: #43 Reviewed-by: pcaseiro <pcaseiro@cadoles.com>	2024-08-07 09:49:26 +02:00
vcarroy	65fccdc3ce	Add opcache to symfony apps	2024-08-07 09:49:26 +02:00
pcaseiro	0b3504e631	Merge pull request 'update symfony-container ref, add rewrite subject hydra-sql' (#42 ) from rewrite-subject into unstable Reviewed-on: #42	2024-08-07 08:47:47 +02:00
Matthieu Lamalle	36a8e117e8	update symfony-container ref, add rewrite subject hydra-sql	2024-07-25 10:35:53 +02:00
Philippe Caseiro	176b5a6696	fix(hydra-sql): addin RollingUpdate stratgy config	2024-06-10 11:13:02 +02:00
pcaseiro	efa00fc6a3	Merge pull request 'chore(hydra-sql): update image ref sprint-10' (#41 ) from sprint-10 into unstable Reviewed-on: #41	2024-06-10 11:04:57 +02:00
Matthieu Lamalle	f52b3117b5	chore(hydra-sql): update image ref sprint-10	2024-06-10 10:59:31 +02:00
pcaseiro	35c46316d3	Merge pull request 'sprint-9: update hydra-sql ref image' (#40 ) from sprint-9 into unstable Reviewed-on: #40 Reviewed-by: pcaseiro <pcaseiro@cadoles.com>	2024-05-23 08:21:23 +02:00
Matthieu Lamalle	456e92ca0e	sprint-8: update hydra-sql ref image	2024-05-22 15:42:15 +02:00
pcaseiro	e1432cb633	Merge pull request 'fix(php-fpm): set php-fpm81 for hydra-sql and hydra-dispatcher' (#39 ) from sprint-8 into unstable Reviewed-on: #39 Reviewed-by: pcaseiro <pcaseiro@cadoles.com>	2024-04-29 16:08:44 +02:00
Matthieu Lamalle	513797be35	fix(php-fpm): set php-fpm81 for hydra-sql and hydra-dispatcher	2024-04-29 16:08:44 +02:00
Philippe Caseiro	f38ba80de6	Merge branch 'sprint-8' into unstable	2024-04-29 13:53:01 +02:00
pcaseiro	1db87e2d08	Merge branch 'unstable' into sprint-8	2024-04-29 13:51:36 +02:00
Matthieu Lamalle	a7578445b4	fix(php-fpm): set php-fpm82 for hydra-sql and hydra-dispatcher	2024-04-29 13:47:58 +02:00
pcaseiro	119b09ac61	Merge pull request 'chore(dispatcher sql): update images refs' (#38 ) from sprint-8 into unstable Reviewed-on: #38 Reviewed-by: pcaseiro <pcaseiro@cadoles.com>	2024-04-29 13:32:17 +02:00
Matthieu Lamalle	32ccca7616	typo	2024-04-29 12:11:53 +02:00
Matthieu Lamalle	c174ddb734	chore(dispatcher sql): update images refs	2024-04-29 12:11:01 +02:00
pcaseiro	191024bb17	Merge pull request 'Intégration des images Caddy' (#37 ) from develop into unstable Reviewed-on: #37	2024-04-04 17:49:04 +02:00
Philippe Caseiro	054f84baef	clean(lint): fix indentation	2024-04-04 17:49:04 +02:00
cmsassot	a88a8240aa	feat(deploiement): use port name	2024-04-04 17:49:04 +02:00
cmsassot	5ea7789cc2	feat(hydra-sql): non root deployment with caddy	2024-04-04 17:49:04 +02:00
cmsassot	212de51a84	feat(hydra-oidc): non root deployment with caddy	2024-04-04 17:49:04 +02:00
cmsassot	9020c73512	feat(hydra-dispatcher): non root deployment with caddy	2024-04-04 17:49:04 +02:00
Philippe Caseiro	380a116fa8	fix(all): use app.kubernetes.io/name label instead of io.kompose.service	2024-02-21 15:43:42 +01:00
Philippe Caseiro	72a9932fc5	fix(hydra): update hydra-maester version to 0.0.32-amd64	2024-02-14 11:30:54 +01:00
Philippe Caseiro	1060fdf4be	fix(hydra): update hydra-maester version to 0.0.32	2024-02-14 11:07:47 +01:00
Philippe Caseiro	45953d5531	fix(hydra): update hydra version to 2.1.2	2024-02-14 11:06:36 +01:00
Philippe Caseiro	29f539f7ab	fix(oidc): removing deprecated and useless patch fix container liveness and readyness probes fix service with correct port	2024-02-13 16:49:37 +01:00
Philippe Caseiro	0084707bbc	fix(dispatcher): dispatcher service must use containerport	2024-02-13 15:56:10 +01:00
Philippe Caseiro	0dbd5dd551	fix(dispatcher): liveness probe must use the container port Container port is 8080 so ... the probes must use the same port	2024-02-12 11:46:07 +01:00
Philippe Caseiro	f1d621d4a9	fix(maester): CRD must be installed cluster wide	2024-02-12 11:42:35 +01:00
Philippe Caseiro	83b81b1056	Revert "fix(resources): do not set namespace in maester rolebinding" This reverts commit 1fccf5f8dcd6e9ce8ac9ad62cceb26e4b0db4c40.	2024-01-30 12:34:54 +01:00
Philippe Caseiro	1fccf5f8dc	fix(resources): do not set namespace in maester rolebinding	2024-01-30 12:27:50 +01:00
Philippe Caseiro	907618902e	fix(resources): oauth2client CRD must be installed clusterwide	2024-01-30 12:21:13 +01:00
Philippe Caseiro	6b1702b7ed	fix(component): do not specify namespace for werther component	2024-01-30 10:42:56 +01:00
wpetit	fce733374c	Merge pull request 'feat(hydra): mise en place du stockage des session redis sur la stack hydra, et correction logout sur hydra-oidc' (#31 ) from hydra-redis into develop Reviewed-on: #31	2023-12-18 11:18:31 +01:00
Matthieu Lamalle	824b8613c4	update doc	2023-12-18 11:15:51 +01:00
Matthieu Lamalle	19910617bd	typo	2023-12-18 10:52:54 +01:00
Matthieu Lamalle	f4146345d5	Patche du DSN redis	2023-12-18 10:38:13 +01:00
Matthieu Lamalle	bbeb1ec62f	mise en place d'un component pour Redis	2023-12-18 09:25:30 +01:00
Matthieu Lamalle	fcfbb6cc30	correction port mapping de hydra-remote-user	2023-12-15 15:25:02 +01:00
Matthieu Lamalle	7a802a6d28	ajout redis à l'example	2023-12-15 14:44:04 +01:00
Matthieu Lamalle	a02622b516	feat(hydra): mise en place du stockage des session redis sur la stack hydra, et correction logout sur hydra-oidc	2023-12-15 10:17:23 +01:00
wpetit	61d9dade3b	Merge pull request 'feat(hydra-dispatcher): maj ref image hydra-dispatcher pour ajout url_link env var' (#29 ) from hydra-dispatcher-link-url into develop Reviewed-on: #29	2023-12-13 10:41:44 +01:00
Matthieu Lamalle	e333d07c14	feat(hydra-dispatcher): maj ref image hydra-dispatcher pour ajout url_link env var	2023-12-13 10:41:44 +01:00
wpetit	06f58a061d	Merge pull request 'Issue-16 : update dev image ref' (#27 ) from issue-16 into develop Reviewed-on: #27	2023-12-13 09:38:05 +01:00
Matthieu Lamalle	dd6804aa11	feat(shibboleth-sp): update dev ref image	2023-12-13 09:38:05 +01:00
Matthieu Lamalle	c7b937adaf	feat(hydra-sql): update env vars	2023-12-13 09:38:05 +01:00
Matthieu Lamalle	77eb73818f	feat(hydra-remote-user): update dev image ref	2023-12-13 09:38:05 +01:00
Matthieu Lamalle	cc3d07d654	feat(hydra-sql): update hydra-sql dev image ref	2023-12-13 09:38:05 +01:00
Laurent Gourvénec	86754cf518	cosmetic(oidc-test): rename CM oidc-test to oidc-test-env	2023-12-11 17:33:02 +01:00
wpetit	8b02e8a875	Merge pull request 'Composant "OIDC Test"' (#7 ) from oidc-test-component-2 into develop Reviewed-on: #7	2023-12-11 14:31:37 +01:00
William Petit	caa180747e	feat: add oidc-test app component	2023-12-11 14:29:30 +01:00
wpetit	4d29851350	Merge pull request 'Ajout de la tâche programmée "janitor" pour Hydra' (#8 ) from hydra-janitor into develop Reviewed-on: #8	2023-12-11 13:46:54 +01:00
William Petit	d88cc2de65	feat(hydra): add janitor cronjob	2023-12-11 11:30:50 +01:00
William Petit	435597f9f1	feat(hydra-dispatcher): update image tag	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	ee2bb1ea45	update hydra-dispatcher probes and image ref	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	63c5d7259c	add probes	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	815917c306	add hydra-sql deployment	2023-12-11 10:47:56 +01:00
Philippe Caseiro	bc6fe46e1c	fix(saml): fixing port name longer than 15c	2023-12-11 10:47:56 +01:00
Philippe Caseiro	1b1cc27916	feat(hydra-sql): adding new hydra login app	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	d37e85000f	set correct tag for hydra-oidc	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	d9570ec8d0	add imagepullpolicy rule	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	d56ae059a3	remove loginapp default app configmap	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	5ec48c8b22	update config default apps filename	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	aaae6e2f20	set default configuration	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	081e854454	correciton config	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	3dba6c0d69	set hydra-oidc side container	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	8c6dc30bde	set hydra-dispatcher side container	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	4ff0f83880	set hydra-dispatcher side container	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	e93bc069d3	set correct path for hydra-dispatcher conf	2023-12-11 10:47:56 +01:00
Matthieu Lamalle	a56089efe5	Utilisation images symfony-containers	2023-12-11 10:47:56 +01:00
wpetit	c4998279d5	Merge pull request 'feat(component): adding hydra-ldap' (#6 ) from f/werther into master Reviewed-on: #6	2023-12-11 10:13:18 +01:00
William Petit	6de80b1d9c	fix(hydra-ldap): update werther secret name references	2023-12-11 10:06:37 +01:00
William Petit	2f3cf60974	fix(hydra-ldap): update werther container port name	2023-12-11 09:56:27 +01:00
William Petit	bf865b02e2	feat(hydra-ldap): rename resources from werther to hydra-ldap	2023-12-11 09:50:33 +01:00
Laurent Gourvénec	063b575117	feat(werther): update image	2023-12-06 15:38:40 +01:00
Laurent Gourvénec	38d3f1c1df	feat(werther): adding a timeout for LDAP connection	2023-12-06 14:40:24 +01:00
Laurent Gourvénec	6acda0553e	feat(component): adding werther	2023-11-29 10:22:33 +01:00
Matthieu Lamalle	6217c7b3fd	Merge pull request 'Correction de l'exemple de déploiement' (#4 ) from fix-example-app into master Reviewed-on: #4	2023-11-08 09:29:39 +01:00