feat(hydra-oidc): update ref fix logout url

Reviewed-on: #2

components/hydra-cnpg-database/kustomization.yaml

@@ -29,7 +29,7 @@ vars:
   fieldref:
     fieldpath: metadata.name
 
-patches:
+patchesJson6902:
 - target:
     group: apps
     version: v1
@@ -42,9 +42,3 @@ patches:
     kind: Job
     name: hydra-migrate
   path: patches/hydra-migrate-job.yaml
-- target:
-    group: batch
-    version: v1
-    kind: CronJob
-    name: hydra-janitor
-  path: patches/hydra-janitor-cronjob.yaml

components/hydra-cnpg-database/patches/hydra-janitor-cronjob.yaml

@@ -1,21 +0,0 @@
-- op: add
-  path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
-  value:
-    name: HYDRA_DATABASE_USER
-    valueFrom:
-      secretKeyRef:
-        name: hydra-postgres-user
-        key: username
-- op: add
-  path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
-  value:
-    name: HYDRA_DATABASE_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: hydra-postgres-user
-        key: password
-- op: add
-  path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-"
-  value:
-    name: DSN
-    value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable"

components/hydra-ldap/kustomization.yaml

@@ -1,26 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
-  - ./resources/deployment.yaml
-  - ./resources/service.yaml
-
-configMapGenerator:
-  - name: hydra-ldap-env
-    literals:
-      - WERTHER_DEV_MODE=false
-      - WERTHER_LDAP_ROLE_CLAIM="https://hydra/claims/roles"
-      - WERTHER_SKIP_SSL_VERIFICATIONS=false
-      - WERTHER_IDENTP_CLAIM_SCOPES="name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fhydra%2Fclaims%2Froles:roles"
-      - WERTHER_IDENTP_HYDRA_URL="http://hydra:4444"
-      - WERTHER_LDAP_ENDPOINTS="ldap.test.fr:636"
-      - WERTHER_LDAP_IS_TLS=true
-      - WERTHER_LDAP_BASEDN="o=test,c=fr"
-      - WERTHER_LDAP_ROLE_BASEDN="ou=groups,o=test,c=fr"
-      - WERTHER_LDAP_CONNECTION_TIMEOUT="10s"
-
-secretGenerator:
-  - name: hydra-ldap-sc
-    literals:
-      - WERTHER_LDAP_BINDDN="cn=reader,o=test,c=fr"
-      - WERTHER_LDAP_BINDPW=ThisMustBeAbsolutelyChanged

components/hydra-ldap/resources/deployment.yaml

@@ -1,51 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: hydra-ldap
-  namespace: default
-  labels:
-    app.kubernetes.io/name: hydra-ldap
-    app.kubernetes.io/version: "v1.2.2"
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: hydra-ldap
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: hydra-ldap
-        app.kubernetes.io/version: "v1.2.2"
-    spec:
-      containers:
-        - name: werther
-          image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717
-          imagePullPolicy: IfNotPresent
-          envFrom:
-            - configMapRef:
-                name: hydra-ldap-env
-          env:
-            - name: WERTHER_WEB_DIR
-              value: "/usr/share/werther/login/"
-            - name: WERTHER_LDAP_BINDDN
-              valueFrom:
-                secretKeyRef:
-                  name: hydra-ldap-sc
-                  key: WERTHER_LDAP_BINDDN
-            - name: WERTHER_LDAP_BINDPW
-              valueFrom:
-                secretKeyRef:
-                  name: hydra-ldap-sc
-                  key: WERTHER_LDAP_BINDPW
-          ports:
-            - containerPort: 8080
-              name: hydra-ldap-http
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
-            privileged: false
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            runAsUser: 100

components/hydra-ldap/resources/service.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    io.kompose.service: hydra-ldap
-  name: hydra-ldap
-spec:
-  type: ClusterIP
-  ports:
-    - name: hydra-ldap
-      port: 8080
-      targetPort: hydra-ldap-http
-      protocol: TCP
-  selector:
-    app.kubernetes.io/name: hydra-ldap
-status:
-  loadBalancer: {}

components/hydra-oidc/resources/hydra-oidc-deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: hydra-oidc-php-fpm
-          image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.11.17-develop.1657.761e035
+          image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.11.22-develop.1410.027411d
           imagePullPolicy: Always
           args: ["/usr/sbin/php-fpm81", "-F", "-e"]
           readinessProbe:
@@ -47,7 +47,7 @@ spec:
                 name: hydra-oidc-env
           resources: {}
 
-        - image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.11.17-develop.1657.761e035
+        - image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.11.22-develop.1410.027411d
           imagePullPolicy: Always
           name: hydra-oidc-nginx
           args: ["/usr/sbin/nginx"]

components/oidc-test/kustomization.yaml

@@ -1,20 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1alpha1
-kind: Component
-
-resources:
-  - ./resources/deployment.yaml
-  - ./resources/service.yaml
-  - ./resources/oauth2-client.yaml
-
-configMapGenerator:
-  - name: oidc-test
-    literals:
-      - LOG_LEVEL=0
-      - HTTP_ADDRESS=0.0.0.0:8080
-      - OIDC_CLIENT_ID=oidc-test
-      - OIDC_CLIENT_SECRET=NotSoSecret
-      - OIDC_ISSUER_URL=http://hydra:4444
-      - OIDC_REDIRECT_URL=https://example.net/oauth2/callback
-      - OIDC_POST_LOGOUT_REDIRECT_URL=https://example.net
-      - OIDC_SKIP_ISSUER_VERIFICATION="true"
-      - OIDC_INSECURE_SKIP_VERIFY="true"

components/oidc-test/resources/deployment.yaml

@@ -1,39 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    app.kubernetes.io/name: oidc-test
-  name: oidc-test
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: oidc-test
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: oidc-test
-    spec:
-      containers:
-        - image: reg.cadoles.com/cadoles/oidc-test:2023.12.6-stable.1502.ebfd504
-          name: oidc-test
-          ports:
-            - containerPort: 8080
-          resources: {}
-          envFrom:
-          - configMapRef:
-              name: oidc-test
-          env:
-          - name: OIDC_CLIENT_ID
-            valueFrom:
-              secretKeyRef:
-                name: oidc-test-oauth2-client
-                key: client_id
-          - name: OIDC_CLIENT_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: oidc-test-oauth2-client
-                key: client_secret
-      restartPolicy: Always

components/oidc-test/resources/service.yaml

@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/name: oidc-test
-  name: oidc-test
-spec:
-  ports:
-    - name: http
-      port: 8080
-      targetPort: 8080
-  selector:
-    app.kubernetes.io/name: oidc-test
-status:
-  loadBalancer: {}

examples/authenticated-app/kustomization.yaml

@@ -2,12 +2,20 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - ../../overlays/full
+  - ../../resources/hydra
+  - ../../resources/hydra-dispatcher
+  - ./resources/app.yaml
   - ./resources/ingress.yaml
+  - ./resources/oauth2-client.yaml
   - ./resources/saml-idp.yaml
   - ./resources/self-signed-issuer.yaml
   - ./resources/port-forwarder.yaml
 
+components:
+  - ../../components/hydra-cnpg-database
+  #- ../../components/hydra-oidc
+  - ../../components/hydra-saml
+
 patchesJson6902:
   - target:
       version: v1
@@ -28,14 +36,4 @@ patchesJson6902:
       version: v1
       kind: Secret
       name: hydra-secret
-    path: patches/hydra-secret.yaml
-  - target:
-      version: v1
-      kind: ConfigMap
-      name: oidc-test
-    path: patches/oidc-test.yaml
-  - target:
-      version: v1alpha1
-      kind: OAuth2Client
-      name: oidc-test-oauth2-client
-    path: patches/oidc-test-oauth2-client.yaml
+    path: patches/hydra-secret.yaml

examples/authenticated-app/patches/oidc-test-oauth2-client.yaml

@@ -1,6 +0,0 @@
-- op: replace
-  path: "/spec/redirectUris/0"
-  value: https://ssokustom/oauth2/callback
-- op: replace
-  path: "/spec/postLogoutRedirectUris/0"
-  value: https://ssokustom

examples/authenticated-app/patches/oidc-test.yaml

@@ -1,6 +0,0 @@
-- op: replace
-  path: "/data/OIDC_REDIRECT_URL"
-  value: https://ssokustom/oauth2/callback
-- op: replace
-  path: "/data/OIDC_POST_LOGOUT_REDIRECT_URL"
-  value: https://ssokustom

examples/authenticated-app/resources/app.yaml

@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    io.kompose.service: app
+  name: app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      io.kompose.service: app
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        io.kompose.service: app
+    spec:
+      containers:
+        - image: reg.cadoles.com/cadoles/oidc-test:2023.11.6-stable.1557.e16b905
+          name: app
+          ports:
+            - containerPort: 8080
+          resources: {}
+          env:
+            - name: LOG_LEVEL
+              value: "0"
+            - name: HTTP_ADDRESS
+              value: 0.0.0.0:8080
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: app-oidc-secret
+                  key: client_id
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: app-oidc-secret
+                  key: client_secret
+            - name: OIDC_ISSUER_URL
+              value: http://hydra:4444
+            - name: OIDC_REDIRECT_URL
+              value: https://ssokustom/oauth2/callback
+            - name: OIDC_POST_LOGOUT_REDIRECT_URL
+              value: https://ssokustom
+            - name: OIDC_SKIP_ISSUER_VERIFICATION
+              value: "true"
+            - name: OIDC_INSECURE_SKIP_VERIFY
+              value: "true"
+      restartPolicy: Always
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    io.kompose.service: app
+  name: app
+spec:
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+  selector:
+    io.kompose.service: app
+status:
+  loadBalancer: {}

examples/authenticated-app/resources/ingress.yaml

@@ -20,7 +20,7 @@ spec:
         pathType: Prefix
         backend:
           service:
-            name: oidc-test
+            name: app
             port:
               name: http
 ---

examples/authenticated-app/resources/oauth2-client.yaml

@@ -1,9 +1,9 @@
 apiVersion: hydra.ory.sh/v1alpha1
 kind: OAuth2Client
 metadata:
-  name: oidc-test-oauth2-client
+  name: app-oauth2-client
 spec:
-  clientName: "oidc-test"
+  clientName: "app"
   tokenEndpointAuthMethod: "client_secret_basic"
   grantTypes:
   - authorization_code
@@ -11,8 +11,8 @@ spec:
   responseTypes:
   - code
   scope: "openid email"
-  secretName: oidc-test-oauth2-client
+  secretName: app-oidc-secret
   redirectUris:
-  - https://example.net/oauth2/callback
+  - https://ssokustom/oauth2/callback
   postLogoutRedirectUris:
-  - https://example.net
+  - https://ssokustom

kustomization.yaml

@@ -2,4 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ./overlays/base
+- ./resources/hydra
+- ./resources/hydra-dispatcher
+
+components:
+- ./components/hydra-cnpg-database
+- ./components/hydra-oidc
+- ./components/hydra-saml
+- ./components/hydra-sql

overlays/base/kustomization.yaml

@@ -1,11 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- ../../resources/hydra
-- ../../resources/hydra-dispatcher
-
-labels:
-  - pairs:
-      app.kubernetes.io/part-of: sso-kustom
-      app.kubernetes.io/component: auth

overlays/full/kustomization.yaml

@@ -1,17 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- ../base
-
-labels:
-  - pairs:
-      app.kubernetes.io/part-of: sso-kustom
-      app.kubernetes.io/component: auth
-
-components:
-- ../../components/hydra-cnpg-database
-- ../../components/hydra-oidc
-- ../../components/hydra-saml
-- ../../components/hydra-sql
-- ../../components/oidc-test

resources/hydra/kustomization.yaml

@@ -9,8 +9,6 @@ resources:
   - ./resources/hydra-serviceaccount.yaml
   - ./resources/hydra-migrate-job.yaml
   - ./resources/hydra-maester
-  - ./resources/hydra-janitor-cronjob.yaml
-  - ./resources/hydra-hpa.yaml
 
 secretGenerator:
   - name: hydra-secret

resources/hydra/resources/hydra-deployment.yaml

@@ -55,9 +55,6 @@ spec:
               name: hydra-public
             - containerPort: 4445
               name: hydra-admin
-          resources:
-            requests:
-              cpu: 100m
-              memory: 128Mi
+          resources: {}
       restartPolicy: Always
   

resources/hydra/resources/hydra-hpa.yaml

@@ -1,26 +0,0 @@
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
-metadata:
-  name: hydra
-  labels:
-    io.kompose.service: hydra
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: hydra
-  minReplicas: 1
-  maxReplicas: 3
-  metrics:
-  - type: Resource
-    resource:
-      name: memory
-      target:
-        type: Utilization
-        averageUtilization: 80
-  - type: Resource
-    resource:
-      name: cpu
-      target:
-        type: Utilization
-        averageUtilization: 80

resources/hydra/resources/hydra-janitor-cronjob.yaml

@@ -1,34 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: hydra-janitor
-  labels:
-    app.kubernetes.io/name: hydra-janitor
-spec:
-  concurrencyPolicy: Forbid
-  schedule: "0 */1 * * *"
-  jobTemplate:
-    spec:
-      template:
-        metadata:
-          labels:
-            app.kubernetes.io/name: hydra-janitor
-        spec:
-          restartPolicy: OnFailure
-          serviceAccountName: hydra-sa
-          containers:
-            - name: janitor
-              image: reg.cadoles.com/proxy_cache/oryd/hydra:v2.0.3
-              envFrom:
-              - configMapRef:
-                  name: hydra-env
-              imagePullPolicy: IfNotPresent
-              command: ["hydra"]
-              env: []
-              args:
-                - janitor
-                - --read-from-env
-                - --grants
-                - --requests
-                - --tokens
-              resources: {}