Merge pull request 'Ajout d'opcache sur les app symfony' (#43) from opcache into unstable

Reviewed-on: #43
Reviewed-by: pcaseiro <pcaseiro@cadoles.com>

components/hydra-ldap/resources/deployment.yaml

@@ -38,7 +38,7 @@ spec:
               key: WERTHER_LDAP_BINDPW
         ports:
         - containerPort: 8080
-              name: http
+          name: hydra-ldap-http
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

components/hydra-ldap/resources/service.yaml

@@ -7,9 +7,9 @@ metadata:
 spec:
   type: ClusterIP
   ports:
-    - name: http
+    - name: hydra-ldap
       port: 8080
-      targetPort: http
+      targetPort: hydra-ldap-http
       protocol: TCP
   selector:
     app.kubernetes.io/name: hydra-ldap

components/hydra-sql/files/03_base.ini

@@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}

components/hydra-sql/files/hydra/sql.yaml

@@ -1,30 +0,0 @@
-hydra:
-  apps:
-    - id: sql
-      title:
-        fr: Connexion SQL
-        en: Login SQL
-      description:
-        fr: Authentification avec SQL
-        en: Authentication with SQL
-      login_url: "%env(string:HYDRA_DISPATCHER_SQL_LOGIN_URL)%"
-      consent_url: "%env(string:HYDRA_DISPATCHER_SQL_CONSENT_URL)%"
-      logout_url: "%env(string:HYDRA_DISPATCHER_SQL_LOGOUT_URL)%"
-      attributes_rewrite_configuration:
-        uid:
-          rules:
-            - "property_exists(consent.session.id_token, 'uid') ? consent.session.id_token.uid : null"
-        email:
-          rules:
-            - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
-        eduPersonAffiliation:
-          rules:
-            - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null"
-  firewall:
-    rules:
-      email:
-        required: false
-      uid:
-        required: false
-      eduPersonAffiliation:
-        required: false

components/hydra-sql/kustomization.yaml

@@ -26,14 +26,6 @@ configMapGenerator:
 - name: sql-login-config
   files:
   - ./files/sql_login.yaml
-  - name: hydra-dispatcher-apps
+- name: hydra-sql-php-ini
-    behavior: merge
   files:
-      - ./files/hydra/sql.yaml
+  - ./files/03_base.ini
-
-patchesJson6902:
-  - target:
-      version: v1
-      kind: ConfigMap
-      name: hydra-dispatcher-env
-    path: patches/hydra-dispatcher-env.yaml

components/hydra-sql/patches/hydra-dispatcher-env.yaml

@@ -1,9 +0,0 @@
-- op: replace
-  path: "/data/HYDRA_DISPATCHER_SQL_LOGIN_URL"
-  value: http://hydra-sql/login
-- op: replace
-  path: "/data/HYDRA_DISPATCHER_SQL_CONSENT_URL"
-  value: http://hydra-sql/consent
-- op: replace
-  path: "/data/HYDRA_DISPATCHER_SQL_LOGOUT_URL"
-  value: http://hydra-sql/logout

components/hydra-sql/resources/hydra-sql-deployment.yaml

@@ -10,7 +10,10 @@ spec:
     matchLabels:
       app.kubernetes.io/name: hydra-sql
   strategy:
-    type: Recreate
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
   template:
     metadata:
       labels:
@@ -18,7 +21,7 @@ spec:
     spec:
       containers:
       - name: hydra-sql-fpm
-          image: reg.cadoles.com/cadoles/hydra-sql-base:2024.4.2-develop.953.fc87b24
+        image: reg.cadoles.com/cadoles/hydra-sql-base:2024.7.25-develop.1026.5bfd899
         imagePullPolicy: Always
         args: ["/usr/sbin/php-fpm81", "-F", "-e"]
         readinessProbe:
@@ -52,23 +55,22 @@ spec:
           value: 128m
         - name: PHP_FPM_LOG_LEVEL
           value: warning
+        - name: OPCACHE_VALIDATE_TIMESTAMP
+          value: "0"
+        - name: OPCACHE_REVALIDATE_FREQ
+          value: "0"
         volumeMounts:
         - name: sql-login-config
           mountPath: "/app/config/sql_login_configuration/sql_login.yaml"
           subPath: "sql_login.yaml"
+        - name: hydra-sql-php-ini
+          mountPath: /etc/php81/conf.d/03_base.ini
+          subPath: 03_base.ini
 
       - name: hydra-sql-caddy
-          image: reg.cadoles.com/cadoles/hydra-sql-base:2024.4.2-develop.953.fc87b24
+        image: reg.cadoles.com/cadoles/hydra-sql-base:2024.7.25-develop.1026.5bfd899
         imagePullPolicy: Always
-          args:
+        args: ["/usr/sbin/caddy", "run", "--adapter", "caddyfile", "--config", "/etc/caddy/Caddyfile"]
-            [
-              "/usr/sbin/caddy",
-              "run",
-              "--adapter",
-              "caddyfile",
-              "--config",
-              "/etc/caddy/Caddyfile",
-            ]
         readinessProbe:
           httpGet:
             path: /health
@@ -113,5 +115,8 @@ spec:
       - name: sql-login-config
         configMap:
           name: sql-login-config
+      - name: hydra-sql-php-ini
+        configMap:
+          name: hydra-sql-php-ini
 
       restartPolicy: Always

components/oidc-test/resources/deployment.yaml

@@ -30,10 +30,10 @@ spec:
             valueFrom:
               secretKeyRef:
                 name: oidc-test-oauth2-client
-                  key: CLIENT_ID
+                key: client_id
           - name: OIDC_CLIENT_SECRET
             valueFrom:
               secretKeyRef:
                 name: oidc-test-oauth2-client
-                  key: CLIENT_SECRET
+                key: client_secret
       restartPolicy: Always

examples/authenticated-app/README.md

@@ -24,6 +24,14 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
     kubectl apply -k ./examples/authenticated-app
     ```
 
+   **Note** Il est possible d'avoir l'erreur suivante:
+
+   ```
+   error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1"
+   ```
+
+   Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande.
+
 4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
 
     ```
@@ -48,6 +56,6 @@ kind delete cluster -n sso-kustom-example
 #### URL utiles
 
 |URL|Description|
-| --------------------------------------------------- | ------------------------------------- |
+|---|-----------|
 |https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth|
 |https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth|

examples/authenticated-app/kustomization.yaml

@@ -8,7 +8,7 @@ resources:
   - ./resources/self-signed-issuer.yaml
   - ./resources/port-forwarder.yaml
 
-patches:
+patchesJson6902:
   - target:
       version: v1
       kind: ConfigMap
@@ -39,8 +39,3 @@ patches:
       kind: OAuth2Client
       name: oidc-test-oauth2-client
     path: patches/oidc-test-oauth2-client.yaml
-  - target:
-      version: v1
-      kind: ConfigMap
-      name: hydra-sql-env
-    path: patches/hydra-sql-env.yaml

examples/authenticated-app/patches/hydra-dispatcher-env.yaml

@@ -28,13 +28,3 @@
   path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL"
   value: https://ssokustom/auth/saml/logout
   
-# Hydra SQL configuration
-- op: replace
-  path: "/data/HYDRA_DISPATCHER_SQL_LOGIN_URL"
-  value: https://ssokustom/auth/sql/login
-- op: replace
-  path: "/data/HYDRA_DISPATCHER_SQL_CONSENT_URL"
-  value: https://ssokustom/auth/sql/consent
-- op: replace
-  path: "/data/HYDRA_DISPATCHER_SQL_LOGOUT_URL"
-  value: https://ssokustom/auth/sql/logout

examples/authenticated-app/patches/hydra-sql-env.yaml

@@ -1,24 +0,0 @@
-- op: replace
-  path: "/data/BASE_URL"
-  value: https://ssokustom/auth/sql
-- op: replace
-  path: "/data/ISSUER_URL"
-  value: https://ssokustom
-- op: replace
-  path: "/data/ISSUER_URL"
-  value: https://ssokustom
-- op: replace
-  path: "/data/HYDRA_ADMIN_BASE_URL"
-  value: http://hydra-dispatcher
-- op: replace
-  path: "/data/DSN_REMOTE_DATABASE"
-  value: pgsql:host='postgres';port=5432;dbname=lasql
-- op: replace
-  path: "/data/REDIS_DSN"
-  value: redis://redis:6379
-- op: replace
-  path: "/data/DB_USER"
-  value: makeMeASecret
-- op: replace
-  path: "/data/DB_PASSWORD"
-  value: rmakeMeASecret

examples/authenticated-app/resources/ingress.yaml

@@ -50,30 +50,6 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
-metadata:
-  name: auth-sql
-  annotations:
-    cert-manager.io/issuer: "self-signed"
-    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-spec:
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - ssokustom
-      secretName: ssokustom-example-tls
-  rules:
-    - http:
-        paths:
-          - path: /auth/sql(/|$)(.*)
-            pathType: Prefix
-            backend:
-              service:
-                name: hydra-sql
-                port:
-                  name: http
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
 metadata:
   name: auth-dispatcher
   annotations:
@@ -148,3 +124,8 @@ spec:
             name: saml-idp
             port:
               name: https
+
+     
+
+      
+          

examples/k8s/kind/cluster/kustomization.yaml

@@ -5,7 +5,6 @@ resources:
 - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
 - https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop
 - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
-  - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
 
 patchesJson6902:
   - target:

resources/hydra-dispatcher/files/03_base.ini

@@ -0,0 +1,22 @@
+[opcache]
+; Determines if Zend OPCache is enabled
+opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+opcache.enable_cli=1
+
+; The OPcache shared memory storage size.
+opcache.memory_consumption=512
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+opcache.max_accelerated_files=20000
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP}
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ}

resources/hydra-dispatcher/kustomization.yaml

@@ -29,3 +29,6 @@ configMapGenerator:
 - name: hydra-dispatcher-apps
   files:
   - apps.yaml=./files/hydra/default.yaml
+- name: hydra-dispatcher-php-ini
+  files:
+  - ./files/03_base.ini

resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
       - name: hydra-dispatcher-php-fpm
-          image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.4.2-develop.1411.74a9f16
+        image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.7.25-develop.1034.21d6822
         args: ["/usr/sbin/php-fpm81", "-F", "-e"]
         readinessProbe:
           exec:
@@ -41,19 +41,26 @@ spec:
           value: 128m
         - name: PHP_FPM_MEMORY_LIMIT
           value: 128m
+        - name: OPCACHE_VALIDATE_TIMESTAMP
+          value: "0"
+        - name: OPCACHE_REVALIDATE_FREQ
+          value: "0"
         envFrom:
         - configMapRef:
             name: hydra-dispatcher-env
         volumeMounts:
         - mountPath: /app/config/hydra
           name: hydra-dispatcher-apps
+        - name: hydra-dispatcher-php-ini
+          mountPath: /etc/php81/conf.d/03_base.ini
+          subPath: 03_base.ini
         resources: {}
         securityContext:
           runAsNonRoot: true
           runAsGroup: 1000
           runAsUser: 1000
       - name: hydra-dispatcher-caddy
-          image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.4.2-develop.1411.74a9f16
+        image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.7.25-develop.1034.21d6822
         imagePullPolicy: Always
         args:
           [
@@ -105,3 +112,6 @@ spec:
       - name: hydra-dispatcher-apps
         configMap:
           name: hydra-dispatcher-apps
+      - name: hydra-dispatcher-php-ini
+        configMap:
+          name: hydra-dispatcher-php-ini