diff --git a/components/hydra-cnpg-database/kustomization.yaml b/components/hydra-cnpg-database/kustomization.yaml index 4ebccef..737555f 100644 --- a/components/hydra-cnpg-database/kustomization.yaml +++ b/components/hydra-cnpg-database/kustomization.yaml @@ -7,28 +7,6 @@ configurations: resources: - ./resources/hydra-cnpg-cluster.yaml -secretGenerator: -- name: hydra-postgres-admin - type: Secret - literals: - - username=postgres - - password=NotSoSecret -- name: hydra-postgres-user - type: Secret - literals: - - username=hydra - - password=NotSoSecret - - -vars: -- name: HYDRA_DATABASE_SERVICE_NAME - objref: - name: hydra-postgres - kind: Cluster - apiVersion: postgresql.cnpg.io/v1 - fieldref: - fieldpath: metadata.name - patches: - target: group: apps diff --git a/components/hydra-cnpg-database/patches/hydra-deployment.yaml b/components/hydra-cnpg-database/patches/hydra-deployment.yaml index 6185612..db7d518 100644 --- a/components/hydra-cnpg-database/patches/hydra-deployment.yaml +++ b/components/hydra-cnpg-database/patches/hydra-deployment.yaml @@ -4,7 +4,7 @@ name: HYDRA_DATABASE_USER valueFrom: secretKeyRef: - name: hydra-postgres-user + name: hydra-postgres-app key: username - op: add path: "/spec/template/spec/containers/0/env/-" @@ -12,10 +12,18 @@ name: HYDRA_DATABASE_PASSWORD valueFrom: secretKeyRef: - name: hydra-postgres-user + name: hydra-postgres-app key: password +- op: add + path: "/spec/template/spec/containers/0/env/-" + value: + name: HYDRA_DATABASE_SERVICE_NAME + valueFrom: + secretKeyRef: + name: hydra-postgres-app + key: host - op: add path: "/spec/template/spec/containers/0/env/-" value: name: DSN - value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable" \ No newline at end of file + value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable&max_conns=$(HYDRA_DATABASE_MAX_CONN)" 
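Review bot: The new DSN in patches/hydra-deployment.yaml interpolates `$(HYDRA_DATABASE_MAX_CONN)`, but no env entry of that name is added by this patch (only HYDRA_DATABASE_USER, HYDRA_DATABASE_PASSWORD and HYDRA_DATABASE_SERVICE_NAME are), so unless the base Deployment defines it earlier in the env list Kubernetes leaves the literal `$(HYDRA_DATABASE_MAX_CONN)` in the URL and the driver will reject `max_conns`. Add an explicit entry before the DSN, e.g. `- name: HYDRA_DATABASE_MAX_CONN` / `value: "10"` (constructed value), or drop the parameter as the janitor and migrate patches do. Separately, all three DSNs keep `sslmode=disable` while the client now talks to a CloudNativePG service; CNPG serves TLS out of the box, so `sslmode=require` is a cheap minimum (verify-full would additionally need the cluster CA secret mounted). The same `sslmode=disable` applies to the janitor and migrate hunks that follow.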
diff --git a/components/hydra-cnpg-database/patches/hydra-janitor-cronjob.yaml b/components/hydra-cnpg-database/patches/hydra-janitor-cronjob.yaml index a8f576e..467742b 100644 --- a/components/hydra-cnpg-database/patches/hydra-janitor-cronjob.yaml +++ b/components/hydra-cnpg-database/patches/hydra-janitor-cronjob.yaml @@ -4,7 +4,7 @@ name: HYDRA_DATABASE_USER valueFrom: secretKeyRef: - name: hydra-postgres-user + name: hydra-postgres-app key: username - op: add path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" @@ -12,10 +12,18 @@ name: HYDRA_DATABASE_PASSWORD valueFrom: secretKeyRef: - name: hydra-postgres-user + name: hydra-postgres-app key: password +- op: add + path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" + value: + name: HYDRA_DATABASE_SERVICE_NAME + valueFrom: + secretKeyRef: + name: hydra-postgres-app + key: host - op: add path: "/spec/jobTemplate/spec/template/spec/containers/0/env/-" value: name: DSN - value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable" \ No newline at end of file + value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable" diff --git a/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml b/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml index 6185612..c5e4447 100644 --- a/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml +++ b/components/hydra-cnpg-database/patches/hydra-migrate-job.yaml @@ -4,7 +4,7 @@ name: HYDRA_DATABASE_USER valueFrom: secretKeyRef: - name: hydra-postgres-user + name: hydra-postgres-app key: username - op: add path: "/spec/template/spec/containers/0/env/-" 
@@ -12,10 +12,18 @@ name: HYDRA_DATABASE_PASSWORD valueFrom: secretKeyRef: - name: hydra-postgres-user + name: hydra-postgres-app key: password +- op: add + path: "/spec/template/spec/containers/0/env/-" + value: + name: HYDRA_DATABASE_SERVICE_NAME + valueFrom: + secretKeyRef: + name: hydra-postgres-app + key: host - op: add path: "/spec/template/spec/containers/0/env/-" value: name: DSN - value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME)-rw:5432/hydra?sslmode=disable" \ No newline at end of file + value: "postgres://$(HYDRA_DATABASE_USER):$(HYDRA_DATABASE_PASSWORD)@$(HYDRA_DATABASE_SERVICE_NAME):5432/hydra?sslmode=disable" diff --git a/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml b/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml index 7f48955..8d910f1 100644 --- a/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml +++ b/components/hydra-cnpg-database/resources/hydra-cnpg-cluster.yaml @@ -5,13 +5,9 @@ metadata: spec: instances: 3 primaryUpdateStrategy: unsupervised - superuserSecret: - name: hydra-postgres-admin bootstrap: initdb: database: hydra owner: hydra - secret: - name: hydra-postgres-user storage: - size: 2Gi \ No newline at end of file + size: 2Gi diff --git a/components/hydra-ldap/resources/deployment.yaml b/components/hydra-ldap/resources/deployment.yaml index d330365..0a8bb20 100644 --- a/components/hydra-ldap/resources/deployment.yaml +++ b/components/hydra-ldap/resources/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: hydra-ldap - namespace: default labels: app.kubernetes.io/name: hydra-ldap app.kubernetes.io/version: "v1.2.2" 
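Review bot: With `superuserSecret` and `bootstrap.initdb.secret` removed, the cluster now depends on CNPG auto-generating the credentials, and the patches in this commit hard-code the operator's `<cluster>-app` naming (`hydra-postgres-app`) without that being stated anywhere in the resource; the cluster's `metadata.name` is outside the hunk, the only hint being the deleted `vars` block naming `hydra-postgres`. Add a comment under `bootstrap.initdb:` such as `# no explicit secret: CNPG generates <cluster>-app (hydra-postgres-app), consumed by ../patches/*.yaml via secretKeyRef (username/password/host)`. Also note that on recent operator versions omitting `superuserSecret` means superuser access is disabled by default; if admin access is still required, set `enableSuperuserAccess: true` explicitly rather than relying on the default.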
@@ -18,34 +17,34 @@ spec: app.kubernetes.io/version: "v1.2.2" spec: containers: - - name: werther - image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 - imagePullPolicy: IfNotPresent - envFrom: - - configMapRef: - name: hydra-ldap-env - env: - - name: WERTHER_WEB_DIR - value: "/usr/share/werther/login/" - - name: WERTHER_LDAP_BINDDN - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDDN - - name: WERTHER_LDAP_BINDPW - valueFrom: - secretKeyRef: - name: hydra-ldap-sc - key: WERTHER_LDAP_BINDPW - ports: - - containerPort: 8080 - name: hydra-ldap-http - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 100 + - name: werther + image: reg.cadoles.com/cadoles/hydra-werther:2023.12.6-stable.1421.15a4717 + imagePullPolicy: IfNotPresent + envFrom: + - configMapRef: + name: hydra-ldap-env + env: + - name: WERTHER_WEB_DIR + value: "/usr/share/werther/login/" + - name: WERTHER_LDAP_BINDDN + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDDN + - name: WERTHER_LDAP_BINDPW + valueFrom: + secretKeyRef: + name: hydra-ldap-sc + key: WERTHER_LDAP_BINDPW + ports: + - containerPort: 8080 + name: hydra-ldap-http + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 100 diff --git a/components/hydra-ldap/resources/service.yaml b/components/hydra-ldap/resources/service.yaml index 4adbddb..29db7ec 100644 --- a/components/hydra-ldap/resources/service.yaml +++ b/components/hydra-ldap/resources/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: labels: - io.kompose.service: hydra-ldap + app.kubernetes.io/name: hydra-ldap name: hydra-ldap spec: type: ClusterIP 
diff --git a/components/hydra-oidc/kustomization.yaml b/components/hydra-oidc/kustomization.yaml index 88288e0..624818f 100644 --- a/components/hydra-oidc/kustomization.yaml +++ b/components/hydra-oidc/kustomization.yaml 
@@ -2,38 +2,36 @@ apiVersion: kustomize.config.k8s.io/v1alpha1 kind: Component resources: - - ./resources/hydra-oidc-deployment.yaml - - ./resources/hydra-oidc-service.yaml +- ./resources/hydra-oidc-deployment.yaml +- ./resources/hydra-oidc-service.yaml + +generatorOptions: + labels: + com.cadoles.forge.sso-kustom/session: redis configMapGenerator: - - name: hydra-oidc-env - literals: - - APP_ENV=prod - - APP_DEBUG=false - - PHP_FPM_MEMORY_LIMIT=256m - - NGINX_APP_SERVER_LISTEN=80 - - HYDRA_ADMIN_BASE_URL=http://hydra-dispatcher - - OIC_AUTHORIZE_ENDPOINT=https://oidc-idp/api/v1/authorize - - OIDC_TOKEN_ENDPOINT=https://oidc-idp/api/v1/token - - OIDC_USERINFO_ENDPOINT=https://oidc-idp/api/v1/userinfo - - POST_LOGOUT_REDIRECT_URL=http://oidc-sp/logout - - OIDC_LOGOUT_ENDPOINT=https://oidc-idp/api/v1/logout?%s - - BASE_URL=http://hydra-oidc - - PARAMS_TO_DELETE=[] - - PARAMS_TO_INSERT={} - - OIDC_SCOPE=openid email - - CLIENT_ID_FC=MyClientID - - CLIENT_SECRET_FC=MyClientSecret - - COOKIE_PATH=/ - - TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR - # - name: hydra-dispatcher-apps - # behavior: merge - # files: - # - apps.yaml=./files/hydra/oidc.yaml - -patchesJson6902: - - target: - version: v1 - kind: ConfigMap - name: hydra-dispatcher-env - path: patches/hydra-dispatcher-env.yaml +- name: hydra-oidc-env + behavior: create + literals: + - APP_ENV=prod + - APP_DEBUG=false + - PHP_FPM_MEMORY_LIMIT=256m + - NGINX_APP_SERVER_LISTEN=80 + - HYDRA_ADMIN_BASE_URL=http://hydra-dispatcher + - OIC_AUTHORIZE_ENDPOINT=https://oidc-idp/api/v1/authorize + - OIDC_TOKEN_ENDPOINT=https://oidc-idp/api/v1/token + - OIDC_USERINFO_ENDPOINT=https://oidc-idp/api/v1/userinfo + - POST_LOGOUT_REDIRECT_URL=http://oidc-sp/logout + - OIDC_LOGOUT_ENDPOINT=https://oidc-idp/api/v1/logout?%s + - BASE_URL=http://hydra-oidc + - PARAMS_TO_DELETE=[] + - PARAMS_TO_INSERT={} + - OIDC_SCOPE=openid email + - CLIENT_ID_FC=MyClientID + - CLIENT_SECRET_FC=MyClientSecret + - COOKIE_PATH=/ + - 
TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR + - REDIS_DSN="redis://redis:6379" + - HYDRA_DISPATCHER_OIDC_LOGIN_URL="http://hydra-oidc/login" + - HYDRA_DISPATCHER_OIDC_CONSENT_URL="http://hydra-oidc/consent" + - HYDRA_DISPATCHER_OIDC_LOGOUT_URL="http://hydra-oidc/logout" diff --git a/components/hydra-oidc/patches/hydra-dispatcher-env.yaml b/components/hydra-oidc/patches/hydra-dispatcher-env.yaml deleted file mode 100644 index 0b56c86..0000000 --- a/components/hydra-oidc/patches/hydra-dispatcher-env.yaml +++ /dev/null @@ -1,9 +0,0 @@ -- op: replace - path: "/data/HYDRA_DISPATCHER_OIDC_LOGIN_URL" - value: http://hydra-oidc/login -- op: replace - path: "/data/HYDRA_DISPATCHER_OIDC_CONSENT_URL" - value: http://hydra-oidc/consent -- op: replace - path: "/data/HYDRA_DISPATCHER_OIDC_LOGOUT_URL" - value: http://hydra-oidc/logout \ No newline at end of file diff --git a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml index dd62f7e..022806e 100644 --- a/components/hydra-oidc/resources/hydra-oidc-deployment.yaml +++ b/components/hydra-oidc/resources/hydra-oidc-deployment.yaml 
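Review bot: The re-indented `hydra-oidc-env` generator still ships `CLIENT_SECRET_FC=MyClientSecret` in a ConfigMap; this commit already moved the database credentials out of a kustomize literal, and the OIDC client secret deserves the same treatment: a `secretGenerator` (or an externally managed Secret) consumed through `envFrom.secretRef`, leaving only the non-sensitive keys here. A second point: the `HYDRA_DISPATCHER_OIDC_*_URL` literals replace the deleted JSON patch on `hydra-dispatcher-env`, but they are now written into `hydra-oidc-env`, and the dispatcher Deployment later in this diff only mounts `hydra-dispatcher-env` via `envFrom`; unless the dispatcher picks these up some other way, it will no longer see them. If they are meant for the dispatcher, they belong in `resources/hydra-dispatcher/kustomization.yaml` or in a patch targeting `hydra-dispatcher-env` as before.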
@@ -2,85 +2,101 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - io.kompose.service: hydra-oidc + app.kubernetes.io/name: hydra-oidc name: hydra-oidc spec: replicas: 1 selector: matchLabels: - io.kompose.service: hydra-oidc + app.kubernetes.io/name: hydra-oidc strategy: type: Recreate template: metadata: labels: - io.kompose.service: hydra-oidc + app.kubernetes.io/name: hydra-oidc spec: containers: - - name: hydra-oidc-php-fpm - image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.11.17-develop.1657.761e035 - imagePullPolicy: Always - args: ["/usr/sbin/php-fpm81", "-F", "-e"] - readinessProbe: - exec: - command: + - name: hydra-oidc-php-fpm + image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 + imagePullPolicy: Always + args: ["/usr/sbin/php-fpm81", "-F", "-e"] + readinessProbe: + exec: + command: - sh - -c - test -f /etc/php81/php-fpm.d/www.conf - livenessProbe: - exec: - command: + livenessProbe: + exec: + command: - php - bin/console - -V - initialDelaySeconds: 10 - periodSeconds: 30 - env: + initialDelaySeconds: 10 + periodSeconds: 30 + env: - name: PHP_FPM_LISTEN value: 127.0.0.1:9000 - name: PHP_MEMORY_LIMIT value: 128m - name: PHP_FPM_MEMORY_LIMIT value: 128m - envFrom: - - configMapRef: - name: hydra-oidc-env - resources: {} + envFrom: + - configMapRef: + name: hydra-oidc-env + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 - - image: reg.cadoles.com/cadoles/hydra-oidc-base:2023.11.17-develop.1657.761e035 - imagePullPolicy: Always - name: hydra-oidc-nginx - args: ["/usr/sbin/nginx"] - readinessProbe: - httpGet: - path: /healthy - port: 80 - initialDelaySeconds: 5 - timeoutSeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /healthy - port: 80 - initialDelaySeconds: 15 - timeoutSeconds: 5 - periodSeconds: 15 - envFrom: - - configMapRef: - name: hydra-oidc-env - env: - - name: NGINX_APP_UPSTREAM_BACKEND_SERVER - value: 127.0.0.1:9000 - - name: NGINX_APP_ROOT - 
value: "/public/" - - name: NGINX_APP_PHP_INDEX - value: "/index.php" - - name: NGINX_ERROR_LOG_LEVEL - value: "warn" - - name: NGINX_APP_PHP_NON_FILE_PATTERN - value: "^/index\\.php(/|$)" - ports: + - name: hydra-oidc-caddy + image: reg.cadoles.com/cadoles/hydra-oidc-base:2024.4.2-develop.1349.c4711f6 + imagePullPolicy: Always + args: + [ + "/usr/sbin/caddy", + "run", + "--adapter", + "caddyfile", + "--config", + "/etc/caddy/Caddyfile", + ] + readinessProbe: + httpGet: + path: /healthy + port: 8080 + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /healthy + port: 8080 + initialDelaySeconds: 15 + timeoutSeconds: 5 + periodSeconds: 15 + ports: - containerPort: 8080 - resources: {} + name: http + envFrom: + - configMapRef: + name: hydra-oidc-env + env: + - name: CADDY_APP_UPSTREAM_BACKEND_SERVER + value: 127.0.0.1:9000 + - name: CADDY_HTTPS_PORT + value: "8443" + - name: CADDY_HTTP_PORT + value: "8080" + - name: CADDY_DATA_FS + value: "/tmp/caddy" + - name: CADDY_APP_ROOT_PUBLIC + value: "/app/public/" + resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 restartPolicy: Always - diff --git a/components/hydra-oidc/resources/hydra-oidc-service.yaml b/components/hydra-oidc/resources/hydra-oidc-service.yaml index 0398b45..3cc9f8c 100644 --- a/components/hydra-oidc/resources/hydra-oidc-service.yaml +++ b/components/hydra-oidc/resources/hydra-oidc-service.yaml @@ -2,13 +2,14 @@ apiVersion: v1 kind: Service metadata: labels: - io.kompose.service: hydra-oidc + app.kubernetes.io/name: hydra-oidc name: hydra-oidc spec: ports: - - name: hydra-oidc - port: 80 + - name: http + port: 80 + targetPort: http selector: - io.kompose.service: hydra-oidc + app.kubernetes.io/name: hydra-oidc status: loadBalancer: {} diff --git a/components/hydra-saml/resources/hydra-saml-remote-user.yaml b/components/hydra-saml/resources/hydra-saml-remote-user.yaml index fc4d66e..580dc75 100644 
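Review bot: The new `securityContext` on both `hydra-oidc-php-fpm` and `hydra-oidc-caddy` only sets `runAsNonRoot`/`runAsUser`/`runAsGroup`, whereas the `hydra-ldap` Deployment in this same diff also sets `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `privileged: false` and `readOnlyRootFilesystem: true`. Add at least `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` under each `securityContext:`; `readOnlyRootFilesystem: true` is also feasible since `CADDY_DATA_FS` already points at `/tmp/caddy`, which can be backed by an `emptyDir`. The same partial hardening appears in the hydra-sql-deployment and hydra-dispatcher-deployment hunks later in this diff.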
--- a/components/hydra-saml/resources/hydra-saml-remote-user.yaml +++ b/components/hydra-saml/resources/hydra-saml-remote-user.yaml @@ -2,28 +2,28 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - io.kompose.service: hydra-saml-remote-user + app.kubernetes.io/name: hydra-saml-remote-user name: hydra-saml-remote-user spec: replicas: 1 selector: matchLabels: - io.kompose.service: hydra-saml-remote-user + app.kubernetes.io/name: hydra-saml-remote-user strategy: type: Recreate template: metadata: labels: - io.kompose.service: hydra-saml-remote-user + app.kubernetes.io/name: hydra-saml-remote-user spec: containers: - name: hydra-saml-remote-user - image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-233-g64fcacc + image: reg.cadoles.com/cadoles/hydra-remote-user-base:2023.12.11-develop.1523.5f14595 envFrom: - configMapRef: name: hydra-saml-env ports: - - containerPort: 80 + - containerPort: 8080 resources: {} restartPolicy: Always --- @@ -31,13 +31,14 @@ apiVersion: v1 kind: Service metadata: labels: - io.kompose.service: hydra-saml-remote-user + app.kubernetes.io/name: hydra-saml-remote-user name: hydra-saml-remote-user spec: ports: - name: http port: 80 + targetPort: 8080 selector: - io.kompose.service: hydra-saml-remote-user + app.kubernetes.io/name: hydra-saml-remote-user status: loadBalancer: {} diff --git a/components/hydra-saml/resources/hydra-saml-shibboleth-sp.yaml b/components/hydra-saml/resources/hydra-saml-shibboleth-sp.yaml index 677a02e..555a73a 100644 --- a/components/hydra-saml/resources/hydra-saml-shibboleth-sp.yaml +++ b/components/hydra-saml/resources/hydra-saml-shibboleth-sp.yaml 
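Review bot: The `hydra-saml-remote-user` Service now uses a numeric `targetPort: 8080`, while the other Services touched in this commit (hydra-oidc, hydra-sql, hydra-dispatcher) were switched to `targetPort: http` against a named containerPort. For consistency and so the port number lives in one place, name the port in the Deployment (`- containerPort: 8080` / `name: http`) and use `targetPort: http` here.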
@@ -2,25 +2,25 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - io.kompose.service: hydra-saml-shibboleth-sp + app.kubernetes.io/name: hydra-saml-shibboleth-sp name: hydra-saml-shibboleth-sp spec: replicas: 1 selector: matchLabels: - io.kompose.service: hydra-saml-shibboleth-sp + app.kubernetes.io/name: hydra-saml-shibboleth-sp strategy: type: Recreate template: metadata: labels: - io.kompose.service: hydra-saml-shibboleth-sp + app.kubernetes.io/name: hydra-saml-shibboleth-sp spec: securityContext: fsGroup: 102 containers: - name: hydra-saml-shibboleth-sp - image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-233-g64fcacc + image: reg.cadoles.com/cadoles/shibboleth-sp-v3:2023.12.12-develop.1039.49b85e1 envFrom: - configMapRef: name: hydra-saml-env @@ -41,14 +41,14 @@ apiVersion: v1 kind: Service metadata: labels: - io.kompose.service: hydra-saml + app.kubernetes.io/name: hydra-saml name: hydra-saml spec: ports: - name: http port: 80 selector: - io.kompose.service: hydra-saml-shibboleth-sp + app.kubernetes.io/name: hydra-saml-shibboleth-sp status: loadBalancer: {} diff --git a/components/hydra-sql/files/03_base.ini b/components/hydra-sql/files/03_base.ini new file mode 100644 index 0000000..c416de0 --- /dev/null +++ b/components/hydra-sql/files/03_base.ini 
@@ -0,0 +1,22 @@ +[opcache] +; Determines if Zend OPCache is enabled +opcache.enable=1 + +; Determines if Zend OPCache is enabled for the CLI version of PHP +opcache.enable_cli=1 + +; The OPcache shared memory storage size. +opcache.memory_consumption=512 + +; The maximum number of keys (scripts) in the OPcache hash table. +; Only numbers between 200 and 1000000 are allowed. +opcache.max_accelerated_files=20000 + +; When disabled, you must reset the OPcache manually or restart the +; webserver for changes to the filesystem to take effect. +opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP} + +; How often (in seconds) to check file timestamps for changes to the shared +; memory storage allocation. ("1" means validate once per second, but only +; once per request. "0" means always validate) +opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ} \ No newline at end of file diff --git a/components/hydra-sql/kustomization.yaml b/components/hydra-sql/kustomization.yaml index f305b11..0504eb2 100644 --- a/components/hydra-sql/kustomization.yaml +++ b/components/hydra-sql/kustomization.yaml @@ -5,8 +5,13 @@ resources: - ./resources/hydra-sql-service.yaml - ./resources/hydra-sql-deployment.yaml +generatorOptions: + labels: + com.cadoles.forge.sso-kustom/session: redis + configMapGenerator: - name: hydra-sql-env + behavior: create literals: - ISSUER_URL="http://localhost:8000" - BASE_URL='http://localhost:8080' @@ -17,7 +22,11 @@ configMapGenerator: - DSN_REMOTE_DATABASE="pgsql:host='postgres';port=5432;dbname=lasql" - DB_USER="makeMeASecret" - DB_PASSWORD="makeMeASecret" + - REDIS_DSN="redis://redis:6379" - PEPPER="MakeMeABigSecret" - name: sql-login-config files: - ./files/sql_login.yaml +- name: hydra-sql-php-ini + files: + - ./files/03_base.ini diff --git a/components/hydra-sql/resources/hydra-sql-deployment.yaml b/components/hydra-sql/resources/hydra-sql-deployment.yaml index ee84ac4..bf688de 100644 --- a/components/hydra-sql/resources/hydra-sql-deployment.yaml 
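Review bot: The top-level `generatorOptions.labels` in components/hydra-sql/kustomization.yaml labels every ConfigMap generated in the file, including `sql-login-config` and the new `hydra-sql-php-ini`, not just `hydra-sql-env`. The redis component added in this commit patches every ConfigMap matching `com.cadoles.forge.sso-kustom/session=redis` with `op: replace` on `/data/REDIS_DSN`, and a JSON Patch `replace` on a missing key is an error, so the build would likely fail (or, at best, spray `REDIS_DSN` into unrelated ConfigMaps). Scope the label to the one generator with per-generator options, `options: {labels: {com.cadoles.forge.sso-kustom/session: redis}}` on `hydra-sql-env`, and drop the file-level `generatorOptions`; the same applies to resources/hydra-dispatcher/kustomization.yaml further down.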
+++ b/components/hydra-sql/resources/hydra-sql-deployment.yaml @@ -2,23 +2,26 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - io.kompose.service: hydra-sql + app.kubernetes.io/name: hydra-sql name: hydra-sql spec: replicas: 1 selector: matchLabels: - io.kompose.service: hydra-sql + app.kubernetes.io/name: hydra-sql strategy: - type: Recreate + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% template: metadata: labels: - io.kompose.service: hydra-sql + app.kubernetes.io/name: hydra-sql spec: containers: - name: hydra-sql-fpm - image: reg.cadoles.com/cadoles/hydra-sql-base:0.0.1 + image: reg.cadoles.com/cadoles/hydra-sql-base:2024.11.6-develop.1113.075be9b imagePullPolicy: Always args: ["/usr/sbin/php-fpm81", "-F", "-e"] readinessProbe: @@ -36,6 +39,10 @@ spec: initialDelaySeconds: 10 periodSeconds: 30 resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 envFrom: - configMapRef: name: hydra-sql-env @@ -48,15 +55,22 @@ spec: value: 128m - name: PHP_FPM_LOG_LEVEL value: warning + - name: OPCACHE_VALIDATE_TIMESTAMP + value: "0" + - name: OPCACHE_REVALIDATE_FREQ + value: "0" volumeMounts: - name: sql-login-config mountPath: "/app/config/sql_login_configuration/sql_login.yaml" subPath: "sql_login.yaml" + - name: hydra-sql-php-ini + mountPath: /etc/php81/conf.d/03_base.ini + subPath: 03_base.ini - - name: hydra-sql-nginx - image: reg.cadoles.com/cadoles/hydra-sql-base:0.0.1 + - name: hydra-sql-caddy + image: reg.cadoles.com/cadoles/hydra-sql-base:2024.11.6-develop.1113.075be9b imagePullPolicy: Always - args: ["/usr/sbin/nginx"] + args: ["/usr/sbin/caddy", "run", "--adapter", "caddyfile", "--config", "/etc/caddy/Caddyfile"] readinessProbe: httpGet: path: /health 
@@ -75,19 +89,24 @@ spec: - configMapRef: name: hydra-sql-env env: - - name: NGINX_APP_UPSTREAM_BACKEND_SERVER + - name: CADDY_APP_UPSTREAM_BACKEND_SERVER value: 127.0.0.1:9000 - - name: NGINX_APP_ROOT - value: "/public" - - name: NGINX_APP_PHP_INDEX - value: "/index.php" - - name: NGINX_ERROR_LOG_LEVEL - value: "warn" - - name: NGINX_APP_PHP_NON_FILE_PATTERN - value: "^/index\\.php(/|$)" + - name: CADDY_HTTPS_PORT + value: "8443" + - name: CADDY_HTTP_PORT + value: "8080" + - name: CADDY_DATA_FS + value: "/tmp/caddy" + - name: CADDY_APP_ROOT_PUBLIC + value: "/app/public/" resources: {} + securityContext: + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 ports: - containerPort: 8080 + name: http volumeMounts: - name: sql-login-config mountPath: "/app/config/sql_login_configuration/sql_login.yaml" @@ -96,5 +115,8 @@ spec: - name: sql-login-config configMap: name: sql-login-config + - name: hydra-sql-php-ini + configMap: + name: hydra-sql-php-ini restartPolicy: Always diff --git a/components/hydra-sql/resources/hydra-sql-service.yaml b/components/hydra-sql/resources/hydra-sql-service.yaml index 2941999..d47ff69 100644 --- a/components/hydra-sql/resources/hydra-sql-service.yaml +++ b/components/hydra-sql/resources/hydra-sql-service.yaml @@ -2,13 +2,14 @@ apiVersion: v1 kind: Service metadata: labels: - io.kompose.service: hydra-sql + app.kubernetes.io/name: hydra-sql name: hydra-sql spec: ports: - - name: hydra-sql - port: 8080 + - name: http + port: 80 + targetPort: http selector: - io.kompose.service: hydra-sql + app.kubernetes.io/name: hydra-sql status: loadBalancer: {} diff --git a/components/redis/README.md b/components/redis/README.md new file mode 100644 index 0000000..072c605 --- /dev/null +++ b/components/redis/README.md 
@@ -0,0 +1,22 @@ +# Composant `redis` + +### Description + +Les applications `hydra-dispatcher`, `hydra-sql` et `hydra-oidc` stockent dorénavant le cache et les sessions utilisateur sur un serveur Redis. +Le DSN du serveur est défini dans leur variable d'environnement respective `REDIS_DSN`. +Les applications peuvent utiliser le mode `sentinel` de redis +Il est donc nécessaire donc nécessaire de disposer d'un serveur Redis pour utiliser ces applications. + +### Principe général de fonctionnement + +Un `RedisFailOver` crée un cluster redis en mode sentinel avec 3 réplicats chacun. + + +### Personnalisation + +Via des `patches` sur la ressource `ConfigMap` via un label selector `com.cadoles.forge.sso-kustom/session=redis` il est possible de modifier la valeur du `REDIS_DSN`. + + +|Clé|Description|Exemple| +|---|-----------|-------| +|`REDIS_DSN`| DSN du cluster Redis | `redis://rfs-sso-redis:26379?&redis_sentinel=mymaster` diff --git a/components/redis/kustomization.yaml b/components/redis/kustomization.yaml new file mode 100644 index 0000000..609cf30 --- /dev/null +++ b/components/redis/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +resources: + - ./resources/redis-failover.yaml + +patches: +- path: ./patches/hydra-apps.yaml + target: + kind: ConfigMap + labelSelector: "com.cadoles.forge.sso-kustom/session=redis" diff --git a/components/redis/patches/hydra-apps.yaml b/components/redis/patches/hydra-apps.yaml new file mode 100644 index 0000000..6ab436a --- /dev/null +++ b/components/redis/patches/hydra-apps.yaml @@ -0,0 +1,3 @@ +- op: replace + path: "/data/REDIS_DSN" + value: "redis://rfs-sso-redis:26379?&redis_sentinel=mymaster" diff --git a/components/redis/resources/redis-failover.yaml b/components/redis/resources/redis-failover.yaml new file mode 100644 index 0000000..01f1e3a --- /dev/null +++ b/components/redis/resources/redis-failover.yaml 
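Review bot: The new components/redis/kustomization.yaml mixes sequence styles: the `resources:` list is indented while the `patches:` list is flush with its key. Pick one form file-wide (the other kustomizations in this commit use the flush style, e.g. `- ./resources/redis-failover.yaml` directly under `resources:`).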
@@ -0,0 +1,21 @@ +apiVersion: databases.spotahome.com/v1 +kind: RedisFailover +metadata: + name: sso-redis +spec: + sentinel: + replicas: 3 + resources: + requests: + cpu: 100m + limits: + memory: 100Mi + redis: + replicas: 3 + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 400m + memory: 500Mi diff --git a/doc/README.md b/doc/README.md deleted file mode 100644 index 7d8b3af..0000000 --- a/doc/README.md +++ /dev/null @@ -1 +0,0 @@ -# Documentation \ No newline at end of file diff --git a/examples/authenticated-app/README.md b/examples/authenticated-app/README.md index d3fa32b..1619333 100644 --- a/examples/authenticated-app/README.md +++ b/examples/authenticated-app/README.md @@ -15,7 +15,7 @@ L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement. 2. Déployer les opérateurs nécessaires au déploiement ``` - kubectl kustomize --enable-helm ./examples/k8s/kind/cluster | kubectl apply -f - + kubectl apply -k ./examples/k8s/kind/cluster --server-side ``` 3. Déployer l'application diff --git a/examples/authenticated-app/resources/port-forwarder.yaml b/examples/authenticated-app/resources/port-forwarder.yaml index 7db316a..d55ccf8 100644 --- a/examples/authenticated-app/resources/port-forwarder.yaml +++ b/examples/authenticated-app/resources/port-forwarder.yaml @@ -2,19 +2,19 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - io.kompose.service: port-forwarder + app.kubernetes.io/name: port-forwarder name: port-forwarder spec: replicas: 1 selector: matchLabels: - io.kompose.service: port-forwarder + app.kubernetes.io/name: port-forwarder strategy: type: Recreate template: metadata: labels: - io.kompose.service: port-forwarder + app.kubernetes.io/name: port-forwarder spec: containers: - image: hpello/tcp-proxy:latest @@ -42,7 +42,7 @@ apiVersion: v1 metadata: name: ssokustom labels: - io.kompose.service: port-forwarder + app.kubernetes.io/name: port-forwarder spec: ports: - name: https 
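Review bot: The `RedisFailover` `sso-redis` is created without `spec.auth`, so the Redis instances that now hold user sessions and cache for hydra-dispatcher, hydra-sql and hydra-oidc accept unauthenticated connections from anything that can reach `rfs-sso-redis` in the namespace, and the DSN in patches/hydra-apps.yaml carries no credentials accordingly. Set `auth:` / `secretPath: <redis-auth-secret>` (placeholder name) referencing a Secret with a `password` key, and once the DSN carries a password it should come from a Secret rather than the labelled ConfigMap; a NetworkPolicy limiting ingress to the three consumer Deployments would complement this. If the operator's auth support is intentionally unused, a comment on the resource stating that the cluster is network-isolated would at least document the decision.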
@@ -52,4 +52,4 @@ spec: port: 80 targetPort: 80 selector: - io.kompose.service: port-forwarder \ No newline at end of file + app.kubernetes.io/name: port-forwarder \ No newline at end of file diff --git a/examples/authenticated-app/resources/saml-idp.yaml b/examples/authenticated-app/resources/saml-idp.yaml index d89cdbf..20146d2 100644 --- a/examples/authenticated-app/resources/saml-idp.yaml +++ b/examples/authenticated-app/resources/saml-idp.yaml @@ -2,19 +2,19 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - io.kompose.service: saml-idp + app.kubernetes.io/name: saml-idp name: saml-idp spec: replicas: 1 selector: matchLabels: - io.kompose.service: saml-idp + app.kubernetes.io/name: saml-idp strategy: type: Recreate template: metadata: labels: - io.kompose.service: saml-idp + app.kubernetes.io/name: saml-idp spec: containers: - image: kristophjunge/test-saml-idp:1.15 @@ -35,7 +35,7 @@ apiVersion: v1 kind: Service metadata: labels: - io.kompose.service: saml-idp + app.kubernetes.io/name: saml-idp name: saml-idp spec: ports: @@ -46,6 +46,6 @@ spec: port: 8443 targetPort: 8443 selector: - io.kompose.service: saml-idp + app.kubernetes.io/name: saml-idp status: loadBalancer: {} \ No newline at end of file diff --git a/examples/k8s/kind/cluster/kustomization.yaml b/examples/k8s/kind/cluster/kustomization.yaml index 760eb72..af48eba 100644 --- a/examples/k8s/kind/cluster/kustomization.yaml +++ b/examples/k8s/kind/cluster/kustomization.yaml @@ -3,6 +3,7 @@ kind: Kustomization resources: - https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml - https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop +- https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop - https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml patchesJson6902: 
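Review bot: The added remote base `https://forge.cadoles.com/CadolesKube/c-kustom//base/redis?ref=develop` in examples/k8s/kind/cluster/kustomization.yaml follows a moving branch, so what gets applied to the cluster changes without any change to this repository and cannot be reproduced from a given commit. Pinning `ref=` to a tag or commit SHA (as the cert-manager line does with `v1.13.2`) gives a reviewable supply chain; this may be acceptable for a kind example, but then a comment saying so would help, and the pre-existing `cloudnative-pg-operator?ref=develop` and ingress-nginx `main` lines have the same property.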
@@ -11,4 +12,4 @@ patchesJson6902: kind: ConfigMap name: ingress-nginx-controller namespace: ingress-nginx - path: patches/nginx-controller.yaml \ No newline at end of file + path: patches/nginx-controller.yaml diff --git a/overlays/full/kustomization.yaml b/overlays/full/kustomization.yaml index da68867..e9a6eac 100644 --- a/overlays/full/kustomization.yaml +++ b/overlays/full/kustomization.yaml @@ -14,4 +14,5 @@ components: - ../../components/hydra-oidc - ../../components/hydra-saml - ../../components/hydra-sql -- ../../components/oidc-test \ No newline at end of file +- ../../components/oidc-test +- ../../components/redis diff --git a/resources/hydra-dispatcher/files/03_base.ini b/resources/hydra-dispatcher/files/03_base.ini new file mode 100644 index 0000000..c416de0 --- /dev/null +++ b/resources/hydra-dispatcher/files/03_base.ini @@ -0,0 +1,22 @@ +[opcache] +; Determines if Zend OPCache is enabled +opcache.enable=1 + +; Determines if Zend OPCache is enabled for the CLI version of PHP +opcache.enable_cli=1 + +; The OPcache shared memory storage size. +opcache.memory_consumption=512 + +; The maximum number of keys (scripts) in the OPcache hash table. +; Only numbers between 200 and 1000000 are allowed. +opcache.max_accelerated_files=20000 + +; When disabled, you must reset the OPcache manually or restart the +; webserver for changes to the filesystem to take effect. +opcache.validate_timestamps=${OPCACHE_VALIDATE_TIMESTAMP} + +; How often (in seconds) to check file timestamps for changes to the shared +; memory storage allocation. ("1" means validate once per second, but only +; once per request. "0" means always validate) +opcache.revalidate_freq=${OPCACHE_REVALIDATE_FREQ} \ No newline at end of file diff --git a/resources/hydra-dispatcher/files/hydra/default.yaml b/resources/hydra-dispatcher/files/hydra/default.yaml index 52e6dbb..d86c656 100644 --- a/resources/hydra-dispatcher/files/hydra/default.yaml +++ b/resources/hydra-dispatcher/files/hydra/default.yaml 
@@ -14,4 +14,4 @@ hydra: api_method: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_METHOD)%" firewall: additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%" - rules: {} \ No newline at end of file + rules: {} diff --git a/resources/hydra-dispatcher/kustomization.yaml b/resources/hydra-dispatcher/kustomization.yaml index 8bba48f..7ab4a1d 100644 --- a/resources/hydra-dispatcher/kustomization.yaml +++ b/resources/hydra-dispatcher/kustomization.yaml @@ -5,6 +5,10 @@ resources: - ./resources/hydra-dispatcher-deployment.yaml - ./resources/hydra-dispatcher-service.yaml +generatorOptions: + labels: + com.cadoles.forge.sso-kustom/session: redis + configMapGenerator: - name: hydra-dispatcher-env literals: @@ -21,6 +25,10 @@ configMapGenerator: - COOKIE_PATH=/ - DEFAULT_LOCALE=fr - APP_LOCALES=fr,en + - REDIS_DSN="redis://redis:6379" - name: hydra-dispatcher-apps files: - apps.yaml=./files/hydra/default.yaml +- name: hydra-dispatcher-php-ini + files: + - ./files/03_base.ini \ No newline at end of file diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml index d7fb91f..5006247 100644 --- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml +++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml 
@@ -2,23 +2,23 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 labels:
- io.kompose.service: hydra-dispatcher
+ app.kubernetes.io/name: hydra-dispatcher
 name: hydra-dispatcher
 spec:
 replicas: 1
 selector:
 matchLabels:
- io.kompose.service: hydra-dispatcher
+ app.kubernetes.io/name: hydra-dispatcher
 strategy:
 type: Recreate
 template:
 metadata:
 labels:
- io.kompose.service: hydra-dispatcher
+ app.kubernetes.io/name: hydra-dispatcher
 spec:
 containers:
 - name: hydra-dispatcher-php-fpm
- image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2023.11.17-develop.1408.ad93359
+ image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
 args: ["/usr/sbin/php-fpm81", "-F", "-e"]
 readinessProbe:
 exec:
@@ -41,29 +41,47 @@ spec:
 value: 128m
 - name: PHP_FPM_MEMORY_LIMIT
 value: 128m
+ - name: OPCACHE_VALIDATE_TIMESTAMP
+ value: "0"
+ - name: OPCACHE_REVALIDATE_FREQ
+ value: "0"
 envFrom:
 - configMapRef:
 name: hydra-dispatcher-env
 volumeMounts:
 - mountPath: /app/config/hydra
 name: hydra-dispatcher-apps
+ - name: hydra-dispatcher-php-ini
+ mountPath: /etc/php81/conf.d/03_base.ini
+ subPath: 03_base.ini
 resources: {}
-
- - image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2023.11.17-develop.1408.ad93359
+ securityContext:
+ runAsNonRoot: true
+ runAsGroup: 1000
+ runAsUser: 1000
+ - name: hydra-dispatcher-caddy
+ image: reg.cadoles.com/cadoles/hydra-dispatcher-base:2024.9.24-develop.1122.f88a5eb
 imagePullPolicy: Always
- name: hydra-dispatcher-nginx
- args: ["/usr/sbin/nginx"]
+ args:
+ [
+ "/usr/sbin/caddy",
+ "run",
+ "--adapter",
+ "caddyfile",
+ "--config",
+ "/etc/caddy/Caddyfile",
+ ]
 readinessProbe:
 httpGet:
 path: /health
- port: 80
+ port: 8080
 initialDelaySeconds: 5
 timeoutSeconds: 5
 periodSeconds: 10
 livenessProbe:
 httpGet:
 path: /health
- port: 80
+ port: 8080
 initialDelaySeconds: 15
 timeoutSeconds: 5
 periodSeconds: 15
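Review bot: Changing `spec.selector.matchLabels` from `io.kompose.service: hydra-dispatcher` to `app.kubernetes.io/name: hydra-dispatcher` will be rejected on an already-deployed apps/v1 Deployment, because the selector is immutable after creation; `kubectl apply` fails with a field-is-immutable error until the old object is deleted. The same applies to the `resources/hydra/resources/hydra-deployment.yaml` hunk further down. Either keep the old key in `matchLabels` and carry both labels on the pod template, or document the required delete-and-recreate of the Deployment in the commit message; `strategy: Recreate` only governs pod rollout and does not avoid this.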
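Review bot: The new `securityContext` on `hydra-dispatcher-php-fpm` sets only `runAsNonRoot`, `runAsGroup` and `runAsUser`; `allowPrivilegeEscalation` keeps its default, no capabilities are dropped and no seccomp profile is set, so the pod would not satisfy the Pod Security "restricted" profile. The identical block is added for `hydra-dispatcher-caddy` in the next hunk, and both containers keep `resources: {}`, so neither has requests or limits. I would extend both security contexts as below; `readOnlyRootFilesystem` is left out because php-fpm's writable paths are not visible here and the caddy container is configured with `CADDY_DATA_FS=/tmp/caddy`.
```yaml
        securityContext:
          runAsNonRoot: true
          runAsGroup: 1000
          runAsUser: 1000
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
      # … unchanged: hydra-dispatcher-caddy container, whose securityContext gets the same additions …
```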
@@ -71,21 +89,29 @@ spec:
 - configMapRef:
 name: hydra-dispatcher-env
 env:
- - name: NGINX_APP_UPSTREAM_BACKEND_SERVER
+ - name: CADDY_APP_UPSTREAM_BACKEND_SERVER
 value: 127.0.0.1:9000
- - name: NGINX_APP_ROOT
- value: "/public/"
- - name: NGINX_APP_PHP_INDEX
- value: "/index.php"
- - name: NGINX_ERROR_LOG_LEVEL
- value: "warn"
- - name: NGINX_APP_PHP_NON_FILE_PATTERN
- value: "^/index\\.php(/|$)"
+ - name: CADDY_HTTPS_PORT
+ value: "8443"
+ - name: CADDY_HTTP_PORT
+ value: "8080"
+ - name: CADDY_DATA_FS
+ value: "/tmp/caddy"
+ - name: CADDY_APP_ROOT_PUBLIC
+ value: "/app/public/"
 ports:
 - containerPort: 8080
+ name: http
 resources: {}
+ securityContext:
+ runAsNonRoot: true
+ runAsGroup: 1000
+ runAsUser: 1000
 restartPolicy: Always
 volumes:
 - name: hydra-dispatcher-apps
 configMap:
 name: hydra-dispatcher-apps
+ - name: hydra-dispatcher-php-ini
+ configMap:
+ name: hydra-dispatcher-php-ini
diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
index dcbdd9f..1985e0d 100644
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-service.yaml
@@ -2,13 +2,14 @@ apiVersion: v1
 kind: Service
 metadata:
 labels:
- io.kompose.service: hydra-dispatcher
+ app.kubernetes.io/name: hydra-dispatcher
 name: hydra-dispatcher
 spec:
 ports:
- - name: http
- port: 80
+ - name: http
+ port: 80
+ targetPort: http
 selector:
- io.kompose.service: hydra-dispatcher
+ app.kubernetes.io/name: hydra-dispatcher
 status:
 loadBalancer: {}
diff --git a/resources/hydra/kustomization.yaml b/resources/hydra/kustomization.yaml
index 34b8a16..c4e4615 100644
--- a/resources/hydra/kustomization.yaml
+++ b/resources/hydra/kustomization.yaml
@@ -1,36 +1,43 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+images:
+- name: reg.cadoles.com/proxy_cache/oryd/hydra
+ newTag: v2.1.2
+- name: reg.cadoles.com/proxy_cache/oryd/hydra-maester
+ newTag: v0.0.32-amd64
+
 resources:
- - ./resources/hydra-deployment.yaml
- - ./resources/hydra-service.yaml
- - ./resources/hydra-role.yaml
- - ./resources/hydra-rolebinding.yaml
- - ./resources/hydra-serviceaccount.yaml
- - ./resources/hydra-migrate-job.yaml
- - ./resources/hydra-maester
- - ./resources/hydra-janitor-cronjob.yaml
+- ./resources/hydra-deployment.yaml
+- ./resources/hydra-service.yaml
+- ./resources/hydra-role.yaml
+- ./resources/hydra-rolebinding.yaml
+- ./resources/hydra-serviceaccount.yaml
+- ./resources/hydra-migrate-job.yaml
+- ./resources/hydra-maester
+- ./resources/hydra-janitor-cronjob.yaml
 secretGenerator:
- - name: hydra-secret
- literals:
- - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
+- name: hydra-secret
+ literals:
+ - SECRETS_SYSTEM=ThisShouldBeAbsolutelyChanged
 configMapGenerator:
- - name: hydra-env
- literals:
- - URLS_SELF_ISSUER=http://localhost:4444
- - URLS_LOGIN=http://hydra-login-app/login
- - URLS_CONSENT=http://hydra-consent-app/consent
- - URLS_LOGOUT=http://hydra-logout-app/logout
- - HYDRA_SERVE_ALL_ARGS=--dev
- - LOG_LEVEL=info
+- name: hydra-env
+ literals:
+ - URLS_SELF_ISSUER=http://localhost:4444
+ - URLS_LOGIN=http://hydra-login-app/login
+ - URLS_CONSENT=http://hydra-consent-app/consent
+ - URLS_LOGOUT=http://hydra-logout-app/logout
+ - HYDRA_SERVE_ALL_ARGS=--dev
+ - HYDRA_DATABASE_MAX_CONN="10"
+ - LOG_LEVEL=info
 vars:
 - name: HYDRA_MIGRATE_JOB_NAME
 objref:
 name: hydra-migrate
- kind: Job
+ kind: Job
 apiVersion: batch/v1
 fieldref:
- fieldpath: metadata.name
\ No newline at end of file
+ fieldpath: metadata.name
diff --git a/resources/hydra/resources/hydra-deployment.yaml b/resources/hydra/resources/hydra-deployment.yaml
index bf15af4..450e10d 100644
--- a/resources/hydra/resources/hydra-deployment.yaml
+++ b/resources/hydra/resources/hydra-deployment.yaml
@@ -2,19 +2,19 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 labels:
- io.kompose.service: hydra
+ app.kubernetes.io/name: hydra
 name: hydra
 spec:
 replicas: 1
 selector:
 matchLabels:
- io.kompose.service: hydra
+ app.kubernetes.io/name: hydra
 strategy:
 type: Recreate
 template:
 metadata:
 labels:
- io.kompose.service: hydra
+ app.kubernetes.io/name: hydra
 spec:
 serviceAccountName: hydra-sa
 initContainers:
diff --git a/resources/hydra/resources/hydra-maester/kustomization.yaml b/resources/hydra/resources/hydra-maester/kustomization.yaml
index 42c02f6..c773693 100644
--- a/resources/hydra/resources/hydra-maester/kustomization.yaml
+++ b/resources/hydra/resources/hydra-maester/kustomization.yaml
@@ -2,14 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./resources/hydra-maester-deployment.yaml
- - ./resources/hydra-maester-rbac.yaml
- - https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml
+- ./resources/hydra-maester-deployment.yaml
+- ./resources/hydra-maester-rbac.yaml
 configMapGenerator:
- - name: hydra-maester-env
- literals:
- - APP_ENV=prod
- - APP_DEBUG=false
- - HYDRA_ADMIN_BASE_URL=http://hydra
- - HYDRA_ADMIN_PORT=4445
\ No newline at end of file
+- name: hydra-maester-env
+ literals:
+ - APP_ENV=prod
+ - APP_DEBUG=false
+ - HYDRA_ADMIN_BASE_URL=http://hydra
+ - HYDRA_ADMIN_PORT=4445
diff --git a/resources/hydra/resources/hydra-service.yaml b/resources/hydra/resources/hydra-service.yaml
index 642203d..31389bd 100644
--- a/resources/hydra/resources/hydra-service.yaml
+++ b/resources/hydra/resources/hydra-service.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 labels:
- io.kompose.service: hydra
+ app.kubernetes.io/name: hydra
 name: hydra
 spec:
 ports:
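Review bot: Dropping `https://raw.githubusercontent.com/ory/k8s/v0.28.2/helm/charts/hydra-maester/crds/crd-oauth2clients.yaml` from `resources` in the hydra-maester kustomization means this build no longer installs the `OAuth2Client` CRD that hydra-maester reconciles, and nothing else in this diff adds it; unless another layer now provides the CRD, `OAuth2Client` manifests will fail to apply. Removing a remote fetch from the build is otherwise a welcome change, since rendering no longer depends on reaching GitHub, but the replacement should be visible — a vendored copy of the CRD under `./resources/` listed here, with a comment recording its origin such as `# vendored from ory/k8s v0.28.2 helm/charts/hydra-maester/crds/crd-oauth2clients.yaml`.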
@@ -13,6 +13,6 @@ spec:
 port: 4445
 targetPort: hydra-admin
 selector:
- io.kompose.service: hydra
+ app.kubernetes.io/name: hydra
 status:
 loadBalancer: {}