diff --git a/components/hydra-saml/files/hydra/saml.yaml b/components/hydra-saml/files/hydra/saml.yaml
index 198d33f..905b3d5 100644
--- a/components/hydra-saml/files/hydra/saml.yaml
+++ b/components/hydra-saml/files/hydra/saml.yaml
@@ -10,4 +10,21 @@ hydra:
login_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGIN_URL)%"
consent_url: "%env(string:HYDRA_DISPATCHER_SAML_CONSENT_URL)%"
logout_url: "%env(string:HYDRA_DISPATCHER_SAML_LOGOUT_URL)%"
- attributes_rewrite_rules: []
\ No newline at end of file
+ attributes_rewrite_configuration:
+ uid:
+ rules:
+ - "property_exists(consent.session.id_token, 'uid') ? consent.session.id_token.uid : null"
+ email:
+ rules:
+ - "property_exists(consent.session.id_token, 'email') ? consent.session.id_token.email : null"
+ eduPersonAffiliation:
+ rules:
+ - "property_exists(consent.session.id_token, 'eduPersonAffiliation') ? consent.session.id_token.eduPersonAffiliation : null"
+ firewall:
+ rules:
+ email:
+ required: false
+ uid:
+ required: false
+ eduPersonAffiliation:
+ required: false
\ No newline at end of file
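Review bot: All three `firewall.rules` entries are `required: false`, so a consent whose id_token carries none of `uid`, `email` or `eduPersonAffiliation` passes the firewall and the rewrite rules above then yield `null` for every attribute. If `uid` is the identifier the downstream OIDC client relies on (the first rewrite rule maps it straight from `consent.session.id_token`), `required: true` for it would fail closed instead of issuing an identity-less session; if absence is deliberately tolerated, a comment on the `uid:` entry saying why would stop the next reader from "fixing" it. The rules are expression strings with no comment on what context `consent.session.id_token` refers to — a one-line `# expressions evaluated by the dispatcher against the consent request` (confirm the exact evaluator) would help.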
diff --git a/components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml b/components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml
new file mode 100644
index 0000000..5c96df7
--- /dev/null
+++ b/components/hydra-saml/files/shibboleth-sp/attribute-map.inc.xml
@@ -0,0 +1,3 @@
+
+
+
\ No newline at end of file
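Review bot: The new file holds only three blank lines and no comment, so a reader of the mounted `/etc/shibboleth/attribute-map.inc.xml` cannot tell whether it is intentionally empty or truncated. An XML comment such as `<!-- Deployment-specific Shibboleth attribute mappings; empty by default, override via the hydra-saml-shibboleth-sp ConfigMap -->` would document the hook. The purpose is inferred from the subPath mount in hydra-saml-shibboleth-sp.yaml, so confirm the wording before adding it.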
diff --git a/components/hydra-saml/kustomization.yaml b/components/hydra-saml/kustomization.yaml
index ce570f8..50a858f 100644
--- a/components/hydra-saml/kustomization.yaml
+++ b/components/hydra-saml/kustomization.yaml
@@ -2,10 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
resources:
- - ./resources/hydra-saml-service.yaml
- - ./resources/hydra-saml-shibboleth-sp-deployment.yaml
- - ./resources/hydra-saml-remote-user-deployment.yaml
- - ./resources/hydra-saml-remote-user-service.yaml
+ - ./resources/hydra-saml-shibboleth-sp.yaml
+ - ./resources/hydra-saml-remote-user.yaml
configMapGenerator:
- name: hydra-saml-env
@@ -18,6 +16,7 @@ configMapGenerator:
- HYDRA_ADMIN_BASE_URL=http://hydra:4445/admin
- TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
- LOGOUT_REDIRECT_URL_PATTERN=http://hydra-saml/Shibboleth.sso/Logout?return=%s'
+ - PATH_PREFIX=
# Shibboleth SP environment variables
- SP_ENTITY_ID=http://hydra-saml-shibboleth-sp
- IDP_ENTITY_ID=http://saml-idp
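Review bot: `PATH_PREFIX=` is added with an empty value and no explanation; the example patch sets it to `/auth/saml` next to an Ingress that forwards the path unrewritten, so it looks like the external URL prefix the SP is served under, and `# PATH_PREFIX: external URL prefix the SP is exposed under (empty = served at /)` above it would spell that out — confirm against the image. The neighbouring `LOGOUT_REDIRECT_URL_PATTERN=...?return=%s'` line ends in a stray `'` that looks like a typo; it is untouched by this commit but worth fixing while the block is being edited.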
@@ -29,6 +28,9 @@ configMapGenerator:
behavior: merge
files:
- ./files/hydra/saml.yaml
+ - name: hydra-saml-shibboleth-sp
+ files:
+ - ./files/shibboleth-sp/attribute-map.inc.xml
patchesJson6902:
- target:
diff --git a/components/hydra-saml/resources/hydra-saml-remote-user-service.yaml b/components/hydra-saml/resources/hydra-saml-remote-user-service.yaml
deleted file mode 100644
index 960ecea..0000000
--- a/components/hydra-saml/resources/hydra-saml-remote-user-service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- io.kompose.service: hydra-saml-remote-user
- name: hydra-saml-remote-user
-spec:
- ports:
- - name: hydra-saml-remote-user
- port: 80
- selector:
- io.kompose.service: hydra-saml-remote-user
-status:
- loadBalancer: {}
diff --git a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml b/components/hydra-saml/resources/hydra-saml-remote-user.yaml
similarity index 70%
rename from components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
rename to components/hydra-saml/resources/hydra-saml-remote-user.yaml
index 24502cc..fc4d66e 100644
--- a/components/hydra-saml/resources/hydra-saml-remote-user-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-remote-user.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: hydra-saml-remote-user
- image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-170-g485b138
+ image: reg.cadoles.com/cadoles/hydra-remote-user-v1:v0.0.0-233-g64fcacc
envFrom:
- configMapRef:
name: hydra-saml-env
@@ -26,4 +26,18 @@ spec:
- containerPort: 80
resources: {}
restartPolicy: Always
-
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ io.kompose.service: hydra-saml-remote-user
+ name: hydra-saml-remote-user
+spec:
+ ports:
+ - name: http
+ port: 80
+ selector:
+ io.kompose.service: hydra-saml-remote-user
+status:
+ loadBalancer: {}
diff --git a/components/hydra-saml/resources/hydra-saml-service.yaml b/components/hydra-saml/resources/hydra-saml-service.yaml
deleted file mode 100644
index c85bbc1..0000000
--- a/components/hydra-saml/resources/hydra-saml-service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- io.kompose.service: hydra-saml
- name: hydra-saml
-spec:
- ports:
- - name: hydra-saml-shibboleth-sp
- port: 80
- selector:
- io.kompose.service: hydra-saml-shibboleth-sp
-status:
- loadBalancer: {}
diff --git a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml b/components/hydra-saml/resources/hydra-saml-shibboleth-sp.yaml
similarity index 54%
rename from components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
rename to components/hydra-saml/resources/hydra-saml-shibboleth-sp.yaml
index 80a793b..a99bec7 100644
--- a/components/hydra-saml/resources/hydra-saml-shibboleth-sp-deployment.yaml
+++ b/components/hydra-saml/resources/hydra-saml-shibboleth-sp.yaml
@@ -16,14 +16,39 @@ spec:
labels:
io.kompose.service: hydra-saml-shibboleth-sp
spec:
+ securityContext:
+ fsGroup: 102
containers:
- name: hydra-saml-shibboleth-sp
- image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-172-g0f44679
+ image: reg.cadoles.com/cadoles/shibboleth-sp-v3:v0.0.0-233-g64fcacc
envFrom:
- configMapRef:
name: hydra-saml-env
+ volumeMounts:
+ - name: attributes-map-inc
+ mountPath: /etc/shibboleth/attribute-map.inc.xml
+ subPath: attribute-map.inc.xml
ports:
- containerPort: 80
resources: {}
restartPolicy: Always
+ volumes:
+ - name: attributes-map-inc
+ configMap:
+ name: hydra-saml-shibboleth-sp
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ io.kompose.service: hydra-saml
+ name: hydra-saml
+spec:
+ ports:
+ - name: http
+ port: 80
+ selector:
+ io.kompose.service: hydra-saml-shibboleth-sp
+status:
+ loadBalancer: {}
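Review bot: `fsGroup: 102` is an unexplained magic number; a comment naming the group (`# 102: gid of <group owning /etc/shibboleth in the SP image>`, placeholder) would let the next person re-check it when the image changes. The ConfigMap is mounted with `subPath`, so the kubelet will not refresh `attribute-map.inc.xml` in a running pod when the ConfigMap content changes; that is only safe here because kustomize's generator suffixes `hydra-saml-shibboleth-sp` with a content hash and rolls the Deployment, so a `# subPath mount: updates arrive via the generated ConfigMap name, do not disable the name suffix` comment on the volume is worth adding.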
diff --git a/examples/authenticated-app/README.md b/examples/authenticated-app/README.md
index 126a15e..d3fa32b 100644
--- a/examples/authenticated-app/README.md
+++ b/examples/authenticated-app/README.md
@@ -1,19 +1,21 @@
# Exemple: Déploiement d'une application authentifiée avec la stack SSO
+L'exemple est actuellement déployé avec le composant `hydra-saml` uniquement.
+
## Procédure
-### Avec `k3d`
+### Avec `kind`
-1. Créer un cluster avec `k3d`
+1. Créer un cluster avec `kind`
```
- k3d cluster create -c ./examples/k8s/k3d/k3d/cluster-config.yaml
+ kind create cluster --config ./examples/k8s/kind/cluster-config.yaml
```
2. Déployer les opérateurs nécessaires au déploiement
```
- kubectl apply -k ./examples/k8s/k3d/cluster
+ kubectl kustomize --enable-helm ./examples/k8s/kind/cluster | kubectl apply -f -
```
3. Déployer l'application
@@ -22,4 +24,38 @@
kubectl apply -k ./examples/authenticated-app
```
-Après stabilisation du déploiement, l'application devrait être accessible à l'adresse http://localhost:8080/
\ No newline at end of file
+ **Note** Il est possible d'avoir l'erreur suivante:
+
+ ```
+ error: resource mapping not found for name: "app-oauth2-client" namespace: "" from "./examples/authenticated-app": no matches for kind "OAuth2Client" in version "hydra.ory.sh/v1alpha1"
+ ```
+
+ Cette erreur est "normale" (voir https://github.com/kubernetes/kubectl/issues/1117). Dans ce cas, attendre la création de la CRD (voir ticket) puis relancer la commande.
+
+4. Ajouter l'entrée suivante dans votre fichier `/etc/hosts`
+
+ ```
+ 127.0.0.1 ssokustom
+ ```
+
+5. Après stabilisation du déploiement, l'application devrait être accessible à l'adresse https://ssokustom
+
+#### Supprimer le cluster
+
+```
+kind delete cluster -n sso-kustom-example
+```
+
+## Authentification
+
+### SAML
+
+- Utilisateur: `user1`
+- Mot de passe `user1pass`
+
+#### URL utiles
+
+|URL|Description|
+|---|-----------|
+|https://ssokustom/auth/saml/Shibboleth.sso/Session|Attributs de la session SP Shibboleth|
+|https://ssokustom/auth/saml/Shibboleth.sso/Metadata|Métadonnées du SP Shibboleth|
diff --git a/examples/authenticated-app/kustomization.yaml b/examples/authenticated-app/kustomization.yaml
index 926224c..80aba5f 100644
--- a/examples/authenticated-app/kustomization.yaml
+++ b/examples/authenticated-app/kustomization.yaml
@@ -4,12 +4,12 @@ kind: Kustomization
resources:
- ../../resources/hydra
- ../../resources/hydra-dispatcher
- - ./resources/app-deployment.yaml
- - ./resources/app-service.yaml
+ - ./resources/app.yaml
- ./resources/ingress.yaml
- - ./resources/ingress-prefix-traefik-middleware.yaml
- - ./resources/port-forwarder-deployment.yaml
- - ./resources/port-forwarder-service.yaml
+ - ./resources/oauth2-client.yaml
+ - ./resources/saml-idp.yaml
+ - ./resources/self-signed-issuer.yaml
+ - ./resources/port-forwarder.yaml
components:
- ../../components/hydra-cnpg-database
diff --git a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml
index be7c1dc..464288a 100644
--- a/examples/authenticated-app/patches/hydra-dispatcher-env.yaml
+++ b/examples/authenticated-app/patches/hydra-dispatcher-env.yaml
@@ -1,18 +1,30 @@
- op: replace
path: "/data/HYDRA_BASE_URL"
- value: http://ssokustom:8080/auth
+ value: http://hydra:4444
- op: replace
path: "/data/HYDRA_ADMIN_BASE_URL"
value: http://hydra:4445/admin
- op: replace
path: "/data/HYDRA_ORIGINAL_ISSUER"
- value: http://ssokustom:8080/auth
+ value: http://hydra:4444
- op: replace
path: "/data/HYDRA_NEW_ISSUER"
- value: http://ssokustom:8080/auth/dispatcher/
+ value: https://ssokustom/auth/dispatcher
- op: replace
path: "/data/BASE_URL"
- value: http://ssokustom:8080/auth/dispatcher
+ value: https://ssokustom/auth/dispatcher
- op: replace
path: "/data/COOKIE_PATH"
- value: /auth/dispatcher
\ No newline at end of file
+ value: /auth/dispatcher
+
+# Hydra SAML configuration
+- op: replace
+ path: "/data/HYDRA_DISPATCHER_SAML_LOGIN_URL"
+ value: https://ssokustom/auth/saml/login
+- op: replace
+ path: "/data/HYDRA_DISPATCHER_SAML_CONSENT_URL"
+ value: https://ssokustom/auth/saml/consent
+- op: replace
+ path: "/data/HYDRA_DISPATCHER_SAML_LOGOUT_URL"
+ value: https://ssokustom/auth/saml/logout
+
\ No newline at end of file
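Review bot: `HYDRA_ORIGINAL_ISSUER` is set to `http://hydra:4444` while patches/hydra-env.yaml sets Hydra's `URLS_SELF_ISSUER` to `https://ssokustom/auth`; if the dispatcher uses the original issuer to rewrite the `iss` in Hydra's discovery document, the two will not match and no rewrite happens — confirm which issuer Hydra actually advertises and align the value, or comment why the in-cluster URL is intended. `HYDRA_BASE_URL` switching from the public URL to `http://hydra:4444` is the same question, so a shared `# in-cluster Hydra URL; public issuer is rewritten by the dispatcher` comment would settle it. The file also gains a blank line before the missing final newline.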
diff --git a/examples/authenticated-app/patches/hydra-env.yaml b/examples/authenticated-app/patches/hydra-env.yaml
index 8b9286f..1b45696 100644
--- a/examples/authenticated-app/patches/hydra-env.yaml
+++ b/examples/authenticated-app/patches/hydra-env.yaml
@@ -1,15 +1,15 @@
- op: replace
path: "/data/URLS_SELF_ISSUER"
- value: http://ssokustom:8080/auth
+ value: https://ssokustom/auth
- op: replace
path: "/data/URLS_LOGIN"
- value: http://ssokustom:8080/auth/dispatcher/login
+ value: https://ssokustom/auth/dispatcher/login
- op: replace
path: "/data/URLS_LOGOUT"
- value: http://ssokustom:8080/auth/dispatcher/logout
+ value: https://ssokustom/auth/dispatcher/logout
- op: replace
path: "/data/URLS_CONSENT"
- value: http://ssokustom:8080/auth/dispatcher/consent
+ value: https://ssokustom/auth/dispatcher/consent
- op: replace
path: "/data/HYDRA_SERVE_ALL_ARGS"
value: "--dev"
\ No newline at end of file
diff --git a/examples/authenticated-app/patches/hydra-saml-env.yaml b/examples/authenticated-app/patches/hydra-saml-env.yaml
index f340556..8d9aa8a 100644
--- a/examples/authenticated-app/patches/hydra-saml-env.yaml
+++ b/examples/authenticated-app/patches/hydra-saml-env.yaml
@@ -1,6 +1,6 @@
- op: replace
path: "/data/HTTP_BASE_URL"
- value: http://ssokustom:8080/auth/saml
+ value: https://ssokustom/auth/saml
- op: replace
path: "/data/COOKIE_PATH"
value: /auth/saml
@@ -9,23 +9,35 @@
value: http://hydra-dispatcher
- op: replace
path: "/data/LOGOUT_REDIRECT_URL_PATTERN"
- value: http://ssokustom:8080/auth/saml/Shibboleth.sso/Logout?return=%s
+ value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=%s
+- op: replace
+ path: "/data/PATH_PREFIX"
+ value: "/auth/saml"
- op: replace
path: "/data/SP_ENTITY_ID"
- value: http://ssokustom:8080/auth/saml
+ value: https://ssokustom/auth/saml
- op: replace
path: "/data/IDP_ENTITY_ID"
- value: http://ssokustom:8080/idp
+ value: https://ssokustom/simplesaml/saml2/idp/metadata.php
- op: replace
path: "/data/IDP_METADATA_URL"
- value: http://ssokustom:8080/idp/metadata
-- op: replace
- path: "/data/APACHE_BACKEND_URL"
- value: http://hydra-remote-user
+ value: https://ssokustom/simplesaml/saml2/idp/metadata.php
- op: replace
path: "/data/APACHE_FORCE_HTTPS"
- value: "false"
+ value: "true"
- op: replace
path: "/data/SP_HANDLER_BASE_PATH"
- value: /auth/saml
\ No newline at end of file
+ value: "/auth/saml"
+- op: replace
+ path: "/data/SP_LOG_LEVEL"
+ value: DEBUG
+- op: replace
+ path: "/data/SP_SESSIONS_REDIRECT_LIMIT"
+ value: none
+- op: replace
+ path: "/data/SP_SESSIONS_REDIRECT_ALLOW"
+ value: https://ssokustom
+- op: replace
+ path: "/data/SP_SESSIONS_COOKIE_PROPS"
+ value: https
\ No newline at end of file
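Review bot: `SP_SESSIONS_REDIRECT_LIMIT: none` turns off the Shibboleth SP's check on the `return`/`target` URLs it redirects to after login and logout, so the `SP_SESSIONS_REDIRECT_ALLOW: https://ssokustom` line below has no effect — the allow list is only consulted by the `allow`, `exact+allow` and `host+allow` modes. Since the logout flow in this example already hands the SP a `return=` URL, `value: exact+allow` (or `host+allow`) keeps the allow list meaningful and avoids an open redirect. `SP_LOG_LEVEL: DEBUG` is fine for a demo but deserves a `# example only` comment so it is not copied into a real deployment.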
diff --git a/examples/authenticated-app/resources/app-deployment.yaml b/examples/authenticated-app/resources/app-deployment.yaml
deleted file mode 100644
index fc31c7c..0000000
--- a/examples/authenticated-app/resources/app-deployment.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- io.kompose.service: app
- name: app
-spec:
- replicas: 1
- selector:
- matchLabels:
- io.kompose.service: app
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- io.kompose.service: app
- spec:
- containers:
- - image: bornholm/oidc-test:v0.0.0-1-g936a77e
- name: app
- ports:
- - containerPort: 8080
- resources: {}
- env:
- - name: LOG_LEVEL
- value: "0"
- - name: HTTP_ADDRESS
- value: 0.0.0.0:8080
- - name: OIDC_CLIENT_ID
- value: oidc-test
- - name: OIDC_CLIENT_SECRET
- value: oidc-test-123456
- - name: OIDC_ISSUER_URL
- value: http://ssokustom:8080/auth
- - name: OIDC_REDIRECT_URL
- value: http://ssokustom:8080
- - name: OIDC_POST_LOGOUT_REDIRECT_URL
- value: http://ssokustom:8080
- restartPolicy: Always
diff --git a/examples/authenticated-app/resources/app-service.yaml b/examples/authenticated-app/resources/app-service.yaml
deleted file mode 100644
index 19e7784..0000000
--- a/examples/authenticated-app/resources/app-service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- io.kompose.service: app
- name: app
-spec:
- ports:
- - name: http
- port: 8080
- targetPort: 8080
- selector:
- io.kompose.service: app
-status:
- loadBalancer: {}
diff --git a/examples/authenticated-app/resources/app.yaml b/examples/authenticated-app/resources/app.yaml
new file mode 100644
index 0000000..1da36c9
--- /dev/null
+++ b/examples/authenticated-app/resources/app.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ io.kompose.service: app
+ name: app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ io.kompose.service: app
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ io.kompose.service: app
+ spec:
+ containers:
+ - image: reg.cadoles.com/cadoles/oidc-test:2023.11.6-stable.1557.e16b905
+ name: app
+ ports:
+ - containerPort: 8080
+ resources: {}
+ env:
+ - name: LOG_LEVEL
+ value: "0"
+ - name: HTTP_ADDRESS
+ value: 0.0.0.0:8080
+ - name: OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: app-oidc-secret
+ key: client_id
+ - name: OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: app-oidc-secret
+ key: client_secret
+ - name: OIDC_ISSUER_URL
+ value: http://hydra:4444
+ - name: OIDC_REDIRECT_URL
+ value: https://ssokustom/oauth2/callback
+ - name: OIDC_POST_LOGOUT_REDIRECT_URL
+ value: https://ssokustom
+ - name: OIDC_SKIP_ISSUER_VERIFICATION
+ value: "true"
+ - name: OIDC_INSECURE_SKIP_VERIFY
+ value: "true"
+ restartPolicy: Always
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ io.kompose.service: app
+ name: app
+spec:
+ ports:
+ - name: http
+ port: 8080
+ targetPort: 8080
+ selector:
+ io.kompose.service: app
+status:
+ loadBalancer: {}
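Review bot: `OIDC_SKIP_ISSUER_VERIFICATION` and `OIDC_INSECURE_SKIP_VERIFY` are both `"true"` with no explanation; the first is presumably needed because the app fetches discovery from `http://hydra:4444` while Hydra advertises the public issuer, and the second because the Ingress certificate comes from the self-signed issuer, but nothing in the file says so. A comment above each, e.g. `# Example only: in-cluster issuer URL differs from the advertised public issuer` and `# Example only: the ingress certificate is self-signed`, would keep the two switches from being copied into a real deployment as-is.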
diff --git a/examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml b/examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml
deleted file mode 100644
index 07f8e81..0000000
--- a/examples/authenticated-app/resources/ingress-prefix-traefik-middleware.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
- name: ingress-prefix
-spec:
- stripPrefixRegex:
- regex:
- - ^/auth/dispatcher
- - ^/auth/saml
- - ^/auth
\ No newline at end of file
diff --git a/examples/authenticated-app/resources/ingress.yaml b/examples/authenticated-app/resources/ingress.yaml
index 28ecffa..1ab37dc 100644
--- a/examples/authenticated-app/resources/ingress.yaml
+++ b/examples/authenticated-app/resources/ingress.yaml
@@ -1,11 +1,18 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
- name: portal
+ name: app
annotations:
- ingress.kubernetes.io/ssl-redirect: "false"
- traefik.ingress.kubernetes.io/router.middlewares: default-ingress-prefix@kubernetescrd
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ cert-manager.io/issuer: "self-signed"
+ # nginx.ingress.kubernetes.io/configuration-snippet: |
+ # more_set_headers "X-Forwarded-Proto: https";
spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - ssokustom
+ secretName: ssokustom-example-tls
rules:
- http:
paths:
@@ -16,28 +23,109 @@ spec:
name: app
port:
name: http
-
- - path: /auth/dispatcher
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: auth-saml
+ annotations:
+ cert-manager.io/issuer: "self-signed"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - ssokustom
+ secretName: ssokustom-example-tls
+ rules:
+ - http:
+ paths:
+ - path: /auth/saml(/|$)(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: hydra-saml
+ port:
+ name: http
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: auth-dispatcher
+ annotations:
+ cert-manager.io/issuer: "self-signed"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
+ nginx.ingress.kubernetes.io/x-forwarded-prefix: /auth/dispatcher
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - ssokustom
+ secretName: ssokustom-example-tls
+ rules:
+ - http:
+ paths:
+ - path: /auth/dispatcher(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra-dispatcher
port:
name: http
-
- - path: /auth
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: auth
+ annotations:
+ cert-manager.io/issuer: "self-signed"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - ssokustom
+ secretName: ssokustom-example-tls
+ rules:
+ - http:
+ paths:
+ - path: /auth(/|$)(.*)
pathType: Prefix
backend:
service:
name: hydra
port:
name: hydra-public
-
- # - path: /auth/passwordless/?(.*)
- # pathType: Prefix
- # backend:
- # service:
- # name: hydra
- # port:
- # name: http-public
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: saml-idp
+ annotations:
+ cert-manager.io/issuer: "self-signed"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/rewrite-target: /simplesaml/$2
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - ssokustom
+ secretName: ssokustom-example-tls
+ rules:
+ - http:
+ paths:
+ - path: /simplesaml(/|$)(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: saml-idp
+ port:
+ name: https
+
+
+
+
\ No newline at end of file
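Review bot: The `auth-saml` Ingress uses the regex path `/auth/saml(/|$)(.*)` but carries neither `use-regex` nor `rewrite-target`; ingress-nginx only switches a host's locations to regex matching when some Ingress for that host has one of those annotations, so this path works here only because the sibling `auth` and `auth-dispatcher` Ingresses (all on the same default host, since none sets `host`) enable it. Adding `nginx.ingress.kubernetes.io/use-regex: "true"` to `auth-saml` makes the dependency explicit. The file also ends with four blank lines and no final newline.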
diff --git a/examples/authenticated-app/resources/oauth2-client.yaml b/examples/authenticated-app/resources/oauth2-client.yaml
new file mode 100644
index 0000000..7b786c5
--- /dev/null
+++ b/examples/authenticated-app/resources/oauth2-client.yaml
@@ -0,0 +1,18 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: app-oauth2-client
+spec:
+ clientName: "app"
+ tokenEndpointAuthMethod: "client_secret_basic"
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ scope: "openid email"
+ secretName: app-oidc-secret
+ redirectUris:
+ - https://ssokustom/oauth2/callback
+ postLogoutRedirectUris:
+ - https://ssokustom
diff --git a/examples/authenticated-app/resources/port-forwarder-deployment.yaml b/examples/authenticated-app/resources/port-forwarder-deployment.yaml
deleted file mode 100644
index 9ff0268..0000000
--- a/examples/authenticated-app/resources/port-forwarder-deployment.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- io.kompose.service: port-forwarder
- name: port-forwarder
-spec:
- replicas: 1
- selector:
- matchLabels:
- io.kompose.service: port-forwarder
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- io.kompose.service: port-forwarder
- spec:
- containers:
- - image: hpello/tcp-proxy:latest
- name: port-forwarder
- env:
- - name: LISTEN_PORT
- value: "8080"
- ports:
- - containerPort: 8080
- resources: {}
- args: ["traefik.kube-system.svc.cluster.local", "80"]
- restartPolicy: Always
diff --git a/examples/authenticated-app/resources/port-forwarder-service.yaml b/examples/authenticated-app/resources/port-forwarder-service.yaml
deleted file mode 100644
index a360fdf..0000000
--- a/examples/authenticated-app/resources/port-forwarder-service.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: ssokustom
- labels:
- io.kompose.service: port-forwarder
-spec:
- ports:
- - port: 8080
- targetPort: 8080
- selector:
- io.kompose.service: port-forwarder
\ No newline at end of file
diff --git a/examples/authenticated-app/resources/port-forwarder.yaml b/examples/authenticated-app/resources/port-forwarder.yaml
new file mode 100644
index 0000000..7db316a
--- /dev/null
+++ b/examples/authenticated-app/resources/port-forwarder.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ io.kompose.service: port-forwarder
+ name: port-forwarder
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ io.kompose.service: port-forwarder
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ io.kompose.service: port-forwarder
+ spec:
+ containers:
+ - image: hpello/tcp-proxy:latest
+ name: port-forwarder-https
+ env:
+ - name: LISTEN_PORT
+ value: "443"
+ ports:
+ - containerPort: 443
+ resources: {}
+ args: ["ingress-nginx-controller.ingress-nginx.svc.cluster.local", "443"]
+ - image: hpello/tcp-proxy:latest
+ name: port-forwarder-http
+ env:
+ - name: LISTEN_PORT
+ value: "80"
+ ports:
+ - containerPort: 80
+ resources: {}
+ args: ["ingress-nginx-controller.ingress-nginx.svc.cluster.local", "80"]
+ restartPolicy: Always
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: ssokustom
+ labels:
+ io.kompose.service: port-forwarder
+spec:
+ ports:
+ - name: https
+ port: 443
+ targetPort: 443
+ - name: http
+ port: 80
+ targetPort: 80
+ selector:
+ io.kompose.service: port-forwarder
\ No newline at end of file
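Review bot: Both containers run `hpello/tcp-proxy:latest`, a floating third-party tag, so two cluster creations can pull different code and an upstream tag move lands in the example unreviewed; pin it to a tagged release or a digest (`hpello/tcp-proxy@sha256:<digest>`, placeholder). The Service is named `ssokustom` so that in-cluster clients resolve the public hostname to the proxy; a `# named after the public host so in-cluster pods can reach https://ssokustom` comment on `name: ssokustom` would explain the otherwise odd name — confirm that this is the intent.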
diff --git a/examples/authenticated-app/resources/saml-idp.yaml b/examples/authenticated-app/resources/saml-idp.yaml
new file mode 100644
index 0000000..d89cdbf
--- /dev/null
+++ b/examples/authenticated-app/resources/saml-idp.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ io.kompose.service: saml-idp
+ name: saml-idp
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ io.kompose.service: saml-idp
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ io.kompose.service: saml-idp
+ spec:
+ containers:
+ - image: kristophjunge/test-saml-idp:1.15
+ name: saml-idp
+ ports:
+ - containerPort: 8443
+ resources: {}
+ env:
+ - name: SIMPLESAMLPHP_SP_ENTITY_ID
+ value: https://ssokustom/auth/saml
+ - name: SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE
+ value: https://ssokustom/auth/saml/Shibboleth.sso/SAML2/POST
+ - name: SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE
+ value: https://ssokustom/auth/saml/Shibboleth.sso/Logout?return=https://ssokustom
+ restartPolicy: Always
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ io.kompose.service: saml-idp
+ name: saml-idp
+spec:
+ ports:
+ - name: http
+ port: 8080
+ targetPort: 8080
+ - name: https
+ port: 8443
+ targetPort: 8443
+ selector:
+ io.kompose.service: saml-idp
+status:
+ loadBalancer: {}
\ No newline at end of file
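Review bot: The `saml-idp` Service exposes an `http` port 8080 that nothing in this change uses — the Ingress targets the `https` port and the container only declares `containerPort: 8443` — so either drop the `http` entry or add the matching `containerPort: 8080` to the pod. The image is `kristophjunge/test-saml-idp`, whose built-in users (the README lists `user1`) are fixed, so a `# Test IdP with static demo users - example only` comment on the image line is worth adding.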
diff --git a/examples/authenticated-app/resources/self-signed-issuer.yaml b/examples/authenticated-app/resources/self-signed-issuer.yaml
new file mode 100644
index 0000000..69ec201
--- /dev/null
+++ b/examples/authenticated-app/resources/self-signed-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: self-signed
+spec:
+ selfSigned: {}
\ No newline at end of file
diff --git a/examples/k8s/k3d/cluster-config.yaml b/examples/k8s/k3d/cluster-config.yaml
deleted file mode 100644
index 04831c8..0000000
--- a/examples/k8s/k3d/cluster-config.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-apiVersion: k3d.io/v1alpha4
-kind: Simple
-metadata:
- name: sso-kustom
-servers: 1
-agents: 2
-ports:
- - port: 8080:80
- nodeFilters:
- - loadbalancer
diff --git a/examples/k8s/k3d/cluster/kustomization.yaml b/examples/k8s/k3d/cluster/kustomization.yaml
deleted file mode 100644
index 6e2bd83..0000000
--- a/examples/k8s/k3d/cluster/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
\ No newline at end of file
diff --git a/examples/k8s/kind/cluster-config.yaml b/examples/k8s/kind/cluster-config.yaml
new file mode 100644
index 0000000..4cb24d2
--- /dev/null
+++ b/examples/k8s/kind/cluster-config.yaml
@@ -0,0 +1,45 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: sso-kustom-example
+nodes:
+- role: control-plane
+ image: kindest/node:v1.27.2
+ kubeadmConfigPatches:
+ - |
+ kind: InitConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ node-labels: "ingress-ready=true"
+ extraPortMappings:
+ - containerPort: 80
+ hostPort: 80
+ listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
+ - containerPort: 443
+ hostPort: 443
+ listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
+ labels:
+ ingress-ready: true
+- role: worker
+ image: kindest/node:v1.27.2
+ kubeadmConfigPatches:
+ - |
+ kind: JoinConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ system-reserved: memory=2Gi
+- role: worker
+ image: kindest/node:v1.27.2
+ kubeadmConfigPatches:
+ - |
+ kind: JoinConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ system-reserved: memory=2Gi
+- role: worker
+ image: kindest/node:v1.27.2
+ kubeadmConfigPatches:
+ - |
+ kind: JoinConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ system-reserved: memory=2Gi
\ No newline at end of file
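Review bot: `ingress-ready: true` under the control-plane node's `labels` is a YAML boolean, while kind's node labels are a string map, so quote it as `ingress-ready: "true"` to avoid a type error or a tool-dependent conversion. The same label is already applied through `node-labels: "ingress-ready=true"` in the kubeadm patch on the same node, so one of the two can go. The three worker stanzas are identical and could carry a `# workers are identical; adjust count here` comment.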
diff --git a/examples/k8s/kind/cluster/.gitignore b/examples/k8s/kind/cluster/.gitignore
new file mode 100644
index 0000000..fbad614
--- /dev/null
+++ b/examples/k8s/kind/cluster/.gitignore
@@ -0,0 +1 @@
+/charts
\ No newline at end of file
diff --git a/examples/k8s/kind/cluster/kustomization.yaml b/examples/k8s/kind/cluster/kustomization.yaml
new file mode 100644
index 0000000..760eb72
--- /dev/null
+++ b/examples/k8s/kind/cluster/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- https://github.com/jetstack/cert-manager/releases/download/v1.13.2/cert-manager.yaml
+- https://forge.cadoles.com/CadolesKube/c-kustom//base/cloudnative-pg-operator?ref=develop
+- https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
+
+patchesJson6902:
+ - target:
+ version: v1
+ kind: ConfigMap
+ name: ingress-nginx-controller
+ namespace: ingress-nginx
+ path: patches/nginx-controller.yaml
\ No newline at end of file
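Review bot: The ingress-nginx manifest is fetched from the `main` branch of the upstream repository, so the example will track whatever is committed there and can break or change behaviour without any change in this repo; cert-manager on the line above is pinned to `v1.13.2`, and the ingress-nginx line should likewise reference a release tag (`controller-v<VERSION>`, placeholder). The `ref=develop` reference to c-kustom has the same drift problem.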
diff --git a/examples/k8s/kind/cluster/patches/nginx-controller.yaml b/examples/k8s/kind/cluster/patches/nginx-controller.yaml
new file mode 100644
index 0000000..799344f
--- /dev/null
+++ b/examples/k8s/kind/cluster/patches/nginx-controller.yaml
@@ -0,0 +1,6 @@
+- op: replace
+ path: "/data/allow-snippet-annotations"
+ value: "true"
+- op: replace
+ path: "/data/use-forwarded-headers"
+ value: "true"
\ No newline at end of file
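Review bot: `allow-snippet-annotations: "true"` lets anyone who can create an Ingress in the cluster inject arbitrary nginx configuration into the controller, which is why upstream ships it disabled; the only consumer in this change, the `configuration-snippet` annotation in resources/ingress.yaml, is commented out, so this op can be dropped until it is needed. `use-forwarded-headers: "true"` makes the controller trust client-supplied `X-Forwarded-*` headers, and the tcp-proxy in front of it is a plain TCP relay, so a `# example cluster only: trusts X-Forwarded-* from any client` comment should accompany it.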
diff --git a/resources/hydra-dispatcher/files/hydra/default.yaml b/resources/hydra-dispatcher/files/hydra/default.yaml
index f23203e..52e6dbb 100644
--- a/resources/hydra-dispatcher/files/hydra/default.yaml
+++ b/resources/hydra-dispatcher/files/hydra/default.yaml
@@ -1,2 +1,17 @@
+parameters:
+ env(HYDRA_DISPATCHER_WEBHOOK_ENABLED): false
+ env(HYDRA_DISPATCHER_WEBHOOK_API_URL): ""
+ env(HYDRA_DISPATCHER_WEBHOOK_API_KEY): ""
+ env(HYDRA_DISPATCHER_WEBHOOK_API_METHOD): POST
+ env(HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES): true
+
hydra:
- apps: []
\ No newline at end of file
+ apps: []
+ webhook:
+ enabled: "%env(bool:HYDRA_DISPATCHER_WEBHOOK_ENABLED)%"
+ api_url: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_URL)%"
+ api_key: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_KEY)%"
+ api_method: "%env(string:HYDRA_DISPATCHER_WEBHOOK_API_METHOD)%"
+ firewall:
+ additional_properties: "%env(bool:HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES)%"
+ rules: {}
\ No newline at end of file
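Review bot: `env(HYDRA_DISPATCHER_WEBHOOK_ENABLED): false` and `env(HYDRA_DISPATCHER_FIREWALL_ADDITIONAL_PROPERTIES): true` are YAML booleans, while Symfony expects `env()` default parameters to be strings or null and rejects a non-string default when the placeholder is resolved without a type prefix; writing them as `"false"` and `"true"` matches the other defaults in the block and the `bool:` processor casts them the same way. `additional_properties: true` as the firewall default also deserves a comment, since it appears to let attributes not listed in `rules` through — confirm against the dispatcher and state it on the line.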
diff --git a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
index 7728ce9..2a049ce 100644
--- a/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
+++ b/resources/hydra-dispatcher/resources/hydra-dispatcher-deployment.yaml
@@ -18,7 +18,7 @@ spec:
spec:
containers:
- name: hydra-dispatcher
- image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-218-g4b5e1d9
+ image: reg.cadoles.com/cadoles/hydra-dispatcher-v1:v0.0.0-238-g7236416
envFrom:
- configMapRef:
name: hydra-dispatcher-env