Fixing oc-auth service, and hydra and keto integration

2025-01-21 15:25:25 +01:00
parent 2738dd614c
commit 30b04e62c0
25 changed files with 141 additions and 31 deletions
--- a/opencloud/templates/hydra.yaml
+++ b/opencloud/templates/hydra.yaml
@@ -15,4 +15,17 @@ spec:
        name: {{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}
        passHostHeader: true
        port: 4444
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: hydra-secret
+data:
+  dsn: bWVtb3J5
+  secretsCookie: U0prcFlUeDFZZWhPMFEyc3UweWlwcDdmZ1BaRmc2ajA=
+  secretsSystem: M3FwWnlpemIzbXc2cE80Q1l3Q1MyUVFmbXdOeVFpRzE=
+
+
+
 {{- end }}
--- a/opencloud/templates/oc-aggregator/ingress.yaml
+++ b/opencloud/templates/oc-aggregator/ingress.yaml
@@ -16,6 +16,9 @@ spec:
        port: 8080
      middlewares:
      - name: strip-aggregator-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}

 ---
 apiVersion:  traefik.io/v1alpha1
--- a/opencloud/templates/oc-auth/ingress.yaml
+++ b/opencloud/templates/oc-auth/ingress.yaml
@@ -14,6 +14,11 @@ spec:
      - kind: Service
        name: oc-auth-svc
        port: 8094
+      middlewares:
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
+      - name: strip-auth-prefix
 ---
 apiVersion:  traefik.io/v1alpha1
 kind: Middleware
@@ -23,5 +28,4 @@ spec:
  stripPrefix:
    prefixes:
      - "/auth"
-
-{{- end }}
+{{- end }}      
--- a/opencloud/templates/oc-auth/openCloudOauth2.yaml
+++ b/opencloud/templates/oc-auth/openCloudOauth2.yaml
@@ -5,22 +5,32 @@ metadata:
  name: open-cloud-client
 spec:
  grantTypes:
-    - implicit
    - refresh_token
    - authorization_code
    - client_credentials
+    - implicit
  responseTypes:
    - id_token
    - token
    - code
  scope: openid profile email roles
-  secretName: oc-auth-got-secret
+  secretName: oc-oauth2-client-secret
  redirectUris:
-    - https://myapp.example.com/callback
+    - https://{{ .Values.host }}/auth/callback
  postLogoutRedirectUris:
-    - http://localhost:3000
+    - https://{{ .Values.host }}/auth/logout/
  tokenEndpointAuthMethod: client_secret_post
  allowedCorsOrigins:
-    - http://localhost
+    -  "http://0.0.0.0"
+#---
+#apiVersion: v1
+#kind: Secret
+#metadata:
+#  name: oc-auth-got-secret
+#  namespace: dev
+#stringData:
+#  CLIENT_ID: {{ .Values.ocAuth.hydra.clientId }}
+#  CLIENT_SECRET: {{ .Values.ocAuth.hydra.clientSecret }}
+
 {{- end }}
  
--- a/opencloud/templates/oc-auth/rbac.yaml
+++ b/opencloud/templates/oc-auth/rbac.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.ocAuth.enabled }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-reader-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: secret-reader-binding
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: ocauth-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: secret-reader-role
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: ocauth-sa
+{{- end }}
+
--- a/opencloud/templates/oc-catalog/ingress.yaml
+++ b/opencloud/templates/oc-catalog/ingress.yaml
@@ -15,6 +15,9 @@ spec:
        name: oc-catalog-svc
        port: 8080
      middlewares:
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
      - name: strip-catalog-prefix

 ---
--- a/opencloud/templates/oc-datacenter/ingress.yaml
+++ b/opencloud/templates/oc-datacenter/ingress.yaml
@@ -16,6 +16,7 @@ spec:
        port: 8080
      middlewares:
      - name: strip-datacenter-prefix
+      - name:  forward-auth

 ---
 apiVersion:  traefik.io/v1alpha1
--- a/opencloud/templates/oc-peer/ingress.yaml
+++ b/opencloud/templates/oc-peer/ingress.yaml
@@ -15,7 +15,11 @@ spec:
        name: oc-peer-svc
        port: 8080
      middlewares:
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
      - name: strip-peer-prefix
+      

 ---
 apiVersion:  traefik.io/v1alpha1
--- a/opencloud/templates/oc-scheduler/ingress.yaml
+++ b/opencloud/templates/oc-scheduler/ingress.yaml
@@ -16,6 +16,10 @@ spec:
        port: 8080
      middlewares:
      - name: strip-scheduler-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
+

 ---
 apiVersion:  traefik.io/v1alpha1
--- a/opencloud/templates/oc-shared/ingress.yaml
+++ b/opencloud/templates/oc-shared/ingress.yaml
@@ -16,6 +16,9 @@ spec:
        port: 8080
      middlewares:
      - name: strip-shared-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}

 ---
 apiVersion:  traefik.io/v1alpha1
--- a/opencloud/templates/oc-workflow/ingress.yaml
+++ b/opencloud/templates/oc-workflow/ingress.yaml
@@ -16,6 +16,10 @@ spec:
        port: 8080
      middlewares:
      - name: strip-workflow-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
+

 ---
 apiVersion:  traefik.io/v1alpha1
--- a/opencloud/templates/oc-workspace/ingress.yaml
+++ b/opencloud/templates/oc-workspace/ingress.yaml
@@ -16,6 +16,9 @@ spec:
        port: 8080
      middlewares:
      - name: strip-workspace-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}

 ---
 apiVersion:  traefik.io/v1alpha1
--- a/opencloud/templates/openCloudConf.yaml
+++ b/opencloud/templates/openCloudConf.yaml
@@ -2,16 +2,22 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: opencloud-config
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "1"  # Lower number runs first
+    "helm.sh/hook-delete-policy": hook-succeeded  
 data:
+  OC_NAMESPACE: "{{ .Release.Namespace }}"
  OC_ADMIN_ROLE: "{{ .Values.ocAuth.keto.adminRole }}"
  OC_PUBLIC_KEY_PATH: "/keys/public/public.pem"
  OC_PRIVATE_KEY_PATH: "/keys/private/private.pem"
-  OC_CLIENT_SECRET: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
+  OC_OAUTH2_CLIENT_SECRET_NAME: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
  OC_AUTH: "{{ .Values.ocAuth.authType }}"
  OC_AUTH_CONNECTOR_HOST: "{{ .Release.Name }}-hydra-admin.{{ .Release.Namespace }}"
+  OC_AUTH_CONNECTOR_PUBLIC_HOST: "{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}"
  OC_AUTH_CONNECTOR_PORT: "4444"
  OC_AUTH_CONNECTOR_ADMIN_PORT: "4445"
-  OC_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
+  OC_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-read.{{ .Release.Namespace }}"
  OC_PERMISSION_CONNECTOR_PORT: "80"
  OC_PERMISSION_CONNECTOR_ADMIN_PORT: "80"
  OC_LDAP_ENDPOINTS: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
--- a/opencloud/templates/traefik.yaml
+++ b/opencloud/templates/traefik.yaml
@@ -4,5 +4,5 @@ metadata:
  name: forward-auth
 spec:
  forwardAuth:
-    address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward"
+    address: "http://oc-auth-svc.{{ .Release.Namespace }}:8094/oc/forward"
    trustForwardHeader: true