oc-auth k8s integration

opencloud/templates/oc-auth/deployment.yaml

@@ -26,46 +26,17 @@ spec:
       containers:
       - image: "{{ .Values.ocAuth.image }}"
         name: oc-auth
+        command: ["tail", "-f", "/dev/null"]
         volumeMounts:
           - name: public-key-volume
-            mountPath: /keys/public
+            mountPath: /keys/public/public.pem
             subPath: public.pem
           - name: private-key-volume
-            mountPath: /keys/private
+            mountPath: /keys/private/private.pem
             subPath: private.pem
-        env:
-        - name: OCAUTH_ADMIN_ROLE
-          value: "{{ .Values.ocAuth.hydra }}"
-        - name: OCAUTH_PUBLIC_KEY_PATH
-          value: /keys/public/public.pem
-        - name: OCAUTH_PRIVATE_KEY_PATH
-          value: /keys/private/private.pem
-        - name: OCAUTH_CLIENT_SECRET
-          value: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
-        - name: OCAUTH_AUTH
-          value: "{{ .Values.ocAuth.authType }}"
-        - name: OCAUTH_AUTH_CONNECTOR_HOST
-          value: "{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}"
-        - name: OCAUTH_AUTH_CONNECTOR_PORT
-          value: 4444
-        - name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
-          value: 4445
-        - name: OCAUTH_PERMISSION_CONNECTOR_HOST
-          value: "{{ .Release.Name }}.keto-write.{{ .Release.Namespace }}"
-        - name: OCAUTH_PERMISSION_CONNECTOR_PORT
-          value: 80
-        - name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
-          value: 80
-        - name: OCAUTH_LDAP_ENDPOINTS
-          value: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
-        - name: OCAUTH_LDAP_BINDDN
-          value: "{{ index .Values.ocAuth.ldap.bindDn }}"
-        - name: OCAUTH_LDAP_BINDPW
-          value: "{{ index .Values.ocAuth.ldap.binPwd }}"
-        - name: OCAUTH_LDAP_BASEDN
-          value: "{{ index .Values.ocAuth.ldap.baseDn }}"
-        - name: OCAUTH_LDAP_ROLE_BASEDN
-          value: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
+        envFrom:
+        - configMapRef:
+            name: opencloud-config
         ports:
           - name: http
             containerPort: 80

opencloud/templates/oc-auth/openCloudOauth2.yaml

@@ -2,10 +2,8 @@
 apiVersion: hydra.ory.sh/v1alpha1
 kind: OAuth2Client
 metadata:
-  name: openCloudClient
+  name: open-cloud-client
 spec:
-  clientId:  test-client
-  clientSecret: oc-auth-got-secret
   grantTypes:
     - implicit
     - refresh_token
@@ -15,12 +13,14 @@ spec:
     - id_token
     - token
     - code
+  scope: openid profile email roles
+  secretName: oc-auth-got-secret
   redirectUris:
     - https://myapp.example.com/callback
-  scope: openid profile email roles
-  tokenEndpointAuthMethod: client_secret_post
   postLogoutRedirectUris:
-    -http://localhost:3000
+    - http://localhost:3000
+  tokenEndpointAuthMethod: client_secret_post
   allowedCorsOrigins:
     - http://localhost
-{{- end }}
+{{- end }}
+  

opencloud/templates/oc-auth/pem.yaml

@@ -1,5 +1,5 @@
 {{- if index .Values.ocAuth.enabled }}
-# public-key-secret.yaml
+# peer public key: public-key-secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
@@ -9,7 +9,7 @@ data:
   public.pem: |
     LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXcycGRHNndNdHVMY1AwK2sxTEZ2SWIwRFFvL29IVzJ1TkphRUpLNzRwbFhxcDR6dHoyZFIKYitSUUhGTGVMdXFrNGkvemMzYjRLM2ZLUFhTbHduVlBKQ3d6UHJueVQ4allHT1pWbFdsRVRpVjl4ZUpodTZzLwpCaDZnMVBXejc1WGpqd1Y1MGl2L0NFaUxOQlQyM2YvM0o0NHdyUXp5Z3FOUUNpUVNBTGR4V0xBRWw0bDVrSFNhCjlvTXlWNzAvVXFsOTQvYXlNQVJac0hncDladnFRS2JrWlB3Nnl6Vk1mQ0J4UW96bE5sbzMxNU9IZXZ1ZGhuaHAKRFJqTjVJN3pXbXFZdDZyYlhKSkM3WTNJemR2em43UUk4OFJxalNSU1Q1SS83S3ozbmRDcXJPbkkrT1FVRTVOVApSRXlRZWJwaHZRZlREVEtsUlBYa2R5a3RkSzJESDI4Wmo2WkYzeWpRdk4zNVE0emhPemxxNzdkTzVJaGhvcEk3CmN0OGRaSDFUMW5Za3ZkeUNBL0VWTXRRc0FTbUJPaXRIMFkwQUNvWFFLNUtiNm5tL1RjTS85WlNKVU5pRU11eTUKZ0JaM1lLRTlvYTRjcFRwUFh3Y0ErUy9jVTdIUE5uUUFzdkQzaUppOEdUVzl1SnM4NHBuNC9XaHBRcW1YZDRydgpoS1dFQ0NOM2ZIeTAxZlVzL1UwUGFTajJqRFkva1FWZVhvaWtOTXpQVWpkWmQ5bTgxNlRJQmgzdjNhVlhDSC8wCmlUSEhBeGN0dkRnTVJiMmZwdlJKL3d3bllqRkc5UnBhbVZGRE12QzlOZmZ1WXpXQUE5SVJJWTRjcWdlcmZIclYKWjJISGlQVEREdkRBSXN2SW1YWmMvaDdtWE42bTNSQ1E0UXl3eTk5M3dkOWdVZGdnL3FueW5IY0NBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg==
 ---
-# private-key-secret.yaml
+# peer private key: private-key-secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:

opencloud/templates/openCLoudConf.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: opencloud-config
+data:
+  OCAUTH_ADMIN_ROLE: "{{ .Values.ocAuth.keto.adminRole }}"
+  OCAUTH_PUBLIC_KEY_PATH: "/keys/public/public.pem"
+  OCAUTH_PRIVATE_KEY_PATH: "/keys/private/private.pem"
+  OCAUTH_CLIENT_SECRET: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
+  OCAUTH_AUTH: "{{ .Values.ocAuth.authType }}"
+  OCAUTH_AUTH_CONNECTOR_HOST: "{{ .Release.Name }}-hydra-admin.{{ .Release.Namespace }}"
+  OCAUTH_AUTH_CONNECTOR_PORT: "4444"
+  OCAUTH_AUTH_CONNECTOR_ADMIN_PORT: "4445"
+  OCAUTH_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
+  OCAUTH_PERMISSION_CONNECTOR_PORT: "80"
+  OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT: "80"
+  OCAUTH_LDAP_ENDPOINTS: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
+  OCAUTH_LDAP_BINDDN: "{{ index .Values.ocAuth.ldap.bindDn }}"
+  OCAUTH_LDAP_BINDPW: "{{ index .Values.ocAuth.ldap.binPwd }}"
+  OCAUTH_LDAP_BASEDN: "{{ index .Values.ocAuth.ldap.baseDn }}"
+  OCAUTH_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
+  OCAUTH_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.usernames 0 }}:{{ index .Values.mongodb.auth.passwords 0 }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
+  OCAUTH_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}"
+  OCAUTH_NATS_URL: "nats://dev-nats.{{ .Release.Namespace }}.svc.cluster.local:4222"
+  OCAUTH_LOKI_URL: "{{ .Values.SERVER_PATH }}"