OAuth2 K8S

2026-02-24 08:51:48 +01:00
parent 84b6302d87
commit 81016b83cf
9 changed files with 73 additions and 13 deletions
--- a/utils/assets/templates/oc-auth/ingress.yaml
+++ b/utils/assets/templates/oc-auth/ingress.yaml
@@ -15,9 +15,9 @@ spec:
        name: oc-auth-svc
        port: 8080
      middlewares:
-      #{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
-      #- name: forward-auth
-      #{{- end }}
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: root-forward-auth
+      {{- end }}
      - name: strip-auth-prefix
 ---
 apiVersion:  traefik.io/v1alpha1
--- a/utils/assets/templates/oc-front/config.yaml
+++ b/utils/assets/templates/oc-front/config.yaml
@@ -14,5 +14,6 @@ data:
      "DATACENTER_HOST": "datacenter",
      "COLLABORATIVE_AREA_HOST": "shared",
      "HOST": "{{ .Values.scheme }}://{{ .Values.host }}:{{ .Values.hostPort }}",
+      "CLIENT": "{{ .Values.ocFront.oauth2.client }}"
    }
 {{- end }}
--- a/utils/assets/templates/oc-scheduler/ingress.yaml
+++ b/utils/assets/templates/oc-scheduler/ingress.yaml
@@ -30,4 +30,5 @@ spec:
  replacePathRegex:
    regex: ^/scheduler(.*)
    replacement: /oc$1
+
 {{- end }}
--- a/utils/assets/templates/oc-shared/ingress.yaml
+++ b/utils/assets/templates/oc-shared/ingress.yaml
@@ -29,4 +29,5 @@ spec:
  replacePathRegex:
    regex: ^/shared(.*)
    replacement: /oc$1
+
 {{- end }}
--- a/utils/assets/templates/openCloudConf.yaml
+++ b/utils/assets/templates/openCloudConf.yaml
@@ -16,6 +16,10 @@ data:
  OC_AUTH_CONNECTOR_PUBLIC_HOST: "{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}"
  OC_AUTH_CONNECTOR_PORT: "4444"
  OC_AUTH_CONNECTOR_ADMIN_PORT: "4445/admin"
+  OC_CLIENT_ID: "{{ (index .Values.hydra.hydra.config.clients 0).client_id }}"
+  OC_CLIENT_ADMIN_ID: "{{ (index .Values.hydra.hydra.config.clients 1).client_id }}"
+  OC_OAUTH_REDIRECT_URI: "{{ .Values.scheme }}://{{ .Values.host }}:{{ .Values.hostPort }}"
+  OC_ADMIN_OAUTH_REDIRECT_URI: "{{ .Values.schemeAdmin }}://{{ .Values.hostAdmin }}:{{ .Values.hostPortAdmin }}"
  OC_PERMISSION_CONNECTOR_READ_HOST: "{{ .Release.Name }}-keto-read.{{ .Release.Namespace }}"
  OC_PERMISSION_CONNECTOR_WRITE_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
  OC_PERMISSION_CONNECTOR_PORT: "80"
--- a/utils/assets/templates/traefik/traefik.yaml
+++ b/utils/assets/templates/traefik/traefik.yaml
@@ -5,6 +5,19 @@ metadata:
  name: forward-auth
 spec:
  forwardAuth:
-    address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward"
+    address: "http://oc-auth-svc:8080/oc/forward"
    trustForwardHeader: true
-{{- end }}
+    authResponseHeaders: X-Auth-Request-User,X-Auth-Request-Email
+    
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: root-forward-auth
+spec:
+  forwardAuth:
+    address: "http://{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}:4444/oauth2/auth"
+    trustForwardHeader: true
+    authResponseHeaders: X-Auth-Request-User,X-Auth-Request-Email
+{{- end }}
--- a/utils/assets/values.yaml.template
+++ b/utils/assets/values.yaml.template
@@ -1,10 +1,13 @@
 env: ${RELEASE:-prod} # For storage class provisioning
 clusterName: ${CLUSTER_NAME:-opencloud}
 hostNetwork: true
+hostAdmin: ${HOST_ADMIN:-admin.beta.opencloud.com}
 host: ${HOST:-beta.opencloud.com}
 hostPort: ${PORT:-80}
+hostPortAdmin: ${PORT_ADMIN:-80}
 registryHost: ${REGISTRY_HOST:-opencloudregistry}
 scheme: ${SCHEME:-http}
+schemeAdmin: ${SCHEME_ADMIN:-http}

 secrets:
  keys:
@@ -279,13 +282,48 @@ hydra:
    existingSecret: hydra-secret
    config:
      dsn: memory
+      oauth2:
+        expose_internal_errors: true
+      clients:
+        - client_id: ${OC_CLIENT:-test-client}
+          client_secret: ${OC_CLIENT_SECRET:-oc-client-got-secret} 
+          client_name: ${OC_CLIENT:-test-client}
+          grant_types:
+            - implicit
+            - refresh_token
+            - authorization_code
+            - client_credentials
+          response_types:
+            - id_token
+            - token
+            - code
+          scope: openid profile email roles
+          redirect_uris:
+            - "${SCHEME:-http}://${HOST:-beta.opencloud.com}:${PORT:-80}
+          token_endpoint_auth_method: client_secret_post
+        - client_id: ${OC_ADMIN_CLIENT:-test-admin-client}
+          client_secret: ${OC_ADMIN_CLIENT_SECRET:-oc-admin-client-got-secret} 
+          client_name: ${OC_ADMIN_CLIENT:-test-admin-client}
+          grant_types:
+            - implicit
+            - refresh_token
+            - authorization_code
+            - client_credentials
+          response_types:
+            - id_token
+            - token
+            - code
+          scope: openid profile email roles
+          redirect_uris:
+            - "${SCHEME_ADMIN:-http}://${HOST_ADMIN:-admin.beta.opencloud.com}:${PORT_ADMIN:-80}
+          token_endpoint_auth_method: client_secret_post
      urls:
-      #  login: https://localhost-login/authentication/login
-      #  consent: https://localhost-consent/consent/consent
-      #  logout: https://localhost-logout/authentication/logout
+        login: "http://oc-auth-svc:8080/oc/login"
+        consent: "http://oc-auth-svc:8080/oc/consent"
+        logout: "http://oc-auth-svc:8080/oc/logout"
        self:
-          issuer: "http://${RELEASE:-prod}-hydra-public.${RELEASE:-prod}:4444/"
-
+          issuer: "http://${CLUSTER_NAME:-opencloud}-hydra-public 4444"
+          public: "http://${CLUSTER_NAME:-opencloud}-hydra-public:4444"
 keto:
  enabled: ${OC_KETO_ENABLED:-true}
  keto:
@@ -467,6 +505,8 @@ ocFront:
      cpu: ${OC_FRONT_REQUESTS_CPU:-128m}
      memory: ${OC_FRONT_REQUESTS_MEMORY:-256Mi}
  replicas: 1
+  oauth2:
+    client: ${OC_CLIENT:-test-client}
  hpa:
    enabled: ${OC_FRONT_REPLICAS_ENABLED:-true}
    minReplicas: 1