OAuth2 K8S

2026-02-24 08:51:48 +01:00
parent 84b6302d87
commit 81016b83cf
9 changed files with 73 additions and 13 deletions
--- a/utils/assets/values.yaml.template
+++ b/utils/assets/values.yaml.template
@@ -1,10 +1,13 @@
 env: ${RELEASE:-prod} # For storage class provisioning
 clusterName: ${CLUSTER_NAME:-opencloud}
 hostNetwork: true
+hostAdmin: ${HOST_ADMIN:-admin.beta.opencloud.com}
 host: ${HOST:-beta.opencloud.com}
 hostPort: ${PORT:-80}
+hostPortAdmin: ${PORT_ADMIN:-80}
 registryHost: ${REGISTRY_HOST:-opencloudregistry}
 scheme: ${SCHEME:-http}
+schemeAdmin: ${SCHEME_ADMIN:-http}

 secrets:
  keys:
@@ -279,13 +282,48 @@ hydra:
    existingSecret: hydra-secret
    config:
      dsn: memory
+      oauth2:
+        expose_internal_errors: true
+      clients:
+        - client_id: ${OC_CLIENT:-test-client}
+          client_secret: ${OC_CLIENT_SECRET:-oc-client-got-secret} 
+          client_name: ${OC_CLIENT:-test-client}
+          grant_types:
+            - implicit
+            - refresh_token
+            - authorization_code
+            - client_credentials
+          response_types:
+            - id_token
+            - token
+            - code
+          scope: openid profile email roles
+          redirect_uris:
+            - "${SCHEME:-http}://${HOST:-beta.opencloud.com}:${PORT:-80}
+          token_endpoint_auth_method: client_secret_post
+        - client_id: ${OC_ADMIN_CLIENT:-test-admin-client}
+          client_secret: ${OC_ADMIN_CLIENT_SECRET:-oc-admin-client-got-secret} 
+          client_name: ${OC_ADMIN_CLIENT:-test-admin-client}
+          grant_types:
+            - implicit
+            - refresh_token
+            - authorization_code
+            - client_credentials
+          response_types:
+            - id_token
+            - token
+            - code
+          scope: openid profile email roles
+          redirect_uris:
+            - "${SCHEME_ADMIN:-http}://${HOST_ADMIN:-admin.beta.opencloud.com}:${PORT_ADMIN:-80}
+          token_endpoint_auth_method: client_secret_post
      urls:
-      #  login: https://localhost-login/authentication/login
-      #  consent: https://localhost-consent/consent/consent
-      #  logout: https://localhost-logout/authentication/logout
+        login: "http://oc-auth-svc:8080/oc/login"
+        consent: "http://oc-auth-svc:8080/oc/consent"
+        logout: "http://oc-auth-svc:8080/oc/logout"
        self:
-          issuer: "http://${RELEASE:-prod}-hydra-public.${RELEASE:-prod}:4444/"
-
+          issuer: "http://${CLUSTER_NAME:-opencloud}-hydra-public 4444"
+          public: "http://${CLUSTER_NAME:-opencloud}-hydra-public:4444"
 keto:
  enabled: ${OC_KETO_ENABLED:-true}
  keto:
@@ -467,6 +505,8 @@ ocFront:
      cpu: ${OC_FRONT_REQUESTS_CPU:-128m}
      memory: ${OC_FRONT_REQUESTS_MEMORY:-256Mi}
  replicas: 1
+  oauth2:
+    client: ${OC_CLIENT:-test-client}
  hpa:
    enabled: ${OC_FRONT_REPLICAS_ENABLED:-true}
    minReplicas: 1