OAuth2 K8S
BIN
cmd/oc-k8s
BIN
cmd/oc-k8s
Binary file not shown.
@@ -280,9 +280,9 @@ hydra:
|
|||||||
config:
|
config:
|
||||||
dsn: memory
|
dsn: memory
|
||||||
urls:
|
urls:
|
||||||
# login: https://localhost-login/authentication/login
|
login: https://localhost-login/authentication/login
|
||||||
# consent: https://localhost-consent/consent/consent
|
consent: https://localhost-consent/consent/consent
|
||||||
# logout: https://localhost-logout/authentication/logout
|
logout: https://localhost-logout/authentication/logout
|
||||||
self:
|
self:
|
||||||
issuer: "http://test-hydra-public.test:4444/"
|
issuer: "http://test-hydra-public.test:4444/"
|
||||||
|
|
||||||
|
|||||||
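Review bot: The uncommented `login: https://localhost-login/authentication/login`, `consent:` and `logout:` entries keep the placeholder hostnames `localhost-login`, `localhost-consent` and `localhost-logout`, while the values-file hunk further down (`@@ -279,13 +282,48 @@ hydra:`) replaces the same three commented lines with `http://oc-auth-svc:8080/oc/...` endpoints. Hydra sends the end user's browser to these URLs, so with this file the login flow cannot complete unless those names resolve somewhere. If this is a deliberately self-contained test configuration (the `issuer: "http://test-hydra-public.test:4444/"` line suggests so), a comment such as `# test-only placeholders; the chart values override these` above `urls:` would stop the next reader from treating them as a defect.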
@@ -15,9 +15,9 @@ spec:
|
|||||||
name: oc-auth-svc
|
name: oc-auth-svc
|
||||||
port: 8080
|
port: 8080
|
||||||
middlewares:
|
middlewares:
|
||||||
#{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
|
{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
|
||||||
#- name: forward-auth
|
- name: root-forward-auth
|
||||||
#{{- end }}
|
{{- end }}
|
||||||
- name: strip-auth-prefix
|
- name: strip-auth-prefix
|
||||||
---
|
---
|
||||||
apiVersion: traefik.io/v1alpha1
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
|||||||
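Review bot: `- name: root-forward-auth` is now applied to the IngressRoute whose backend is `oc-auth-svc` on port 8080, which is the service the values file points Hydra's `login`/`consent`/`logout` URLs at; if this route also serves those `/oc/login` and `/oc/consent` pages (its `match` rule is above the hunk, so this is inferred), every unauthenticated user is bounced by the forward-auth check before they can reach the login page and the flow never completes. Consider scoping the middleware to the protected routes only, or excluding the login/consent paths, and documenting the intent with a comment above the `{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}` line. The middleware order also means the check runs before `strip-auth-prefix`, so the auth hook sees the unstripped path; worth stating in the same comment. The enclosing IngressRoute begins before the hunk.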
@@ -14,5 +14,6 @@ data:
|
|||||||
"DATACENTER_HOST": "datacenter",
|
"DATACENTER_HOST": "datacenter",
|
||||||
"COLLABORATIVE_AREA_HOST": "shared",
|
"COLLABORATIVE_AREA_HOST": "shared",
|
||||||
"HOST": "{{ .Values.scheme }}://{{ .Values.host }}:{{ .Values.hostPort }}",
|
"HOST": "{{ .Values.scheme }}://{{ .Values.host }}:{{ .Values.hostPort }}",
|
||||||
|
"CLIENT": "{{ .Values.ocFront.oauth2.client }}"
|
||||||
}
|
}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
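Review bot: `"CLIENT": "{{ .Values.ocFront.oauth2.client }}"` introduces a second source of truth for the public client id: the auth ConfigMap hunk (`@@ -16,6 +16,10 @@ data:`) derives `OC_CLIENT_ID` from `(index .Values.hydra.hydra.config.clients 0).client_id`, while the front reads `ocFront.oauth2.client` (added in the `@@ -467,6 +505,8 @@ ocFront:` values hunk), and the two only agree because both default to `${OC_CLIENT:-test-client}`. Using the same expression here, `"CLIENT": "{{ (index .Values.hydra.hydra.config.clients 0).client_id }}"`, removes the drift. The surrounding `{{- if }}` and the opening of the JSON object are outside the hunk.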
@@ -30,4 +30,5 @@ spec:
|
|||||||
replacePathRegex:
|
replacePathRegex:
|
||||||
regex: ^/scheduler(.*)
|
regex: ^/scheduler(.*)
|
||||||
replacement: /oc$1
|
replacement: /oc$1
|
||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@@ -29,4 +29,5 @@ spec:
|
|||||||
replacePathRegex:
|
replacePathRegex:
|
||||||
regex: ^/shared(.*)
|
regex: ^/shared(.*)
|
||||||
replacement: /oc$1
|
replacement: /oc$1
|
||||||
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
@@ -16,6 +16,10 @@ data:
|
|||||||
OC_AUTH_CONNECTOR_PUBLIC_HOST: "{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}"
|
OC_AUTH_CONNECTOR_PUBLIC_HOST: "{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}"
|
||||||
OC_AUTH_CONNECTOR_PORT: "4444"
|
OC_AUTH_CONNECTOR_PORT: "4444"
|
||||||
OC_AUTH_CONNECTOR_ADMIN_PORT: "4445/admin"
|
OC_AUTH_CONNECTOR_ADMIN_PORT: "4445/admin"
|
||||||
|
OC_CLIENT_ID: "{{ (index .Values.hydra.hydra.config.clients 0).client_id }}"
|
||||||
|
OC_CLIENT_ADMIN_ID: "{{ (index .Values.hydra.hydra.config.clients 1).client_id }}"
|
||||||
|
OC_OAUTH_REDIRECT_URI: "{{ .Values.scheme }}://{{ .Values.host }}:{{ .Values.hostPort }}"
|
||||||
|
OC_ADMIN_OAUTH_REDIRECT_URI: "{{ .Values.schemeAdmin }}://{{ .Values.hostAdmin }}:{{ .Values.hostPortAdmin }}"
|
||||||
OC_PERMISSION_CONNECTOR_READ_HOST: "{{ .Release.Name }}-keto-read.{{ .Release.Namespace }}"
|
OC_PERMISSION_CONNECTOR_READ_HOST: "{{ .Release.Name }}-keto-read.{{ .Release.Namespace }}"
|
||||||
OC_PERMISSION_CONNECTOR_WRITE_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
|
OC_PERMISSION_CONNECTOR_WRITE_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
|
||||||
OC_PERMISSION_CONNECTOR_PORT: "80"
|
OC_PERMISSION_CONNECTOR_PORT: "80"
|
||||||
|
|||||||
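Review bot: `OC_CLIENT_ID: "{{ (index .Values.hydra.hydra.config.clients 0).client_id }}"` and `OC_CLIENT_ADMIN_ID: "{{ (index .Values.hydra.hydra.config.clients 1).client_id }}"` couple this ConfigMap to the positional order of the `clients` list in the values file; reordering or inserting a client there swaps the user and admin ids silently, with no template error. A comment above these two lines, `# index 0 must stay the user client and index 1 the admin client (see hydra.hydra.config.clients in values)`, or a lookup by a named key, would make the dependency visible. `OC_OAUTH_REDIRECT_URI` and `OC_ADMIN_OAUTH_REDIRECT_URI` must match Hydra's registered `redirect_uris` byte for byte (OAuth2 uses exact comparison), so it is worth noting that they are built from the same `scheme`/`host`/`hostPort` values those entries use, and that neither carries a path or trailing slash.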
@@ -5,6 +5,19 @@ metadata:
|
|||||||
name: forward-auth
|
name: forward-auth
|
||||||
spec:
|
spec:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward"
|
address: "http://oc-auth-svc:8080/oc/forward"
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders: X-Auth-Request-User,X-Auth-Request-Email
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
apiVersion: traefik.io/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: root-forward-auth
|
||||||
|
spec:
|
||||||
|
forwardAuth:
|
||||||
|
address: "http://{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}:4444/oauth2/auth"
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders: X-Auth-Request-User,X-Auth-Request-Email
|
||||||
{{- end }}
|
{{- end }}
|
||||||
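Review bot: `authResponseHeaders: X-Auth-Request-User,X-Auth-Request-Email` is a comma-separated string, but the Traefik Middleware CRD declares `forwardAuth.authResponseHeaders` as a list, so both the `forward-auth` resource and the new `root-forward-auth` resource should be rejected at apply time; each needs `authResponseHeaders:` followed by `- X-Auth-Request-User` and `- X-Auth-Request-Email`. `address: "http://{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}:4444/oauth2/auth"` points forwardAuth at Hydra's OAuth2 authorization endpoint, which responds to a bare request with a redirect or an error rather than the 2xx/401 a forward-auth hook is expected to return, so every request through `root-forward-auth` would fail or bounce; a session or token check served by `oc-auth-svc`, like the existing `/oc/forward`, is the usual target. Dropping the namespace from the first address (`http://oc-auth-svc:8080/oc/forward`) only works while the Middleware and the Service live in the same namespace; a one-line comment stating that assumption would help. The `{{- if }}` opening this template is above the hunk; its `{{- end }}` is the last line here.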
@@ -1,10 +1,13 @@
|
|||||||
env: ${RELEASE:-prod} # For storage class provisioning
|
env: ${RELEASE:-prod} # For storage class provisioning
|
||||||
clusterName: ${CLUSTER_NAME:-opencloud}
|
clusterName: ${CLUSTER_NAME:-opencloud}
|
||||||
hostNetwork: true
|
hostNetwork: true
|
||||||
|
hostAdmin: ${HOST_ADMIN:-admin.beta.opencloud.com}
|
||||||
host: ${HOST:-beta.opencloud.com}
|
host: ${HOST:-beta.opencloud.com}
|
||||||
hostPort: ${PORT:-80}
|
hostPort: ${PORT:-80}
|
||||||
|
hostPortAdmin: ${PORT_ADMIN:-80}
|
||||||
registryHost: ${REGISTRY_HOST:-opencloudregistry}
|
registryHost: ${REGISTRY_HOST:-opencloudregistry}
|
||||||
scheme: ${SCHEME:-http}
|
scheme: ${SCHEME:-http}
|
||||||
|
schemeAdmin: ${SCHEME_ADMIN:-http}
|
||||||
|
|
||||||
secrets:
|
secrets:
|
||||||
keys:
|
keys:
|
||||||
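Review bot: `schemeAdmin: ${SCHEME_ADMIN:-http}`, together with `hostAdmin` and `hostPortAdmin`, makes the admin OAuth2 redirect default to cleartext; since the admin client in the hydra section is registered with the `implicit` grant and the `token` response type, an unoverridden deployment would receive access tokens in the fragment of an `http://` URL. Defaulting to `https`, or marking the block with `# development defaults; set SCHEME_ADMIN=https outside local testing`, would make that choice explicit. The other keys in this file carry inline explanations (`env: ${RELEASE:-prod} # For storage class provisioning`); the three new admin keys have none.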
@@ -279,13 +282,48 @@ hydra:
|
|||||||
existingSecret: hydra-secret
|
existingSecret: hydra-secret
|
||||||
config:
|
config:
|
||||||
dsn: memory
|
dsn: memory
|
||||||
|
oauth2:
|
||||||
|
expose_internal_errors: true
|
||||||
|
clients:
|
||||||
|
- client_id: ${OC_CLIENT:-test-client}
|
||||||
|
client_secret: ${OC_CLIENT_SECRET:-oc-client-got-secret}
|
||||||
|
client_name: ${OC_CLIENT:-test-client}
|
||||||
|
grant_types:
|
||||||
|
- implicit
|
||||||
|
- refresh_token
|
||||||
|
- authorization_code
|
||||||
|
- client_credentials
|
||||||
|
response_types:
|
||||||
|
- id_token
|
||||||
|
- token
|
||||||
|
- code
|
||||||
|
scope: openid profile email roles
|
||||||
|
redirect_uris:
|
||||||
|
- "${SCHEME:-http}://${HOST:-beta.opencloud.com}:${PORT:-80}
|
||||||
|
token_endpoint_auth_method: client_secret_post
|
||||||
|
- client_id: ${OC_ADMIN_CLIENT:-test-admin-client}
|
||||||
|
client_secret: ${OC_ADMIN_CLIENT_SECRET:-oc-admin-client-got-secret}
|
||||||
|
client_name: ${OC_ADMIN_CLIENT:-test-admin-client}
|
||||||
|
grant_types:
|
||||||
|
- implicit
|
||||||
|
- refresh_token
|
||||||
|
- authorization_code
|
||||||
|
- client_credentials
|
||||||
|
response_types:
|
||||||
|
- id_token
|
||||||
|
- token
|
||||||
|
- code
|
||||||
|
scope: openid profile email roles
|
||||||
|
redirect_uris:
|
||||||
|
- "${SCHEME_ADMIN:-http}://${HOST_ADMIN:-admin.beta.opencloud.com}:${PORT_ADMIN:-80}
|
||||||
|
token_endpoint_auth_method: client_secret_post
|
||||||
urls:
|
urls:
|
||||||
# login: https://localhost-login/authentication/login
|
login: "http://oc-auth-svc:8080/oc/login"
|
||||||
# consent: https://localhost-consent/consent/consent
|
consent: "http://oc-auth-svc:8080/oc/consent"
|
||||||
# logout: https://localhost-logout/authentication/logout
|
logout: "http://oc-auth-svc:8080/oc/logout"
|
||||||
self:
|
self:
|
||||||
issuer: "http://${RELEASE:-prod}-hydra-public.${RELEASE:-prod}:4444/"
|
issuer: "http://${CLUSTER_NAME:-opencloud}-hydra-public 4444"
|
||||||
|
public: "http://${CLUSTER_NAME:-opencloud}-hydra-public:4444"
|
||||||
keto:
|
keto:
|
||||||
enabled: ${OC_KETO_ENABLED:-true}
|
enabled: ${OC_KETO_ENABLED:-true}
|
||||||
keto:
|
keto:
|
||||||
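Review bot: The two `redirect_uris` entries, `- "${SCHEME:-http}://${HOST:-beta.opencloud.com}:${PORT:-80}` and `- "${SCHEME_ADMIN:-http}://${HOST_ADMIN:-admin.beta.opencloud.com}:${PORT_ADMIN:-80}`, open a double-quoted scalar that is never closed as rendered here, so the document should fail to parse; each needs a terminating `"`. `issuer: "http://${CLUSTER_NAME:-opencloud}-hydra-public 4444"` has a space where `public:` two lines below has `:4444`, and unlike the removed value it drops the namespace suffix and trailing slash, so the `iss` claim in minted tokens would not match the host the auth ConfigMap builds from `.Release.Name`/`.Release.Namespace` in `OC_AUTH_CONNECTOR_PUBLIC_HOST`. `login`/`consent`/`logout` are browser redirect targets, and `http://oc-auth-svc:8080/oc/login` is a cluster-internal service name, so unless the browser runs inside the cluster network these should be the externally routed URLs. `client_secret: ${OC_CLIENT_SECRET:-oc-client-got-secret}` and the admin variant ship a fixed fallback secret, so any deployment where the variable is unset gets a credential that is public in this repository; remove the default so substitution fails loudly instead. `expose_internal_errors: true` and the `implicit`/`token` grant and response type on both clients widen what is exposed to callers and are best confined to local testing, which a comment above `oauth2:` should say.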
@@ -467,6 +505,8 @@ ocFront:
|
|||||||
cpu: ${OC_FRONT_REQUESTS_CPU:-128m}
|
cpu: ${OC_FRONT_REQUESTS_CPU:-128m}
|
||||||
memory: ${OC_FRONT_REQUESTS_MEMORY:-256Mi}
|
memory: ${OC_FRONT_REQUESTS_MEMORY:-256Mi}
|
||||||
replicas: 1
|
replicas: 1
|
||||||
|
oauth2:
|
||||||
|
client: ${OC_CLIENT:-test-client}
|
||||||
hpa:
|
hpa:
|
||||||
enabled: ${OC_FRONT_REPLICAS_ENABLED:-true}
|
enabled: ${OC_FRONT_REPLICAS_ENABLED:-true}
|
||||||
minReplicas: 1
|
minReplicas: 1
|
||||||
|
|||||||