Fixing oc-auth service, and hydra and keto integration

opencloud/Chart.yaml

@@ -28,7 +28,7 @@ dependencies:
   repository: "https://cowboysysop.github.io/charts/"
   condition: mongo-express.enabled
 - name: hydra
-  version: "0.50.2"
+  version: "0.50.6"
   repository: "https://k8s.ory.sh/helm/charts"
   condition: hydra.enabled
 - name: keto

opencloud/charts/hydra/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 0.1.0
 - name: hydra-maester
   repository: file://../hydra-maester
-  version: 0.50.2
-digest: sha256:f39e4a74150060c63515886f4905dce57e1a90419e5a5c530684f1a363686cda
-generated: "2024-11-28T10:30:15.53366383Z"
+  version: 0.50.6
+digest: sha256:0799d168b3e83ce9b85a48ef5d3abb9a99f6cb2f8436be51d91f3612e6b2b2da
+generated: "2024-12-16T15:04:47.361658969Z"

opencloud/charts/hydra/Chart.yaml

@@ -9,7 +9,7 @@ dependencies:
   condition: maester.enabled
   name: hydra-maester
   repository: file://../hydra-maester
-  version: 0.50.2
+  version: 0.50.6
 description: A Helm chart for deploying ORY Hydra in Kubernetes
 home: https://www.ory.sh/
 icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
@@ -30,4 +30,4 @@ sources:
 - https://github.com/ory/hydra
 - https://github.com/ory/k8s
 type: application
-version: 0.50.2
+version: 0.50.6

opencloud/charts/hydra/README.md

@@ -1,6 +1,6 @@
 # hydra
 
-![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square)
+![Version: 0.50.5](https://img.shields.io/badge/Version-0.50.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square)
 
 A Helm chart for deploying ORY Hydra in Kubernetes
 
@@ -21,7 +21,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 
 | Repository | Name | Version |
 |------------|------|---------|
-| file://../hydra-maester | hydra-maester(hydra-maester) | 0.50.1 |
+| file://../hydra-maester | hydra-maester(hydra-maester) | 0.50.5 |
 | file://../ory-commons | ory(ory-commons) | 0.1.0 |
 
 ## Values
@@ -98,7 +98,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | deployment.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | deployment.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-| deployment.startupProbe | object | `{"failureThreshold":5,"initialDelaySeconds":0,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1}` | Default probe timers |
+| deployment.startupProbe | object | `{"failureThreshold":5,"initialDelaySeconds":1,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":2}` | Default probe timers |
 | deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` |  |
 | deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` |  |
 | deployment.strategy.type | string | `"RollingUpdate"` |  |

opencloud/charts/hydra/charts/hydra-maester/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
-appVersion: v0.0.34
+appVersion: v0.0.36
 description: A Helm chart for Kubernetes
 icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
 name: hydra-maester
 type: application
-version: 0.50.2
+version: 0.50.6

opencloud/charts/hydra/charts/hydra-maester/README.md

@@ -1,6 +1,6 @@
 # hydra-maester
 
-![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.34](https://img.shields.io/badge/AppVersion-v0.0.34-informational?style=flat-square)
+![Version: 0.50.5](https://img.shields.io/badge/Version-0.50.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.36](https://img.shields.io/badge/AppVersion-v0.0.36-informational?style=flat-square)
 
 A Helm chart for Kubernetes
 
@@ -20,6 +20,7 @@ A Helm chart for Kubernetes
 | deployment.automountServiceAccountToken | bool | `true` | This applications connects to the k8s API and requires the permissions |
 | deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. |
 | deployment.extraAnnotations | object | `{}` | Deployment level extra annotations |
+| deployment.extraEnv | list | `[]` | To set extra env vars for the container. |
 | deployment.extraLabels | object | `{}` | Deployment level extra labels |
 | deployment.extraVolumeMounts | list | `[]` |  |
 | deployment.extraVolumes | list | `[]` | If you want to mount external volume |
@@ -52,7 +53,7 @@ A Helm chart for Kubernetes
 | forwardedProto | string | `nil` |  |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | image.repository | string | `"oryd/hydra-maester"` | Ory Hydra-maester image |
-| image.tag | string | `"v0.0.35-amd64"` | Ory Hydra-maester version |
+| image.tag | string | `"v0.0.36"` | Ory Hydra-maester version |
 | imagePullSecrets | list | `[]` | Image pull secrets |
 | pdb.enabled | bool | `false` |  |
 | pdb.spec.maxUnavailable | string | `""` |  |

opencloud/charts/hydra/charts/hydra-maester/crds/crd-oauth2clients.yaml

@@ -78,6 +78,13 @@ spec:
                     ClientName is the human-readable string name of the client
                     to be presented to the end-user during authorization.
                   type: string
+                deletionPolicy:
+                  description:
+                    Indicates if a deleted OAuth2Client custom resource should
+                    delete the database row or not. Value 1 means deletion of
+                    the OAuth2 client, value 2 means keep an orphan oauth2
+                    client.
+                  type: integer
                 frontChannelLogoutSessionRequired:
                   default: false
                   description:

opencloud/charts/hydra/charts/hydra-maester/templates/deployment.yaml

@@ -80,6 +80,10 @@ spec:
             {{- if .Values.deployment.extraVolumeMounts }}
               {{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }}
             {{- end }}
+          {{- if .Values.deployment.extraEnv }}
+          env:
+            {{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }}
+          {{- end }}
           resources:
             {{- toYaml .Values.deployment.resources | nindent 12 }}
           terminationMessagePath: /dev/termination-log

opencloud/charts/hydra/charts/hydra-maester/values.yaml

@@ -12,7 +12,7 @@ image:
   # -- Ory Hydra-maester image
   repository: oryd/hydra-maester
   # -- Ory Hydra-maester version
-  tag: v0.0.35-amd64
+  tag: v0.0.36
   # -- Image pull policy
   pullPolicy: IfNotPresent
 
@@ -56,6 +56,9 @@ deployment:
     #   cpu: 100m
     #   memory: 20Mi
 
+  # -- To set extra env vars for the container.
+  extraEnv: []
+
   # -- If you want to mount external volume
   extraVolumes: []
   # - name: my-volume

opencloud/charts/hydra/values.yaml

@@ -345,8 +345,8 @@ deployment:
     failureThreshold: 5
     successThreshold: 1
     periodSeconds: 1
-    timeoutSeconds: 1
-    initialDelaySeconds: 0
+    timeoutSeconds: 2
+    initialDelaySeconds: 1
 
   automountServiceAccountToken: false
 

opencloud/dev-values.yaml

@@ -211,16 +211,21 @@ hydra:
   enabled: true
   maester:
     enabled: true
+  secret:
+    enabled: false
+    nameOverride: hydra-secret
+    hashSumEnabled: false
   hydra:
     dev: true
+    existingSecret: hydra-secret
     config:
       dsn: memory
       urls:
-        login: http://localhost/authentication/login
-        consent: http://localhost/consent/consent
-        logout: http://localhost/authentication/logout
+        login: https://localhost-login/authentication/login
+        consent: https://localhost-consent/consent/consent
+        logout: https://localhost-logout/authentication/logout
         self:
-          issuer: http://localhost/idp
+          issuer: http://dev-hydra-public:4444/
 
 keto:
   enabled: true
@@ -357,12 +362,13 @@ argo-workflows:
 
 ocAuth:
   enabled: true
+  enableTraefikProxyIntegration: true
   image: oc/oc-auth:0.0.1
   authType: hydra
   keto:
     adminRole: admin
   hydra:
-    openCloudOauth2ClientSecretName: oc-auth-got-secret
+    openCloudOauth2ClientSecretName: oc-oauth2-client-secret
   ldap:
     bindDn: "cn=admin,dc=example,dc=com"
     binPwd: "admin@password"

opencloud/templates/hydra.yaml

@@ -15,4 +15,17 @@ spec:
         name: {{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}
         passHostHeader: true
         port: 4444
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: hydra-secret
+data:
+  dsn: bWVtb3J5
+  secretsCookie: U0prcFlUeDFZZWhPMFEyc3UweWlwcDdmZ1BaRmc2ajA=
+  secretsSystem: M3FwWnlpemIzbXc2cE80Q1l3Q1MyUVFmbXdOeVFpRzE=
+
+
+
 {{- end }}

opencloud/templates/oc-aggregator/ingress.yaml

@@ -16,6 +16,9 @@ spec:
         port: 8080
       middlewares:
       - name: strip-aggregator-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
 
 ---
 apiVersion:  traefik.io/v1alpha1

opencloud/templates/oc-auth/ingress.yaml

@@ -14,6 +14,11 @@ spec:
       - kind: Service
         name: oc-auth-svc
         port: 8094
+      middlewares:
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
+      - name: strip-auth-prefix
 ---
 apiVersion:  traefik.io/v1alpha1
 kind: Middleware
@@ -23,5 +28,4 @@ spec:
   stripPrefix:
     prefixes:
       - "/auth"
-
-{{- end }}
+{{- end }}      

opencloud/templates/oc-auth/openCloudOauth2.yaml

@@ -5,22 +5,32 @@ metadata:
   name: open-cloud-client
 spec:
   grantTypes:
-    - implicit
     - refresh_token
     - authorization_code
     - client_credentials
+    - implicit
   responseTypes:
     - id_token
     - token
     - code
   scope: openid profile email roles
-  secretName: oc-auth-got-secret
+  secretName: oc-oauth2-client-secret
   redirectUris:
-    - https://myapp.example.com/callback
+    - https://{{ .Values.host }}/auth/callback
   postLogoutRedirectUris:
-    - http://localhost:3000
+    - https://{{ .Values.host }}/auth/logout/
   tokenEndpointAuthMethod: client_secret_post
   allowedCorsOrigins:
-    - http://localhost
+    -  "http://0.0.0.0"
+#---
+#apiVersion: v1
+#kind: Secret
+#metadata:
+#  name: oc-auth-got-secret
+#  namespace: dev
+#stringData:
+#  CLIENT_ID: {{ .Values.ocAuth.hydra.clientId }}
+#  CLIENT_SECRET: {{ .Values.ocAuth.hydra.clientSecret }}
+
 {{- end }}
   

opencloud/templates/oc-auth/rbac.yaml

@@ -0,0 +1,31 @@
+{{- if .Values.ocAuth.enabled }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-reader-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: secret-reader-binding
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: ocauth-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: secret-reader-role
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: ocauth-sa
+{{- end }}
+

opencloud/templates/oc-catalog/ingress.yaml

@@ -15,6 +15,9 @@ spec:
         name: oc-catalog-svc
         port: 8080
       middlewares:
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
       - name: strip-catalog-prefix
 
 ---

opencloud/templates/oc-datacenter/ingress.yaml

@@ -16,6 +16,7 @@ spec:
         port: 8080
       middlewares:
       - name: strip-datacenter-prefix
+      - name:  forward-auth
 
 ---
 apiVersion:  traefik.io/v1alpha1

opencloud/templates/oc-peer/ingress.yaml

@@ -15,7 +15,11 @@ spec:
         name: oc-peer-svc
         port: 8080
       middlewares:
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
       - name: strip-peer-prefix
+      
 
 ---
 apiVersion:  traefik.io/v1alpha1

opencloud/templates/oc-scheduler/ingress.yaml

@@ -16,6 +16,10 @@ spec:
         port: 8080
       middlewares:
       - name: strip-scheduler-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
+
 
 ---
 apiVersion:  traefik.io/v1alpha1

opencloud/templates/oc-shared/ingress.yaml

@@ -16,6 +16,9 @@ spec:
         port: 8080
       middlewares:
       - name: strip-shared-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
 
 ---
 apiVersion:  traefik.io/v1alpha1

opencloud/templates/oc-workflow/ingress.yaml

@@ -16,6 +16,10 @@ spec:
         port: 8080
       middlewares:
       - name: strip-workflow-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
+
 
 ---
 apiVersion:  traefik.io/v1alpha1

opencloud/templates/oc-workspace/ingress.yaml

@@ -16,6 +16,9 @@ spec:
         port: 8080
       middlewares:
       - name: strip-workspace-prefix
+      {{- if index .Values.ocAuth.enableTraefikProxyIntegration }}
+      - name: forward-auth
+      {{- end }}
 
 ---
 apiVersion:  traefik.io/v1alpha1

opencloud/templates/openCloudConf.yaml

@@ -2,16 +2,22 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: opencloud-config
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "1"  # Lower number runs first
+    "helm.sh/hook-delete-policy": hook-succeeded  
 data:
+  OC_NAMESPACE: "{{ .Release.Namespace }}"
   OC_ADMIN_ROLE: "{{ .Values.ocAuth.keto.adminRole }}"
   OC_PUBLIC_KEY_PATH: "/keys/public/public.pem"
   OC_PRIVATE_KEY_PATH: "/keys/private/private.pem"
-  OC_CLIENT_SECRET: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
+  OC_OAUTH2_CLIENT_SECRET_NAME: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
   OC_AUTH: "{{ .Values.ocAuth.authType }}"
   OC_AUTH_CONNECTOR_HOST: "{{ .Release.Name }}-hydra-admin.{{ .Release.Namespace }}"
+  OC_AUTH_CONNECTOR_PUBLIC_HOST: "{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}"
   OC_AUTH_CONNECTOR_PORT: "4444"
   OC_AUTH_CONNECTOR_ADMIN_PORT: "4445"
-  OC_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
+  OC_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-read.{{ .Release.Namespace }}"
   OC_PERMISSION_CONNECTOR_PORT: "80"
   OC_PERMISSION_CONNECTOR_ADMIN_PORT: "80"
   OC_LDAP_ENDPOINTS: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"

opencloud/templates/traefik.yaml

@@ -4,5 +4,5 @@ metadata:
   name: forward-auth
 spec:
   forwardAuth:
-    address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward"
+    address: "http://oc-auth-svc.{{ .Release.Namespace }}:8094/oc/forward"
     trustForwardHeader: true