diff --git a/opencloud/Chart.yaml b/opencloud/Chart.yaml
index 8642b44..cdeba8c 100644
--- a/opencloud/Chart.yaml
+++ b/opencloud/Chart.yaml
@@ -28,7 +28,7 @@ dependencies: repository: "https://cowboysysop.github.io/charts/" condition: mongo-express.enabled - name: hydra - version: "0.50.2" + version: "0.50.6" repository: "https://k8s.ory.sh/helm/charts" condition: hydra.enabled - name: keto
diff --git a/opencloud/charts/hydra/Chart.lock b/opencloud/charts/hydra/Chart.lock
index 727300d..6f43409 100644
--- a/opencloud/charts/hydra/Chart.lock
+++ b/opencloud/charts/hydra/Chart.lock
@@ -4,6 +4,6 @@ dependencies: version: 0.1.0 - name: hydra-maester repository: file://../hydra-maester - version: 0.50.2 -digest: sha256:f39e4a74150060c63515886f4905dce57e1a90419e5a5c530684f1a363686cda -generated: "2024-11-28T10:30:15.53366383Z" + version: 0.50.6 +digest: sha256:0799d168b3e83ce9b85a48ef5d3abb9a99f6cb2f8436be51d91f3612e6b2b2da +generated: "2024-12-16T15:04:47.361658969Z"
diff --git a/opencloud/charts/hydra/Chart.yaml b/opencloud/charts/hydra/Chart.yaml
index 3d8cd8f..a390367 100644
--- a/opencloud/charts/hydra/Chart.yaml
+++ b/opencloud/charts/hydra/Chart.yaml
@@ -9,7 +9,7 @@ dependencies: condition: maester.enabled name: hydra-maester repository: file://../hydra-maester - version: 0.50.2 + version: 0.50.6 description: A Helm chart for deploying ORY Hydra in Kubernetes home: https://www.ory.sh/ icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg
@@ -30,4 +30,4 @@ sources: - https://github.com/ory/hydra - https://github.com/ory/k8s type: application -version: 0.50.2 +version: 0.50.6
diff --git a/opencloud/charts/hydra/README.md b/opencloud/charts/hydra/README.md
index e58e372..185340f 100644
--- a/opencloud/charts/hydra/README.md
+++ b/opencloud/charts/hydra/README.md
@@ -1,6 +1,6 @@ # hydra -![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square) +![Version: 0.50.5](https://img.shields.io/badge/Version-0.50.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.2.0](https://img.shields.io/badge/AppVersion-v2.2.0-informational?style=flat-square) A Helm chart for deploying ORY Hydra in Kubernetes
@@ -21,7 +21,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes | Repository | Name | Version | |------------|------|---------| -| file://../hydra-maester | hydra-maester(hydra-maester) | 0.50.1 | +| file://../hydra-maester | hydra-maester(hydra-maester) | 0.50.5 | | file://../ory-commons | ory(ory-commons) | 0.1.0 | ## Values
@@ -98,7 +98,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes | deployment.serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | deployment.serviceAccount.create | bool | `true` | Specifies whether a service account should be created | | deployment.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | -| deployment.startupProbe | object | `{"failureThreshold":5,"initialDelaySeconds":0,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1}` | Default probe timers | +| deployment.startupProbe | object | `{"failureThreshold":5,"initialDelaySeconds":1,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":2}` | Default probe timers | | deployment.strategy.rollingUpdate.maxSurge | string | `"25%"` | | | deployment.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | | | deployment.strategy.type | string | `"RollingUpdate"` | |
diff --git a/opencloud/charts/hydra/charts/hydra-maester/Chart.yaml b/opencloud/charts/hydra/charts/hydra-maester/Chart.yaml
index fa0762f..15b8787 100644
--- a/opencloud/charts/hydra/charts/hydra-maester/Chart.yaml
+++ b/opencloud/charts/hydra/charts/hydra-maester/Chart.yaml
@@ -1,7 +1,7 @@ apiVersion: v2 -appVersion: v0.0.34 +appVersion: v0.0.36 description: A Helm chart for Kubernetes icon: https://raw.githubusercontent.com/ory/docs/master/docs/static/img/logo-hydra.svg name: hydra-maester type: application -version: 0.50.2 +version: 0.50.6
diff --git a/opencloud/charts/hydra/charts/hydra-maester/README.md b/opencloud/charts/hydra/charts/hydra-maester/README.md
index 696596b..38b05b6 100644
--- a/opencloud/charts/hydra/charts/hydra-maester/README.md
+++ b/opencloud/charts/hydra/charts/hydra-maester/README.md
@@ -1,6 +1,6 @@ # hydra-maester -![Version: 0.50.1](https://img.shields.io/badge/Version-0.50.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.34](https://img.shields.io/badge/AppVersion-v0.0.34-informational?style=flat-square) +![Version: 0.50.5](https://img.shields.io/badge/Version-0.50.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.36](https://img.shields.io/badge/AppVersion-v0.0.36-informational?style=flat-square) A Helm chart for Kubernetes
@@ -20,6 +20,7 @@ A Helm chart for Kubernetes | deployment.automountServiceAccountToken | bool | `true` | This applications connects to the k8s API and requires the permissions | | deployment.dnsConfig | object | `{}` | Configure pod dnsConfig. | | deployment.extraAnnotations | object | `{}` | Deployment level extra annotations | +| deployment.extraEnv | list | `[]` | To set extra env vars for the container. | | deployment.extraLabels | object | `{}` | Deployment level extra labels | | deployment.extraVolumeMounts | list | `[]` | | | deployment.extraVolumes | list | `[]` | If you want to mount external volume |
@@ -52,7 +53,7 @@ A Helm chart for Kubernetes | forwardedProto | string | `nil` | | | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | | image.repository | string | `"oryd/hydra-maester"` | Ory Hydra-maester image | -| image.tag | string | `"v0.0.35-amd64"` | Ory Hydra-maester version | +| image.tag | string | `"v0.0.36"` | Ory Hydra-maester version | | imagePullSecrets | list | `[]` | Image pull secrets | | pdb.enabled | bool | `false` | | | pdb.spec.maxUnavailable | string | `""` | |
diff --git a/opencloud/charts/hydra/charts/hydra-maester/crds/crd-oauth2clients.yaml b/opencloud/charts/hydra/charts/hydra-maester/crds/crd-oauth2clients.yaml
index 305135c..ac3ad46 100644
--- a/opencloud/charts/hydra/charts/hydra-maester/crds/crd-oauth2clients.yaml
+++ b/opencloud/charts/hydra/charts/hydra-maester/crds/crd-oauth2clients.yaml
@@ -78,6 +78,13 @@ spec: ClientName is the human-readable string name of the client to be presented to the end-user during authorization. type: string + deletionPolicy: + description: + Indicates if a deleted OAuth2Client custom resource should + delete the database row or not. Value 1 means deletion of + the OAuth2 client, value 2 means keep an orphan oauth2 + client. + type: integer frontChannelLogoutSessionRequired: default: false description:
diff --git a/opencloud/charts/hydra/charts/hydra-maester/templates/deployment.yaml b/opencloud/charts/hydra/charts/hydra-maester/templates/deployment.yaml
index c313f2e..290f4a3 100644
--- a/opencloud/charts/hydra/charts/hydra-maester/templates/deployment.yaml
+++ b/opencloud/charts/hydra/charts/hydra-maester/templates/deployment.yaml
@@ -80,6 +80,10 @@ spec: {{- if .Values.deployment.extraVolumeMounts }} {{- toYaml .Values.deployment.extraVolumeMounts | nindent 12 }} {{- end }} + {{- if .Values.deployment.extraEnv }} + env: + {{- tpl (toYaml .Values.deployment.extraEnv) . | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.deployment.resources | nindent 12 }} terminationMessagePath: /dev/termination-log
diff --git a/opencloud/charts/hydra/charts/hydra-maester/values.yaml b/opencloud/charts/hydra/charts/hydra-maester/values.yaml
index 3053298..08bc086 100644
--- a/opencloud/charts/hydra/charts/hydra-maester/values.yaml
+++ b/opencloud/charts/hydra/charts/hydra-maester/values.yaml
@@ -12,7 +12,7 @@ image: # -- Ory Hydra-maester image repository: oryd/hydra-maester # -- Ory Hydra-maester version - tag: v0.0.35-amd64 + tag: v0.0.36 # -- Image pull policy pullPolicy: IfNotPresent
@@ -56,6 +56,9 @@ deployment: # cpu: 100m # memory: 20Mi + # -- To set extra env vars for the container. + extraEnv: [] + # -- If you want to mount external volume extraVolumes: [] # - name: my-volume
diff --git a/opencloud/charts/hydra/values.yaml b/opencloud/charts/hydra/values.yaml
index 9600c16..f81ff60 100644
--- a/opencloud/charts/hydra/values.yaml
+++ b/opencloud/charts/hydra/values.yaml
@@ -345,8 +345,8 @@ deployment: failureThreshold: 5 successThreshold: 1 periodSeconds: 1 - timeoutSeconds: 1 - initialDelaySeconds: 0 + timeoutSeconds: 2 + initialDelaySeconds: 1 automountServiceAccountToken: false
diff --git a/opencloud/dev-values.yaml b/opencloud/dev-values.yaml
index b766ed5..013ae0b 100644
--- a/opencloud/dev-values.yaml
+++ b/opencloud/dev-values.yaml
@@ -211,16 +211,21 @@ hydra: enabled: true maester: enabled: true + secret: + enabled: false + nameOverride: hydra-secret + hashSumEnabled: false hydra: dev: true + existingSecret: hydra-secret config: dsn: memory urls: - login: http://localhost/authentication/login - consent: http://localhost/consent/consent - logout: http://localhost/authentication/logout + login: https://localhost-login/authentication/login + consent: https://localhost-consent/consent/consent + logout: https://localhost-logout/authentication/logout self: - issuer: http://localhost/idp + issuer: http://dev-hydra-public:4444/ keto: enabled: true
@@ -357,12 +362,13 @@ argo-workflows: ocAuth: enabled: true + enableTraefikProxyIntegration: true image: oc/oc-auth:0.0.1 authType: hydra keto: adminRole: admin hydra: - openCloudOauth2ClientSecretName: oc-auth-got-secret + openCloudOauth2ClientSecretName: oc-oauth2-client-secret ldap: bindDn: "cn=admin,dc=example,dc=com" binPwd: "admin@password"
diff --git a/opencloud/templates/hydra.yaml b/opencloud/templates/hydra.yaml
index 3baaa94..463c9b0 100644
--- a/opencloud/templates/hydra.yaml
+++ b/opencloud/templates/hydra.yaml
@@ -15,4 +15,17 @@ spec: name: {{ .Release.Name }}-hydra-public.{{ .Release.Namespace }} passHostHeader: true port: 4444 +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: hydra-secret +data: + dsn: bWVtb3J5 + secretsCookie: U0prcFlUeDFZZWhPMFEyc3UweWlwcDdmZ1BaRmc2ajA= + secretsSystem: M3FwWnlpemIzbXc2cE80Q1l3Q1MyUVFmbXdOeVFpRzE= + + + {{- end }} \ No newline at end of file
diff --git a/opencloud/templates/oc-aggregator/ingress.yaml b/opencloud/templates/oc-aggregator/ingress.yaml
index f287562..54cf8b2 100644
--- a/opencloud/templates/oc-aggregator/ingress.yaml
+++ b/opencloud/templates/oc-aggregator/ingress.yaml
@@ -16,6 +16,9 @@ spec: port: 8080 middlewares: - name: strip-aggregator-prefix + {{- if index .Values.ocAuth.enableTraefikProxyIntegration }} + - name: forward-auth + {{- end }} --- apiVersion: traefik.io/v1alpha1
diff --git a/opencloud/templates/oc-auth/ingress.yaml b/opencloud/templates/oc-auth/ingress.yaml
index 0f13b04..a6956c8 100644
--- a/opencloud/templates/oc-auth/ingress.yaml
+++ b/opencloud/templates/oc-auth/ingress.yaml
@@ -14,6 +14,11 @@ spec: - kind: Service name: oc-auth-svc port: 8094 + middlewares: + {{- if index .Values.ocAuth.enableTraefikProxyIntegration }} + - name: forward-auth + {{- end }} + - name: strip-auth-prefix --- apiVersion: traefik.io/v1alpha1 kind: Middleware
@@ -23,5 +28,4 @@ spec: stripPrefix: prefixes: - "/auth" - -{{- end }} \ No newline at end of file +{{- end }}
diff --git a/opencloud/templates/oc-auth/openCloudOauth2.yaml b/opencloud/templates/oc-auth/openCloudOauth2.yaml
index 57dcb72..6129a93 100644
--- a/opencloud/templates/oc-auth/openCloudOauth2.yaml
+++ b/opencloud/templates/oc-auth/openCloudOauth2.yaml
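Review bot: The Secret appended after `port: 4444` in `templates/hydra.yaml` carries literal `secretsCookie` and `secretsSystem` values, so every installation rendered from this chart — and everyone with read access to the repository — shares the same Hydra system and cookie secrets, the material Hydra uses for signing and encryption; `dev-values.yaml` in this commit wires the subchart to it via `hydra.existingSecret: hydra-secret` and `secret.enabled: false`, so nothing else generates them. Render them from values and fail the install when they are missing (`required`), or generate them with `randAlphaNum` behind a `lookup` so an upgrade keeps the value already in the cluster. The `dsn` entry is likewise pinned to the base64 of `memory`, which ties the Secret to the in-memory backend regardless of `hydra.hydra.config.dsn`. `name: hydra-secret` also lacks the `{{ .Release.Name }}` prefix that the `-hydra-public` service in the same file uses, so two releases in one namespace would collide on it (the `existingSecret` value in dev-values would need the same change). The `{{- if }}` block enclosing this document starts outside the hunk.
```yaml
stringData:
  dsn: {{ .Values.hydra.hydra.config.dsn | default "memory" | quote }}
  # hydraSecret.* are proposed new chart values, not existing ones
  secretsSystem: {{ required "hydraSecret.system must be set" .Values.hydraSecret.system | quote }}
  secretsCookie: {{ required "hydraSecret.cookie must be set" .Values.hydraSecret.cookie | quote }}
# … unchanged: trailing blank lines and {{- end }} …
```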
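Review bot: In the oc-auth IngressRoute hunk (`@@ -14,6 +14,11 @@`) the new `middlewares:` list applies `forward-auth` to oc-auth's own routes, yet `forward-auth` is the Middleware whose `forwardAuth.address` this same commit points at `oc-auth-svc...:8094/oc/forward`, and `openCloudOauth2.yaml` now sends the OAuth2 callback to `https://{{ .Values.host }}/auth/callback`, i.e. through this very route. With `enableTraefikProxyIntegration` on, an unauthenticated browser reaching the login or callback path is first asked for an auth decision by the service it has not yet logged in to; unless `/oc/forward` exempts those paths (not visible here) that is a lock-out or a redirect loop. The usual shape is to leave `forward-auth` off the auth service's own IngressRoute, or to split the public login/callback/logout routes into a separate IngressRoute that carries only `strip-auth-prefix`, and apply `forward-auth` only to the protected services. The second hunk in this file (`@@ -23,5 +28,4 @@`) only fixes the trailing newline and needs nothing.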
@@ -5,22 +5,32 @@ metadata: name: open-cloud-client spec: grantTypes: - - implicit - refresh_token - authorization_code - client_credentials + - implicit responseTypes: - id_token - token - code scope: openid profile email roles - secretName: oc-auth-got-secret + secretName: oc-oauth2-client-secret redirectUris: - - https://myapp.example.com/callback + - https://{{ .Values.host }}/auth/callback postLogoutRedirectUris: - - http://localhost:3000 + - https://{{ .Values.host }}/auth/logout/ tokenEndpointAuthMethod: client_secret_post allowedCorsOrigins: - - http://localhost + - "http://0.0.0.0" +#--- +#apiVersion: v1 +#kind: Secret +#metadata: +# name: oc-auth-got-secret +# namespace: dev +#stringData: +# CLIENT_ID: {{ .Values.ocAuth.hydra.clientId }} +# CLIENT_SECRET: {{ .Values.ocAuth.hydra.clientSecret }} + {{- end }} \ No newline at end of file
diff --git a/opencloud/templates/oc-auth/rbac.yaml b/opencloud/templates/oc-auth/rbac.yaml
new file mode 100644
index 0000000..400a0c9
--- /dev/null
+++ b/opencloud/templates/oc-auth/rbac.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.ocAuth.enabled }}
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secret-reader-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: secret-reader-binding
+ namespace: default
+subjects:
+ - kind: ServiceAccount
+ name: ocauth-sa
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: secret-reader-role
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: ocauth-sa
+{{- end }}
+
diff --git a/opencloud/templates/oc-catalog/ingress.yaml b/opencloud/templates/oc-catalog/ingress.yaml
index 96dcde4..63dd3b4 100644
--- a/opencloud/templates/oc-catalog/ingress.yaml
+++ b/opencloud/templates/oc-catalog/ingress.yaml
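Review bot: The commented-out Secret at the end of the `open-cloud-client` hunk still contains live template actions (`{{ .Values.ocAuth.hydra.clientId }}`, `{{ .Values.ocAuth.hydra.clientSecret }}`); Helm evaluates `{{ }}` before the YAML comment marker means anything, so whatever those values hold is rendered into the manifest that Helm stores in the release record and prints from `helm get manifest`, comment or not. Delete the block, or if it must stay as a reminder wrap it in a template comment `{{/* ... */}}` that is dropped at render time. `allowedCorsOrigins: "http://0.0.0.0"` will not match the `Origin` header any browser sends (origins are the scheme and host the user actually navigates to), so it is either dead or a leftover from local testing; `https://{{ .Values.host }}` is the origin the new `redirectUris` imply, if cross-origin calls are needed at all. The reordered `grantTypes` also keep `implicit` together with the `token` response type, which lets access tokens be returned in the URL fragment; since `authorization_code` is listed and the front end has a callback route, both can be dropped unless a client genuinely depends on them.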
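Review bot: In the new `rbac.yaml`, the `RoleBinding` is pinned to `namespace: default` while the `Role` it references has no namespace (so it is created in the release namespace) and the `ServiceAccount` subject uses `{{ .Release.Namespace }}`; unless the release is installed into `default`, the binding refers to a Role that does not exist in its own namespace, `ocauth-sa` is granted nothing, and Helm ends up managing one object outside the release namespace. Drop the hard-coded `namespace: default` so all three objects land in `{{ .Release.Namespace }}`. The Role also grants `get` and `list` on every Secret in the namespace — which after this commit includes `hydra-secret` with Hydra's system and cookie secrets — while `openCloudConf.yaml` hands oc-auth exactly one secret name (`OC_OAUTH2_CLIENT_SECRET_NAME`); scope the rule with `resourceNames` to that name and drop `list`, which RBAC cannot narrow by name.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"]
    verbs: ["get"]
# … unchanged: RoleBinding (without `namespace: default`) and ServiceAccount …
```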
@@ -15,6 +15,9 @@ spec: name: oc-catalog-svc port: 8080 middlewares: + {{- if index .Values.ocAuth.enableTraefikProxyIntegration }} + - name: forward-auth + {{- end }} - name: strip-catalog-prefix ---
diff --git a/opencloud/templates/oc-datacenter/ingress.yaml b/opencloud/templates/oc-datacenter/ingress.yaml
index 875c4b5..d2d7970 100644
--- a/opencloud/templates/oc-datacenter/ingress.yaml
+++ b/opencloud/templates/oc-datacenter/ingress.yaml
@@ -16,6 +16,7 @@ spec: port: 8080 middlewares: - name: strip-datacenter-prefix + - name: forward-auth --- apiVersion: traefik.io/v1alpha1
diff --git a/opencloud/templates/oc-peer/ingress.yaml b/opencloud/templates/oc-peer/ingress.yaml
index 60e0c82..04ff169 100644
--- a/opencloud/templates/oc-peer/ingress.yaml
+++ b/opencloud/templates/oc-peer/ingress.yaml
@@ -15,7 +15,11 @@ spec: name: oc-peer-svc port: 8080 middlewares: + {{- if index .Values.ocAuth.enableTraefikProxyIntegration }} + - name: forward-auth + {{- end }} - name: strip-peer-prefix + --- apiVersion: traefik.io/v1alpha1
diff --git a/opencloud/templates/oc-scheduler/ingress.yaml b/opencloud/templates/oc-scheduler/ingress.yaml
index abd4621..e5a7d10 100644
--- a/opencloud/templates/oc-scheduler/ingress.yaml
+++ b/opencloud/templates/oc-scheduler/ingress.yaml
@@ -16,6 +16,10 @@ spec: port: 8080 middlewares: - name: strip-scheduler-prefix + {{- if index .Values.ocAuth.enableTraefikProxyIntegration }} + - name: forward-auth + {{- end }} + --- apiVersion: traefik.io/v1alpha1
diff --git a/opencloud/templates/oc-shared/ingress.yaml b/opencloud/templates/oc-shared/ingress.yaml
index 5bc1dec..391a59b 100644
--- a/opencloud/templates/oc-shared/ingress.yaml
+++ b/opencloud/templates/oc-shared/ingress.yaml
@@ -16,6 +16,9 @@ spec: port: 8080 middlewares: - name: strip-shared-prefix + {{- if index .Values.ocAuth.enableTraefikProxyIntegration }} + - name: forward-auth + {{- end }} --- apiVersion: traefik.io/v1alpha1
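Review bot: The oc-datacenter IngressRoute (`@@ -16,6 +16,7 @@`) adds `- name: forward-auth` unconditionally, while oc-catalog, oc-peer, oc-scheduler and oc-shared here — and oc-aggregator, oc-auth, oc-workflow and oc-workspace elsewhere in the commit — wrap it in `{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}`; with the flag off, the datacenter route still references a middleware that, if `traefik.yaml` is gated on the same flag (its guard is not visible here), no longer exists, and Traefik drops routes with missing middlewares. Wrap it like the others: `{{- if index .Values.ocAuth.enableTraefikProxyIntegration }}` / `- name: forward-auth` / `{{- end }}`. The middleware order is also inconsistent: oc-catalog and oc-peer run `forward-auth` before the strip-prefix middleware, oc-datacenter, oc-scheduler and oc-shared after it; Traefik applies middlewares in list order, so as far as I recall the `X-Forwarded-Uri` the auth endpoint receives carries the service prefix for some services and not others, which matters as soon as `/oc/forward` makes path-based decisions — pick one order for all routes. As a point of style, `index` with a single argument just returns that argument, so `{{- if .Values.ocAuth.enableTraefikProxyIntegration }}` reads more directly and behaves the same when the key is unset.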
diff --git a/opencloud/templates/oc-workflow/ingress.yaml b/opencloud/templates/oc-workflow/ingress.yaml
index 214c934..9aa79cc 100644
--- a/opencloud/templates/oc-workflow/ingress.yaml
+++ b/opencloud/templates/oc-workflow/ingress.yaml
@@ -16,6 +16,10 @@ spec: port: 8080 middlewares: - name: strip-workflow-prefix + {{- if index .Values.ocAuth.enableTraefikProxyIntegration }} + - name: forward-auth + {{- end }} + --- apiVersion: traefik.io/v1alpha1
diff --git a/opencloud/templates/oc-workspace/ingress.yaml b/opencloud/templates/oc-workspace/ingress.yaml
index e66b8ae..598c5e8 100644
--- a/opencloud/templates/oc-workspace/ingress.yaml
+++ b/opencloud/templates/oc-workspace/ingress.yaml
@@ -16,6 +16,9 @@ spec: port: 8080 middlewares: - name: strip-workspace-prefix + {{- if index .Values.ocAuth.enableTraefikProxyIntegration }} + - name: forward-auth + {{- end }} --- apiVersion: traefik.io/v1alpha1
diff --git a/opencloud/templates/openCloudConf.yaml b/opencloud/templates/openCloudConf.yaml
index fb108f4..2826ce9 100644
--- a/opencloud/templates/openCloudConf.yaml
+++ b/opencloud/templates/openCloudConf.yaml
@@ -2,16 +2,22 @@ apiVersion: v1 kind: ConfigMap metadata: name: opencloud-config + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "1" # Lower number runs first + "helm.sh/hook-delete-policy": hook-succeeded data: + OC_NAMESPACE: "{{ .Release.Namespace }}" OC_ADMIN_ROLE: "{{ .Values.ocAuth.keto.adminRole }}" OC_PUBLIC_KEY_PATH: "/keys/public/public.pem" OC_PRIVATE_KEY_PATH: "/keys/private/private.pem" - OC_CLIENT_SECRET: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}" + OC_OAUTH2_CLIENT_SECRET_NAME: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}" OC_AUTH: "{{ .Values.ocAuth.authType }}" OC_AUTH_CONNECTOR_HOST: "{{ .Release.Name }}-hydra-admin.{{ .Release.Namespace }}" + OC_AUTH_CONNECTOR_PUBLIC_HOST: "{{ .Release.Name }}-hydra-public.{{ .Release.Namespace }}" OC_AUTH_CONNECTOR_PORT: "4444" OC_AUTH_CONNECTOR_ADMIN_PORT: "4445" - OC_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}" + OC_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-read.{{ .Release.Namespace }}" OC_PERMISSION_CONNECTOR_PORT: "80" OC_PERMISSION_CONNECTOR_ADMIN_PORT: "80" OC_LDAP_ENDPOINTS: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
diff --git a/opencloud/templates/traefik.yaml b/opencloud/templates/traefik.yaml
index 24b7c92..2ed1868 100644
--- a/opencloud/templates/traefik.yaml
+++ b/opencloud/templates/traefik.yaml
@@ -4,5 +4,5 @@ metadata: name: forward-auth spec: forwardAuth: - address: "http://oc-auth-svc.{{ .Release.Namespace }}:8080/oc/forward" + address: "http://oc-auth-svc.{{ .Release.Namespace }}:8094/oc/forward" trustForwardHeader: true
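Review bot: The `opencloud-config` ConfigMap will most likely be deleted right after installation: the new `"helm.sh/hook": post-install` annotation turns it into a hook resource, Helm considers a hook without a pod to wait on successful as soon as it is created, and `"helm.sh/hook-delete-policy": hook-succeeded` then removes it, so any pod that reads `OC_*` from this ConfigMap fails to start. A `post-install` hook also never fires on `helm upgrade`, so later changes to `ocAuth.*`, the new `OC_NAMESPACE`, `OC_AUTH_CONNECTOR_PUBLIC_HOST` and the renamed `OC_OAUTH2_CLIENT_SECRET_NAME` would not reach the cluster. If the annotations were added only to order resources, drop all three and let the ConfigMap be an ordinary release object; if a hook is genuinely required, use `"helm.sh/hook": pre-install,pre-upgrade` and no delete policy. Separately, `OC_PERMISSION_CONNECTOR_HOST` now names `keto-read` where it named `keto-write`, which is right for permission checks but leaves no write endpoint in the ConfigMap — confirm nothing in oc-auth uses this host to create relation tuples.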