oc-auth k8s integration

2024-12-16 14:50:39 +01:00 · 2024-12-16 14:50:39 +01:00 · 5e1503f0bc
commit 5e1503f0bc
parent 11bdecd80d
6 changed files with 110 additions and 52 deletions
--- a/opencloud/Chart.yaml
+++ b/opencloud/Chart.yaml
@ -5,7 +5,7 @@ type: application
 version: 0.0.1
 appVersion: "0.0.1"

-# TODO: ory hydra, keto
+# TODO: grafana, loki
 dependencies:
 - name: openldap
  repository: https://jp-gouin.github.io/helm-openldap/
@ -34,4 +34,12 @@ dependencies:
 - name: keto
  version: "0.50.2"
  repository: "https://k8s.ory.sh/helm/charts"
-  condition: keto.enabled
+  condition: keto.enabled
+- name: loki
+  version: "6.23.0"
+  repository: "https://grafana.github.io/helm-charts"
+  condition: loki.enabled
+- name: grafana
+  version: "8.6.4"
+  repository: "https://grafana.github.io/helm-charts"
+  condition: grafana.enabled
--- a/opencloud/dev-values.yaml
+++ b/opencloud/dev-values.yaml
@ -22,10 +22,12 @@ mongodb:
  architecture: standalone
  useStatefulSet: false
  auth:
+    enabled: true
    rootUser: root
    rootPassword: rootpwd
-    usernames: []
-    passwords: []
+    databases: ["DC_myDC"]
+    usernames: ["opencloud"]
+    passwords: ["opencloud"]
  resourcesPreset: "small"
  replicaCount: 1
  persistence:
@ -110,6 +112,13 @@ openldap:
      description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account.
      cn: lastUID

+      dn: cn=everybody,ou=groups,dc=example,dc=com
+      objectClass: top
+      objectClass: posixGroup
+      cn: everybody
+      memberUid: admin
+      gidNumber: 2003
+
    02-ldapadmin.ldif : |-
      dn: cn=ldapadmin,ou=groups,dc=example,dc=com
      objectClass: top
@ -133,6 +142,31 @@ openldap:
      loginShell: /bin/bash
      homeDirectory: /home/ldapadmin

+    03-opencloudadmin.ldif : |-
+      dn: cn=admin,ou=groups,dc=example,dc=com
+      objectClass: top
+      objectClass: posixGroup
+      cn: admin
+      memberUid: admin
+      gidNumber: 2002
+
+      dn: uid=admin,ou=users,dc=example,dc=com
+      givenName: John
+      sn: Doe
+      uid: admin
+      mail: john.doe@example.com
+      cn: JohnDoe
+      objectClass: person
+      objectClass: inetOrgPerson
+      objectClass: posixAccount
+      userPassword:: e0NSWVBUfSQ2JDdTZ0daU1FXJGw1ZWRTTHVDaDV6a0NvUlllZzFLd3MwUHRKQ
+      jJQL09CQWdoc0RkbWhzTXJPcEpCbzR3b01yNWJQcjlubi8udWdzM25LcHlKQmt2eHVJWFM0eUQ1
+      cnox
+      uidNumber: 2002
+      gidNumber: 2002
+      loginShell: /bin/bash
+      homeDirectory: /home/admin
+
 # ldap user manager configuration
 ldapUserManager:
  enabled: true
@ -189,17 +223,31 @@ hydra:

 keto:
  enabled: true
+  keto:
+    config:
+      serve:
+        read:
+          port: 4466
+        write:
+          port: 4467
+        metrics:
+          port: 4468
+      namespaces:
+        - id: 0
+          name: open-cloud
+      dsn: memory

 ocAuth:
-  enabled: false
-  image: oc-auth:latest
+  enabled: true
+  image: oc/oc-auth:0.0.1
  authType: hydra
-  hydra:
+  keto:
    adminRole: admin
+  hydra:
    openCloudOauth2ClientSecretName: oc-auth-got-secret
  ldap:
    bindDn: "cn=admin,dc=example,dc=com"
-    binPwd: "password"
+    binPwd: "admin@password"
    baseDn: "dc=example,dc=com"
    roleBaseDn: "ou=AppRoles,dc=example,dc=com"
  resources:
@ -209,3 +257,9 @@ ocAuth:
    requests:
      cpu: "128m"
      memory: "256Mi"
+      
+loki:
+  enabled: false
+
+grafana:
+  enabled: false
--- a/opencloud/templates/oc-auth/deployment.yaml
+++ b/opencloud/templates/oc-auth/deployment.yaml
@ -26,46 +26,17 @@ spec:
      containers:
      - image: "{{ .Values.ocAuth.image }}"
        name: oc-auth
+        command: ["tail", "-f", "/dev/null"]
        volumeMounts:
          - name: public-key-volume
-            mountPath: /keys/public
+            mountPath: /keys/public/public.pem
            subPath: public.pem
          - name: private-key-volume
-            mountPath: /keys/private
+            mountPath: /keys/private/private.pem
            subPath: private.pem
-        env:
-        - name: OCAUTH_ADMIN_ROLE
-          value: "{{ .Values.ocAuth.hydra }}"
-        - name: OCAUTH_PUBLIC_KEY_PATH
-          value: /keys/public/public.pem
-        - name: OCAUTH_PRIVATE_KEY_PATH
-          value: /keys/private/private.pem
-        - name: OCAUTH_CLIENT_SECRET
-          value: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
-        - name: OCAUTH_AUTH
-          value: "{{ .Values.ocAuth.authType }}"
-        - name: OCAUTH_AUTH_CONNECTOR_HOST
-          value: "{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}"
-        - name: OCAUTH_AUTH_CONNECTOR_PORT
-          value: 4444
-        - name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
-          value: 4445
-        - name: OCAUTH_PERMISSION_CONNECTOR_HOST
-          value: "{{ .Release.Name }}.keto-write.{{ .Release.Namespace }}"
-        - name: OCAUTH_PERMISSION_CONNECTOR_PORT
-          value: 80
-        - name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
-          value: 80
-        - name: OCAUTH_LDAP_ENDPOINTS
-          value: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
-        - name: OCAUTH_LDAP_BINDDN
-          value: "{{ index .Values.ocAuth.ldap.bindDn }}"
-        - name: OCAUTH_LDAP_BINDPW
-          value: "{{ index .Values.ocAuth.ldap.binPwd }}"
-        - name: OCAUTH_LDAP_BASEDN
-          value: "{{ index .Values.ocAuth.ldap.baseDn }}"
-        - name: OCAUTH_LDAP_ROLE_BASEDN
-          value: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
+        envFrom:
+        - configMapRef:
+            name: opencloud-config
        ports:
          - name: http
            containerPort: 80
--- a/opencloud/templates/oc-auth/openCloudOauth2.yaml
+++ b/opencloud/templates/oc-auth/openCloudOauth2.yaml
@ -2,10 +2,8 @@
 apiVersion: hydra.ory.sh/v1alpha1
 kind: OAuth2Client
 metadata:
-  name: openCloudClient
+  name: open-cloud-client
 spec:
-  clientId:  test-client
-  clientSecret: oc-auth-got-secret
  grantTypes:
    - implicit
    - refresh_token
@ -15,12 +13,14 @@ spec:
    - id_token
    - token
    - code
+  scope: openid profile email roles
+  secretName: oc-auth-got-secret
  redirectUris:
    - https://myapp.example.com/callback
-  scope: openid profile email roles
-  tokenEndpointAuthMethod: client_secret_post
  postLogoutRedirectUris:
-    -http://localhost:3000
+    - http://localhost:3000
+  tokenEndpointAuthMethod: client_secret_post
  allowedCorsOrigins:
    - http://localhost
-{{- end }}
+{{- end }}
+  
--- a/opencloud/templates/oc-auth/pem.yaml
+++ b/opencloud/templates/oc-auth/pem.yaml
@ -1,5 +1,5 @@
 {{- if index .Values.ocAuth.enabled }}
-# public-key-secret.yaml
+# peer public key: public-key-secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
@ -9,7 +9,7 @@ data:
  public.pem: |
    LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXcycGRHNndNdHVMY1AwK2sxTEZ2SWIwRFFvL29IVzJ1TkphRUpLNzRwbFhxcDR6dHoyZFIKYitSUUhGTGVMdXFrNGkvemMzYjRLM2ZLUFhTbHduVlBKQ3d6UHJueVQ4allHT1pWbFdsRVRpVjl4ZUpodTZzLwpCaDZnMVBXejc1WGpqd1Y1MGl2L0NFaUxOQlQyM2YvM0o0NHdyUXp5Z3FOUUNpUVNBTGR4V0xBRWw0bDVrSFNhCjlvTXlWNzAvVXFsOTQvYXlNQVJac0hncDladnFRS2JrWlB3Nnl6Vk1mQ0J4UW96bE5sbzMxNU9IZXZ1ZGhuaHAKRFJqTjVJN3pXbXFZdDZyYlhKSkM3WTNJemR2em43UUk4OFJxalNSU1Q1SS83S3ozbmRDcXJPbkkrT1FVRTVOVApSRXlRZWJwaHZRZlREVEtsUlBYa2R5a3RkSzJESDI4Wmo2WkYzeWpRdk4zNVE0emhPemxxNzdkTzVJaGhvcEk3CmN0OGRaSDFUMW5Za3ZkeUNBL0VWTXRRc0FTbUJPaXRIMFkwQUNvWFFLNUtiNm5tL1RjTS85WlNKVU5pRU11eTUKZ0JaM1lLRTlvYTRjcFRwUFh3Y0ErUy9jVTdIUE5uUUFzdkQzaUppOEdUVzl1SnM4NHBuNC9XaHBRcW1YZDRydgpoS1dFQ0NOM2ZIeTAxZlVzL1UwUGFTajJqRFkva1FWZVhvaWtOTXpQVWpkWmQ5bTgxNlRJQmgzdjNhVlhDSC8wCmlUSEhBeGN0dkRnTVJiMmZwdlJKL3d3bllqRkc5UnBhbVZGRE12QzlOZmZ1WXpXQUE5SVJJWTRjcWdlcmZIclYKWjJISGlQVEREdkRBSXN2SW1YWmMvaDdtWE42bTNSQ1E0UXl3eTk5M3dkOWdVZGdnL3FueW5IY0NBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg==
 ---
-# private-key-secret.yaml
+# peer private key: private-key-secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
--- a/opencloud/templates/openCLoudConf.yaml
+++ b/opencloud/templates/openCLoudConf.yaml
@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: opencloud-config
+data:
+  OCAUTH_ADMIN_ROLE: "{{ .Values.ocAuth.keto.adminRole }}"
+  OCAUTH_PUBLIC_KEY_PATH: "/keys/public/public.pem"
+  OCAUTH_PRIVATE_KEY_PATH: "/keys/private/private.pem"
+  OCAUTH_CLIENT_SECRET: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
+  OCAUTH_AUTH: "{{ .Values.ocAuth.authType }}"
+  OCAUTH_AUTH_CONNECTOR_HOST: "{{ .Release.Name }}-hydra-admin.{{ .Release.Namespace }}"
+  OCAUTH_AUTH_CONNECTOR_PORT: "4444"
+  OCAUTH_AUTH_CONNECTOR_ADMIN_PORT: "4445"
+  OCAUTH_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
+  OCAUTH_PERMISSION_CONNECTOR_PORT: "80"
+  OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT: "80"
+  OCAUTH_LDAP_ENDPOINTS: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
+  OCAUTH_LDAP_BINDDN: "{{ index .Values.ocAuth.ldap.bindDn }}"
+  OCAUTH_LDAP_BINDPW: "{{ index .Values.ocAuth.ldap.binPwd }}"
+  OCAUTH_LDAP_BASEDN: "{{ index .Values.ocAuth.ldap.baseDn }}"
+  OCAUTH_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
+  OCAUTH_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.usernames 0 }}:{{ index .Values.mongodb.auth.passwords 0 }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
+  OCAUTH_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}"
+  OCAUTH_NATS_URL: "nats://dev-nats.{{ .Release.Namespace }}.svc.cluster.local:4222"
+  OCAUTH_LOKI_URL: "{{ .Values.SERVER_PATH }}"