plm/oc-k8s
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

oc-auth k8s integration

Browse Source
This commit is contained in:
plm 2024-12-16 14:50:39 +01:00
parent 11bdecd80d
commit 5e1503f0bc
6 changed files with 110 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
opencloud/Chart.yaml
View File

@ -5,7 +5,7 @@ type: application
version: 0.0.1 version: 0.0.1
appVersion: "0.0.1" appVersion: "0.0.1"
# TODO: ory hydra, keto # TODO: grafana, loki
dependencies: dependencies:
- name: openldap - name: openldap
repository: https://jp-gouin.github.io/helm-openldap/ repository: https://jp-gouin.github.io/helm-openldap/
@ -35,3 +35,11 @@ dependencies:
version: "0.50.2" version: "0.50.2"
repository: "https://k8s.ory.sh/helm/charts" repository: "https://k8s.ory.sh/helm/charts"
condition: keto.enabled condition: keto.enabled
- name: loki
version: "6.23.0"
repository: "https://grafana.github.io/helm-charts"
condition: loki.enabled
- name: grafana
version: "8.6.4"
repository: "https://grafana.github.io/helm-charts"
condition: grafana.enabled

66
opencloud/dev-values.yaml
View File

@ -22,10 +22,12 @@ mongodb:
architecture: standalone architecture: standalone
useStatefulSet: false useStatefulSet: false
auth: auth:
enabled: true
rootUser: root rootUser: root
rootPassword: rootpwd rootPassword: rootpwd
usernames: [] databases: ["DC_myDC"]
passwords: [] usernames: ["opencloud"]
passwords: ["opencloud"]
resourcesPreset: "small" resourcesPreset: "small"
replicaCount: 1 replicaCount: 1
persistence: persistence:
@ -110,6 +112,13 @@ openldap:
description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account. description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account.
cn: lastUID cn: lastUID
dn: cn=everybody,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: everybody
memberUid: admin
gidNumber: 2003
02-ldapadmin.ldif : |- 02-ldapadmin.ldif : |-
dn: cn=ldapadmin,ou=groups,dc=example,dc=com dn: cn=ldapadmin,ou=groups,dc=example,dc=com
objectClass: top objectClass: top
@ -133,6 +142,31 @@ openldap:
loginShell: /bin/bash loginShell: /bin/bash
homeDirectory: /home/ldapadmin homeDirectory: /home/ldapadmin
03-opencloudadmin.ldif : |-
dn: cn=admin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: admin
memberUid: admin
gidNumber: 2002
dn: uid=admin,ou=users,dc=example,dc=com
givenName: John
sn: Doe
uid: admin
mail: john.doe@example.com
cn: JohnDoe
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: e0NSWVBUfSQ2JDdTZ0daU1FXJGw1ZWRTTHVDaDV6a0NvUlllZzFLd3MwUHRKQ
jJQL09CQWdoc0RkbWhzTXJPcEpCbzR3b01yNWJQcjlubi8udWdzM25LcHlKQmt2eHVJWFM0eUQ1
cnox
uidNumber: 2002
gidNumber: 2002
loginShell: /bin/bash
homeDirectory: /home/admin
# ldap user manager configuration # ldap user manager configuration
ldapUserManager: ldapUserManager:
enabled: true enabled: true
@ -189,17 +223,31 @@ hydra:
keto: keto:
enabled: true enabled: true
keto:
config:
serve:
read:
port: 4466
write:
port: 4467
metrics:
port: 4468
namespaces:
- id: 0
name: open-cloud
dsn: memory
ocAuth: ocAuth:
enabled: false enabled: true
image: oc-auth:latest image: oc/oc-auth:0.0.1
authType: hydra authType: hydra
hydra: keto:
adminRole: admin adminRole: admin
hydra:
openCloudOauth2ClientSecretName: oc-auth-got-secret openCloudOauth2ClientSecretName: oc-auth-got-secret
ldap: ldap:
bindDn: "cn=admin,dc=example,dc=com" bindDn: "cn=admin,dc=example,dc=com"
binPwd: "password" binPwd: "admin@password"
baseDn: "dc=example,dc=com" baseDn: "dc=example,dc=com"
roleBaseDn: "ou=AppRoles,dc=example,dc=com" roleBaseDn: "ou=AppRoles,dc=example,dc=com"
resources: resources:
@ -209,3 +257,9 @@ ocAuth:
requests: requests:
cpu: "128m" cpu: "128m"
memory: "256Mi" memory: "256Mi"
loki:
enabled: false
grafana:
enabled: false

41
opencloud/templates/oc-auth/deployment.yaml
View File

@ -26,46 +26,17 @@ spec:
containers: containers:
- image: "{{ .Values.ocAuth.image }}" - image: "{{ .Values.ocAuth.image }}"
name: oc-auth name: oc-auth
command: ["tail", "-f", "/dev/null"]
volumeMounts: volumeMounts:
- name: public-key-volume - name: public-key-volume
mountPath: /keys/public mountPath: /keys/public/public.pem
subPath: public.pem subPath: public.pem
- name: private-key-volume - name: private-key-volume
mountPath: /keys/private mountPath: /keys/private/private.pem
subPath: private.pem subPath: private.pem
env: envFrom:
- name: OCAUTH_ADMIN_ROLE - configMapRef:
value: "{{ .Values.ocAuth.hydra }}" name: opencloud-config
- name: OCAUTH_PUBLIC_KEY_PATH
value: /keys/public/public.pem
- name: OCAUTH_PRIVATE_KEY_PATH
value: /keys/private/private.pem
- name: OCAUTH_CLIENT_SECRET
value: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
- name: OCAUTH_AUTH
value: "{{ .Values.ocAuth.authType }}"
- name: OCAUTH_AUTH_CONNECTOR_HOST
value: "{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}"
- name: OCAUTH_AUTH_CONNECTOR_PORT
value: 4444
- name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
value: 4445
- name: OCAUTH_PERMISSION_CONNECTOR_HOST
value: "{{ .Release.Name }}.keto-write.{{ .Release.Namespace }}"
- name: OCAUTH_PERMISSION_CONNECTOR_PORT
value: 80
- name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
value: 80
- name: OCAUTH_LDAP_ENDPOINTS
value: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
- name: OCAUTH_LDAP_BINDDN
value: "{{ index .Values.ocAuth.ldap.bindDn }}"
- name: OCAUTH_LDAP_BINDPW
value: "{{ index .Values.ocAuth.ldap.binPwd }}"
- name: OCAUTH_LDAP_BASEDN
value: "{{ index .Values.ocAuth.ldap.baseDn }}"
- name: OCAUTH_LDAP_ROLE_BASEDN
value: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
ports: ports:
- name: http - name: http
containerPort: 80 containerPort: 80

10
opencloud/templates/oc-auth/openCloudOauth2.yaml
View File

@ -2,10 +2,8 @@
apiVersion: hydra.ory.sh/v1alpha1 apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client kind: OAuth2Client
metadata: metadata:
name: openCloudClient name: open-cloud-client
spec: spec:
clientId: test-client
clientSecret: oc-auth-got-secret
grantTypes: grantTypes:
- implicit - implicit
- refresh_token - refresh_token
@ -15,12 +13,14 @@ spec:
- id_token - id_token
- token - token
- code - code
scope: openid profile email roles
secretName: oc-auth-got-secret
redirectUris: redirectUris:
- https://myapp.example.com/callback - https://myapp.example.com/callback
scope: openid profile email roles
tokenEndpointAuthMethod: client_secret_post
postLogoutRedirectUris: postLogoutRedirectUris:
- http://localhost:3000 - http://localhost:3000
tokenEndpointAuthMethod: client_secret_post
allowedCorsOrigins: allowedCorsOrigins:
- http://localhost - http://localhost
{{- end }} {{- end }}

4
opencloud/templates/oc-auth/pem.yaml
View File

@ -1,5 +1,5 @@
{{- if index .Values.ocAuth.enabled }} {{- if index .Values.ocAuth.enabled }}
# public-key-secret.yaml # peer public key: public-key-secret.yaml
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@ -9,7 +9,7 @@ data:
public.pem: | public.pem: |
LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXcycGRHNndNdHVMY1AwK2sxTEZ2SWIwRFFvL29IVzJ1TkphRUpLNzRwbFhxcDR6dHoyZFIKYitSUUhGTGVMdXFrNGkvemMzYjRLM2ZLUFhTbHduVlBKQ3d6UHJueVQ4allHT1pWbFdsRVRpVjl4ZUpodTZzLwpCaDZnMVBXejc1WGpqd1Y1MGl2L0NFaUxOQlQyM2YvM0o0NHdyUXp5Z3FOUUNpUVNBTGR4V0xBRWw0bDVrSFNhCjlvTXlWNzAvVXFsOTQvYXlNQVJac0hncDladnFRS2JrWlB3Nnl6Vk1mQ0J4UW96bE5sbzMxNU9IZXZ1ZGhuaHAKRFJqTjVJN3pXbXFZdDZyYlhKSkM3WTNJemR2em43UUk4OFJxalNSU1Q1SS83S3ozbmRDcXJPbkkrT1FVRTVOVApSRXlRZWJwaHZRZlREVEtsUlBYa2R5a3RkSzJESDI4Wmo2WkYzeWpRdk4zNVE0emhPemxxNzdkTzVJaGhvcEk3CmN0OGRaSDFUMW5Za3ZkeUNBL0VWTXRRc0FTbUJPaXRIMFkwQUNvWFFLNUtiNm5tL1RjTS85WlNKVU5pRU11eTUKZ0JaM1lLRTlvYTRjcFRwUFh3Y0ErUy9jVTdIUE5uUUFzdkQzaUppOEdUVzl1SnM4NHBuNC9XaHBRcW1YZDRydgpoS1dFQ0NOM2ZIeTAxZlVzL1UwUGFTajJqRFkva1FWZVhvaWtOTXpQVWpkWmQ5bTgxNlRJQmgzdjNhVlhDSC8wCmlUSEhBeGN0dkRnTVJiMmZwdlJKL3d3bllqRkc5UnBhbVZGRE12QzlOZmZ1WXpXQUE5SVJJWTRjcWdlcmZIclYKWjJISGlQVEREdkRBSXN2SW1YWmMvaDdtWE42bTNSQ1E0UXl3eTk5M3dkOWdVZGdnL3FueW5IY0NBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg== LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXcycGRHNndNdHVMY1AwK2sxTEZ2SWIwRFFvL29IVzJ1TkphRUpLNzRwbFhxcDR6dHoyZFIKYitSUUhGTGVMdXFrNGkvemMzYjRLM2ZLUFhTbHduVlBKQ3d6UHJueVQ4allHT1pWbFdsRVRpVjl4ZUpodTZzLwpCaDZnMVBXejc1WGpqd1Y1MGl2L0NFaUxOQlQyM2YvM0o0NHdyUXp5Z3FOUUNpUVNBTGR4V0xBRWw0bDVrSFNhCjlvTXlWNzAvVXFsOTQvYXlNQVJac0hncDladnFRS2JrWlB3Nnl6Vk1mQ0J4UW96bE5sbzMxNU9IZXZ1ZGhuaHAKRFJqTjVJN3pXbXFZdDZyYlhKSkM3WTNJemR2em43UUk4OFJxalNSU1Q1SS83S3ozbmRDcXJPbkkrT1FVRTVOVApSRXlRZWJwaHZRZlREVEtsUlBYa2R5a3RkSzJESDI4Wmo2WkYzeWpRdk4zNVE0emhPemxxNzdkTzVJaGhvcEk3CmN0OGRaSDFUMW5Za3ZkeUNBL0VWTXRRc0FTbUJPaXRIMFkwQUNvWFFLNUtiNm5tL1RjTS85WlNKVU5pRU11eTUKZ0JaM1lLRTlvYTRjcFRwUFh3Y0ErUy9jVTdIUE5uUUFzdkQzaUppOEdUVzl1SnM4NHBuNC9XaHBRcW1YZDRydgpoS1dFQ0NOM2ZIeTAxZlVzL1UwUGFTajJqRFkva1FWZVhvaWtOTXpQVWpkWmQ5bTgxNlRJQmgzdjNhVlhDSC8wCmlUSEhBeGN0dkRnTVJiMmZwdlJKL3d3bllqRkc5UnBhbVZGRE12QzlOZmZ1WXpXQUE5SVJJWTRjcWdlcmZIclYKWjJISGlQVEREdkRBSXN2SW1YWmMvaDdtWE42bTNSQ1E0UXl3eTk5M3dkOWdVZGdnL3FueW5IY0NBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg==
--- ---
# private-key-secret.yaml # peer private key: private-key-secret.yaml
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:

25
opencloud/templates/openCLoudConf.yaml Normal file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: opencloud-config
data:
OCAUTH_ADMIN_ROLE: "{{ .Values.ocAuth.keto.adminRole }}"
OCAUTH_PUBLIC_KEY_PATH: "/keys/public/public.pem"
OCAUTH_PRIVATE_KEY_PATH: "/keys/private/private.pem"
OCAUTH_CLIENT_SECRET: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
OCAUTH_AUTH: "{{ .Values.ocAuth.authType }}"
OCAUTH_AUTH_CONNECTOR_HOST: "{{ .Release.Name }}-hydra-admin.{{ .Release.Namespace }}"
OCAUTH_AUTH_CONNECTOR_PORT: "4444"
OCAUTH_AUTH_CONNECTOR_ADMIN_PORT: "4445"
OCAUTH_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
OCAUTH_PERMISSION_CONNECTOR_PORT: "80"
OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT: "80"
OCAUTH_LDAP_ENDPOINTS: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
OCAUTH_LDAP_BINDDN: "{{ index .Values.ocAuth.ldap.bindDn }}"
OCAUTH_LDAP_BINDPW: "{{ index .Values.ocAuth.ldap.binPwd }}"
OCAUTH_LDAP_BASEDN: "{{ index .Values.ocAuth.ldap.baseDn }}"
OCAUTH_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
OCAUTH_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.usernames 0 }}:{{ index .Values.mongodb.auth.passwords 0 }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
OCAUTH_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}"
OCAUTH_NATS_URL: "nats://dev-nats.{{ .Release.Namespace }}.svc.cluster.local:4222"
OCAUTH_LOKI_URL: "{{ .Values.SERVER_PATH }}"