oc-auth k8s integration
This commit is contained in:
parent
11bdecd80d
commit
5e1503f0bc
@ -5,7 +5,7 @@ type: application
|
|||||||
version: 0.0.1
|
version: 0.0.1
|
||||||
appVersion: "0.0.1"
|
appVersion: "0.0.1"
|
||||||
|
|
||||||
# TODO: ory hydra, keto
|
# TODO: grafana, loki
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: openldap
|
- name: openldap
|
||||||
repository: https://jp-gouin.github.io/helm-openldap/
|
repository: https://jp-gouin.github.io/helm-openldap/
|
||||||
@ -35,3 +35,11 @@ dependencies:
|
|||||||
version: "0.50.2"
|
version: "0.50.2"
|
||||||
repository: "https://k8s.ory.sh/helm/charts"
|
repository: "https://k8s.ory.sh/helm/charts"
|
||||||
condition: keto.enabled
|
condition: keto.enabled
|
||||||
|
- name: loki
|
||||||
|
version: "6.23.0"
|
||||||
|
repository: "https://grafana.github.io/helm-charts"
|
||||||
|
condition: loki.enabled
|
||||||
|
- name: grafana
|
||||||
|
version: "8.6.4"
|
||||||
|
repository: "https://grafana.github.io/helm-charts"
|
||||||
|
condition: grafana.enabled
|
||||||
|
@ -22,10 +22,12 @@ mongodb:
|
|||||||
architecture: standalone
|
architecture: standalone
|
||||||
useStatefulSet: false
|
useStatefulSet: false
|
||||||
auth:
|
auth:
|
||||||
|
enabled: true
|
||||||
rootUser: root
|
rootUser: root
|
||||||
rootPassword: rootpwd
|
rootPassword: rootpwd
|
||||||
usernames: []
|
databases: ["DC_myDC"]
|
||||||
passwords: []
|
usernames: ["opencloud"]
|
||||||
|
passwords: ["opencloud"]
|
||||||
resourcesPreset: "small"
|
resourcesPreset: "small"
|
||||||
replicaCount: 1
|
replicaCount: 1
|
||||||
persistence:
|
persistence:
|
||||||
@ -110,6 +112,13 @@ openldap:
|
|||||||
description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account.
|
description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account.
|
||||||
cn: lastUID
|
cn: lastUID
|
||||||
|
|
||||||
|
dn: cn=everybody,ou=groups,dc=example,dc=com
|
||||||
|
objectClass: top
|
||||||
|
objectClass: posixGroup
|
||||||
|
cn: everybody
|
||||||
|
memberUid: admin
|
||||||
|
gidNumber: 2003
|
||||||
|
|
||||||
02-ldapadmin.ldif : |-
|
02-ldapadmin.ldif : |-
|
||||||
dn: cn=ldapadmin,ou=groups,dc=example,dc=com
|
dn: cn=ldapadmin,ou=groups,dc=example,dc=com
|
||||||
objectClass: top
|
objectClass: top
|
||||||
@ -133,6 +142,31 @@ openldap:
|
|||||||
loginShell: /bin/bash
|
loginShell: /bin/bash
|
||||||
homeDirectory: /home/ldapadmin
|
homeDirectory: /home/ldapadmin
|
||||||
|
|
||||||
|
03-opencloudadmin.ldif : |-
|
||||||
|
dn: cn=admin,ou=groups,dc=example,dc=com
|
||||||
|
objectClass: top
|
||||||
|
objectClass: posixGroup
|
||||||
|
cn: admin
|
||||||
|
memberUid: admin
|
||||||
|
gidNumber: 2002
|
||||||
|
|
||||||
|
dn: uid=admin,ou=users,dc=example,dc=com
|
||||||
|
givenName: John
|
||||||
|
sn: Doe
|
||||||
|
uid: admin
|
||||||
|
mail: john.doe@example.com
|
||||||
|
cn: JohnDoe
|
||||||
|
objectClass: person
|
||||||
|
objectClass: inetOrgPerson
|
||||||
|
objectClass: posixAccount
|
||||||
|
userPassword:: e0NSWVBUfSQ2JDdTZ0daU1FXJGw1ZWRTTHVDaDV6a0NvUlllZzFLd3MwUHRKQ
|
||||||
|
jJQL09CQWdoc0RkbWhzTXJPcEpCbzR3b01yNWJQcjlubi8udWdzM25LcHlKQmt2eHVJWFM0eUQ1
|
||||||
|
cnox
|
||||||
|
uidNumber: 2002
|
||||||
|
gidNumber: 2002
|
||||||
|
loginShell: /bin/bash
|
||||||
|
homeDirectory: /home/admin
|
||||||
|
|
||||||
# ldap user manager configuration
|
# ldap user manager configuration
|
||||||
ldapUserManager:
|
ldapUserManager:
|
||||||
enabled: true
|
enabled: true
|
||||||
@ -189,17 +223,31 @@ hydra:
|
|||||||
|
|
||||||
keto:
|
keto:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
keto:
|
||||||
|
config:
|
||||||
|
serve:
|
||||||
|
read:
|
||||||
|
port: 4466
|
||||||
|
write:
|
||||||
|
port: 4467
|
||||||
|
metrics:
|
||||||
|
port: 4468
|
||||||
|
namespaces:
|
||||||
|
- id: 0
|
||||||
|
name: open-cloud
|
||||||
|
dsn: memory
|
||||||
|
|
||||||
ocAuth:
|
ocAuth:
|
||||||
enabled: false
|
enabled: true
|
||||||
image: oc-auth:latest
|
image: oc/oc-auth:0.0.1
|
||||||
authType: hydra
|
authType: hydra
|
||||||
hydra:
|
keto:
|
||||||
adminRole: admin
|
adminRole: admin
|
||||||
|
hydra:
|
||||||
openCloudOauth2ClientSecretName: oc-auth-got-secret
|
openCloudOauth2ClientSecretName: oc-auth-got-secret
|
||||||
ldap:
|
ldap:
|
||||||
bindDn: "cn=admin,dc=example,dc=com"
|
bindDn: "cn=admin,dc=example,dc=com"
|
||||||
binPwd: "password"
|
binPwd: "admin@password"
|
||||||
baseDn: "dc=example,dc=com"
|
baseDn: "dc=example,dc=com"
|
||||||
roleBaseDn: "ou=AppRoles,dc=example,dc=com"
|
roleBaseDn: "ou=AppRoles,dc=example,dc=com"
|
||||||
resources:
|
resources:
|
||||||
@ -209,3 +257,9 @@ ocAuth:
|
|||||||
requests:
|
requests:
|
||||||
cpu: "128m"
|
cpu: "128m"
|
||||||
memory: "256Mi"
|
memory: "256Mi"
|
||||||
|
|
||||||
|
loki:
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
grafana:
|
||||||
|
enabled: false
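Review bot: The new `binPwd: "admin@password"` together with `bindDn: "cn=admin,dc=example,dc=com"` makes oc-auth bind to the directory as the LDAP root account with a plaintext password that lives in values.yaml, and the same hunk set adds `rootPassword: rootpwd` plus `passwords: ["opencloud"]` for MongoDB and a fixed `userPassword` hash for `uid=admin` in `03-opencloudadmin.ldif`, so every install of this chart shares the same administrative credentials unless the operator overrides each one. A dedicated read-only bind account under `ou=users` would give oc-auth only what it needs for lookups, and the passwords should be read from a pre-created Secret rather than a value, e.g. `ldap: { bindDn: ..., existingSecret: oc-auth-ldap, existingSecretKey: bindPassword }`, with the bitnami `mongodb.auth.existingSecret` used the same way. The `keto.keto.config.dsn: memory` setting means the relation tuples that back `adminRole: admin` are lost whenever the keto pod restarts; whether oc-auth then fails open or closed is not visible here, but a persistent DSN (or a documented re-seeding step) is worth deciding before this leaves a dev cluster. The `openldap:` and `ocAuth:` maps these hunks modify start outside the hunks.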
|
@ -26,46 +26,17 @@ spec:
|
|||||||
containers:
|
containers:
|
||||||
- image: "{{ .Values.ocAuth.image }}"
|
- image: "{{ .Values.ocAuth.image }}"
|
||||||
name: oc-auth
|
name: oc-auth
|
||||||
|
command: ["tail", "-f", "/dev/null"]
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: public-key-volume
|
- name: public-key-volume
|
||||||
mountPath: /keys/public
|
mountPath: /keys/public/public.pem
|
||||||
subPath: public.pem
|
subPath: public.pem
|
||||||
- name: private-key-volume
|
- name: private-key-volume
|
||||||
mountPath: /keys/private
|
mountPath: /keys/private/private.pem
|
||||||
subPath: private.pem
|
subPath: private.pem
|
||||||
env:
|
envFrom:
|
||||||
- name: OCAUTH_ADMIN_ROLE
|
- configMapRef:
|
||||||
value: "{{ .Values.ocAuth.hydra }}"
|
name: opencloud-config
|
||||||
- name: OCAUTH_PUBLIC_KEY_PATH
|
|
||||||
value: /keys/public/public.pem
|
|
||||||
- name: OCAUTH_PRIVATE_KEY_PATH
|
|
||||||
value: /keys/private/private.pem
|
|
||||||
- name: OCAUTH_CLIENT_SECRET
|
|
||||||
value: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
|
|
||||||
- name: OCAUTH_AUTH
|
|
||||||
value: "{{ .Values.ocAuth.authType }}"
|
|
||||||
- name: OCAUTH_AUTH_CONNECTOR_HOST
|
|
||||||
value: "{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}"
|
|
||||||
- name: OCAUTH_AUTH_CONNECTOR_PORT
|
|
||||||
value: 4444
|
|
||||||
- name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT
|
|
||||||
value: 4445
|
|
||||||
- name: OCAUTH_PERMISSION_CONNECTOR_HOST
|
|
||||||
value: "{{ .Release.Name }}.keto-write.{{ .Release.Namespace }}"
|
|
||||||
- name: OCAUTH_PERMISSION_CONNECTOR_PORT
|
|
||||||
value: 80
|
|
||||||
- name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT
|
|
||||||
value: 80
|
|
||||||
- name: OCAUTH_LDAP_ENDPOINTS
|
|
||||||
value: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
|
|
||||||
- name: OCAUTH_LDAP_BINDDN
|
|
||||||
value: "{{ index .Values.ocAuth.ldap.bindDn }}"
|
|
||||||
- name: OCAUTH_LDAP_BINDPW
|
|
||||||
value: "{{ index .Values.ocAuth.ldap.binPwd }}"
|
|
||||||
- name: OCAUTH_LDAP_BASEDN
|
|
||||||
value: "{{ index .Values.ocAuth.ldap.baseDn }}"
|
|
||||||
- name: OCAUTH_LDAP_ROLE_BASEDN
|
|
||||||
value: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
|
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: http
|
||||||
containerPort: 80
|
containerPort: 80
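Review bot: The added `command: ["tail", "-f", "/dev/null"]` overrides the image entrypoint, so the oc-auth process never starts: the container declares `containerPort: 80` with nothing listening, while the private key at `/keys/private/private.pem` and the whole `opencloud-config` environment (which now carries the LDAP bind password and Mongo URL) sit in an idle pod that anyone with `kubectl exec` on the namespace can read. This looks like a debugging leftover; either drop the line or gate it, `{{- if .Values.ocAuth.debug }}command: ["tail", "-f", "/dev/null"]{{- end }}`, and consider a readiness probe on the http port so a non-starting container is at least not marked Ready (no probe is visible in this hunk, the spec may define one elsewhere). Separately, the `subPath: public.pem` / `subPath: private.pem` mounts are not refreshed when the Secret changes, so a key rotation will only take effect after a pod restart; mounting the Secret volume as a directory avoids that. The enclosing `spec:` block starts outside the hunk.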
|
||||||
|
@ -2,10 +2,8 @@
|
|||||||
apiVersion: hydra.ory.sh/v1alpha1
|
apiVersion: hydra.ory.sh/v1alpha1
|
||||||
kind: OAuth2Client
|
kind: OAuth2Client
|
||||||
metadata:
|
metadata:
|
||||||
name: openCloudClient
|
name: open-cloud-client
|
||||||
spec:
|
spec:
|
||||||
clientId: test-client
|
|
||||||
clientSecret: oc-auth-got-secret
|
|
||||||
grantTypes:
|
grantTypes:
|
||||||
- implicit
|
- implicit
|
||||||
- refresh_token
|
- refresh_token
|
||||||
@ -15,12 +13,14 @@ spec:
|
|||||||
- id_token
|
- id_token
|
||||||
- token
|
- token
|
||||||
- code
|
- code
|
||||||
|
scope: openid profile email roles
|
||||||
|
secretName: oc-auth-got-secret
|
||||||
redirectUris:
|
redirectUris:
|
||||||
- https://myapp.example.com/callback
|
- https://myapp.example.com/callback
|
||||||
scope: openid profile email roles
|
|
||||||
tokenEndpointAuthMethod: client_secret_post
|
|
||||||
postLogoutRedirectUris:
|
postLogoutRedirectUris:
|
||||||
-http://localhost:3000
|
- http://localhost:3000
|
||||||
|
tokenEndpointAuthMethod: client_secret_post
|
||||||
allowedCorsOrigins:
|
allowedCorsOrigins:
|
||||||
- http://localhost
|
- http://localhost
|
||||||
{{- end }}
|
{{- end }}
|
||||||
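Review bot: The client keeps `- implicit` under `grantTypes` and `- token` under `responseTypes` even though it is now a confidential client (`secretName`, `tokenEndpointAuthMethod: client_secret_post`) that already has `code`; the OAuth 2.0 Security BCP recommends against the implicit grant because tokens end up in the fragment/URL, so both entries can simply be removed. The redirect targets also look like placeholders rather than chart values: `https://myapp.example.com/callback` next to `postLogoutRedirectUris: - http://localhost:3000` and `allowedCorsOrigins: - http://localhost`, which means a production install silently allows a localhost post-logout redirect unless someone edits the template; `redirectUris: {{- toYaml .Values.ocAuth.hydra.redirectUris | nindent 4 }}` would make them explicit. If I read hydra-maester correctly, `secretName: oc-auth-got-secret` makes the controller generate (or read) `client_id`/`client_secret` in that Secret, so the secret value is no longer the literal `oc-auth-got-secret` the old `clientSecret:` line used — anything that still passes that string as the secret should be re-checked. The `{{- if }}` that `{{- end }}` closes starts outside the hunk.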
|
|
@ -1,5 +1,5 @@
|
|||||||
{{- if index .Values.ocAuth.enabled }}
|
{{- if index .Values.ocAuth.enabled }}
|
||||||
# public-key-secret.yaml
|
# peer public key: public-key-secret.yaml
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
metadata:
|
metadata:
|
||||||
@ -9,7 +9,7 @@ data:
|
|||||||
public.pem: |
|
public.pem: |
|
||||||
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
|
LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUNDZ0tDQWdFQXcycGRHNndNdHVMY1AwK2sxTEZ2SWIwRFFvL29IVzJ1TkphRUpLNzRwbFhxcDR6dHoyZFIKYitSUUhGTGVMdXFrNGkvemMzYjRLM2ZLUFhTbHduVlBKQ3d6UHJueVQ4allHT1pWbFdsRVRpVjl4ZUpodTZzLwpCaDZnMVBXejc1WGpqd1Y1MGl2L0NFaUxOQlQyM2YvM0o0NHdyUXp5Z3FOUUNpUVNBTGR4V0xBRWw0bDVrSFNhCjlvTXlWNzAvVXFsOTQvYXlNQVJac0hncDladnFRS2JrWlB3Nnl6Vk1mQ0J4UW96bE5sbzMxNU9IZXZ1ZGhuaHAKRFJqTjVJN3pXbXFZdDZyYlhKSkM3WTNJemR2em43UUk4OFJxalNSU1Q1SS83S3ozbmRDcXJPbkkrT1FVRTVOVApSRXlRZWJwaHZRZlREVEtsUlBYa2R5a3RkSzJESDI4Wmo2WkYzeWpRdk4zNVE0emhPemxxNzdkTzVJaGhvcEk3CmN0OGRaSDFUMW5Za3ZkeUNBL0VWTXRRc0FTbUJPaXRIMFkwQUNvWFFLNUtiNm5tL1RjTS85WlNKVU5pRU11eTUKZ0JaM1lLRTlvYTRjcFRwUFh3Y0ErUy9jVTdIUE5uUUFzdkQzaUppOEdUVzl1SnM4NHBuNC9XaHBRcW1YZDRydgpoS1dFQ0NOM2ZIeTAxZlVzL1UwUGFTajJqRFkva1FWZVhvaWtOTXpQVWpkWmQ5bTgxNlRJQmgzdjNhVlhDSC8wCmlUSEhBeGN0dkRnTVJiMmZwdlJKL3d3bllqRkc5UnBhbVZGRE12QzlOZmZ1WXpXQUE5SVJJWTRjcWdlcmZIclYKWjJISGlQVEREdkRBSXN2SW1YWmMvaDdtWE42bTNSQ1E0UXl3eTk5M3dkOWdVZGdnL3FueW5IY0NBd0VBQVE9PQotLS0tLUVORCBSU0EgUFVCTElDIEtFWS0tLS0tCg==
|
||||||
---
|
---
|
||||||
# private-key-secret.yaml
|
# peer private key: private-key-secret.yaml
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Secret
|
kind: Secret
|
||||||
metadata:
|
metadata:
|
||||||
|
25
opencloud/templates/openCLoudConf.yaml
Normal file
25
opencloud/templates/openCLoudConf.yaml
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: opencloud-config
|
||||||
|
data:
|
||||||
|
OCAUTH_ADMIN_ROLE: "{{ .Values.ocAuth.keto.adminRole }}"
|
||||||
|
OCAUTH_PUBLIC_KEY_PATH: "/keys/public/public.pem"
|
||||||
|
OCAUTH_PRIVATE_KEY_PATH: "/keys/private/private.pem"
|
||||||
|
OCAUTH_CLIENT_SECRET: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
|
||||||
|
OCAUTH_AUTH: "{{ .Values.ocAuth.authType }}"
|
||||||
|
OCAUTH_AUTH_CONNECTOR_HOST: "{{ .Release.Name }}-hydra-admin.{{ .Release.Namespace }}"
|
||||||
|
OCAUTH_AUTH_CONNECTOR_PORT: "4444"
|
||||||
|
OCAUTH_AUTH_CONNECTOR_ADMIN_PORT: "4445"
|
||||||
|
OCAUTH_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
|
||||||
|
OCAUTH_PERMISSION_CONNECTOR_PORT: "80"
|
||||||
|
OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT: "80"
|
||||||
|
OCAUTH_LDAP_ENDPOINTS: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
|
||||||
|
OCAUTH_LDAP_BINDDN: "{{ index .Values.ocAuth.ldap.bindDn }}"
|
||||||
|
OCAUTH_LDAP_BINDPW: "{{ index .Values.ocAuth.ldap.binPwd }}"
|
||||||
|
OCAUTH_LDAP_BASEDN: "{{ index .Values.ocAuth.ldap.baseDn }}"
|
||||||
|
OCAUTH_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
|
||||||
|
OCAUTH_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.usernames 0 }}:{{ index .Values.mongodb.auth.passwords 0 }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
|
||||||
|
OCAUTH_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}"
|
||||||
|
OCAUTH_NATS_URL: "nats://dev-nats.{{ .Release.Namespace }}.svc.cluster.local:4222"
|
||||||
|
OCAUTH_LOKI_URL: "{{ .Values.SERVER_PATH }}"
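Review bot: `OCAUTH_LDAP_BINDPW` and `OCAUTH_MONGO_URL` (which embeds the Mongo password) are written into a ConfigMap, so any principal with `get configmaps` in the namespace — typically far more than those allowed `get secrets` — can read the directory admin password; these two keys belong in a Secret consumed via a second `envFrom: - secretRef:` entry in the deployment, as sketched below. `OCAUTH_CLIENT_SECRET` is set to `.Values.ocAuth.hydra.openCloudOauth2ClientSecretName`, i.e. the *name* `oc-auth-got-secret`, while the OAuth2Client in this same commit switches to `secretName:`, under which (if I read hydra-maester right) the real secret is generated into that Secret's `client_secret` key — so this should become a `valueFrom: secretKeyRef: {name: oc-auth-got-secret, key: client_secret}` on the container rather than a ConfigMap string. `OCAUTH_NATS_URL` hardcodes the release prefix `dev-nats` where every other host uses `{{ .Release.Name }}`, and `OCAUTH_LOKI_URL` reads `.Values.SERVER_PATH`, which none of the values hunks in this commit define, so it presumably renders as an empty string. Unlike the other ocAuth templates, this file has no `{{- if .Values.ocAuth.enabled }}` guard, and `name: opencloud-config` is not release-prefixed, so two releases in one namespace would fight over the same object. The Mongo username/password should also be `urlquery`-escaped before being spliced into the URL.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-opencloud-secret
type: Opaque
stringData:
  OCAUTH_LDAP_BINDPW: {{ .Values.ocAuth.ldap.binPwd | quote }}
  OCAUTH_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.usernames 0 | urlquery }}:{{ index .Values.mongodb.auth.passwords 0 | urlquery }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
# … unchanged: the non-secret OCAUTH_* keys stay in the ConfigMap, minus OCAUTH_LDAP_BINDPW, OCAUTH_MONGO_URL and OCAUTH_CLIENT_SECRET …
```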
|