Merge branch '444-nextcloud-single-sign-on' into 27-remove-ory-repo-and-use-direct-refs-instead

helmchart/single-sign-on/templates/deployment-userfrontend.yaml

@@ -38,13 +38,13 @@ spec:
             - name: OAUTH_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: userpanel-oauth2-client
-                  key: client_id
+                  name: oauth2-clients
+                  key: {{ .Values.userpanel.applicationName }}_client_id
             - name: OAUTH_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: userpanel-oauth2-client
-                  key: client_secret
+                  name: oauth2-clients
+                  key: {{ .Values.userpanel.applicationName }}_client_secret
           ports:
             - name: userpanel
               containerPort: 3000

helmchart/single-sign-on/templates/job-create-admin-user.yaml

@@ -31,7 +31,9 @@ spec:
         command: ["/bin/bash", "-c"]
         args:
         - /bin/bash ./utils/create-user.bash "$USERNAME" "$PASSWORD" "$EMAIL" {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
+          {{- range .Values.oAuthClients }}
+          /bin/bash ./utils/create-application.bash {{ .clientName }} {{ include "single-sign-on.fullname" $ }}-userbackend 80 &&
+          /bin/bash ./utils/grant-access.bash "$USERNAME" {{ .clientName }} {{ include "single-sign-on.fullname" $ }}-userbackend 80 &&
+          {{- end }}
           /bin/bash ./utils/create-role.bash admin {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
-          /bin/bash ./utils/create-application.bash user-panel {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
-          /bin/bash ./utils/assign-role.bash "$USERNAME" admin {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
-          /bin/bash ./utils/grant-access.bash "$USERNAME" user-panel {{ include "single-sign-on.fullname" . }}-userbackend 80
+          /bin/bash ./utils/assign-role.bash "$USERNAME" admin {{ include "single-sign-on.fullname" . }}-userbackend 80

helmchart/single-sign-on/templates/job-create-oauth2-client-userpanel.yaml → helmchart/single-sign-on/templates/job-create-oauth-clients.yaml

 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ include "single-sign-on.fullname" . }}-create-oauth2-client
+  name: {{ include "single-sign-on.fullname" . }}-create-oauth2-clients
   labels:
 {{ include "single-sign-on.labels" . | indent 4 }}
   annontations:
-    "helm.sh/hook": post-install
+    "helm.sh/hook": post-install,post-upgrade
     "helm.sh/hook-weight": "-4"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
@@ -18,40 +18,41 @@ spec:
     spec:
       restartPolicy: Never
       containers:
-      - name: user-panel
-        image: {{ .Values.userbackend.image.repository }}:{{ .Values.userbackend.image.tag }}
-        imagePullPolicy: {{ .Values.userbackend.image.pullPolicy }}
+      {{- range .Values.oAuthClients }}
+      - name: {{ .clientName | quote }}
+        image: {{ $.Values.userbackend.image.repository }}:{{ $.Values.userbackend.image.tag }}
+        imagePullPolicy: {{ $.Values.userbackend.image.pullPolicy }}
         env:
         - name: CLIENT_ID
           valueFrom:
             secretKeyRef:
-              name: userpanel-oauth2-client
-              key: client_id
+              name: oauth2-clients
+              key: {{ .clientName }}_client_id
         - name: CLIENT_SECRET
           valueFrom:
             secretKeyRef:
-              name: userpanel-oauth2-client
-              key: client_secret
+              name: oauth2-clients
+              key: {{ .clientName }}_client_secret
         - name: CLIENT_NAME
-          value: user-panel
+          value: {{ .clientName | quote }}
         - name: REDIRECT_URI
-          value: "https://{{ .Values.userpanel.ingress.host }}/callback"
+          value: {{ .redirectUri | quote }}
         - name: SCOPES
-          value: "openid profile email openappstack_roles"
+          value: {{ .scopes | quote }}
         - name: CLIENT_URI
-          value: "https://{{ .Values.userpanel.ingress.host }}"
+          value: {{ .clientUri | quote }}
         - name: CLIENT_LOGO_URI
-          value: "https://{{ .Values.userpanel.ingress.host }}/favicon.ico"
+          value: {{ .clientLogoUri | quote }}
         - name: TOKEN_ENDPOINT_AUTH_METHOD
-          value: client_secret_basic
+          value: {{ .tokenEndpointAuthMethod | quote }}
         - name: RESPONSE_TYPES
-          value: token
+          value: "{{- range .responseTypes }}\"{{ . }}\",{{- end }}"
         - name: GRANT_TYPES
-          value: implicit
+          value: "{{- range .grantTypes }}\"{{ . }}\",{{- end }}"
         command: ["/bin/bash", "-c"]
         args:
         - >
-          curl http://{{ .Release.Name }}-hydra-admin:4445/clients &&
+          curl http://{{ $.Release.Name }}-hydra-admin:4445/clients &&
           curl --header "Content-Type: application/json" \
                --request POST \
                --data "{\"client_id\": \"$CLIENT_ID\",
@@ -61,7 +62,8 @@ spec:
                         \"logo_uri\": \"$CLIENT_LOGO_URI\",
                         \"redirect_uris\": [\"$REDIRECT_URI\"],
                         \"scope\": \"$SCOPES\",
-                        \"grant_types\": [\"$GRANT_TYPES\"],
-                        \"response_types\": [\"$RESPONSE_TYPES\"],
+                        \"grant_types\": [$GRANT_TYPES\"\"],
+                        \"response_types\": [$RESPONSE_TYPES\"\"],
                         \"token_endpoint_auth_method\": \"client_secret_post\"}" \
-               http://{{ .Release.Name }}-hydra-admin:4445/clients
+               http://{{ $.Release.Name }}-hydra-admin:4445/clients
+      {{- end }}

helmchart/single-sign-on/templates/secret-oauth2-client-userpanel.yaml

-apiVersion: v1
-kind: Secret
-metadata:
-    name: userpanel-oauth2-client
-type: Opaque
-data:
-  client_id: {{ "user-panel" | b64enc }}
-  client_secret: {{ .Values.userpanel.oAuthClientSecret |  b64enc }}

helmchart/single-sign-on/templates/secret-oauth2-clients.yaml

+apiVersion: v1
+kind: Secret
+metadata:
+    name: oauth2-clients
+type: Opaque
+data:
+  {{- range .Values.oAuthClients }}
+  {{ .clientName }}_client_id: {{ .clientName | b64enc }}
+  {{ .clientName }}_client_secret: {{ .clientSecret |  b64enc }}
+  {{- end }}

helmchart/single-sign-on/values.yaml

 replicaCount: 1
 
-
 consentProviderImage:
     # consentProviderImage.tag and consentProviderImage.pullPolicy should be the same as
     # loginProviderImage.tag and loginProviderImage.pullPolicy as the images are released
@@ -17,6 +16,10 @@ loginProviderImage:
 singleSignOnHost: &SSO_HOST sso.oas.example.net
 
 userpanel:
+  # userpanel.applicationName is the name of the application. This is a duplicate of
+  # userbackend.applications[0].name but helm < 3.0 doesn't supprt direct references to
+  # list items in template files so we need to keep it for now
+  applicationName: &USER_PANEL user-panel
   image:
     # userpanel.image.tag and userpanel.image.pullPolicy should be the same as
     # userbackend.image.tag and userpanel.image.pullPolicy as the images are released
@@ -26,9 +29,6 @@ userpanel:
   ingress:
     # userpanel.ingress.host is the FQDN of the userpanel application
     host: admin.oas.example.net
-  # userpanel.oauthClientSecret is the secret the userpanel application will use to make
-  # oauth requests to the hydra service.
-  oAuthClientSecret: "YouReallyNeedToChangeThis"
 
 userbackend:
   image:
@@ -37,6 +37,9 @@ userbackend:
   # userbackend.username is the username of the admin user that will be create
   # after the installation of the user backend.
   username: "admin"
+  applications:
+    - name: *USER_PANEL
+      desctiption: Administration interface to manage user accounts
   # username.password is the password of the admin user
   password: "YouReallyNeedToChangeThis"
   # username.email is email address of the admin user
@@ -104,3 +107,36 @@ hydra:
     # hydra.ingress.public using a different FQDN
     admin:
       enabled: false
+
+# oAuthClients is a list of clients that are created during the installation process
+# for a detailed list of the options available here, refer to
+# https://www.ory.sh/docs/hydra/sdk/api#create-an-oauth-20-client
+oAuthClients:
+  # oauthClients[].clientName is the name of the oauth client that needs to be the same as
+  # the application name in userbackend.applications[].name
+- clientName: *USER_PANEL
+  # oauthClients[].clientSecret is the secret the client uses to authenticate
+  clientSecret: "YouReallyNeedToChangeThis"
+  # oAuthClients[].redirectUri is the url the user will be redirected to by hydra when the
+  # authentication process is completed
+  redirectUri: "https://admin.oas.example.net/callback"
+  # oAuthClients[].scopes is a list of scopes the client need access to
+  scopes: "openid profile email openappstack_roles"
+  # oAuthClients[].clientUri is a url that is displayed for the user to navigate to the
+  # application
+  clientUri: "https://admin.oas.example.net"
+  # oAuthClients[].clientLogoUri is a url that points to a logo that will be displayed
+  # whenever refering to the application
+  clientLogoUri: "https://admin.oas.example.net/favicon.ico"
+  # oAuthClients[].tokenEndpointAuthMethod sets the method that the oAUth client uses to
+  # authenticate agains the oAuth server i.e. to retrieve tokens or userinfo
+  tokenEndpointAuthMethod: "client_secret_basic"
+  # oAuthClients[].responseTypes specifies the type of ressource an oAuth client uses to perform
+  # authentication and userinfo requests
+  responseTypes:
+    - "token"
+  # oAuthClients[].grantTypes specifies the way in which the client retrieves an access token
+  # from the oAuth server
+  grantTypes:
+    - "implicit"
+