Merge branch '444-nextcloud-single-sign-on' into 'master'

444 nextcloud single sign on See merge request openappstack/single-sign-on!9

Merge branch '444-nextcloud-single-sign-on' into 'master'
444 nextcloud single sign on See merge request openappstack/single-sign-on!9
3d0e2e63 · Maarten de Waard · 44d32b95 · 8c3c4f0a · 3d0e2e63 · 3d0e2e63
Commit 3d0e2e63 authored 5 years ago by Maarten de Waard
--- a/helmchart/single-sign-on/requirements.yaml
+++ b/helmchart/single-sign-on/requirements.yaml
 dependencies:
  - name: hydra
-    version: 0.0.47
+    version: 0.0.48
    repository: "https://k8s.ory.sh/helm/charts"
    tags:
      - single-sign-on
--- a/helmchart/single-sign-on/templates/deployment-userfrontend.yaml
+++ b/helmchart/single-sign-on/templates/deployment-userfrontend.yaml
@@ -38,13 +38,13 @@ spec:
            - name: OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
-                  name: userpanel-oauth2-client
-                  key: client_id
+                  name: oauth2-clients
+                  key: {{ .Values.userpanel.applicationName }}_client_id
            - name: OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: userpanel-oauth2-client
-                  key: client_secret
+                  name: oauth2-clients
+                  key: {{ .Values.userpanel.applicationName }}_client_secret
          ports:
            - name: userpanel
              containerPort: 3000

--- a/helmchart/single-sign-on/templates/job-create-admin-user.yaml
+++ b/helmchart/single-sign-on/templates/job-create-admin-user.yaml
@@ -5,7 +5,7 @@ metadata:
  labels:
 {{ include "single-sign-on.labels" . | indent 4 }}
  annontations:
-    "helm.sh/hook": post-install
+    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "-5"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
@@ -30,8 +30,10 @@ spec:
          value: {{ .Values.userbackend.email }}
        command: ["/bin/bash", "-c"]
        args:
-        - /bin/bash ./utils/create-user.bash "$USERNAME" "$PASSWORD" "$EMAIL" {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
-          /bin/bash ./utils/create-role.bash admin {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
-          /bin/bash ./utils/create-application.bash user-panel {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
-          /bin/bash ./utils/assign-role.bash "$USERNAME" admin {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
-          /bin/bash ./utils/grant-access.bash "$USERNAME" user-panel {{ include "single-sign-on.fullname" . }}-userbackend 80
+        - /bin/bash ./utils/create-user.bash "$USERNAME" "$PASSWORD" "$EMAIL" http://{{ include "single-sign-on.fullname" . }}-userbackend:80 &&
+          {{- range .Values.userbackend.applications }}
+          /bin/bash ./utils/create-application.bash {{ .name }} '{{ .description | default " " }}' http://{{ include "single-sign-on.fullname" $ }}-userbackend:80 &&
+          /bin/bash ./utils/grant-access.bash "$USERNAME" {{ .name }} http://{{ include "single-sign-on.fullname" $ }}-userbackend:80 &&
+          {{- end }}
+          /bin/bash ./utils/create-role.bash admin http://{{ include "single-sign-on.fullname" . }}-userbackend:80 &&
+          /bin/bash ./utils/assign-role.bash "$USERNAME" admin http://{{ include "single-sign-on.fullname" . }}-userbackend:80
--- a/helmchart/single-sign-on/templates/job-create-oauth2-client-userpanel.yaml
+++ b/helmchart/single-sign-on/templates/job-create-oauth2-client-userpanel.yaml
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: {{ include "single-sign-on.fullname" . }}-create-oauth2-client
+  name: {{ include "single-sign-on.fullname" . }}-create-oauth2-clients
  labels:
 {{ include "single-sign-on.labels" . | indent 4 }}
  annontations:
-    "helm.sh/hook": post-install
+    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "-4"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
@@ -18,40 +18,41 @@ spec:
    spec:
      restartPolicy: Never
      containers:
-      - name: user-panel
-        image: {{ .Values.userbackend.image.repository }}:{{ .Values.userbackend.image.tag }}
-        imagePullPolicy: {{ .Values.userbackend.image.pullPolicy }}
+      {{- range .Values.oAuthClients }}
+      - name: {{ .clientName | quote }}
+        image: {{ $.Values.userbackend.image.repository }}:{{ $.Values.userbackend.image.tag }}
+        imagePullPolicy: {{ $.Values.userbackend.image.pullPolicy }}
        env:
        - name: CLIENT_ID
          valueFrom:
            secretKeyRef:
-              name: userpanel-oauth2-client
-              key: client_id
+              name: oauth2-clients
+              key: {{ .clientName }}_client_id
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
-              name: userpanel-oauth2-client
-              key: client_secret
+              name: oauth2-clients
+              key: {{ .clientName }}_client_secret
        - name: CLIENT_NAME
-          value: user-panel
+          value: {{ .clientName | quote }}
        - name: REDIRECT_URI
-          value: "https://{{ .Values.userpanel.ingress.host }}/callback"
+          value: {{ .redirectUri | quote }}
        - name: SCOPES
-          value: "openid profile email openappstack_roles"
+          value: {{ .scopes | quote }}
        - name: CLIENT_URI
-          value: "https://{{ .Values.userpanel.ingress.host }}"
+          value: {{ .clientUri | quote }}
        - name: CLIENT_LOGO_URI
-          value: "https://{{ .Values.userpanel.ingress.host }}/favicon.ico"
+          value: {{ .clientLogoUri | quote }}
        - name: TOKEN_ENDPOINT_AUTH_METHOD
-          value: client_secret_basic
+          value: {{ .tokenEndpointAuthMethod | quote }}
        - name: RESPONSE_TYPES
-          value: token
+          value: "{{- range .responseTypes }}\"{{ . }}\",{{- end }}"
        - name: GRANT_TYPES
-          value: implicit
+          value: "{{- range .grantTypes }}\"{{ . }}\",{{- end }}"
        command: ["/bin/bash", "-c"]
        args:
        - >
-          curl http://{{ .Release.Name }}-hydra-admin:4445/clients &&
+          curl http://{{ $.Release.Name }}-hydra-admin:4445/clients &&
          curl --header "Content-Type: application/json" \
               --request POST \
               --data "{\"client_id\": \"$CLIENT_ID\",
@@ -61,7 +62,8 @@ spec:
                        \"logo_uri\": \"$CLIENT_LOGO_URI\",
                        \"redirect_uris\": [\"$REDIRECT_URI\"],
                        \"scope\": \"$SCOPES\",
-                        \"grant_types\": [\"$GRANT_TYPES\"],
-                        \"response_types\": [\"$RESPONSE_TYPES\"],
+                        \"grant_types\": [$GRANT_TYPES\"\"],
+                        \"response_types\": [$RESPONSE_TYPES\"\"],
                        \"token_endpoint_auth_method\": \"client_secret_post\"}" \
-               http://{{ .Release.Name }}-hydra-admin:4445/clients
+               http://{{ $.Release.Name }}-hydra-admin:4445/clients
+      {{- end }}
--- a/helmchart/single-sign-on/templates/secret-oauth2-client-userpanel.yaml
+++ b/helmchart/single-sign-on/templates/secret-oauth2-client-userpanel.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-    name: userpanel-oauth2-client
-type: Opaque
-data:
-  client_id: {{ "user-panel" | b64enc }}
-  client_secret: {{ .Values.userpanel.oAuthClientSecret |  b64enc }}
--- a/helmchart/single-sign-on/templates/secret-oauth2-clients.yaml
+++ b/helmchart/single-sign-on/templates/secret-oauth2-clients.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+    name: oauth2-clients
+type: Opaque
+data:
+  {{- range .Values.oAuthClients }}
+  {{ .clientName }}_client_id: {{ .clientName | b64enc }}
+  {{ .clientName }}_client_secret: {{ .clientSecret |  b64enc }}
+  {{- end }}
--- a/helmchart/single-sign-on/values.yaml
+++ b/helmchart/single-sign-on/values.yaml
 replicaCount: 1

-
 consentProviderImage:
    # consentProviderImage.tag and consentProviderImage.pullPolicy should be the same as
    # loginProviderImage.tag and loginProviderImage.pullPolicy as the images are released
@@ -17,6 +16,10 @@ loginProviderImage:
 singleSignOnHost: &SSO_HOST sso.oas.example.net

 userpanel:
+  # userpanel.applicationName is the name of the application. This is a duplicate of
+  # userbackend.applications[0].name but helm < 3.0 doesn't supprt direct references to
+  # list items in template files so we need to keep it for now
+  applicationName: &USER_PANEL user-panel
  image:
    # userpanel.image.tag and userpanel.image.pullPolicy should be the same as
    # userbackend.image.tag and userpanel.image.pullPolicy as the images are released
@@ -26,9 +29,6 @@ userpanel:
  ingress:
    # userpanel.ingress.host is the FQDN of the userpanel application
    host: admin.oas.example.net
-  # userpanel.oauthClientSecret is the secret the userpanel application will use to make
-  # oauth requests to the hydra service.
-  oAuthClientSecret: "YouReallyNeedToChangeThis"

 userbackend:
  image:
@@ -37,6 +37,9 @@ userbackend:
  # userbackend.username is the username of the admin user that will be create
  # after the installation of the user backend.
  username: "admin"
+  applications:
+    - name: *USER_PANEL
+      description: Administration interface to manage user accounts
  # username.password is the password of the admin user
  password: "YouReallyNeedToChangeThis"
  # username.email is email address of the admin user
@@ -54,6 +57,10 @@ userbackend:
    annotations: {}

 hydra:
+  maester:
+    # hydra.maester.enabled instal hydra-maester which is enabled by default
+    # oauth client management is handled via jobs right now so there is no need to it
+    enabled: false
  hydra:
    # hydra.hydra.dangerousForceHttp allows access to the hydra admin API over http. The
    # hydra admin API is only accessible by services within the same namespace unless you
@@ -100,3 +107,36 @@ hydra:
    # hydra.ingress.public using a different FQDN
    admin:
      enabled: false
+
+# oAuthClients is a list of clients that are created during the installation process
+# for a detailed list of the options available here, refer to
+# https://www.ory.sh/docs/hydra/sdk/api#create-an-oauth-20-client
+oAuthClients:
+  # oauthClients[].clientName is the name of the oauth client that needs to be the same as
+  # the application name in userbackend.applications[].name
+- clientName: *USER_PANEL
+  # oauthClients[].clientSecret is the secret the client uses to authenticate
+  clientSecret: "YouReallyNeedToChangeThis"
+  # oAuthClients[].redirectUri is the url the user will be redirected to by hydra when the
+  # authentication process is completed
+  redirectUri: "https://admin.oas.example.net/callback"
+  # oAuthClients[].scopes is a list of scopes the client need access to
+  scopes: "openid profile email openappstack_roles"
+  # oAuthClients[].clientUri is a url that is displayed for the user to navigate to the
+  # application
+  clientUri: "https://admin.oas.example.net"
+  # oAuthClients[].clientLogoUri is a url that points to a logo that will be displayed
+  # whenever refering to the application
+  clientLogoUri: "https://admin.oas.example.net/favicon.ico"
+  # oAuthClients[].tokenEndpointAuthMethod sets the method that the oAUth client uses to
+  # authenticate agains the oAuth server i.e. to retrieve tokens or userinfo
+  tokenEndpointAuthMethod: "client_secret_basic"
+  # oAuthClients[].responseTypes specifies the type of ressource an oAuth client uses to perform
+  # authentication and userinfo requests
+  responseTypes:
+    - "token"
+  # oAuthClients[].grantTypes specifies the way in which the client retrieves an access token
+  # from the oAuth server
+  grantTypes:
+    - "implicit"
+