Commit 3d0e2e63 authored by Maarten de Waard's avatar Maarten de Waard :angel:

Merge branch '444-nextcloud-single-sign-on' into 'master'

444 nextcloud single sign on

See merge request openappstack/single-sign-on!9
parents 44d32b95 8c3c4f0a
dependencies:
- name: hydra
version: 0.0.47
version: 0.0.48
repository: "https://k8s.ory.sh/helm/charts"
tags:
- single-sign-on
......@@ -38,13 +38,13 @@ spec:
- name: OAUTH_CLIENT_ID
valueFrom:
secretKeyRef:
name: userpanel-oauth2-client
key: client_id
name: oauth2-clients
key: {{ .Values.userpanel.applicationName }}_client_id
- name: OAUTH_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: userpanel-oauth2-client
key: client_secret
name: oauth2-clients
key: {{ .Values.userpanel.applicationName }}_client_secret
ports:
- name: userpanel
containerPort: 3000
......
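Review bot: The new `key: {{ .Values.userpanel.applicationName }}_client_id` (and the `_client_secret` twin below it) must match a key that the `oauth2-clients` Secret template derives from `.Values.oAuthClients[].clientName`; nothing in this Deployment states that dependency. The values file ties the two together only through the `*USER_PANEL` anchor, and an override file or `--set` that changes `userpanel.applicationName` alone does not carry the anchor, so the pod would reference a key that is not in the Secret and fail to start. A comment above the env entries would make the coupling visible, e.g. `# must equal an oAuthClients[].clientName; the key is generated by the oauth2-clients Secret template`. The container spec continues outside the hunk.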
......@@ -5,7 +5,7 @@ metadata:
labels:
{{ include "single-sign-on.labels" . | indent 4 }}
annontations:
"helm.sh/hook": post-install
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
......@@ -30,8 +30,10 @@ spec:
value: {{ .Values.userbackend.email }}
command: ["/bin/bash", "-c"]
args:
- /bin/bash ./utils/create-user.bash "$USERNAME" "$PASSWORD" "$EMAIL" {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
/bin/bash ./utils/create-role.bash admin {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
/bin/bash ./utils/create-application.bash user-panel {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
/bin/bash ./utils/assign-role.bash "$USERNAME" admin {{ include "single-sign-on.fullname" . }}-userbackend 80 &&
/bin/bash ./utils/grant-access.bash "$USERNAME" user-panel {{ include "single-sign-on.fullname" . }}-userbackend 80
- /bin/bash ./utils/create-user.bash "$USERNAME" "$PASSWORD" "$EMAIL" http://{{ include "single-sign-on.fullname" . }}-userbackend:80 &&
{{- range .Values.userbackend.applications }}
/bin/bash ./utils/create-application.bash {{ .name }} '{{ .description | default " " }}' http://{{ include "single-sign-on.fullname" $ }}-userbackend:80 &&
/bin/bash ./utils/grant-access.bash "$USERNAME" {{ .name }} http://{{ include "single-sign-on.fullname" $ }}-userbackend:80 &&
{{- end }}
/bin/bash ./utils/create-role.bash admin http://{{ include "single-sign-on.fullname" . }}-userbackend:80 &&
/bin/bash ./utils/assign-role.bash "$USERNAME" admin http://{{ include "single-sign-on.fullname" . }}-userbackend:80
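Review bot: The changed line `"helm.sh/hook": post-install,post-upgrade` sits under the context key `annontations:`, so unless the surrounding file spells it differently Helm never sees a `helm.sh/hook*` annotation on this Job: it is installed as an ordinary resource, the hook weight and delete policy on the neighbouring lines are equally inert, and the API server drops or warns on the unknown field. The one-word fix is `annotations:`; the create-oauth2-clients Job hunk further down has the same misspelling above its hook line. In the args hunk, `'{{ .description | default " " }}'` is interpolated into a single-quoted shell word, so a description containing an apostrophe breaks the command line at render time; passing the description through an env var instead of the argument string avoids that. The Job spec continues outside both hunks.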
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "single-sign-on.fullname" . }}-create-oauth2-client
name: {{ include "single-sign-on.fullname" . }}-create-oauth2-clients
labels:
{{ include "single-sign-on.labels" . | indent 4 }}
annontations:
"helm.sh/hook": post-install
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-weight": "-4"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
......@@ -18,40 +18,41 @@ spec:
spec:
restartPolicy: Never
containers:
- name: user-panel
image: {{ .Values.userbackend.image.repository }}:{{ .Values.userbackend.image.tag }}
imagePullPolicy: {{ .Values.userbackend.image.pullPolicy }}
{{- range .Values.oAuthClients }}
- name: {{ .clientName | quote }}
image: {{ $.Values.userbackend.image.repository }}:{{ $.Values.userbackend.image.tag }}
imagePullPolicy: {{ $.Values.userbackend.image.pullPolicy }}
env:
- name: CLIENT_ID
valueFrom:
secretKeyRef:
name: userpanel-oauth2-client
key: client_id
name: oauth2-clients
key: {{ .clientName }}_client_id
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: userpanel-oauth2-client
key: client_secret
name: oauth2-clients
key: {{ .clientName }}_client_secret
- name: CLIENT_NAME
value: user-panel
value: {{ .clientName | quote }}
- name: REDIRECT_URI
value: "https://{{ .Values.userpanel.ingress.host }}/callback"
value: {{ .redirectUri | quote }}
- name: SCOPES
value: "openid profile email openappstack_roles"
value: {{ .scopes | quote }}
- name: CLIENT_URI
value: "https://{{ .Values.userpanel.ingress.host }}"
value: {{ .clientUri | quote }}
- name: CLIENT_LOGO_URI
value: "https://{{ .Values.userpanel.ingress.host }}/favicon.ico"
value: {{ .clientLogoUri | quote }}
- name: TOKEN_ENDPOINT_AUTH_METHOD
value: client_secret_basic
value: {{ .tokenEndpointAuthMethod | quote }}
- name: RESPONSE_TYPES
value: token
value: "{{- range .responseTypes }}\"{{ . }}\",{{- end }}"
- name: GRANT_TYPES
value: implicit
value: "{{- range .grantTypes }}\"{{ . }}\",{{- end }}"
command: ["/bin/bash", "-c"]
args:
- >
curl http://{{ .Release.Name }}-hydra-admin:4445/clients &&
curl http://{{ $.Release.Name }}-hydra-admin:4445/clients &&
curl --header "Content-Type: application/json" \
--request POST \
--data "{\"client_id\": \"$CLIENT_ID\",
......@@ -61,7 +62,8 @@ spec:
\"logo_uri\": \"$CLIENT_LOGO_URI\",
\"redirect_uris\": [\"$REDIRECT_URI\"],
\"scope\": \"$SCOPES\",
\"grant_types\": [\"$GRANT_TYPES\"],
\"response_types\": [\"$RESPONSE_TYPES\"],
\"grant_types\": [$GRANT_TYPES\"\"],
\"response_types\": [$RESPONSE_TYPES\"\"],
\"token_endpoint_auth_method\": \"client_secret_post\"}" \
http://{{ .Release.Name }}-hydra-admin:4445/clients
http://{{ $.Release.Name }}-hydra-admin:4445/clients
{{- end }}
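Review bot: `value: "{{- range .grantTypes }}\"{{ . }}\",{{- end }}"` renders GRANT_TYPES with a trailing comma (`"implicit",`), and the curl body in the next hunk pads it as `[$GRANT_TYPES\"\"]`, so Hydra is sent `"grant_types": ["implicit",""]` (RESPONSE_TYPES likewise); whether Hydra rejects the empty entry or stores it, that is not the client the values file describes, and building the arrays with `toJson` removes the padding. Separately, the new TOKEN_ENDPOINT_AUTH_METHOD env var is never consumed: the body still hardcodes `\"token_endpoint_auth_method\": \"client_secret_post\"` while the shipped default is `client_secret_basic`, so the registered client silently disagrees with the configured one. The `{{- range .Values.oAuthClients }}` opened at the top of the spec hunk is closed by the `{{- end }}` after the curl body.
```yaml
            - name: RESPONSE_TYPES
              value: {{ .responseTypes | toJson | quote }}
            - name: GRANT_TYPES
              value: {{ .grantTypes | toJson | quote }}
            # … unchanged: command, args, first curl, start of the --data body …
                \"grant_types\": $GRANT_TYPES,
                \"response_types\": $RESPONSE_TYPES,
                \"token_endpoint_auth_method\": \"$TOKEN_ENDPOINT_AUTH_METHOD\"}" \
```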
apiVersion: v1
kind: Secret
metadata:
name: userpanel-oauth2-client
type: Opaque
data:
client_id: {{ "user-panel" | b64enc }}
client_secret: {{ .Values.userpanel.oAuthClientSecret | b64enc }}
apiVersion: v1
kind: Secret
metadata:
name: oauth2-clients
type: Opaque
data:
{{- range .Values.oAuthClients }}
{{ .clientName }}_client_id: {{ .clientName | b64enc }}
{{ .clientName }}_client_secret: {{ .clientSecret | b64enc }}
{{- end }}
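Review bot: `{{ .clientName }}_client_secret: {{ .clientSecret | b64enc }}` accepts a missing or empty `clientSecret` without complaint (the base64 of an empty string is empty), so a client entry that forgets the field registers a Hydra client with an empty secret; wrapping it as `{{ required "oAuthClients[].clientSecret must be set" .clientSecret | b64enc }}` fails the render instead. Consolidating every client's secret into the single `oauth2-clients` Secret also widens the blast radius: any RBAC grant, backup or debug dump that reads this object exposes all client credentials at once, whereas one Secret per client keeps each workload limited to its own. The data keys are built from unquoted template output, so `clientName` has to stay within the character set Kubernetes accepts for Secret keys; a comment on the range line stating that constraint would help.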
replicaCount: 1
consentProviderImage:
# consentProviderImage.tag and consentProviderImage.pullPolicy should be the same as
# loginProviderImage.tag and loginProviderImage.pullPolicy as the images are released
......@@ -17,6 +16,10 @@ loginProviderImage:
singleSignOnHost: &SSO_HOST sso.oas.example.net
userpanel:
# userpanel.applicationName is the name of the application. This is a duplicate of
# userbackend.applications[0].name but helm < 3.0 doesn't supprt direct references to
# list items in template files so we need to keep it for now
applicationName: &USER_PANEL user-panel
image:
# userpanel.image.tag and userpanel.image.pullPolicy should be the same as
# userbackend.image.tag and userpanel.image.pullPolicy as the images are released
......@@ -26,9 +29,6 @@ userpanel:
ingress:
# userpanel.ingress.host is the FQDN of the userpanel application
host: admin.oas.example.net
# userpanel.oauthClientSecret is the secret the userpanel application will use to make
# oauth requests to the hydra service.
oAuthClientSecret: "YouReallyNeedToChangeThis"
userbackend:
image:
......@@ -37,6 +37,9 @@ userbackend:
# userbackend.username is the username of the admin user that will be create
# after the installation of the user backend.
username: "admin"
applications:
- name: *USER_PANEL
description: Administration interface to manage user accounts
# username.password is the password of the admin user
password: "YouReallyNeedToChangeThis"
# username.email is email address of the admin user
......@@ -54,6 +57,10 @@ userbackend:
annotations: {}
hydra:
maester:
# hydra.maester.enabled instal hydra-maester which is enabled by default
# oauth client management is handled via jobs right now so there is no need to it
enabled: false
hydra:
# hydra.hydra.dangerousForceHttp allows access to the hydra admin API over http. The
# hydra admin API is only accessible by services within the same namespace unless you
......@@ -100,3 +107,36 @@ hydra:
# hydra.ingress.public using a different FQDN
admin:
enabled: false
# oAuthClients is a list of clients that are created during the installation process
# for a detailed list of the options available here, refer to
# https://www.ory.sh/docs/hydra/sdk/api#create-an-oauth-20-client
oAuthClients:
# oauthClients[].clientName is the name of the oauth client that needs to be the same as
# the application name in userbackend.applications[].name
- clientName: *USER_PANEL
# oauthClients[].clientSecret is the secret the client uses to authenticate
clientSecret: "YouReallyNeedToChangeThis"
# oAuthClients[].redirectUri is the url the user will be redirected to by hydra when the
# authentication process is completed
redirectUri: "https://admin.oas.example.net/callback"
# oAuthClients[].scopes is a list of scopes the client need access to
scopes: "openid profile email openappstack_roles"
# oAuthClients[].clientUri is a url that is displayed for the user to navigate to the
# application
clientUri: "https://admin.oas.example.net"
# oAuthClients[].clientLogoUri is a url that points to a logo that will be displayed
# whenever refering to the application
clientLogoUri: "https://admin.oas.example.net/favicon.ico"
# oAuthClients[].tokenEndpointAuthMethod sets the method that the oAUth client uses to
# authenticate agains the oAuth server i.e. to retrieve tokens or userinfo
tokenEndpointAuthMethod: "client_secret_basic"
# oAuthClients[].responseTypes specifies the type of ressource an oAuth client uses to perform
# authentication and userinfo requests
responseTypes:
- "token"
# oAuthClients[].grantTypes specifies the way in which the client retrieves an access token
# from the oAuth server
grantTypes:
- "implicit"