diff --git a/docs/helmchart.md b/docs/helmchart.md index 4fee529adb10d0d4f46edde25b4859c38bad4521..7bca15d926ce8d86ebc5ad2336842554ecd24eaa 100644 --- a/docs/helmchart.md +++ b/docs/helmchart.md 
@@ -28,22 +28,78 @@ This table lists the variables you are most likely to change. Take a look at the | Parameter | Description | Default | | ------------------------------------ | ------------------------------------------------------- | ------------------------- | -| `consentProvider.image.repository` | Name of image repository to be used for consent provider| open.greenhost.net:4567/stackspin/single-sign-on/consent_provider | -| `consentProvider.image.tag` | Release version of consent provider image | main | -| `loginProvider.image.repository` | Name of image repository to be used for login provider | open.greenhost.net:4567/stackspin/single-sign-on/login_provider | -| `loginProvider.image.tag` | Release version of login provider image | main | -| `singleSignOnHost` | **FQDN of the openID Connect / oAuth2 server** | **sso.stackspin.example.net** | -| `userpanel.ingress.host` | **FQDN of the userpanel** | **admin.stackspin.example.net** | -| `userbackend.username` | Username of the admin user | admin | -| `userbackend.password` | Password of the admin user | YouReallyNeedToChangeThis | -| `userbackend.email` | Email address of the admin user | admin@example.net | -| `userbackend.postgres.password` | Root pw of the psql DB | postgres | -| `hydra.hydra.config.urls.self.issuer`| **Base URI of the oAuth server** | **https://sso.stackspin.example.net** | -| `hydra.hydra.config.urls.login` | **URI that will be used for the login page** | **https://sso.stackspin.example.net/login** | -| `hydra.hydra.config.urls.consent` | **URI that will be used for permission checks** | **https://sso.stackspin.example.net/consent** | -| `hydra.hydra.config.secrets.system` | Secret that is used to generate secure tokens | YouReallyNeedToChangeThis | +| `singleSignOnHost` | **FQDN of the openID Connect / oAuth2 server** | **sso.stackspin.example.net** | +| `login.image.repository` | Name of image repository to be used for login provider | 
open.greenhost.net:4567/stackspin/single-sign-on/login | +| `login.image.tag` | Release version of login provider image | main | +| `login.user` | Username of user to create during installation | admin@example.com | +| `login.password` | Password of user to create during installation | ThisIsNotASecurePassword | +| `login.db.user` | Database user for backend | stackspin | +| `login.db.password` | Database password for backend | stackspin | +| `login.db.database` | Database name for backend | stackspin | +| `login.db.user` | Database user for backend | stackspin | +| `kratos.kratos.identitySchemas` | Tuple of filenames and JSON data to install as available schema file | See values.yaml | +| `kratos.kratos.config.identity.default_schema_url` | Location of default schema file | file:///etc/config/identity.default.schema.json | +| `kratos.kratos.config.dsn` | Database endpoint | postgres://kratos:kratos@single-sign-on-postgresql:5432/kratos | +| `kratos.kratos.serve.public.base_url` | URL where to find kratos public API | **https://sso.stackspin.example.net/api/** | +| `kratos.kratos.selfservice.default_browser_return_url` | Default URL to return to with unknown request | **https://sso.stackspin.example.net/login/login** | +| `kratos.kratos.selfservice.flows.recovery.lifespan` | Time recovery link is valid for password reset | 15m | +| `kratos.kratos.selfservice.flows.recovery.ui_url` | **Where to link to for recovery** | **https://sso.stackspin.example.net/login/recovery** | +| `kratos.kratos.selfservice.flows.login.ui_url` | **Where to link to for login** | **https://sso.stackspin.example.net/login/login** | +| `kratos.kratos.selfservice.flows.settings.ui_url` | **Where to link to for setting/profile update** | **https://sso.stackspin.example.net/login/settings** | +| `kratos.kratos.selfservice.flows.registration.ui_url` | **Where to link to for account registration** | **https://sso.stackspin.example.net/login/registration** | +| `kratos.kratos.secrets.session` | 
Array of strings for session secrets | See values.yaml | +| `kratos.kratos.courier.smtp.connection_uri` | Config of SMTP server | smtps://username:password@smtp.example.net:456/ | +| `kratos.kratos.courier.smtp.from_address` | From email address | no-reply@example.net | +| `hydra.hydra.config.urls.self.issuer`| **Base URI of the oAuth server** | **https://sso.stackspin.example.net** | +| `hydra.hydra.config.urls.login` | **URI that will be used for the login page** | **https://sso.stackspin.example.net/login** | +| `hydra.hydra.config.urls.consent` | **URI that will be used for permission checks** | **https://sso.stackspin.example.net/consent** | +| `hydra.hydra.config.dsn` | Database endpoint for Hydra | postgres://hydra:hydra@single-sign-on-postgresql:5432/hydra | +| `hydra.hydra.config.secrets.system` | Secret that is used to generate secure tokens str[] | ["YouReallyNeedToChangeThis"] | | `oAuthClients` | A list of clients that need to be registered after installation. See [Registering clients](#registering-clients) for more info | user-panel configuration (**Change the `clientSecret`**!) | + +### Manipulating user database + +Normally one would use the [Stackspin Dashboard](https://open.greenhost.net/stackspin/dashboard) to manage users. However, it is also possible to +use the command line with `kubectl` + +``` +kubectl get pod -n stackspin -l 'app.kubernetes.io/name=single-sign-on-login' +``` + +This will get the pod which provides the login panel. The pod name looks like +`single-sign-on-login-xxxx`, once you found the name you can interact with +the flask app: + +List users: + +``` +# kubectl exec single-sign-on-login-xxxx -- flask user list +[2021-12-07 12:18:37,065] INFO in app: Listing users +"Stackspin Admin" <admin@stackspin.net> +"Joe" <joe@stackspin.net> +"Liao" <liao@stackspin.net> +``` + +For all commands, please type: +``` +# kubectl exec single-sign-on-login-xxxx -- flask user --help +Usage: flask user [OPTIONS] COMMAND [ARGS]... 
+ +Options: + --help Show this message and exit. + +Commands: + create Create a user in the kratos database. + delete Delete an user from the database :param email: Email... + list Show a list of users in the database + recover Get recovery link for a user, to manual update the... + setpassword Set a password for an account :param email: email address... + show Show user details. + update Update an user object. +``` + + ### Registering clients To use OpenID Connect or oAuth you need to set up an oAuth Client for every diff --git a/helmchart/single-sign-on/templates/_helpers.tpl b/helmchart/single-sign-on/templates/_helpers.tpl index 1f320591a4e728472b2a8caf49e0793367e356bc..684bb6efe5989487ab759093c7ce4838ea3f888b 100644 --- a/helmchart/single-sign-on/templates/_helpers.tpl +++ b/helmchart/single-sign-on/templates/_helpers.tpl @@ -76,4 +76,19 @@ Create a secret name which can be overridden. {{ include "single-sign-on.fullname" . }} {{- end -}} {{- end -}} - +{{- define "flask.env" -}} +- name: FLASK_RUN_HOST + value: 0.0.0.0 +- name: HYDRA_ADMIN_URL + value: http://{{ .Release.Name }}-hydra-admin:4445 +- name: KRATOS_ADMIN_URL + value: http://{{ .Release.Name }}-kratos-admin:80 +- name: KRATOS_PUBLIC_URL + value: https://{{ .Values.singleSignOnHost }}/api +- name: PUBLIC_URL + value: https://{{ .Values.singleSignOnHost }}/login +- name: DATABASE_URL + value: postgresql://{{ .Values.login.db.user }}:{{ .Values.login.db.password }}@{{ .Release.Name }}-postgresql/{{ .Values.login.db.database }} +- name: APP_SETTINGS + value: config.DevelopmentConfig +{{- end }} diff --git a/helmchart/single-sign-on/templates/cronjob-recreate-oauth-clients.yaml b/helmchart/single-sign-on/templates/cronjob-recreate-oauth-clients.yaml deleted file mode 100644 index 286651b8098b551274f13526c3d31329b049183e..0000000000000000000000000000000000000000 --- a/helmchart/single-sign-on/templates/cronjob-recreate-oauth-clients.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ include "single-sign-on.fullname" . }}-recreate-oauth2-clients - labels: -{{ include "single-sign-on.labels" . | indent 4 }} -spec: - schedule: "*/5 * * * *" - jobTemplate: - metadata: - labels: - app.kubernetes.io/managed-by: {{.Release.Service | quote }} - app.kubernetes.io/instance: {{.Release.Name | quote }} - helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" - spec: - template: - spec: - restartPolicy: Never - containers: - {{- range .Values.oAuthClients }} - - name: {{ .clientName | quote }} - image: {{ $.Values.userbackend.image.repository }}:{{ $.Values.userbackend.image.tag }} - imagePullPolicy: {{ $.Values.userbackend.image.pullPolicy }} - env: - - name: CLIENT_ID - valueFrom: - secretKeyRef: - name: oauth2-clients - key: {{ .clientName }}_client_id - - name: CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oauth2-clients - key: {{ .clientName }}_client_secret - - name: CLIENT_NAME - value: {{ .clientName | quote }} - - name: REDIRECT_URI - value: {{ .redirectUri | quote }} - - name: SCOPES - value: {{ .scopes | quote }} - - name: CLIENT_URI - value: {{ .clientUri | quote }} - - name: CLIENT_LOGO_URI - value: {{ .clientLogoUri | quote }} - - name: TOKEN_ENDPOINT_AUTH_METHOD - value: {{ .tokenEndpointAuthMethod | quote }} - - name: RESPONSE_TYPES - value: "{{- range .responseTypes }}\"{{ . }}\",{{- end }}" - - name: GRANT_TYPES - value: "{{- range .grantTypes }}\"{{ . }}\",{{- end }}" - command: ["/bin/bash", "-c"] - args: - - | - curl http://{{ $.Release.Name }}-hydra-admin:4445/health/ready \ - --silent \ - --write-out "\nCheck Hydra health: HTTP %{http_code}" \ - | tail -1 | grep 200; \ - if [ $? -eq 0 ]; then \ - echo "Hydra is ready to accept requests."; \ - curl http://{{ $.Release.Name }}-hydra-admin:4445/clients/$CLIENT_NAME \ - --silent \ - --write-out "\nRequesting oauth client $CLIENT_NAME: HTTP %{http_code}\n" \ - | tail -1 \ - | grep 401; \ - if [ $? 
-eq 0 ]; then \ - echo "Client doesn't exist. (Re)creating client..."; \ - curl --header "Content-Type: application/json" \ - --request POST \ - --data "{\"client_id\": \"$CLIENT_ID\", - \"client_name\": \"$CLIENT_NAME\", - \"client_secret\": \"$CLIENT_SECRET\", - \"client_uri\": \"$CLIENT_URI\", - \"logo_uri\": \"$CLIENT_LOGO_URI\", - \"redirect_uris\": [\"$REDIRECT_URI\"], - \"scope\": \"$SCOPES\", - \"grant_types\": [$GRANT_TYPES\"\"], - \"response_types\": [$RESPONSE_TYPES\"\"], - \"token_endpoint_auth_method\": \"client_secret_post\"}" \ - http://{{ $.Release.Name }}-hydra-admin:4445/clients \ - --silent \ - --write-out "\nCreating oauth client $CLIENT_ID: HTTP(%{http_code})\n" \ - | tail -1 \ - | grep 201; \ - if [ $? -eq 0 ]; then echo "Successfully created $CLIENT_ID"; exit 0; \ - else echo "Client creation failed"; exit 1; \ - fi; \ - else echo "Client already exists"; exit 0; \ - fi; \ - else echo "Hydra API not available"; exit 1; \ - fi; - {{- end }} diff --git a/helmchart/single-sign-on/templates/deployment-consent.yaml b/helmchart/single-sign-on/templates/deployment-consent.yaml deleted file mode 100644 index 51bd29d4a8b00334a54458cf8db387700bea21e7..0000000000000000000000000000000000000000 --- a/helmchart/single-sign-on/templates/deployment-consent.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "single-sign-on.fullname" . }}-consent - labels: - {{- include "single-sign-on.labels" . | nindent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-consent - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-consent - annotations: - {{- toYaml .Values.consentProvider.podAnnotations | nindent 8 }} - spec: - containers: - - name: {{ .Chart.Name }}-consent - image: {{ .Values.consentProvider.image.repository }}:{{ .Values.consentProvider.image.tag }} - imagePullPolicy: {{ .Values.consentProvider.image.pullPolicy }} - env: - - name: HYDRA_ADMIN_URL - value: http://{{ .Release.Name }}-hydra-admin:4445 - - name: GRAPHQL_URL - value: http://{{ include "single-sign-on.fullname" . }}-userbackend/graphql - ports: - - name: consent-http - containerPort: 5001 - protocol: TCP diff --git a/helmchart/single-sign-on/templates/deployment-login.yaml b/helmchart/single-sign-on/templates/deployment-login.yaml index 4776bf36f53023eaf374884f66699cb5cffccc55..6926e96c03a6077457debb191f0422620f67cee4 100644 --- a/helmchart/single-sign-on/templates/deployment-login.yaml +++ b/helmchart/single-sign-on/templates/deployment-login.yaml 
@@ -14,17 +14,14 @@ spec: labels: app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-login annotations: - {{- toYaml .Values.loginProvider.podAnnotations | nindent 8 }} + {{- toYaml .Values.login.podAnnotations | nindent 8 }} spec: containers: - name: {{ .Chart.Name }}-login - image: {{ .Values.loginProvider.image.repository }}:{{ .Values.loginProvider.image.tag }} - imagePullPolicy: {{ .Values.loginProvider.image.pullPolicy }} + image: {{ .Values.login.image.repository }}:{{ .Values.login.image.tag }} + imagePullPolicy: {{ .Values.login.image.pullPolicy }} env: - - name: HYDRA_ADMIN_URL - value: http://{{ .Release.Name }}-hydra-admin:4445 - - name: GRAPHQL_URL - value: http://{{ include "single-sign-on.fullname" . }}-userbackend/graphql + {{ include "flask.env" . | nindent 12 }} ports: - name: login-http containerPort: 5000 diff --git a/helmchart/single-sign-on/templates/deployment-userbackend.yaml b/helmchart/single-sign-on/templates/deployment-userbackend.yaml deleted file mode 100644 index 46a555eadc58d09060a16197b14626a2bb6fb062..0000000000000000000000000000000000000000 --- a/helmchart/single-sign-on/templates/deployment-userbackend.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "single-sign-on.fullname" . }}-userbackend - labels: - {{- include "single-sign-on.labels" . | nindent 4 }} - {{- if .Values.userbackend.deploymentLabels }} - {{- toYaml .Values.userbackend.deploymentLabels | nindent 4 }} - {{- end }} -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-userbackend - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-userbackend - {{- if .Values.userbackend.podLabels }} - {{- toYaml .Values.userbackend.podLabels | nindent 8 }} - {{- end }} - annotations: - {{- toYaml .Values.userbackend.podAnnotations | nindent 8 }} - spec: - containers: - - name: {{ .Chart.Name }}-userbackend-db - image: {{ .Values.userbackend.postgres.image.repository }}:{{ .Values.userbackend.postgres.image.tag }} - imagePullPolicy: {{ .Values.userbackend.postgres.image.pullPolicy }} - env: - - name: POSTGRES_PASSWORD - value: {{ .Values.userbackend.postgres.password }} - volumeMounts: - - name: database - mountPath: /var/lib/postgresql/data - - name: {{ .Chart.Name }}-userbackend-api - image: {{ .Values.userbackend.image.repository }}:{{ .Values.userbackend.image.tag }} - imagePullPolicy: {{ .Values.userbackend.image.pullPolicy }} - env: - - name: HYDRA_ADMIN_URL - value: http://{{ include "single-sign-on.name" . 
}}-hydra-admin:4445 - - name: DATABASE_USER - value: "postgres" - - name: DATABASE_PASSWORD - value: {{ default .Values.userbackend.postgres.password }} - - name: DATABASE_NAME - value: "postgres" - - name: DATABASE_HOST - value: "localhost" - ports: - - name: userbackend - containerPort: 5000 - protocol: TCP - volumes: - - name: database - {{- if .Values.userbackend.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ if .Values.userbackend.persistence.existingClaim }}{{ .Values.userbackend.persistence.existingClaim }}{{- else }}{{ include "single-sign-on.fullname" . }}-userbackend{{- end }} - {{- else }} - emptyDir: {} - {{- end }} diff --git a/helmchart/single-sign-on/templates/deployment-userfrontend.yaml b/helmchart/single-sign-on/templates/deployment-userfrontend.yaml deleted file mode 100644 index 1bb6a9c6d241706db6f68495dedaaec961466c2a..0000000000000000000000000000000000000000 --- a/helmchart/single-sign-on/templates/deployment-userfrontend.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "single-sign-on.fullname" . }}-userpanel - labels: -{{ include "single-sign-on.labels" . | indent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-userpanel - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-userpanel - annotations: - {{- toYaml .Values.userpanel.podAnnotations | nindent 8 }} - spec: - containers: - - name: {{ .Chart.Name }}-userpanel - image: {{ .Values.userpanel.image.repository }}:{{ .Values.userpanel.image.tag }} - imagePullPolicy: {{ .Values.userpanel.image.pullPolicy }} - env: - - name: HOST - value: 0.0.0.0 - - name: BASE_URL - value: https://{{ .Values.userpanel.ingress.host }} - - name: REDIRECT_URL - value: https://{{ .Values.userpanel.ingress.host }}/callback - - name: HYDRA_BASE_URL - value: {{ .Values.hydra.hydra.config.urls.self.issuer }} - - name: AUTHORIZE_URL - value: {{ .Values.hydra.hydra.config.urls.self.issuer }}/oauth2/auth - - name: USERINFO_URL - value: {{ .Values.hydra.hydra.config.urls.self.issuer }}/userinfo - - name: ACCESS_TOKEN - value: {{ .Values.hydra.hydra.config.urls.self.issuer }}/oauth2/token - - name: BACKEND_API_URL - value: http://{{ include "single-sign-on.fullname" . }}-userbackend/graphql - - name: OAUTH_CLIENT_ID - valueFrom: - secretKeyRef: - name: oauth2-clients - key: {{ .Values.userpanel.applicationName }}_client_id - - name: OAUTH_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oauth2-clients - key: {{ .Values.userpanel.applicationName }}_client_secret - ports: - - name: userpanel - containerPort: 3000 - protocol: TCP diff --git a/helmchart/single-sign-on/templates/ingress.yaml b/helmchart/single-sign-on/templates/ingress.yaml index 47d81b46639d060d4b965bf3bc3e5187e42fb62a..bd0c92b0a64acbb2db73db5fa5bc105bd85b8ab8 100644 --- a/helmchart/single-sign-on/templates/ingress.yaml 
+++ b/helmchart/single-sign-on/templates/ingress.yaml @@ -1,4 +1,4 @@ -apiVersion: extensions/v1beta1 +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ include "single-sign-on.fullname" . }} @@ -6,30 +6,30 @@ metadata: {{ include "single-sign-on.labels" . | indent 4 }} annotations: kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$1 spec: rules: - host: {{ .Values.singleSignOnHost }} http: paths: - - path: /consent + - path: /api/(.*) + pathType: Prefix + backend: + service: + name: {{ include "single-sign-on.fullname" . }}-kratos-public + port: + number: 80 + - path: /login/(.*) + pathType: Prefix backend: - serviceName: {{ include "single-sign-on.fullname" . }}-consent - servicePort: 5001 - - path: /login - backend: - serviceName: {{ include "single-sign-on.fullname" . }}-login - servicePort: 5000 - - host: {{ .Values.userpanel.ingress.host }} - http: - paths: - - path: / - backend: - serviceName: {{ include "single-sign-on.fullname" . }}-userpanel - servicePort: 3000 - tls: - - hosts: - - {{ .Values.userpanel.ingress.host }} - secretName: {{ include "single-sign-on.fullname" . }}-userpanel.tls + service: + name: {{ include "single-sign-on.fullname" . }}-login + port: + number: 5000 + tls: + - hosts: + - {{ .Values.singleSignOnHost }} + secretName: {{ include "single-sign-on.fullname" . }}-sso.tls status: loadBalancer: ingress: diff --git a/helmchart/single-sign-on/templates/job-create-admin-user.yaml b/helmchart/single-sign-on/templates/job-create-admin-user.yaml deleted file mode 100644 index ccaec5f91106300399f0d6c0f63d28ee3fe1632e..0000000000000000000000000000000000000000 --- a/helmchart/single-sign-on/templates/job-create-admin-user.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "single-sign-on.fullname" . }}-create-admin-user - labels: -{{ include "single-sign-on.labels" . | indent 4 }} - annotations: - "helm.sh/hook": post-install,post-upgrade - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded -spec: - template: - metadata: - labels: - app.kubernetes.io/managed-by: {{.Release.Service | quote }} - app.kubernetes.io/instance: {{.Release.Name | quote }} - helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" - spec: - restartPolicy: Never - containers: - - name: create-admin-user - image: {{ .Values.userbackend.image.repository }}:{{ .Values.userbackend.image.tag }} - imagePullPolicy: {{ .Values.userbackend.image.pullPolicy }} - env: - - name: USERNAME - value: {{ .Values.userbackend.username }} - - name: PASSWORD - value: {{ .Values.userbackend.password }} - - name: EMAIL - value: {{ .Values.userbackend.email }} - command: ["/bin/bash", "-c"] - args: - - /bin/bash ./utils/create-user.bash "$USERNAME" "$PASSWORD" "$EMAIL" http://{{ include "single-sign-on.fullname" . }}-userbackend:80 && - {{- range .Values.userbackend.applications }} - /bin/bash ./utils/create-application.bash {{ .name }} '{{ .description | default " " }}' http://{{ include "single-sign-on.fullname" $ }}-userbackend:80 && - /bin/bash ./utils/grant-access.bash "$USERNAME" {{ .name }} http://{{ include "single-sign-on.fullname" $ }}-userbackend:80 && - {{- end }} - /bin/bash ./utils/create-role.bash admin http://{{ include "single-sign-on.fullname" . }}-userbackend:80 && - /bin/bash ./utils/assign-role.bash "$USERNAME" admin http://{{ include "single-sign-on.fullname" . }}-userbackend:80 diff --git a/helmchart/single-sign-on/templates/job-create-admin.yaml b/helmchart/single-sign-on/templates/job-create-admin.yaml new file mode 100644 index 0000000000000000000000000000000000000000..d1bbf42b34d760929f0e93555a267e9ad21d1ba4 --- /dev/null 
+++ b/helmchart/single-sign-on/templates/job-create-admin.yaml @@ -0,0 +1,34 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "single-sign-on.fullname" . }}-create-admin + labels: +{{ include "single-sign-on.labels" . | indent 4 }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation +spec: + template: + metadata: + labels: + app.kubernetes.io/managed-by: {{.Release.Service | quote }} + app.kubernetes.io/instance: {{.Release.Name | quote }} + helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}" + spec: + restartPolicy: Never + containers: + - name: {{ .Chart.Name }}-login-create-admin + image: {{ .Values.login.image.repository }}:{{ .Values.login.image.tag }} + imagePullPolicy: {{ .Values.login.image.pullPolicy }} + env: + {{ include "flask.env" . | nindent 10 }} + - name: SETUP_USER + value: {{ .Values.login.user }} + - name: SETUP_PASSWORD + value: {{ .Values.login.password }} + command: ["/bin/bash", "-c"] + args: + - flask user create $SETUP_USER; + flask user setpassword $SETUP_USER $SETUP_PASSWORD ; + diff --git a/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml b/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml index b5dd17b77e4d8ae906c6d33e866f6592357e1c10..311bf55a9abf037928c62a8bd35c4f49cbadee20 100644 --- a/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml +++ b/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml @@ -7,7 +7,7 @@ metadata: annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-weight": "4" - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-delete-policy": before-hook-creation spec: template: metadata: 
@@ -20,8 +20,8 @@ spec: containers: {{- range .Values.oAuthClients }} - name: {{ .clientName | quote }} - image: {{ $.Values.userbackend.image.repository }}:{{ $.Values.userbackend.image.tag }} - imagePullPolicy: {{ $.Values.userbackend.image.pullPolicy }} + image: {{ $.Values.login.image.repository }}:{{ $.Values.login.image.tag }} + imagePullPolicy: {{ $.Values.login.image.pullPolicy }} env: - name: CLIENT_ID valueFrom: diff --git a/helmchart/single-sign-on/templates/service-consent.yaml b/helmchart/single-sign-on/templates/service-consent.yaml deleted file mode 100644 index 74bb0ca254a4d0f1fd02aa7f2216d7f0ffac3db6..0000000000000000000000000000000000000000 --- a/helmchart/single-sign-on/templates/service-consent.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "single-sign-on.fullname" . }}-consent - labels: -{{ include "single-sign-on.labels" . | indent 4 }} -spec: - ports: - - port: 5001 - targetPort: consent-http - protocol: TCP - name: consent-http - selector: - app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-consent diff --git a/helmchart/single-sign-on/templates/service-userbackend.yaml b/helmchart/single-sign-on/templates/service-userbackend.yaml deleted file mode 100644 index 1401afd9ef46b60b4c08e1b572f99cd314f65ca4..0000000000000000000000000000000000000000 --- a/helmchart/single-sign-on/templates/service-userbackend.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "single-sign-on.fullname" . }}-userbackend - labels: -{{ include "single-sign-on.labels" . | indent 4 }} -spec: - ports: - - port: 80 - targetPort: userbackend - protocol: TCP - name: userbackend - selector: - app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-userbackend 
diff --git a/helmchart/single-sign-on/templates/service-userfrontend.yaml b/helmchart/single-sign-on/templates/service-userfrontend.yaml deleted file mode 100644 index 0dc90890884bddf613807a0964e0c3eda21ee20d..0000000000000000000000000000000000000000 --- a/helmchart/single-sign-on/templates/service-userfrontend.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "single-sign-on.fullname" . }}-userpanel - labels: -{{ include "single-sign-on.labels" . | indent 4 }} -spec: - ports: - - port: 3000 - targetPort: userpanel - protocol: TCP - name: userpanel - selector: - app.kubernetes.io/name: {{ include "single-sign-on.name" . }}-userpanel diff --git a/helmchart/single-sign-on/values.yaml b/helmchart/single-sign-on/values.yaml index 38378ce7054572135be01cb529d77237262bf24d..33f9a5b50dd2eba547c23feb9e2b092a981bf3c5 100644 --- a/helmchart/single-sign-on/values.yaml +++ b/helmchart/single-sign-on/values.yaml @@ -99,11 +99,11 @@ kratos: public: # TODO: This is the development URL and needs to be replaced by # something sensable by Flux. - base_url: http://localhost/api/ + base_url: https://sso.stackspin.example.net/api/ selfservice: # Bu default got ot the loing page - default_browser_return_url: http://localhost/login/login + default_browser_return_url: https://sso.stackspin.example.net/login/login methods: link: @@ -116,16 +116,16 @@ kratos: # TODO: Those UI URLS need to be changed once the final location # is determined. Also they need to be configured by flux - ui_url: http://localhost/login/recovery + ui_url: https://sso.stackspin.example.net/login/recovery login: - ui_url: http://localhost/login/login + ui_url: https://sso.stackspin.example.net/login/login settings: - ui_url: http://localhost/login/settings + ui_url: https://sso.stackspin.example.net/login/settings registration: - ui_url: http://localhost/login/registration + ui_url: https://sso.stackspin.example.net/login/registration secrets: session: 
@@ -136,7 +136,8 @@ kratos: courier: smtp: - connection_uri: smtps://username:password@smtp.example.com:456/ + connection_uri: smtps://username:password@smtp.example.net:456/ + from_address: no-reply@example.net hydra: # Fix for this issue: https://github.com/ory/k8s/issues/367 @@ -201,6 +202,19 @@ hydra: admin: enabled: false +# Install login panel +login: + image: + << : &IMAGE_DEFAULTS_SSO { tag: "main", pullPolicy: "Always" } + repository: "open.greenhost.net:4567/stackspin/single-sign-on/login" + podAnnotations: {} + db: + user: stackspin + passowrd: stackspin + database: stackspin + user: admin@example.com + password: ThisIsNotASecurePassword + # oAuthClients is a list of clients that are created during the installation process # for a detailed list of the options available here, refer to # https://www.ory.sh/docs/hydra/sdk/api#create-an-oauth-20-client diff --git a/login/Dockerfile b/login/Dockerfile index 8733db43087b416b41fe6ef89479cdf96978d78a..f8b8e0b2acfc9c2de2c2294a0c09b213817dadf2 100644 --- a/login/Dockerfile +++ b/login/Dockerfile @@ -1,6 +1,6 @@ FROM python:3.9-alpine -RUN apk add gcc libc-dev libffi-dev g++ postgresql-dev +RUN apk add gcc libc-dev libffi-dev g++ postgresql-dev bash curl WORKDIR /usr/src/app diff --git a/login/app.py b/login/app.py index 74e8af4971d61dddb1d860d7a4942587ee54a42f..c07dadf8c8a10f6397c7b835d2dcd76defa8e40f 100644 --- a/login/app.py +++ b/login/app.py @@ -226,6 +226,11 @@ def create_user(email): app.logger.info(f"Creating user with email: ({email})") # Create a user + user = KratosUser.find_by_email(KRATOS_ADMIN, email) + if user: + app.logger.info("User already exists. Not recreating") + return + user = KratosUser(KRATOS_ADMIN) user.email = email user.save() 
@@ -242,7 +247,7 @@ def setpassword_user(email, password): :raise: exception if unexepted error happens """ - app.logger.info(f"Creating user with email: ({email})") + app.logger.info(f"Setting password for: ({email})") # Kratos does not provide an interface to set a password directly. However # we still want to be able to set a password. So we have to hack our way
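Review bot: the new parameter table in `docs/helmchart.md` (hunk `@@ -28,22 +28,78`) lists `login.db.user` twice (`| login.db.user | Database user for backend | stackspin |` appears both before and after the `login.db.password` and `login.db.database` rows); drop the second copy. The same table documents weak defaults without flagging them: `login.password` (`ThisIsNotASecurePassword`), `login.db.password` (`stackspin`), and the credentials embedded in `kratos.kratos.config.dsn` (`postgres://kratos:kratos@...`) and `hydra.hydra.config.dsn` (`postgres://hydra:hydra@...`). The previous table bolded values an operator must change and the `oAuthClients` row still says "Change the `clientSecret`!"; give these rows the same treatment, or state once above the table that every password and `secrets.*` default must be overridden. The Kratos key paths are also inconsistent: `kratos.kratos.config.identity.default_schema_url` and `kratos.kratos.config.dsn` include `config.`, while `kratos.kratos.serve.public.base_url`, `kratos.kratos.selfservice.*`, `kratos.kratos.secrets.session` and `kratos.kratos.courier.smtp.*` do not; check each against `values.yaml`, because a documented path that does not match the chart silently does nothing when passed with `--set`. Minor wording in the new "Manipulating user database" section: "once you found the name" should read "once you have found the name", and the sentence ending in "use the command line with `kubectl`" is missing its full stop.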
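Review bot: `flask.env` in `_helpers.tpl` (hunk `@@ -76,4 +76,19`) puts the database password straight into a plain environment value: `value: postgresql://{{ .Values.login.db.user }}:{{ .Values.login.db.password }}@{{ .Release.Name }}-postgresql/{{ .Values.login.db.database }}`. Because the helper is included in both `deployment-login.yaml` and `job-create-admin.yaml`, the credential ends up in the rendered Deployment and Job manifests, readable by anyone with `get` on those objects or their Pods and visible in `helm get manifest`. The chart already handles `CLIENT_ID`/`CLIENT_SECRET` correctly with `valueFrom.secretKeyRef` against the `oauth2-clients` Secret; do the same for `DATABASE_URL` (render a Secret from the values and reference it). Two smaller points in the same block: `APP_SETTINGS` is hard-coded to `config.DevelopmentConfig` in what is otherwise the production chart, so it should be a value with a production default, and the interpolated user and password are not escaped, so a password containing `@`, `/`, `:` or `#` breaks the URL and a leading special character can break the YAML; pipe them through `urlquery` and quote the whole value.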
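Review bot: in `ingress.yaml` (hunk `@@ -6,30 +6,30`) the new paths `/api/(.*)` and `/login/(.*)` are regular expressions, which is what `nginx.ingress.kubernetes.io/rewrite-target: /$1` relies on, yet they are declared `pathType: Prefix`. The Ingress spec defines `Prefix` as a literal, element-wise path prefix, and ingress-nginx documents regex matching for `pathType: ImplementationSpecific` (with `nginx.ingress.kubernetes.io/use-regex: "true"` on controller versions that need it); change the `pathType` accordingly. Also check these patterns against the URLs documented in the same commit: Hydra's `urls.login` default is `https://sso.stackspin.example.net/login` with no trailing slash, which `/login/(.*)` does not match, and `urls.consent` still points at `https://sso.stackspin.example.net/consent` although the `/consent` path, the consent Deployment and its Service are all deleted here. Either route those paths to the login app or update the Hydra URLs, otherwise the authorization flow breaks at the login or consent redirect.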
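Review bot: the new `job-create-admin.yaml` runs on `post-install,post-upgrade` and its command unconditionally executes `flask user setpassword $SETUP_USER $SETUP_PASSWORD`, so every `helm upgrade` resets the admin account to the password in `values.yaml`, silently undoing any password the admin set through the UI (the `create_user` change in `app.py` makes the create step idempotent, so nothing stops the re-run). Guard the password step, for example only when the user was just created, or restrict the hook to `post-install`. The password also travels as a plain env value (`value: {{ .Values.login.password }}`) and then as a command-line argument, so it is visible in the Job manifest, in `kubectl describe pod` and in the container's process list; and because `helm.sh/hook-delete-policy` is only `before-hook-creation` (no `hook-succeeded`), the completed Job and its pod, with that env, remain until the next upgrade. Source `SETUP_PASSWORD` from a Secret via `secretKeyRef`, have the CLI read it from the environment instead of an argument, and consider adding `hook-succeeded`. Minor: `flask user create $SETUP_USER;` should chain with `&&` so a failed create does not proceed to set a password, and both values should be `| quote`d so an address or password with YAML-significant characters does not break rendering.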
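Review bot: in `job-create-oauth-clients.yaml` (hunk `@@ -7,7 +7,7`) the `helm.sh/hook-delete-policy` loses `hook-succeeded` with no rationale in the diff; completed hook Jobs then accumulate until the next upgrade. If the intent is to keep pod logs for debugging, record that in a comment, otherwise keep `before-hook-creation,hook-succeeded`. The image switch to `login.image.*` in the second hunk lines up with the Dockerfile adding `bash curl`, which the `/bin/bash -c` plus `curl` client-registration script (visible in the deleted CronJob) needs; a one-line comment in `login/Dockerfile` saying these two packages exist for the hook jobs would stop them being removed later as unused.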
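Review bot: deleting `cronjob-recreate-oauth-clients.yaml` removes the `*/5 * * * *` reconciliation that recreated a missing Hydra client (`curl http://...-hydra-admin:4445/clients/$CLIENT_NAME` followed by the POST when the lookup failed). After this change clients are created only by the `post-install,post-upgrade` hook in `job-create-oauth-clients.yaml`, so a client that disappears from Hydra (for example after a database reset) stays missing until the next `helm upgrade`. If that is intended, the "Registering clients" section of `docs/helmchart.md` should say so; if not, keep the CronJob on the new `login.image.*` image.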
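Review bot: `values.yaml` (hunk `@@ -201,6 +202,19`) introduces `passowrd: stackspin` under `login.db`, while `_helpers.tpl` reads `.Values.login.db.password`, so the rendered `DATABASE_URL` becomes `postgresql://stackspin:@...-postgresql/stackspin` with an empty password; rename the key to `password`. In the same block, `<< : &IMAGE_DEFAULTS_SSO { tag: "main", pullPolicy: "Always" }` defines an anchor inside a merge key; if nothing else references `*IMAGE_DEFAULTS_SSO`, write `tag` and `pullPolicy` out plainly. In the Kratos hunks (`@@ -99,11 +99,11` and `@@ -116,16 +116,16`), `sso.stackspin.example.net` is now hard-coded in six URLs (`base_url`, `default_browser_return_url` and four `ui_url`s) while the Ingress takes its host from `.Values.singleSignOnHost`; an operator who overrides only `singleSignOnHost` gets an Ingress for one host and Kratos redirects to another. Values cannot reference each other, so at minimum document that these must change together (the docs table bolds `singleSignOnHost` as if it were the single switch), or render the Kratos config from a template. Also, `connection_uri: smtps://username:password@smtp.example.net:456/` keeps port 456; implicit-TLS SMTP is 465, so this example (repeated in the docs table) looks like a transposed digit. The pre-existing comment `# Bu default got ot the loing page` could be corrected while this block is being touched.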
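Review bot: the new existence check in `create_user` in `login/app.py` (`user = KratosUser.find_by_email(KRATOS_ADMIN, email)` followed by `if user:` and a bare `return`) gives the hook job the idempotency it needs, but two things are worth confirming: what `find_by_email` returns when the Kratos admin API is unreachable (a falsy result there would fall through to `KratosUser(KRATOS_ADMIN)` and attempt a creation that the next run cannot distinguish from a duplicate), and whether the lookup normalises case, since otherwise `Admin@example.com` and `admin@example.com` are treated as different users at the check but may collide inside Kratos. Normalise the email before the lookup and let lookup errors propagate with a clear message. Returning the existing user object instead of a bare `return` would also let callers reuse it. The log-message fix in `setpassword_user` (`Setting password for: ...`) is correct.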