Use Hydra Maester and remove old cruft that it replaces

docs/helmchart.md

@@ -55,8 +55,6 @@ This table lists the variables you are most likely to change. Take a look at the
 | `hydra.hydra.config.urls.consent`    | **URI that will be used for permission checks**         | **https://sso.stackspin.example.net/consent**               |
 | `hydra.hydra.config.dsn`             | Database endpoint for Hydra                             | postgres://hydra:hydra@single-sign-on-postgresql:5432/hydra |
 | `hydra.hydra.config.secrets.system`  | Secret that is used to generate secure tokens str[]     | ["YouReallyNeedToChangeThis"]                               |
-| `oAuthClients`                       | A list of clients that need to be registered after installation. See [Registering clients](#registering-clients) for more info | user-panel configuration (**Change the `clientSecret`**!) |
-
 
 ### Manipulating user database
 
@@ -107,43 +105,62 @@ application that needs to authenticate it's users. Setting up a client happens
 in two steps: registering the client with `single-sign-on`, and configuring the
 client application.
 
-The `oAuthClients` variable in `values.yaml` contains an array of client configurations. For
-each of these configurations, a `Job` will be created during the helm installation that will
-do the necessary Hydra API calls to create that client. Note, however, that you still need to
-[configure your application](usage#step-2--configuring-the-application) to be able to use SSO
-to log in.
+#### Step 1. Configure Hydra
 
-The `oAuthClients` variable is an array with objects. One object should be made for each
-application that will use the SSO server. Each client will also be shown in the user-panel
-application, so users know where to find them. This example configures the user-panel
-application:
+We use Hydra Maester to register the clients with Hydra. This means that you
+need to create a Kubernetes object that looks like this:
 
 ```yaml
-# The name of the oauth client that needs to be the same as the application name in your 
-# application configuration
-clientName: user-panel
-# The secret the client uses to authenticate
-clientSecret: "YouReallyNeedToChangeThis"
-# The url the browser will be redirected to by Hydra when the authentication process is 
-# completed
-redirectUri: "https://admin.stackspin.example.net/callback"
-# A list of scopes the client needs access to
-scopes: "openid profile email stackspin_roles"
-# A url that is displayed in the user-panel for the user to navigate to the application
-clientUri: "https://admin.stackspin.example.net"
-# Point to a logo for the application that will be displayed in the user-panel
-clientLogoUri: "https://admin.stackspin.example.net/favicon.ico"
-# Set the method that the oAUth client uses to authenticate agains the oAuth server i.e. to
-# retrieve tokens or userinfo
-tokenEndpointAuthMethod: "client_secret_basic"
-# Resource types the client is allowed to use to perform authentication and userinfo requests
-responseTypes:
-  - "token"
-# Specifies the methods the client can use to retrieve access tokens from the oAuth server
-grantTypes:
-  - "implicit"
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: dashboard-oauth-client
+  # Has to live in the same namespace as the secret mentioned below
+  namespace: default
+spec:
+  # Specifies the methods the client can use to retrieve access tokens from the
+  # oAuth server
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  # Resource types the client is allowed to use to perform authentication and
+  # userinfo requests
+  responseTypes:
+    - id_token
+    - code
+  # A list of scopes the client needs access to
+  scope: "openid profile email stackspin_roles"
+  # A secret that contains `client_id` and `client_secret`, used by both Hydra
+  # and the client.
+  secretName: stackspin-dashboard-oauth-variables
+  # The url the browser will be redirected to by Hydra when the authentication
+  # process is completed
+  redirectUris:
+    - https://dashboard.${domain}/_oauth/oidc
+  # Set the method that the oAUth client uses to authenticate agains the oAuth
+  # server i.e. to retrieve tokens or userinfo
+  tokenEndpointAuthMethod: client_secret_post
 ```
 
+Refer to the [Hydra Maester
+documentation](https://github.com/ory/k8s/blob/master/docs/helm/hydra-maester.md) for more information.
+
+### Step 2. Configure client application
+
+The next step is to configure the client application. Most software that
+supports this will have a page in your documentation that describes how to do
+so. You will have to change the values given in the example oauth specification
+above according to the application's specifications.
+
+During the application configuration, you'll need to enter the "Client ID" and
+the "Client secret". You can find these in the secret referenced by the
+OAuth2Client. If the secret exists before you create the `OAuth2Client`, Maester
+will read the `client_id` and `client_secret` from it and use it. If not,
+Maester will generate a secret and use that. In both cases the secret needs to
+be in the same namespace as the `OAuth2Client` object.
+
 ## Installing and uninstalling the Chart
 
 To install the chart, add our helm repository[^1] and run the installation:

helmchart/single-sign-on/CHANGELOG.md

@@ -4,6 +4,10 @@ All notable changes to this helm chart will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.6.0] - 2021-12-21
+
+- Switch to using Hydra Maester instead of cronjobs for creating OAuth2 clients
+
 ## [0.5.1] - 2021-12-21
 
 - Host chart on Helm Repository: https://open.greenhost.net/api/v4/projects/8/packages/helm/api/stable

helmchart/single-sign-on/Chart.yaml

 apiVersion: v1
 description: A Helm chart for Stackspin's Single sign-on components
 name: single-sign-on
-version: 0.5.1
+version: 0.6.0

helmchart/single-sign-on/README.md

-Please refer to the [online documentation](../../docs//helmchart.md)
+Please refer to the [online documentation](../../docs/helmchart.md)

helmchart/single-sign-on/templates/job-create-oauth-clients.yaml

-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "single-sign-on.fullname" . }}-create-oauth2-clients
-  labels:
-{{ include "single-sign-on.labels" . | indent 4 }}
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "4"
-    "helm.sh/hook-delete-policy": before-hook-creation
-spec:
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/managed-by: {{.Release.Service | quote }}
-        app.kubernetes.io/instance: {{.Release.Name | quote }}
-        helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}"
-    spec:
-      restartPolicy: Never
-      containers:
-      {{- range .Values.oAuthClients }}
-      - name: {{ .clientName | quote }}
-        image: {{ $.Values.login.image.repository }}:{{ $.Values.login.image.tag }}
-        imagePullPolicy: {{ $.Values.login.image.pullPolicy }}
-        env:
-        - name: CLIENT_ID
-          valueFrom:
-            secretKeyRef:
-              name: oauth2-clients
-              key: {{ .clientName }}_client_id
-        - name: CLIENT_SECRET
-          valueFrom:
-            secretKeyRef:
-              name: oauth2-clients
-              key: {{ .clientName }}_client_secret
-        - name: CLIENT_NAME
-          value: {{ .clientName | quote }}
-        - name: REDIRECT_URI
-          value: {{ .redirectUri | quote }}
-        - name: SCOPES
-          value: {{ .scopes | quote }}
-        - name: CLIENT_URI
-          value: {{ .clientUri | quote }}
-        - name: CLIENT_LOGO_URI
-          value: {{ .clientLogoUri | quote }}
-        - name: TOKEN_ENDPOINT_AUTH_METHOD
-          value: {{ .tokenEndpointAuthMethod | quote }}
-        - name: RESPONSE_TYPES
-          value: "{{- range .responseTypes }}\"{{ . }}\",{{- end }}"
-        - name: GRANT_TYPES
-          value: "{{- range .grantTypes }}\"{{ . }}\",{{- end }}"
-        command: ["/bin/bash", "-c"]
-        args:
-        - |
-          curl http://{{ $.Release.Name }}-hydra-admin:4445/clients && curl --header "Content-Type: application/json" \
-               --request POST \
-               --data "{\"client_id\": \"$CLIENT_ID\",
-                        \"client_name\": \"$CLIENT_NAME\",
-                        \"client_secret\": \"$CLIENT_SECRET\",
-                        \"client_uri\": \"$CLIENT_URI\",
-                        \"logo_uri\": \"$CLIENT_LOGO_URI\",
-                        \"redirect_uris\": [\"$REDIRECT_URI\"],
-                        \"scope\": \"$SCOPES\",
-                        \"grant_types\": [$GRANT_TYPES\"\"],
-                        \"response_types\": [$RESPONSE_TYPES\"\"],
-                        \"token_endpoint_auth_method\": \"client_secret_post\"}" \
-               http://{{ $.Release.Name }}-hydra-admin:4445/clients
-      {{- end }}

helmchart/single-sign-on/values.yaml

@@ -149,10 +149,6 @@ hydra:
   # Fix for this issue: https://github.com/ory/k8s/issues/367
   image:
     tag: v1.10.5-sqlite
-  maester:
-    # hydra.maester.enabled instal hydra-maester which is enabled by default
-    # oauth client management is handled via jobs right now so there is no need to it
-    enabled: false
   hydra:
     # hydra.hydra.dangerousForceHttp allows access to the hydra admin API over http. The
     # hydra admin API is only accessible by services within the same namespace unless you
@@ -222,34 +218,3 @@ login:
   # Admin user will be created once when the SSO system is installed.
   user: admin@example.com
   password: ThisIsNotASecurePassword
-
-# oAuthClients is a list of clients that are created during the installation process
-# for a detailed list of the options available here, refer to
-# https://www.ory.sh/docs/hydra/sdk/api#create-an-oauth-20-client
-oAuthClients:
-- clientName: user-panel
-  # oauthClients[].clientSecret is the secret the client uses to authenticate
-  clientSecret: "YouReallyNeedToChangeThis"
-  # oAuthClients[].redirectUri is the url the user will be redirected to by hydra when the
-  # authentication process is completed
-  redirectUri: "https://admin.stackspin.example.net/callback"
-  # oAuthClients[].scopes is a list of scopes the client need access to
-  scopes: "openid profile email stackspin_roles"
-  # oAuthClients[].clientUri is a url that is displayed for the user to navigate to the
-  # application
-  clientUri: "https://admin.stackspin.example.net"
-  # oAuthClients[].clientLogoUri is a url that points to a logo that will be displayed
-  # whenever refering to the application
-  clientLogoUri: "https://admin.stackspin.example.net/favicon.ico"
-  # oAuthClients[].tokenEndpointAuthMethod sets the method that the oAUth client uses to
-  # authenticate agains the oAuth server i.e. to retrieve tokens or userinfo
-  tokenEndpointAuthMethod: "client_secret_basic"
-  # oAuthClients[].responseTypes specifies the type of resource an oAuth client uses to perform
-  # authentication and userinfo requests
-  responseTypes:
-    - "token"
-  # oAuthClients[].grantTypes specifies the way in which the client retrieves an access token
-  # from the oAuth server
-  grantTypes:
-    - "implicit"
-