From 99cdf7982999442b221d61c958e8558ffe5b4d91 Mon Sep 17 00:00:00 2001
From: Maarten de Waard <maarten@greenhost.nl>
Date: Tue, 21 Dec 2021 17:08:11 +0100
Subject: [PATCH] Use Hydra Maester and remove old cruft that it replaces
---
docs/helmchart.md | 85 +++++++++++--------
helmchart/single-sign-on/CHANGELOG.md | 4 +
helmchart/single-sign-on/Chart.yaml | 2 +-
helmchart/single-sign-on/README.md | 2 +-
.../templates/job-create-oauth-clients.yaml | 68 ---------------
helmchart/single-sign-on/values.yaml | 35 --------
6 files changed, 57 insertions(+), 139 deletions(-)
delete mode 100644 helmchart/single-sign-on/templates/job-create-oauth-clients.yaml
diff --git a/docs/helmchart.md b/docs/helmchart.md
index 4959478..5927113 100644
--- a/docs/helmchart.md
+++ b/docs/helmchart.md
@@ -55,8 +55,6 @@ This table lists the variables you are most likely to change. Take a look at the
| `hydra.hydra.config.urls.consent` | **URI that will be used for permission checks** | **https://sso.stackspin.example.net/consent** |
| `hydra.hydra.config.dsn` | Database endpoint for Hydra | postgres://hydra:hydra@single-sign-on-postgresql:5432/hydra |
| `hydra.hydra.config.secrets.system` | Secret that is used to generate secure tokens str[] | ["YouReallyNeedToChangeThis"] |
-| `oAuthClients` | A list of clients that need to be registered after installation. See [Registering clients](#registering-clients) for more info | user-panel configuration (**Change the `clientSecret`**!) |
-
### Manipulating user database
@@ -107,43 +105,62 @@ application that needs to authenticate it's users. Setting up a client happens
in two steps: registering the client with `single-sign-on`, and configuring the
client application.
-The `oAuthClients` variable in `values.yaml` contains an array of client configurations. For
-each of these configurations, a `Job` will be created during the helm installation that will
-do the necessary Hydra API calls to create that client. Note, however, that you still need to
-[configure your application](usage#step-2--configuring-the-application) to be able to use SSO
-to log in.
+#### Step 1. Configure Hydra
-The `oAuthClients` variable is an array with objects. One object should be made for each
-application that will use the SSO server. Each client will also be shown in the user-panel
-application, so users know where to find them. This example configures the user-panel
-application:
+We use Hydra Maester to register the clients with Hydra. This means that you
+need to create a Kubernetes object that looks like this:
```yaml
-# The name of the oauth client that needs to be the same as the application name in your
-# application configuration
-clientName: user-panel
-# The secret the client uses to authenticate
-clientSecret: "YouReallyNeedToChangeThis"
-# The url the browser will be redirected to by Hydra when the authentication process is
-# completed
-redirectUri: "https://admin.stackspin.example.net/callback"
-# A list of scopes the client needs access to
-scopes: "openid profile email stackspin_roles"
-# A url that is displayed in the user-panel for the user to navigate to the application
-clientUri: "https://admin.stackspin.example.net"
-# Point to a logo for the application that will be displayed in the user-panel
-clientLogoUri: "https://admin.stackspin.example.net/favicon.ico"
-# Set the method that the oAUth client uses to authenticate agains the oAuth server i.e. to
-# retrieve tokens or userinfo
-tokenEndpointAuthMethod: "client_secret_basic"
-# Resource types the client is allowed to use to perform authentication and userinfo requests
-responseTypes:
- - "token"
-# Specifies the methods the client can use to retrieve access tokens from the oAuth server
-grantTypes:
- - "implicit"
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: dashboard-oauth-client
+ # Has to live in the same namespace as the secret mentioned below
+ namespace: default
+spec:
+ # Specifies the methods the client can use to retrieve access tokens from the
+ # oAuth server
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ - client_credentials
+ - implicit
+ # Resource types the client is allowed to use to perform authentication and
+ # userinfo requests
+ responseTypes:
+ - id_token
+ - code
+ # A list of scopes the client needs access to
+ scope: "openid profile email stackspin_roles"
+ # A secret that contains `client_id` and `client_secret`, used by both Hydra
+ # and the client.
+ secretName: stackspin-dashboard-oauth-variables
+ # The url the browser will be redirected to by Hydra when the authentication
+ # process is completed
+ redirectUris:
+ - https://dashboard.${domain}/_oauth/oidc
+ # Set the method that the oAUth client uses to authenticate agains the oAuth
+ # server i.e. to retrieve tokens or userinfo
+ tokenEndpointAuthMethod: client_secret_post
```
+Refer to the [Hydra Maester
+documentation](https://github.com/ory/k8s/blob/master/docs/helm/hydra-maester.md) for more information.
+
+### Step 2. Configure client application
+
+The next step is to configure the client application. Most software that
+supports this will have a page in your documentation that describes how to do
+so. You will have to change the values given in the example oauth specification
+above according to the application's specifications.
+
+During the application configuration, you'll need to enter the "Client ID" and
+the "Client secret". You can find these in the secret referenced by the
+OAuth2Client. If the secret exists before you create the `OAuth2Client`, Maester
+will read the `client_id` and `client_secret` from it and use it. If not,
+Maester will generate a secret and use that. In both cases the secret needs to
+be in the same namespace as the `OAuth2Client` object.
+
## Installing and uninstalling the Chart
To install the chart, add our helm repository[^1] and run the installation:
diff --git a/helmchart/single-sign-on/CHANGELOG.md b/helmchart/single-sign-on/CHANGELOG.md
index bba2ad3..b6080a0 100644
--- a/helmchart/single-sign-on/CHANGELOG.md
+++ b/helmchart/single-sign-on/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this helm chart will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.6.0] - 2021-12-21
+
+- Switch to using Hydra Maester instead of cronjobs for creating OAuth2 clients
+
## [0.5.1] - 2021-12-21
- Host chart on Helm Repository: https://open.greenhost.net/api/v4/projects/8/packages/helm/api/stable
diff --git a/helmchart/single-sign-on/Chart.yaml b/helmchart/single-sign-on/Chart.yaml
index f8186d3..a00a0e8 100644
--- a/helmchart/single-sign-on/Chart.yaml
+++ b/helmchart/single-sign-on/Chart.yaml
@@ -1,4 +1,4 @@
apiVersion: v1
description: A Helm chart for Stackspin's Single sign-on components
name: single-sign-on
-version: 0.5.1
+version: 0.6.0
diff --git a/helmchart/single-sign-on/README.md b/helmchart/single-sign-on/README.md
index 4a29e6f..becba2a 100644
--- a/helmchart/single-sign-on/README.md
+++ b/helmchart/single-sign-on/README.md
@@ -1 +1 @@
-Please refer to the [online documentation](../../docs//helmchart.md)
+Please refer to the [online documentation](../../docs/helmchart.md)
diff --git a/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml b/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml
deleted file mode 100644
index 311bf55..0000000
--- a/helmchart/single-sign-on/templates/job-create-oauth-clients.yaml
+++ /dev/null
@@ -1,68 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ include "single-sign-on.fullname" . }}-create-oauth2-clients
- labels:
-{{ include "single-sign-on.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": post-install,post-upgrade
- "helm.sh/hook-weight": "4"
- "helm.sh/hook-delete-policy": before-hook-creation
-spec:
- template:
- metadata:
- labels:
- app.kubernetes.io/managed-by: {{.Release.Service | quote }}
- app.kubernetes.io/instance: {{.Release.Name | quote }}
- helm.sh/chart: "{{.Chart.Name}}-{{.Chart.Version}}"
- spec:
- restartPolicy: Never
- containers:
- {{- range .Values.oAuthClients }}
- - name: {{ .clientName | quote }}
- image: {{ $.Values.login.image.repository }}:{{ $.Values.login.image.tag }}
- imagePullPolicy: {{ $.Values.login.image.pullPolicy }}
- env:
- - name: CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: oauth2-clients
- key: {{ .clientName }}_client_id
- - name: CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: oauth2-clients
- key: {{ .clientName }}_client_secret
- - name: CLIENT_NAME
- value: {{ .clientName | quote }}
- - name: REDIRECT_URI
- value: {{ .redirectUri | quote }}
- - name: SCOPES
- value: {{ .scopes | quote }}
- - name: CLIENT_URI
- value: {{ .clientUri | quote }}
- - name: CLIENT_LOGO_URI
- value: {{ .clientLogoUri | quote }}
- - name: TOKEN_ENDPOINT_AUTH_METHOD
- value: {{ .tokenEndpointAuthMethod | quote }}
- - name: RESPONSE_TYPES
- value: "{{- range .responseTypes }}\"{{ . }}\",{{- end }}"
- - name: GRANT_TYPES
- value: "{{- range .grantTypes }}\"{{ . }}\",{{- end }}"
- command: ["/bin/bash", "-c"]
- args:
- - |
- curl http://{{ $.Release.Name }}-hydra-admin:4445/clients && curl --header "Content-Type: application/json" \
- --request POST \
- --data "{\"client_id\": \"$CLIENT_ID\",
- \"client_name\": \"$CLIENT_NAME\",
- \"client_secret\": \"$CLIENT_SECRET\",
- \"client_uri\": \"$CLIENT_URI\",
- \"logo_uri\": \"$CLIENT_LOGO_URI\",
- \"redirect_uris\": [\"$REDIRECT_URI\"],
- \"scope\": \"$SCOPES\",
- \"grant_types\": [$GRANT_TYPES\"\"],
- \"response_types\": [$RESPONSE_TYPES\"\"],
- \"token_endpoint_auth_method\": \"client_secret_post\"}" \
- http://{{ $.Release.Name }}-hydra-admin:4445/clients
- {{- end }}
diff --git a/helmchart/single-sign-on/values.yaml b/helmchart/single-sign-on/values.yaml
index fe5a864..dff3fc0 100644
--- a/helmchart/single-sign-on/values.yaml
+++ b/helmchart/single-sign-on/values.yaml
@@ -149,10 +149,6 @@ hydra:
# Fix for this issue: https://github.com/ory/k8s/issues/367
image:
tag: v1.10.5-sqlite
- maester:
- # hydra.maester.enabled instal hydra-maester which is enabled by default
- # oauth client management is handled via jobs right now so there is no need to it
- enabled: false
hydra:
# hydra.hydra.dangerousForceHttp allows access to the hydra admin API over http. The
# hydra admin API is only accessible by services within the same namespace unless you
@@ -222,34 +218,3 @@ login:
# Admin user will be created once when the SSO system is installed.
user: admin@example.com
password: ThisIsNotASecurePassword
-
-# oAuthClients is a list of clients that are created during the installation process
-# for a detailed list of the options available here, refer to
-# https://www.ory.sh/docs/hydra/sdk/api#create-an-oauth-20-client
-oAuthClients:
-- clientName: user-panel
- # oauthClients[].clientSecret is the secret the client uses to authenticate
- clientSecret: "YouReallyNeedToChangeThis"
- # oAuthClients[].redirectUri is the url the user will be redirected to by hydra when the
- # authentication process is completed
- redirectUri: "https://admin.stackspin.example.net/callback"
- # oAuthClients[].scopes is a list of scopes the client need access to
- scopes: "openid profile email stackspin_roles"
- # oAuthClients[].clientUri is a url that is displayed for the user to navigate to the
- # application
- clientUri: "https://admin.stackspin.example.net"
- # oAuthClients[].clientLogoUri is a url that points to a logo that will be displayed
- # whenever refering to the application
- clientLogoUri: "https://admin.stackspin.example.net/favicon.ico"
- # oAuthClients[].tokenEndpointAuthMethod sets the method that the oAUth client uses to
- # authenticate agains the oAuth server i.e. to retrieve tokens or userinfo
- tokenEndpointAuthMethod: "client_secret_basic"
- # oAuthClients[].responseTypes specifies the type of resource an oAuth client uses to perform
- # authentication and userinfo requests
- responseTypes:
- - "token"
- # oAuthClients[].grantTypes specifies the way in which the client retrieves an access token
- # from the oAuth server
- grantTypes:
- - "implicit"
-
--
GitLab