Resolve "Enable hydra maester and clean up old cronjobs"

Closes #110 (closed)

docs/helmchart.md

@@ -55,8 +55,6 @@ This table lists the variables you are most likely to change. Take a look at the
 | `hydra.hydra.config.urls.consent`    | **URI that will be used for permission checks**         | **https://sso.stackspin.example.net/consent**               |
 | `hydra.hydra.config.dsn`             | Database endpoint for Hydra                             | postgres://hydra:hydra@single-sign-on-postgresql:5432/hydra |
 | `hydra.hydra.config.secrets.system`  | Secret that is used to generate secure tokens str[]     | ["YouReallyNeedToChangeThis"]                               |
-| `oAuthClients`                       | A list of clients that need to be registered after installation. See [Registering clients](#registering-clients) for more info | user-panel configuration (**Change the `clientSecret`**!) |
-
 
 ### Manipulating user database
 
@@ -107,43 +105,62 @@ application that needs to authenticate it's users. Setting up a client happens
 in two steps: registering the client with `single-sign-on`, and configuring the
 client application.
 
-The `oAuthClients` variable in `values.yaml` contains an array of client configurations. For
-each of these configurations, a `Job` will be created during the helm installation that will
-do the necessary Hydra API calls to create that client. Note, however, that you still need to
-[configure your application](usage#step-2--configuring-the-application) to be able to use SSO
-to log in.
+#### Step 1. Configure Hydra
 
-The `oAuthClients` variable is an array with objects. One object should be made for each
-application that will use the SSO server. Each client will also be shown in the user-panel
-application, so users know where to find them. This example configures the user-panel
-application:
+We use Hydra Maester to register the clients with Hydra. This means that you
+need to create a Kubernetes object that looks like this:
 
 ```yaml
-# The name of the oauth client that needs to be the same as the application name in your 
-# application configuration
-clientName: user-panel
-# The secret the client uses to authenticate
-clientSecret: "YouReallyNeedToChangeThis"
-# The url the browser will be redirected to by Hydra when the authentication process is 
-# completed
-redirectUri: "https://admin.stackspin.example.net/callback"
-# A list of scopes the client needs access to
-scopes: "openid profile email stackspin_roles"
-# A url that is displayed in the user-panel for the user to navigate to the application
-clientUri: "https://admin.stackspin.example.net"
-# Point to a logo for the application that will be displayed in the user-panel
-clientLogoUri: "https://admin.stackspin.example.net/favicon.ico"
-# Set the method that the oAUth client uses to authenticate agains the oAuth server i.e. to
-# retrieve tokens or userinfo
-tokenEndpointAuthMethod: "client_secret_basic"
-# Resource types the client is allowed to use to perform authentication and userinfo requests
-responseTypes:
-  - "token"
-# Specifies the methods the client can use to retrieve access tokens from the oAuth server
-grantTypes:
-  - "implicit"
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: dashboard-oauth-client
+  # Has to live in the same namespace as the secret mentioned below
+  namespace: default
+spec:
+  # Specifies the methods the client can use to retrieve access tokens from the
+  # oAuth server
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  # Resource types the client is allowed to use to perform authentication and
+  # userinfo requests
+  responseTypes:
+    - id_token
+    - code
+  # A list of scopes the client needs access to
+  scope: "openid profile email stackspin_roles"
+  # A secret that contains `client_id` and `client_secret`, used by both Hydra
+  # and the client.
+  secretName: stackspin-dashboard-oauth-variables
+  # The url the browser will be redirected to by Hydra when the authentication
+  # process is completed
+  redirectUris:
+    - https://dashboard.${domain}/_oauth/oidc
+  # Set the method that the oAUth client uses to authenticate agains the oAuth
+  # server i.e. to retrieve tokens or userinfo
+  tokenEndpointAuthMethod: client_secret_post
 ```
 
+Refer to the [Hydra Maester
+documentation](https://github.com/ory/k8s/blob/master/docs/helm/hydra-maester.md) for more information.
+
+### Step 2. Configure client application
+
+The next step is to configure the client application. Most software that
+supports this will have a page in your documentation that describes how to do
+so. You will have to change the values given in the example oauth specification
+above according to the application's specifications.
+
+During the application configuration, you'll need to enter the "Client ID" and
+the "Client secret". You can find these in the secret referenced by the
+OAuth2Client. If the secret exists before you create the `OAuth2Client`, Maester
+will read the `client_id` and `client_secret` from it and use it. If not,
+Maester will generate a secret and use that. In both cases the secret needs to
+be in the same namespace as the `OAuth2Client` object.
+
 ## Installing and uninstalling the Chart
 
 To install the chart, add our helm repository[^1] and run the installation: