From bfe6a97fd3998358f54f06ba1f364c408e65a865 Mon Sep 17 00:00:00 2001
From: Maarten de Waard <maarten@greenhost.nl>
Date: Mon, 20 Dec 2021 12:31:40 +0100
Subject: [PATCH] enable maester and try to use it with wordpress
---
 flux2/apps/wordpress/kustomization.yaml | 1 +
 .../wordpress/wordpress-values-configmap.yaml | 2 +-
 flux2/apps/wordpress/wp-oauth.yaml | 22 +++++++++++++++++++
 .../cluster/optional/wordpress/wordpress.yaml | 2 ++
 .../single-sign-on-values-configmap.yaml | 15 -------------
 install/generate_secrets.py | 16 ++++++++------
 6 files changed, 35 insertions(+), 23 deletions(-)
 create mode 100644 flux2/apps/wordpress/wp-oauth.yaml
diff --git a/flux2/apps/wordpress/kustomization.yaml b/flux2/apps/wordpress/kustomization.yaml
index 5080ac0cd..108aa04c1 100644
--- a/flux2/apps/wordpress/kustomization.yaml
+++ b/flux2/apps/wordpress/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - pvc.yaml
 - release.yaml
 - wordpress-values-configmap.yaml
+ - wp-oauth.yaml
diff --git a/flux2/apps/wordpress/wordpress-values-configmap.yaml b/flux2/apps/wordpress/wordpress-values-configmap.yaml
index a8f426cab..40dc509be 100644
--- a/flux2/apps/wordpress/wordpress-values-configmap.yaml
+++ b/flux2/apps/wordpress/wordpress-values-configmap.yaml
@@ -25,7 +25,7 @@ data:
 openid_connect_settings:
 enabled: true
- client_secret: ${wordpress_oauth_client_secret}
+ client_secret: ${client_secret}
 endpoint_login: https://sso.${domain}/oauth2/auth
 endpoint_userinfo: https://sso.${domain}/userinfo
 endpoint_token: https://sso.${domain}/oauth2/token
diff --git a/flux2/apps/wordpress/wp-oauth.yaml b/flux2/apps/wordpress/wp-oauth.yaml
new file mode 100644
index 000000000..54c55ef08
--- /dev/null
+++ b/flux2/apps/wordpress/wp-oauth.yaml
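Review bot: `client_secret: ${client_secret}` swaps an app-specific substitution variable for a very generic one while the Kustomization that renders this configmap merges variables from several `substituteFrom` secrets (the wordpress.yaml hunk lists `stackspin-wordpress-variables`, `stackspin-wordpress-oauth-variables` and `stackspin-oauth-variables`), so any other source that also carries a `client_secret` key would silently decide which credential ends up in the WordPress OpenID Connect settings. I would add a comment above the line naming the intended source, e.g. `# provided by the stackspin-wordpress-oauth-variables secret (secretName in wp-oauth.yaml); no other substituteFrom source may define client_secret`, and verify that none of the other secrets defines `client_id`/`client_secret`. From the diff alone I cannot tell whether that secret is written by the Hydra controller or pre-created by the installer, so the comment should say whichever is confirmed. The `openid_connect_settings` block continues outside the hunk.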
@@ -0,0 +1,22 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+ name: wordpress-newsite-oauth-client
+ namespace: stackspin-apps
+spec:
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ - client_credentials
+ - implicit
+ responseTypes:
+ - id_token
+ - code
+ scope: "openid profile email stackspin_roles offline_access"
+ secretName: stackspin-wordpress-oauth-variables
+ # these are optional
+ redirectUris:
+ - https://www.${domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize
+ # TODO: Dynamic URL
+ # hydraAdmin: {}
+ tokenEndpointAuthMethod: client_secret_post
diff --git a/flux2/cluster/optional/wordpress/wordpress.yaml b/flux2/cluster/optional/wordpress/wordpress.yaml
index 8b5fc60ee..ac7114163 100644
--- a/flux2/cluster/optional/wordpress/wordpress.yaml
+++ b/flux2/cluster/optional/wordpress/wordpress.yaml
@@ -28,6 +28,8 @@ spec:
 substituteFrom:
 - kind: Secret
 name: stackspin-wordpress-variables
+ - kind: Secret
+ name: stackspin-wordpress-oauth-variables
 - kind: Secret
 name: stackspin-oauth-variables
 - kind: Secret
diff --git a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
index 41c3719e4..e0568faa4 100644
--- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
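Review bot: The new OAuth2Client grants more than a server-side OpenID Connect login needs: `grantTypes` includes `implicit` and `client_credentials` and `responseTypes` includes `id_token`, which lets this client obtain tokens through the browser-only implicit flow and user-less client-credential tokens. The endpoints configured for the plugin (`/oauth2/auth`, `/oauth2/token`, `client_secret_post`) are those of the authorization-code flow, so unless the WordPress plugin is known to need implicit, I would trim this to `grantTypes: [authorization_code, refresh_token]` and `responseTypes: [code]` (the `offline_access` scope already covers refresh tokens). The entry removed from the SSO configmap carried the same broad set, so this is a tightening rather than a regression introduced here, but it should be confirmed against the plugin before merging. `# TODO: Dynamic URL` would be more useful stating what is meant to become dynamic (presumably the `www.${domain}` host in `redirectUris`), and `# these are optional` / `# hydraAdmin: {}` are comments without a statement and could go.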
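Review bot: Adding `stackspin-wordpress-oauth-variables` to `substituteFrom` introduces a bootstrap ordering question the commit does not document: if that secret is produced by the Hydra controller from the `OAuth2Client` in wp-oauth.yaml (whose `secretName` points to it), this Kustomization cannot be built until the secret exists, but the OAuth2Client is only applied once the Kustomization builds. The generate_secrets.py hunk suggests the installer pre-creates this secret from a `stackspin-wordpress-oauth-variables.yaml.jinja` template, which would break the cycle, but that assumption should be stated next to the entry, e.g. `# must exist before this Kustomization reconciles; pre-created by install/generate_secrets.py (TODO confirm)`. Since several secrets are merged here and the configmap now reads the generic `${client_secret}`, a duplicate key in any of them is resolved by Flux's merge order rather than by name, which is worth a comment or a more specific key. The `substituteFrom` list continues outside the hunk.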
@@ -104,21 +104,6 @@ data: - "authorization_code" - "refresh_token" - "client_credentials" - - clientName: wordpress - clientSecret: "${wordpress_oauth_client_secret}" - redirectUri: "https://www.${domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize" - scopes: "openid profile email stackspin_roles offline_access" - clientUri: "https://www.${domain}" - clientLogoUri: "https://www.${domain}/wp-admin/images/wordpress-logo.svg" - tokenEndpointAuthMethod: "client_secret_post" - responseTypes: - - "code" - - "id_token" - grantTypes: - - "authorization_code" - - "refresh_token" - - "client_credentials" - - "implicit" - clientName: grafana - clientSecret: "${grafana_oauth_client_secret}" - redirectUri: "https://grafana.${domain}/login/generic_oauth"
diff --git a/install/generate_secrets.py b/install/generate_secrets.py
index 56666eaf2..04a1896f2 100644
--- a/install/generate_secrets.py
+++ b/install/generate_secrets.py
@@ -37,7 +37,9 @@ def main():
 sys.exit(1)
 app_name = sys.argv[1]
- create_variables_secret(app_name, env)
+ # Create app variables secret and oauth variables secret
+ for secret in [app_name, f"{app_name}-oauth"]:
+ create_variables_secret(f"stackspin-{secret}-variables.yaml.jinja", env)
 create_basic_auth_secret(app_name, env)
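Review bot: In the new loop in `main()` the variable `secret` holds an app-name suffix rather than a secret, and the template filename is now assembled in the caller while `create_basic_auth_secret(app_name, env)` on the next line still receives the bare app name, so the two calls no longer read alike. I would rename the loop variable and iterate a tuple, `for name in (app_name, f"{app_name}-oauth"):` / `create_variables_secret(f"stackspin-{name}-variables.yaml.jinja", env)`, and extend the comment to say that the `-oauth` template is optional and is skipped with a message for apps that have none, which is what `create_variables_secret` does when the file is absent. `app_name` comes straight from `sys.argv[1]` and is interpolated into a filesystem path; for an installer CLI that is acceptable, but a one-line check that it is a plain identifier (letters, digits, `-`) would be cheap. `main()` starts and ends outside the hunk.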
@@ -47,13 +49,13 @@ def get_templates_dir():
 return os.path.join(os.path.dirname(os.path.realpath(__file__)), 'templates')
-def create_variables_secret(app_name, env):
+def create_variables_secret(variables_filename, env):
 """Checks if a variables secret for app_name already exists, generates it if necessary"""
- variables_filename = \
- os.path.join(get_templates_dir(), f"stackspin-{app_name}-variables.yaml.jinja")
- if os.path.exists(variables_filename):
+ variables_filepath = \
+ os.path.join(get_templates_dir(), variables_filename)
+ if os.path.exists(variables_filepath):
 # Check if k8s secret already exists, if not, generate it
- with open(variables_filename) as template_file:
+ with open(variables_filepath) as template_file:
 lines = template_file.read()
 secret_name, secret_namespace = get_secret_metadata(lines)
 new_secret_dict = yaml.safe_load(env.from_string(lines).render())
@@ -79,7 +81,7 @@ def create_variables_secret(app_name, env):
 store_kubernetes_secret(new_secret_dict, secret_namespace, update=update_secret)
 else:
- print(f'File {variables_filename} does not exist, no action needed')
+ print(f'Template {variables_filename} does not exist, no action needed')
 def create_basic_auth_secret(app_name, env):
-- GitLab
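Review bot: The docstring of `create_variables_secret` still says "for app_name" although the parameter was renamed to `variables_filename` and the function now takes a template file name instead of an app name, so the first line of the function is stale after this change. I would replace it with `"""Render the variables template named by variables_filename (looked up in the templates dir) and create the resulting k8s secret if it does not exist yet; print and do nothing when the template is absent."""` and state that `variables_filename` is expected to be a bare file name rather than a path, since it is joined onto `get_templates_dir()` without any check. The function body continues outside the hunk; the existence check and `store_kubernetes_secret` call appear in the following hunk.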