enable maester and try to use it with wordpress

flux2/apps/wordpress/kustomization.yaml

@@ -6,3 +6,4 @@ resources:
   - pvc.yaml
   - release.yaml
   - wordpress-values-configmap.yaml
+  - wp-oauth.yaml

flux2/apps/wordpress/wordpress-values-configmap.yaml

@@ -25,7 +25,7 @@ data:
 
     openid_connect_settings:
       enabled: true
-      client_secret: ${wordpress_oauth_client_secret}
+      client_secret: ${client_secret}
       endpoint_login: https://sso.${domain}/oauth2/auth
       endpoint_userinfo: https://sso.${domain}/userinfo
       endpoint_token: https://sso.${domain}/oauth2/token

flux2/apps/wordpress/wp-oauth.yaml

+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: wordpress-newsite-oauth-client
+  namespace: stackspin-apps
+spec:
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles offline_access"
+  secretName: stackspin-wordpress-oauth-variables
+  # these are optional
+  redirectUris:
+    - https://www.${domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize
+    # TODO: Dynamic URL
+  # hydraAdmin: {}
+  tokenEndpointAuthMethod: client_secret_post

flux2/cluster/optional/wordpress/wordpress.yaml

@@ -28,6 +28,8 @@ spec:
     substituteFrom:
       - kind: Secret
         name: stackspin-wordpress-variables
+      - kind: Secret
+        name: stackspin-wordpress-oauth-variables
       - kind: Secret
         name: stackspin-oauth-variables
       - kind: Secret

flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml

@@ -104,21 +104,6 @@ data:
         - "authorization_code"
         - "refresh_token"
         - "client_credentials"
-    - clientName: wordpress
-      clientSecret: "${wordpress_oauth_client_secret}"
-      redirectUri: "https://www.${domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize"
-      scopes: "openid profile email stackspin_roles offline_access"
-      clientUri: "https://www.${domain}"
-      clientLogoUri: "https://www.${domain}/wp-admin/images/wordpress-logo.svg"
-      tokenEndpointAuthMethod: "client_secret_post"
-      responseTypes:
-        - "code"
-        - "id_token"
-      grantTypes:
-        - "authorization_code"
-        - "refresh_token"
-        - "client_credentials"
-        - "implicit"
     - clientName: grafana
       clientSecret: "${grafana_oauth_client_secret}"
       redirectUri: "https://grafana.${domain}/login/generic_oauth"

install/generate_secrets.py

@@ -37,7 +37,9 @@ def main():
         sys.exit(1)
     app_name = sys.argv[1]
 
-    create_variables_secret(app_name, env)
+    # Create app variables secret and oauth variables secret
+    for secret in [app_name, f"{app_name}-oauth"]:
+        create_variables_secret(f"stackspin-{secret}-variables.yaml.jinja", env)
     create_basic_auth_secret(app_name, env)
 
 
@@ -47,13 +49,13 @@ def get_templates_dir():
     return os.path.join(os.path.dirname(os.path.realpath(__file__)), 'templates')
 
 
-def create_variables_secret(app_name, env):
+def create_variables_secret(variables_filename, env):
     """Checks if a variables secret for app_name already exists, generates it if necessary"""
-    variables_filename = \
-        os.path.join(get_templates_dir(), f"stackspin-{app_name}-variables.yaml.jinja")
-    if os.path.exists(variables_filename):
+    variables_filepath = \
+        os.path.join(get_templates_dir(), variables_filename)
+    if os.path.exists(variables_filepath):
         # Check if k8s secret already exists, if not, generate it
-        with open(variables_filename) as template_file:
+        with open(variables_filepath) as template_file:
             lines = template_file.read()
             secret_name, secret_namespace = get_secret_metadata(lines)
             new_secret_dict = yaml.safe_load(env.from_string(lines).render())
@@ -79,7 +81,7 @@ def create_variables_secret(app_name, env):
             store_kubernetes_secret(new_secret_dict, secret_namespace,
                                     update=update_secret)
     else:
-        print(f'File {variables_filename} does not exist, no action needed')
+        print(f'Template {variables_filename} does not exist, no action needed')
 
 
 def create_basic_auth_secret(app_name, env):