From ce4c50491c4dd714b05f1c603412b2917d3badc2 Mon Sep 17 00:00:00 2001
From: Maarten de Waard <maarten@greenhost.nl>
Date: Mon, 20 Dec 2021 17:01:56 +0100
Subject: [PATCH] add all oidc clients with Maester

---
 .../nextcloud/nextcloud-oauth-client.yaml     |  1 -
 flux2/apps/wekan/kustomization.yaml           |  2 +-
 flux2/apps/wekan/pvc.yaml                     |  1 +
 flux2/apps/wekan/wekan-oauth-client.yaml      | 23 ++++++++
 flux2/apps/wekan/wekan-values-configmap.yaml  |  3 +-
 ...oauth.yaml => wordpress-oauth-client.yaml} |  4 +-
 flux2/apps/zulip/kustomization.yaml           |  1 +
 flux2/apps/zulip/zulip-data-pvc.yaml          |  1 +
 flux2/apps/zulip/zulip-oauth-client.yaml      | 22 ++++++++
 flux2/apps/zulip/zulip-postgres-pvc.yaml      |  1 +
 flux2/apps/zulip/zulip-redis-pvc.yaml         |  1 +
 flux2/apps/zulip/zulip-values-configmap.yaml  |  3 +-
 flux2/cluster/base/dashboard.yaml             |  2 +-
 .../cluster/optional/nextcloud/nextcloud.yaml |  1 +
 flux2/cluster/optional/wekan/wekan.yaml       |  3 +-
 flux2/cluster/optional/zulip/zulip.yaml       |  3 +-
 .../dashboard/dashboard-oauth-client.yaml     | 22 ++++++++
 .../base/dashboard/dashboard-release.yaml     |  1 +
 .../dashboard/dashboard-values-configmap.yaml |  1 +
 flux2/core/base/dashboard/kustomization.yaml  |  6 +-
 .../single-sign-on-values-configmap.yaml      | 55 -------------------
 21 files changed, 89 insertions(+), 68 deletions(-)
 create mode 100644 flux2/apps/wekan/wekan-oauth-client.yaml
 rename flux2/apps/wordpress/{wp-oauth.yaml => wordpress-oauth-client.yaml} (88%)
 create mode 100644 flux2/apps/zulip/zulip-oauth-client.yaml
 create mode 100644 flux2/core/base/dashboard/dashboard-oauth-client.yaml

diff --git a/flux2/apps/nextcloud/nextcloud-oauth-client.yaml b/flux2/apps/nextcloud/nextcloud-oauth-client.yaml
index a4fe2f4b4..1c81ce29b 100644
--- a/flux2/apps/nextcloud/nextcloud-oauth-client.yaml
+++ b/flux2/apps/nextcloud/nextcloud-oauth-client.yaml
@@ -18,5 +18,4 @@ spec:
   # these are optional
   redirectUris:
     - https://files.${domain}/apps/sociallogin/custom_oidc/stackspin
-  # hydraAdmin: {}
   tokenEndpointAuthMethod: client_secret_post
diff --git a/flux2/apps/wekan/kustomization.yaml b/flux2/apps/wekan/kustomization.yaml
index 0cebe4f02..f97ed1d64 100644
--- a/flux2/apps/wekan/kustomization.yaml
+++ b/flux2/apps/wekan/kustomization.yaml
@@ -1,8 +1,8 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: stackspin-apps
 resources:
   - pvc.yaml
   - release.yaml
+  - wekan-oauth-client.yaml
   - wekan-values-configmap.yaml
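Review bot: Dropping `namespace: stackspin-apps` from this kustomization moves namespacing to each resource, but `release.yaml` is not in this patch's diffstat, so unless it already carries `metadata.namespace` the wekan HelmRelease will now be applied without one and land wherever the Flux Kustomization's targetNamespace (or the default namespace) puts it. The pvc and configmap files get `namespace: stackspin-apps` in this same patch, and the dashboard part of the patch does the same for dashboard-release.yaml; `release.yaml` should get the same line. Worth confirming before the reconcile, since a HelmRelease that moves namespace is a new install, not an upgrade.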
diff --git a/flux2/apps/wekan/pvc.yaml b/flux2/apps/wekan/pvc.yaml
index 71433b596..7114d1ec8 100644
--- a/flux2/apps/wekan/pvc.yaml
+++ b/flux2/apps/wekan/pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: wekan
+  namespace: stackspin-apps
 spec:
   accessModes:
     - ReadWriteOnce
diff --git a/flux2/apps/wekan/wekan-oauth-client.yaml b/flux2/apps/wekan/wekan-oauth-client.yaml
new file mode 100644
index 000000000..979b74fe5
--- /dev/null
+++ b/flux2/apps/wekan/wekan-oauth-client.yaml
@@ -0,0 +1,23 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: wekan-oauth-client
+  # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+  # secret
+  namespace: flux-system
+spec:
+  # https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-wekan-oauth-variables
+  # these are optional
+  redirectUris:
+    - https://wekan.${domain}/_oauth/oidc
+  tokenEndpointAuthMethod: client_secret_post
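Review bot: The namespace comment at the top of the new file names the wordpress secret; for this client it should read `# Has to live in the same namespace as the stackspin-wekan-oauth-variables` `# secret`, otherwise the next reader will look for the wrong object. The `grantTypes` list also carries over `implicit` and `client_credentials` from the old Helm values; the linked wiki page documents a Keycloak setup rather than Hydra, so it is worth checking what wekan's `/_oauth/oidc` handler actually requests — the client is confidential (`client_secret_post`), and if it completes the code exchange, `implicit` (front-channel tokens, deprecated by the OAuth 2.0 Security BCP) and `client_credentials` can be dropped to keep the client to `authorization_code` and `refresh_token`.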
diff --git a/flux2/apps/wekan/wekan-values-configmap.yaml b/flux2/apps/wekan/wekan-values-configmap.yaml
index 4bbe8a913..96eebee2a 100644
--- a/flux2/apps/wekan/wekan-values-configmap.yaml
+++ b/flux2/apps/wekan/wekan-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: stackspin-wekan-values
+  namespace: stackspin-apps
 data:
   values.yaml: |
     # https://github.com/wekan/wekan/blob/master/helm/wekan/values.yaml
@@ -54,7 +55,7 @@ data:
       - name: "MAIL_URL"
         value: "smtps://${outgoing_mail_smtp_user}:${outgoing_mail_smtp_password}@${outgoing_mail_smtp_host}:${outgoing_mail_smtp_port}"
       - name: "OAUTH2_SECRET"
-        value: "${wekan_oauth_client_secret}"
+        value: "${client_secret}"
       - name: "MONGO_URL"
         value: "mongodb://wekan:${mongodb_password}@wekan-mongodb:27017/wekan"
     service:
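Review bot: `OAUTH2_SECRET` is now substituted from the generic `${client_secret}` key, while the wekan Kustomization (elsewhere in this patch) substitutes from three secrets — the wekan variables, the wekan oauth variables and the cluster variables; if any other of them ever defines a `client_secret` key, Flux's merge of substituteFrom sources would silently replace the value, so a dedicated secret or a distinctive key name is safer. The matching `OAUTH2_CLIENT_ID` entry is outside this hunk; if hydra-maester generates the client id into the same secret as it does the secret, that entry should read `${client_id}` rather than a fixed value — worth confirming. Note also that the rendered value ends up in a ConfigMap (`stackspin-wekan-values`), readable by anyone with get on configmaps in stackspin-apps, which is a pre-existing pattern but one this migration could fix by rendering the OAuth values from a Secret instead.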
diff --git a/flux2/apps/wordpress/wp-oauth.yaml b/flux2/apps/wordpress/wordpress-oauth-client.yaml
similarity index 88%
rename from flux2/apps/wordpress/wp-oauth.yaml
rename to flux2/apps/wordpress/wordpress-oauth-client.yaml
index b4910fa08..e3081e6c6 100644
--- a/flux2/apps/wordpress/wp-oauth.yaml
+++ b/flux2/apps/wordpress/wordpress-oauth-client.yaml
@@ -1,7 +1,7 @@
 apiVersion: hydra.ory.sh/v1alpha1
 kind: OAuth2Client
 metadata:
-  name: wordpress-newsite-oauth-client
+  name: wordpress-oauth-client
   # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
   # secret
   namespace: flux-system
@@ -19,6 +19,4 @@ spec:
   # these are optional
   redirectUris:
     - https://www.${domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize
-    # TODO: Dynamic URL
-  # hydraAdmin: {}
   tokenEndpointAuthMethod: client_secret_post
diff --git a/flux2/apps/zulip/kustomization.yaml b/flux2/apps/zulip/kustomization.yaml
index 693134038..8cc5ffa9f 100644
--- a/flux2/apps/zulip/kustomization.yaml
+++ b/flux2/apps/zulip/kustomization.yaml
@@ -4,6 +4,7 @@ namespace: stackspin-apps
 resources:
   - release.yaml
   - zulip-data-pvc.yaml
+  - zulip-oauth-client.yaml
   - zulip-postgres-pvc.yaml
   - zulip-redis-pvc.yaml
   - zulip-values-configmap.yaml
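Review bot: `zulip-oauth-client.yaml` is added to a kustomization that still sets `namespace: stackspin-apps` (visible in the hunk header), and kustomize's namespace transformer overrides `metadata.namespace` on every namespaced resource, so the OAuth2Client's `namespace: flux-system` will be rewritten to stackspin-apps and the `stackspin-zulip-oauth-variables` secret will be created in the wrong namespace for the zulip Kustomization's substituteFrom. The wekan and dashboard kustomizations in this same patch drop the namespace field and set it per resource instead; this one should do the same — remove `namespace: stackspin-apps` here (the PVC and configmap files already get explicit namespaces in this patch) and confirm `release.yaml` has one as well.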
diff --git a/flux2/apps/zulip/zulip-data-pvc.yaml b/flux2/apps/zulip/zulip-data-pvc.yaml
index bea64b1cc..19fb676fc 100644
--- a/flux2/apps/zulip/zulip-data-pvc.yaml
+++ b/flux2/apps/zulip/zulip-data-pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: zulip-data
+  namespace: stackspin-apps
 spec:
   accessModes:
     - ReadWriteOnce
diff --git a/flux2/apps/zulip/zulip-oauth-client.yaml b/flux2/apps/zulip/zulip-oauth-client.yaml
new file mode 100644
index 000000000..299a2a598
--- /dev/null
+++ b/flux2/apps/zulip/zulip-oauth-client.yaml
@@ -0,0 +1,22 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: zulip-oauth-client
+  # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+  # secret
+  namespace: flux-system
+spec:
+  # https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#openid-connect
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-zulip-oauth-variables
+  # these are optional
+  redirectUris:
+    - https://zulip.${domain}/complete/oidc/
+  tokenEndpointAuthMethod: client_secret_post
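Review bot: The namespace comment is copied from the wordpress client and names `stackspin-wordpress-oauth-variables`; for this file it should name `stackspin-zulip-oauth-variables`. `client_credentials` is also granted although the Zulip flow referenced in the file is a browser-side authorization-code login; unless something obtains machine-to-machine tokens with this client, drop it and keep the client to `authorization_code` and `refresh_token`, which is the least privilege the login needs.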
diff --git a/flux2/apps/zulip/zulip-postgres-pvc.yaml b/flux2/apps/zulip/zulip-postgres-pvc.yaml
index c09487820..34e569369 100644
--- a/flux2/apps/zulip/zulip-postgres-pvc.yaml
+++ b/flux2/apps/zulip/zulip-postgres-pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: zulip-postgres
+  namespace: stackspin-apps
 spec:
   accessModes:
     - ReadWriteOnce
diff --git a/flux2/apps/zulip/zulip-redis-pvc.yaml b/flux2/apps/zulip/zulip-redis-pvc.yaml
index 6890704a4..edf0bad90 100644
--- a/flux2/apps/zulip/zulip-redis-pvc.yaml
+++ b/flux2/apps/zulip/zulip-redis-pvc.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: zulip-redis
+  namespace: stackspin-apps
 spec:
   accessModes:
     - ReadWriteOnce
diff --git a/flux2/apps/zulip/zulip-values-configmap.yaml b/flux2/apps/zulip/zulip-values-configmap.yaml
index 95fbff7ec..85576acdb 100644
--- a/flux2/apps/zulip/zulip-values-configmap.yaml
+++ b/flux2/apps/zulip/zulip-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: stackspin-zulip-values
+  namespace: stackspin-apps
 data:
   values.yaml: |
     image:
@@ -85,7 +86,7 @@ data:
         # (https://github.com/greenhost/docker-zulip/commit/d583a2d28707a3b77bf610bedc2c2bb81f2a5f88)
         # NOTE: This is a Python object, not JSON
         SETTING_SOCIAL_AUTH_OIDC_ENABLED_IDPS: '{"stackspin": { "oidc_url": "https://sso.${domain}/", "display_name": "Stackspin", "display_icon": None, "client_id": "zulip", "secret": get_secret("social_auth_oidc_secret"), "auto_signup": True }}'
-        SECRETS_social_auth_oidc_secret: "${zulip_oauth_client_secret}"
+        SECRETS_social_auth_oidc_secret: "${client_secret}"
         # Enable "low memory mode", queue workers run 1 multithreaded process
         QUEUE_WORKERS_MULTIPROCESS: 'False'
       resources:
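Review bot: The secret now comes from the generic `${client_secret}` key, but the context line above still hard-codes `"client_id": "zulip"`; if hydra-maester generates the client id into `stackspin-zulip-oauth-variables` together with the secret (rather than the secret being pre-created with `client_id: zulip`), the two will not match and every login will fail with an unknown-client error. Either substitute `"client_id": "${client_id}"` from the same secret, or document that the secret must be pre-seeded with the fixed id — worth confirming against how the other clients in this patch were tested. As with the other apps, the resulting value is rendered into a ConfigMap rather than a Secret, which is pre-existing but worth noting.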
diff --git a/flux2/cluster/base/dashboard.yaml b/flux2/cluster/base/dashboard.yaml
index eb0aebbc4..f7bf842aa 100644
--- a/flux2/cluster/base/dashboard.yaml
+++ b/flux2/cluster/base/dashboard.yaml
@@ -20,7 +20,7 @@ spec:
       - kind: Secret
         name: stackspin-dashboard-variables
       - kind: Secret
-        name: stackspin-oauth-variables
+        name: stackspin-dashboard-oauth-variables
       - kind: Secret
         name: stackspin-cluster-variables
   healthChecks:
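Review bot: With substituteFrom switched to per-app secrets, the shared `stackspin-oauth-variables` secret is no longer referenced by any Kustomization touched in this patch, but nothing here removes it; as it presumably held the client secrets for every app, a stale copy of all those credentials stays in the cluster unless it is deleted (and ideally the secrets rotated) once the migration is complete. If anything outside this patch still reads it, a comment here noting the planned removal would help the next person.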
diff --git a/flux2/cluster/optional/nextcloud/nextcloud.yaml b/flux2/cluster/optional/nextcloud/nextcloud.yaml
index 109299b61..a0aecb83d 100644
--- a/flux2/cluster/optional/nextcloud/nextcloud.yaml
+++ b/flux2/cluster/optional/nextcloud/nextcloud.yaml
@@ -10,6 +10,7 @@ spec:
   dependsOn:
     - name: nginx
     - name: local-path-provisioner
+    - name: single-sign-on
   sourceRef:
     kind: GitRepository
     name: stackspin
diff --git a/flux2/cluster/optional/wekan/wekan.yaml b/flux2/cluster/optional/wekan/wekan.yaml
index d4b13714a..76150ba75 100644
--- a/flux2/cluster/optional/wekan/wekan.yaml
+++ b/flux2/cluster/optional/wekan/wekan.yaml
@@ -10,6 +10,7 @@ spec:
   dependsOn:
     - name: nginx
     - name: local-path-provisioner
+    - name: single-sign-on
   sourceRef:
     kind: GitRepository
     name: stackspin
@@ -29,6 +30,6 @@ spec:
       - kind: Secret
         name: stackspin-wekan-variables
       - kind: Secret
-        name: stackspin-oauth-variables
+        name: stackspin-wekan-oauth-variables
       - kind: Secret
         name: stackspin-cluster-variables
diff --git a/flux2/cluster/optional/zulip/zulip.yaml b/flux2/cluster/optional/zulip/zulip.yaml
index c72a56244..4cb36eccd 100644
--- a/flux2/cluster/optional/zulip/zulip.yaml
+++ b/flux2/cluster/optional/zulip/zulip.yaml
@@ -10,6 +10,7 @@ spec:
   dependsOn:
     - name: nginx
     - name: local-path-provisioner
+    - name: single-sign-on
   sourceRef:
     kind: GitRepository
     name: stackspin
@@ -45,6 +46,6 @@ spec:
       - kind: Secret
         name: stackspin-zulip-variables
       - kind: Secret
-        name: stackspin-oauth-variables
+        name: stackspin-zulip-oauth-variables
       - kind: Secret
         name: stackspin-cluster-variables
diff --git a/flux2/core/base/dashboard/dashboard-oauth-client.yaml b/flux2/core/base/dashboard/dashboard-oauth-client.yaml
new file mode 100644
index 000000000..f77c62097
--- /dev/null
+++ b/flux2/core/base/dashboard/dashboard-oauth-client.yaml
@@ -0,0 +1,22 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: dashboard-oauth-client
+  # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+  # secret
+  namespace: flux-system
+spec:
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-dashboard-oauth-variables
+  # these are optional
+  redirectUris:
+    - https://dashboard.${domain}/_oauth/oidc
+  tokenEndpointAuthMethod: client_secret_post
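Review bot: `grantTypes` for the dashboard client includes `implicit` (and `client_credentials`), which together with `id_token` in `responseTypes` lets Hydra issue tokens via the front-channel fragment — the flow the OAuth 2.0 Security BCP deprecates; the previous Helm values granted the same set, so this is carried over rather than new, but the migration is a good moment to narrow it to `authorization_code` and `refresh_token` if the dashboard completes the code exchange (it is registered as a confidential client with `client_secret_post`, which suggests it does). The namespace comment is also copied from wordpress and should read `# Has to live in the same namespace as the stackspin-dashboard-oauth-variables` `# secret`.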
diff --git a/flux2/core/base/dashboard/dashboard-release.yaml b/flux2/core/base/dashboard/dashboard-release.yaml
index 0f1e34474..3dadb255f 100644
--- a/flux2/core/base/dashboard/dashboard-release.yaml
+++ b/flux2/core/base/dashboard/dashboard-release.yaml
@@ -3,6 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: dashboard
+  namespace: stackspin
 spec:
   releaseName: dashboard
   dependsOn:
diff --git a/flux2/core/base/dashboard/dashboard-values-configmap.yaml b/flux2/core/base/dashboard/dashboard-values-configmap.yaml
index 1948aa445..df6443515 100644
--- a/flux2/core/base/dashboard/dashboard-values-configmap.yaml
+++ b/flux2/core/base/dashboard/dashboard-values-configmap.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: stackspin-dashboard-values
+  namespace: stackspin
 data:
   values.yaml: |
     fullnameOverride: dashboard
diff --git a/flux2/core/base/dashboard/kustomization.yaml b/flux2/core/base/dashboard/kustomization.yaml
index 93dd50962..9989b257f 100644
--- a/flux2/core/base/dashboard/kustomization.yaml
+++ b/flux2/core/base/dashboard/kustomization.yaml
@@ -1,7 +1,7 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: stackspin
 resources:
-  - ./dashboard-release.yaml
-  - ./dashboard-values-configmap.yaml
+  - dashboard-oauth-client.yaml
+  - dashboard-release.yaml
+  - dashboard-values-configmap.yaml
diff --git a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
index da3623061..2556b1ffc 100644
--- a/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
+++ b/flux2/core/base/single-sign-on/single-sign-on-values-configmap.yaml
@@ -92,58 +92,3 @@ data:
               # be on this link:
               registration:
                 ui_url: https://sso.${domain}/login/registration
-
-
-    oAuthClients:
-    - clientName: nextcloud
-      clientSecret: "${nextcloud_oauth_client_secret}"
-      redirectUri: "https://files.${domain}/apps/sociallogin/custom_oidc/stackspin"
-      scopes: "openid profile email stackspin_roles"
-      clientUri: "https://files.${domain}"
-      clientLogoUri: "https://files.${domain}/core/img/favicon-touch.png"
-      tokenEndpointAuthMethod: "client_secret_post"
-      responseTypes:
-        - "code"
-        - "id_token"
-      grantTypes:
-        - "authorization_code"
-        - "refresh_token"
-        - "client_credentials"
-    # https://github.com/wekan/wekan/wiki/Keycloak
-    - clientName: wekan
-      clientSecret: "${wekan_oauth_client_secret}"
-      redirectUri: "https://wekan.${domain}/_oauth/oidc"
-      scopes: "openid profile email"
-      clientUri: "https://wekan.${domain}"
-      clientLogoUri: "https://wekan.${domain}/wekan-logo.svg"
-      tokenEndpointAuthMethod: "client_secret_post"
-      responseTypes:
-        - "code"
-        - "id_token"
-      grantTypes:
-        - "authorization_code"
-        - "refresh_token"
-        - "client_credentials"
-        - "implicit"
-    # https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#openid-connect
-    - clientName: zulip
-      clientSecret: "${zulip_oauth_client_secret}"
-      redirectUri: "https://zulip.${domain}/complete/oidc/"
-      scopes: "openid profile email"
-      clientUri: "https://zulip.${domain}"
-      clientLogoUri: "https://zulip.${domain}/static/images/zulip-logo.svg"
-    - clientName: dashboard
-      clientSecret: "${dashboard_oauth_client_secret}"
-      redirectUri: "https://dashboard.${domain}/_oauth/oidc"
-      scopes: "openid profile email"
-      clientUri: "https://dashboard.${domain}"
-      clientLogoUri: "https://dashboard.${domain}/assets/logo.svg"
-      tokenEndpointAuthMethod: "client_secret_post"
-      responseTypes:
-        - "code"
-        - "id_token"
-      grantTypes:
-        - "authorization_code"
-        - "refresh_token"
-        - "client_credentials"
-        - "implicit"
-- 
GitLab