add all oidc clients with Maester

flux2/apps/nextcloud/nextcloud-oauth-client.yaml

@@ -18,5 +18,4 @@ spec:
   # these are optional
   redirectUris:
     - https://files.${domain}/apps/sociallogin/custom_oidc/stackspin
-  # hydraAdmin: {}
   tokenEndpointAuthMethod: client_secret_post

flux2/apps/wekan/kustomization.yaml

 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: stackspin-apps
 resources:
   - pvc.yaml
   - release.yaml
+  - wekan-oauth-client.yaml
   - wekan-values-configmap.yaml

flux2/apps/wekan/pvc.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: wekan
+  namespace: stackspin-apps
 spec:
   accessModes:
     - ReadWriteOnce

flux2/apps/wekan/wekan-oauth-client.yaml

+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: wekan-oauth-client
+  # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+  # secret
+  namespace: flux-system
+spec:
+  # https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-wekan-oauth-variables
+  # these are optional
+  redirectUris:
+    - https://wekan.${domain}/_oauth/oidc
+  tokenEndpointAuthMethod: client_secret_post

flux2/apps/wekan/wekan-values-configmap.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: stackspin-wekan-values
+  namespace: stackspin-apps
 data:
   values.yaml: |
     # https://github.com/wekan/wekan/blob/master/helm/wekan/values.yaml
@@ -54,7 +55,7 @@ data:
       - name: "MAIL_URL"
         value: "smtps://${outgoing_mail_smtp_user}:${outgoing_mail_smtp_password}@${outgoing_mail_smtp_host}:${outgoing_mail_smtp_port}"
       - name: "OAUTH2_SECRET"
-        value: "${wekan_oauth_client_secret}"
+        value: "${client_secret}"
       - name: "MONGO_URL"
         value: "mongodb://wekan:${mongodb_password}@wekan-mongodb:27017/wekan"
     service:

flux2/apps/wordpress/wp-oauth.yaml → flux2/apps/wordpress/wordpress-oauth-client.yaml

 apiVersion: hydra.ory.sh/v1alpha1
 kind: OAuth2Client
 metadata:
-  name: wordpress-newsite-oauth-client
+  name: wordpress-oauth-client
   # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
   # secret
   namespace: flux-system
@@ -19,6 +19,4 @@ spec:
   # these are optional
   redirectUris:
     - https://www.${domain}/wp-admin/admin-ajax.php?action=openid-connect-authorize
-    # TODO: Dynamic URL
-  # hydraAdmin: {}
   tokenEndpointAuthMethod: client_secret_post

flux2/apps/zulip/kustomization.yaml

@@ -4,6 +4,7 @@ namespace: stackspin-apps
 resources:
   - release.yaml
   - zulip-data-pvc.yaml
+  - zulip-oauth-client.yaml
   - zulip-postgres-pvc.yaml
   - zulip-redis-pvc.yaml
   - zulip-values-configmap.yaml

flux2/apps/zulip/zulip-data-pvc.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: zulip-data
+  namespace: stackspin-apps
 spec:
   accessModes:
     - ReadWriteOnce

flux2/apps/zulip/zulip-oauth-client.yaml

+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: zulip-oauth-client
+  # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+  # secret
+  namespace: flux-system
+spec:
+  # https://zulip.readthedocs.io/en/latest/production/authentication-methods.html#openid-connect
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-zulip-oauth-variables
+  # these are optional
+  redirectUris:
+    - https://zulip.${domain}/complete/oidc/
+  tokenEndpointAuthMethod: client_secret_post

flux2/apps/zulip/zulip-postgres-pvc.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: zulip-postgres
+  namespace: stackspin-apps
 spec:
   accessModes:
     - ReadWriteOnce

flux2/apps/zulip/zulip-redis-pvc.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: zulip-redis
+  namespace: stackspin-apps
 spec:
   accessModes:
     - ReadWriteOnce

flux2/apps/zulip/zulip-values-configmap.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: stackspin-zulip-values
+  namespace: stackspin-apps
 data:
   values.yaml: |
     image:
@@ -85,7 +86,7 @@ data:
         # (https://github.com/greenhost/docker-zulip/commit/d583a2d28707a3b77bf610bedc2c2bb81f2a5f88)
         # NOTE: This is a Python object, not JSON
         SETTING_SOCIAL_AUTH_OIDC_ENABLED_IDPS: '{"stackspin": { "oidc_url": "https://sso.${domain}/", "display_name": "Stackspin", "display_icon": None, "client_id": "zulip", "secret": get_secret("social_auth_oidc_secret"), "auto_signup": True }}'
-        SECRETS_social_auth_oidc_secret: "${zulip_oauth_client_secret}"
+        SECRETS_social_auth_oidc_secret: "${client_secret}"
         # Enable "low memory mode", queue workers run 1 multithreaded process
         QUEUE_WORKERS_MULTIPROCESS: 'False'
       resources:

flux2/cluster/base/dashboard.yaml

@@ -20,7 +20,7 @@ spec:
       - kind: Secret
         name: stackspin-dashboard-variables
       - kind: Secret
-        name: stackspin-oauth-variables
+        name: stackspin-dashboard-oauth-variables
       - kind: Secret
         name: stackspin-cluster-variables
   healthChecks:

flux2/cluster/optional/nextcloud/nextcloud.yaml

@@ -10,6 +10,7 @@ spec:
   dependsOn:
     - name: nginx
     - name: local-path-provisioner
+    - name: single-sign-on
   sourceRef:
     kind: GitRepository
     name: stackspin

flux2/cluster/optional/wekan/wekan.yaml

@@ -10,6 +10,7 @@ spec:
   dependsOn:
     - name: nginx
     - name: local-path-provisioner
+    - name: single-sign-on
   sourceRef:
     kind: GitRepository
     name: stackspin
@@ -29,6 +30,6 @@ spec:
       - kind: Secret
         name: stackspin-wekan-variables
       - kind: Secret
-        name: stackspin-oauth-variables
+        name: stackspin-wekan-oauth-variables
       - kind: Secret
         name: stackspin-cluster-variables

flux2/cluster/optional/zulip/zulip.yaml

@@ -10,6 +10,7 @@ spec:
   dependsOn:
     - name: nginx
     - name: local-path-provisioner
+    - name: single-sign-on
   sourceRef:
     kind: GitRepository
     name: stackspin
@@ -45,6 +46,6 @@ spec:
       - kind: Secret
         name: stackspin-zulip-variables
       - kind: Secret
-        name: stackspin-oauth-variables
+        name: stackspin-zulip-oauth-variables
       - kind: Secret
         name: stackspin-cluster-variables

flux2/core/base/dashboard/dashboard-oauth-client.yaml

+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: dashboard-oauth-client
+  # Has to live in the same namespace as the stackspin-wordpress-oauth-variables
+  # secret
+  namespace: flux-system
+spec:
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-dashboard-oauth-variables
+  # these are optional
+  redirectUris:
+    - https://dashboard.${domain}/_oauth/oidc
+  tokenEndpointAuthMethod: client_secret_post

flux2/core/base/dashboard/dashboard-release.yaml

@@ -3,6 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
   name: dashboard
+  namespace: stackspin
 spec:
   releaseName: dashboard
   dependsOn:

flux2/core/base/dashboard/dashboard-values-configmap.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: stackspin-dashboard-values
+  namespace: stackspin
 data:
   values.yaml: |
     fullnameOverride: dashboard

flux2/core/base/dashboard/kustomization.yaml

 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: stackspin
 resources:
-  - ./dashboard-release.yaml
-  - ./dashboard-values-configmap.yaml
+  - dashboard-oauth-client.yaml
+  - dashboard-release.yaml
+  - dashboard-values-configmap.yaml