oauth2-client: migrate apps to use oauth2-client helm chart (#90)
* headscale: use oauth2-client helm chart
* pihole: use oauth2-client helm chart
* matrix: use oauth2-client helm chart
* oauth2: pass issuer address to pihole, headscale and matrix apps
* pihole: fix secret name
* matrix: fix version to v1.98.0
* headscale: make oauth2-client depend on auth release
---------
Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/charts/headscale/templates/config.yaml b/charts/headscale/templates/config.yaml
index 85d8b79..7c007ba 100644
--- a/charts/headscale/templates/config.yaml
+++ b/charts/headscale/templates/config.yaml
@@ -273,7 +273,7 @@
# OpenID Connect
oidc:
only_start_if_oidc_is_available: true
- issuer: {{ .Values.oauth2.hydraPublic }}
+ issuer: {{ .Values.oauth2.issuer }}
client_id: {{`{{ .client_id }}`}}
client_secret: {{`{{ .client_secret }}`}}
scope: ["openid", "profile", "email"]
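Review bot: The new `issuer` line is an unquoted template expansion, so an unset `oauth2.issuer` renders as a bare `issuer:` (YAML null) and the chart installs with a broken OIDC block instead of failing at render time. Because `only_start_if_oidc_is_available: true` makes headscale depend on this value, fail fast and keep the scalar a string: `issuer: {{ required "oauth2.issuer must be set" .Values.oauth2.issuer | quote }}`. The `oidc:` mapping continues outside the hunk.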
diff --git a/charts/headscale/templates/oauth2-client.yaml b/charts/headscale/templates/oauth2-client.yaml
deleted file mode 100644
index 0bd797a..0000000
--- a/charts/headscale/templates/oauth2-client.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: hydra.ory.sh/v1alpha1
-kind: OAuth2Client
-metadata:
- name: headscale
- namespace: {{ .Release.Namespace }}
-spec:
- grantTypes:
- - authorization_code
- responseTypes:
- - code
- scope: "openid profile email"
- secretName: {{ .Values.oauth2.secretName }}
- redirectUris:
- - https://{{ .Values.domain }}/oidc/callback
- hydraAdmin:
- url: {{ .Values.oauth2.hydraAdmin }}
- port: 80
- endpoint: /admin/clients
- forwardedProto: https
diff --git a/charts/headscale/values.yaml b/charts/headscale/values.yaml
index 6152794..18d7b57 100644
--- a/charts/headscale/values.yaml
+++ b/charts/headscale/values.yaml
@@ -8,11 +8,10 @@
certificateIssuer: lekva-public
domain: headscale.example.com
publicBaseDomain: example.com
-oauth2:
- hydraAdmin: http://hydra-admin
- hydraPublic: https://hydra.example.com
- secretName: oauth2-client-headscale
ipAddressPool: example-headscale
+oauth2:
+ secretName: oauth2-client
+ issuer: https://oidc-issuer.example.com
api:
port: 8585
ipSubnet: 10.1.0.0/24
diff --git a/charts/matrix/templates/config-to-merge.yaml b/charts/matrix/templates/config-to-merge.yaml
index c34a2c7..eefe3e3 100644
--- a/charts/matrix/templates/config-to-merge.yaml
+++ b/charts/matrix/templates/config-to-merge.yaml
@@ -33,7 +33,7 @@
- idp_id: pcloud
idp_name: "PCloud"
skip_verification: true
- issuer: {{ .Values.oauth2.hydraPublic }}
+ issuer: {{ .Values.oauth2.issuer }}
client_id: "{{`{{ .client_id }}`}}"
client_secret: "{{`{{ .client_secret }}`}}"
scopes: ["openid", "profile"]
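Review bot: The issuer is now injected from values directly above a pre-existing `skip_verification: true`, which (if I read Synapse's OIDC option correctly) disables checking the provider's discovery metadata against the configured issuer, so a mistyped or substituted `oauth2.issuer` would not be caught at startup. Hydra is a compliant OIDC provider, so consider dropping `skip_verification` or adding a comment stating why it is needed. Also quote the template like the neighbouring `client_id`/`client_secret` lines so an empty value cannot render as null: `issuer: "{{ required "oauth2.issuer must be set" .Values.oauth2.issuer }}"`. The `oidc_providers` entry continues outside the hunk.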
diff --git a/charts/matrix/templates/oauth2-client.yaml b/charts/matrix/templates/oauth2-client.yaml
deleted file mode 100644
index ffe6936..0000000
--- a/charts/matrix/templates/oauth2-client.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: hydra.ory.sh/v1alpha1
-kind: OAuth2Client
-metadata:
- name: matrix
- namespace: {{ .Release.Namespace }}
- annotations:
- helm.sh/hook: pre-install
- helm.sh/hook-weight: "-10"
-spec:
- grantTypes:
- - authorization_code
- responseTypes:
- - code
- scope: "openid profile"
- secretName: {{ .Values.oauth2.secretName }}
- redirectUris:
- - https://{{ .Values.subdomain }}.{{ .Values.domain }}/_synapse/client/oidc/callback
- hydraAdmin:
- url: {{ .Values.oauth2.hydraAdmin }}
- port: 80
- endpoint: /admin/clients
- forwardedProto: https
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml
index 64d2e90..5d57ae0 100644
--- a/charts/matrix/values.yaml
+++ b/charts/matrix/values.yaml
@@ -5,8 +5,7 @@
domain: example.com
subdomain: matrix
oauth2:
- hydraAdmin: http://hydra-admin
- hydraPublic: https://hydra.example.com
+ issuer: https://oidc-issuer.example.com
secretName: oauth2-client
postgresql:
host: postgresql
diff --git a/charts/pihole/templates/oauth2-client.yaml b/charts/pihole/templates/oauth2-client.yaml
deleted file mode 100644
index f178ea0..0000000
--- a/charts/pihole/templates/oauth2-client.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: hydra.ory.sh/v1alpha1
-kind: OAuth2Client
-metadata:
- name: oauth2-client
- namespace: {{ .Release.Namespace }}
-spec:
- grantTypes:
- - authorization_code
- responseTypes:
- - code
- scope: "openid email profile"
- secretName: {{ .Values.oauth2.secretName }}
- redirectUris:
- - https://{{ .Values.domain }}/oauth2/callback
- hydraAdmin:
- url: {{ .Values.oauth2.hydraAdmin }}
- port: 80
- endpoint: /admin/clients
- forwardedProto: https
diff --git a/charts/pihole/templates/oauth2-proxy-config.yaml b/charts/pihole/templates/oauth2-proxy-config.yaml
index 2141bce..5aebbb0 100644
--- a/charts/pihole/templates/oauth2-proxy-config.yaml
+++ b/charts/pihole/templates/oauth2-proxy-config.yaml
@@ -9,7 +9,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ .Values.oauth2.configName }}
+ name: {{ .Values.configName }}
namespace: {{ .Release.Namespace }}
data:
oauth2-proxy.cfg: |
@@ -53,6 +53,6 @@
cookie_httponly = true
provider = "oidc"
- oidc_issuer_url = "{{ .Values.hydraPublic }}"
+ oidc_issuer_url = "{{ .Values.oauth2.issuer }}"
provider_display_name = "PCloud"
profile_url = "{{ .Values.profileUrl }}"
diff --git a/charts/pihole/templates/oauth2-proxy.yaml b/charts/pihole/templates/oauth2-proxy.yaml
index 51f88d4..2d62f7b 100644
--- a/charts/pihole/templates/oauth2-proxy.yaml
+++ b/charts/pihole/templates/oauth2-proxy.yaml
@@ -54,7 +54,7 @@
volumes:
- name: config
configMap:
- name: {{ .Values.oauth2.configName }}
+ name: {{ .Values.configName }}
containers:
- name: pihole-oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
diff --git a/charts/pihole/values.yaml b/charts/pihole/values.yaml
index 070be1e..542fcd3 100644
--- a/charts/pihole/values.yaml
+++ b/charts/pihole/values.yaml
@@ -1,10 +1,10 @@
pihole: {}
oauth2:
cookieSecret: "1234123443214321"
- secretName: oauth2-secret
- configName: oauth2-proxy
+ secretName: oauth2-client
+ issuer: https://oidc-issuer.example.com
+configName: oauth2-proxy
domain: pihole.p.example.com
-hydraPublic: https://hydra.example.com
profileUrl: https://profile.example.com
ingressClassName: private
diff --git a/core/headscale/Makefile b/core/headscale/Makefile
index 75f860f..9468ad6 100644
--- a/core/headscale/Makefile
+++ b/core/headscale/Makefile
@@ -1,3 +1,9 @@
+repo_name ?= giolekva
+podman ?= docker
+ifeq ($(podman), podman)
+manifest_dest=docker://docker.io/$(repo_name)/headscale-api:latest
+endif
+
clean:
rm -f server_*
@@ -16,15 +22,15 @@
go build -o server_amd64 *.go
push_arm64: clean build_arm64
- podman build --platform linux/arm64 --tag=giolekva/headscale-api:arm64 .
- podman push giolekva/headscale-api:arm64
+ $(podman) build --platform linux/arm64 --tag=$(repo_name)/headscale-api:arm64 .
+ $(podman) push $(repo_name)/headscale-api:arm64
push_amd64: clean build_amd64
- podman build --platform linux/amd64 --tag=giolekva/headscale-api:amd64 .
- podman push giolekva/headscale-api:amd64
+ $(podman) build --platform linux/amd64 --tag=$(repo_name)/headscale-api:amd64 .
+ $(podman) push $(repo_name)/headscale-api:amd64
push: push_arm64 push_amd64
- podman manifest create giolekva/headscale-api:latest giolekva/headscale-api:arm64 giolekva/headscale-api:amd64
- podman manifest push giolekva/headscale-api:latest docker://docker.io/giolekva/headscale-api:latest
- podman manifest rm giolekva/headscale-api:latest
+ $(podman) manifest create $(repo_name)/headscale-api:latest $(repo_name)/headscale-api:arm64 $(repo_name)/headscale-api:amd64
+ $(podman) manifest push $(repo_name)/headscale-api:latest $(manifest_dest)
+ $(podman) manifest rm $(repo_name)/headscale-api:latest
diff --git a/core/installer/Makefile b/core/installer/Makefile
index acc96c9..1c83138 100644
--- a/core/installer/Makefile
+++ b/core/installer/Makefile
@@ -1,5 +1,8 @@
repo_name ?= dtabidze
podman ?= docker
+ifeq ($(podman), podman)
+manifest_dest=docker://docker.io/$(repo_name)/pcloud-installer:latest
+endif
clean:
rm -rf tmp
@@ -70,5 +73,5 @@
push: push_arm64 push_amd64
$(podman) manifest create $(repo_name)/pcloud-installer:latest $(repo_name)/pcloud-installer:arm64 $(repo_name)/pcloud-installer:amd64
- $(podman) manifest push $(repo_name)/pcloud-installer:latest
+ $(podman) manifest push $(repo_name)/pcloud-installer:latest $(manifest_dest)
$(podman) manifest rm $(repo_name)/pcloud-installer:latest
diff --git a/core/installer/cmd/bootstrap.go b/core/installer/cmd/bootstrap.go
index 6e0b247..9b68529 100644
--- a/core/installer/cmd/bootstrap.go
+++ b/core/installer/cmd/bootstrap.go
@@ -79,7 +79,8 @@
}
func bootstrapCmdRun(cmd *cobra.Command, args []string) error {
- // TODO(gio): remove installer.CreateAllApps()
+ // TODO(gio): remove
+ installer.CreateAllApps()
adminPubKey, err := os.ReadFile(bootstrapFlags.adminPubKey)
if err != nil {
return err
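Review bot: `installer.CreateAllApps()` is now called for its side effects with any return value discarded; if it returns an error (its signature is not in the hunk), a failure here is silent and bootstrap continues with a partially created app set. Handle it like the surrounding code does, `if err := installer.CreateAllApps(); err != nil { return err }`, or, if it returns nothing, make the TODO say why the call is temporary: `// TODO(gio): remove once apps are created by the installer itself`. `bootstrapCmdRun` continues outside the hunk.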
diff --git a/core/installer/values-tmpl/headscale.cue b/core/installer/values-tmpl/headscale.cue
index e3453ba..1db5eb8 100644
--- a/core/installer/values-tmpl/headscale.cue
+++ b/core/installer/values-tmpl/headscale.cue
@@ -22,6 +22,14 @@
}
charts: {
+ oauth2Client: {
+ chart: "charts/oauth2-client"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
headscale: {
chart: "charts/headscale"
sourceRef: {
@@ -32,7 +40,27 @@
}
}
+_domain: "\(input.subdomain).\(global.domain)"
+_oauth2ClientSecretName: "oauth2-client"
+
helm: {
+ "oauth2-client": {
+ chart: charts.oauth2Client
+ // TODO(gio): remove once hydra maester is installed as part of dodo itself
+ dependsOnExternal: [{
+ name: "auth"
+ namespace: "\(global.namespacePrefix)core-auth"
+ }]
+ values: {
+ name: "oauth2-client"
+ secretName: _oauth2ClientSecretName
+ grantTypes: ["authorization_code"]
+ responseTypes: ["code"]
+ scope: "openid profile email"
+ redirectUris: ["https://\(_domain)/oidc/callback"]
+ hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
+ }
+ }
headscale: {
chart: charts.headscale
dependsOnExternal: [{
@@ -48,15 +76,13 @@
storage: size: "5Gi"
ingressClassName: _ingressPublic
certificateIssuer: _issuerPublic
- domain: "\(input.subdomain).\(global.domain)"
+ domain: _domain
publicBaseDomain: global.domain
- oauth2: {
- hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
- hydraPublic: "https://hydra.\(global.domain)"
- clientId: "headscale"
- secretName: "oauth2-client-headscale"
- }
ipAddressPool: "\(global.id)-headscale"
+ oauth2: {
+ secretName: _oauth2ClientSecretName
+ issuer: "https://hydra.\(global.domain)"
+ }
api: {
port: 8585
ipSubnet: input.ipSubnet
diff --git a/core/installer/values-tmpl/matrix.cue b/core/installer/values-tmpl/matrix.cue
index f516244..9daf2eb 100644
--- a/core/installer/values-tmpl/matrix.cue
+++ b/core/installer/values-tmpl/matrix.cue
@@ -15,7 +15,7 @@
matrix: {
repository: "matrixdotorg"
name: "synapse"
- tag: "latest"
+ tag: "v1.98.0"
pullPolicy: "IfNotPresent"
}
postgres: {
@@ -27,6 +27,14 @@
}
charts: {
+ oauth2Client: {
+ chart: "charts/oauth2-client"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
matrix: {
chart: "charts/matrix"
sourceRef: {
@@ -45,7 +53,21 @@
}
}
+_oauth2ClientSecretName: "oauth2-client"
+
helm: {
+ "oauth2-client": {
+ chart: charts.oauth2Client
+ values: {
+ name: "oauth2-client"
+ secretName: _oauth2ClientSecretName
+ grantTypes: ["authorization_code"]
+ responseTypes: ["code"]
+ scope: "openid profile"
+ redirectUris: ["https://\(_domain)/_synapse/client/oidc/callback"]
+ hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
+ }
+ }
matrix: {
dependsOn: [
postgres
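Review bot: The deleted `charts/matrix/templates/oauth2-client.yaml` created the Hydra client as a `pre-install` hook (weight -10), which guaranteed the client secret existed before Synapse rendered its config; the replacement `oauth2-client` release carries no ordering, and the `matrix` release's `dependsOn` shows only `postgres` (the list continues outside the hunk). Unless that list also names the new release, Synapse can start before the `oauth2-client` secret exists and fail on the `client_id`/`client_secret` lookup. Add the `oauth2-client` release to `dependsOn` in the same way `postgres` is referenced. This `oauth2-client` release also lacks the `dependsOnExternal` on `auth` that the headscale template was given in the same commit, so it may be reconciled before hydra-maester is available.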
@@ -55,9 +77,8 @@
domain: global.domain
subdomain: input.subdomain
oauth2: {
- hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
- hydraPublic: "https://hydra.\(global.domain)"
secretName: "oauth2-client"
+ issuer: "https://hydra.\(global.domain)"
}
postgresql: {
host: "postgres"
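Review bot: `secretName: "oauth2-client"` is a literal here while the `oauth2-client` release a few lines up uses `_oauth2ClientSecretName` for the same value; the two must stay equal or Synapse reads a secret that was never written. Reference the shared field instead, `secretName: _oauth2ClientSecretName`, as the headscale template does. The `matrix` values block continues outside the hunk.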
diff --git a/core/installer/values-tmpl/pihole.cue b/core/installer/values-tmpl/pihole.cue
index c9cc61d..a1ec66a 100644
--- a/core/installer/values-tmpl/pihole.cue
+++ b/core/installer/values-tmpl/pihole.cue
@@ -21,6 +21,14 @@
}
charts: {
+ oauth2Client: {
+ chart: "charts/oauth2-client"
+ sourceRef: {
+ kind: "GitRepository"
+ name: "pcloud"
+ namespace: global.id
+ }
+ }
pihole: {
chart: "charts/pihole"
sourceRef: {
@@ -31,7 +39,21 @@
}
}
+_oauth2ClientSecretName: "oauth2-client"
+
helm: {
+ "oauth2-client": {
+ chart: charts.oauth2Client
+ values: {
+ name: "oauth2-client"
+ secretName: _oauth2ClientSecretName
+ grantTypes: ["authorization_code"]
+ responseTypes: ["code"]
+ scope: "openid profile email"
+ redirectUris: ["https://\(_domain)/oauth2/callback"]
+ hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
+ }
+ }
pihole: {
chart: charts.pihole
values: {
@@ -81,11 +103,11 @@
}
}
oauth2: {
- secretName: "oauth2-secret"
- configName: "oauth2-proxy"
- hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc"
+ cookieSecret: "1234123443214321"
+ secretName: _oauth2ClientSecretName
+ issuer: "https://hydra.\(global.domain)"
}
- hydraPublic: "https://hydra.\(global.domain)"
+ configName: "oauth2-proxy"
profileUrl: "https://accounts-ui.\(global.domain)"
ingressClassName: input.network.ingressClass
certificateIssuer: input.network.certificateIssuer
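Review bot: `cookieSecret: "1234123443214321"` hard-codes oauth2-proxy's cookie signing/encryption key into the installer template, so every installation shares a key that is public in this repository; anyone holding it can mint a valid session cookie and walk past the proxy into Pi-hole. The chart's `values.yaml` carried the same placeholder before, but this hunk now pins it explicitly for every install. Generate it per install instead — a random 16, 24 or 32-byte value (the lengths oauth2-proxy accepts) delivered through a Secret, using whatever secret-generation facility the installer has — and leave a marker so a literal cannot return unnoticed: `// cookieSecret must be a per-install random value; never a fixed literal`. The pihole values block continues outside the hunk.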