oauth2-client: migrate apps to use oauth2-client helm chart (#90)

* headscale: use oauth2-client helm chart

* pihole: use oauth2-client helm chart

* matrix: use oauth2-client helm chart

* oauth2: pass issuer address to pihole, headscale and matrix apps

* pihole: fix secret name

* matrix: fix version to v1.98.0

* headscale: make oauth2-client depend on auth release

---------

Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/charts/headscale/templates/config.yaml b/charts/headscale/templates/config.yaml
index 85d8b79..7c007ba 100644
--- a/charts/headscale/templates/config.yaml
+++ b/charts/headscale/templates/config.yaml
@@ -273,7 +273,7 @@
         # OpenID Connect
         oidc:
           only_start_if_oidc_is_available: true
-          issuer: {{ .Values.oauth2.hydraPublic }}
+          issuer: {{ .Values.oauth2.issuer }}
           client_id: {{`{{ .client_id }}`}}
           client_secret: {{`{{ .client_secret }}`}}
           scope: ["openid", "profile", "email"]
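Review bot: The new `issuer:` line expands `.Values.oauth2.issuer` as a plain scalar, so whatever the value contains is subject to YAML's implicit typing at render time — an empty or unset value renders as `issuer:` (null) and headscale then fails on a missing issuer rather than on a clear configuration error. Quoting the expansion keeps the rendered config a string in every case: `issuer: {{ .Values.oauth2.issuer | quote }}`. The same applies to the matrix template (`issuer: {{ .Values.oauth2.issuer }}` in config-to-merge.yaml); the pihole template already quotes its `oidc_issuer_url`. The enclosing `oidc:` mapping starts outside this hunk.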
diff --git a/charts/headscale/templates/oauth2-client.yaml b/charts/headscale/templates/oauth2-client.yaml
deleted file mode 100644
index 0bd797a..0000000
--- a/charts/headscale/templates/oauth2-client.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: hydra.ory.sh/v1alpha1
-kind: OAuth2Client
-metadata:
-  name: headscale
-  namespace: {{ .Release.Namespace }}
-spec:
-  grantTypes:
-  - authorization_code
-  responseTypes:
-  - code
-  scope: "openid profile email"
-  secretName: {{ .Values.oauth2.secretName }}
-  redirectUris:
-  - https://{{ .Values.domain }}/oidc/callback
-  hydraAdmin:
-    url: {{ .Values.oauth2.hydraAdmin }}
-    port: 80
-    endpoint: /admin/clients
-    forwardedProto: https
diff --git a/charts/headscale/values.yaml b/charts/headscale/values.yaml
index 6152794..18d7b57 100644
--- a/charts/headscale/values.yaml
+++ b/charts/headscale/values.yaml
@@ -8,11 +8,10 @@
 certificateIssuer: lekva-public
 domain: headscale.example.com
 publicBaseDomain: example.com
-oauth2:
-  hydraAdmin: http://hydra-admin
-  hydraPublic: https://hydra.example.com
-  secretName: oauth2-client-headscale
 ipAddressPool: example-headscale
+oauth2:
+  secretName: oauth2-client
+  issuer: https://oidc-issuer.example.com
 api:
   port: 8585
   ipSubnet: 10.1.0.0/24
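Review bot: The new default `issuer: https://oidc-issuer.example.com` means a release that forgets to override `oauth2.issuer` still renders cleanly and points token validation at a host the operator does not control, instead of failing at install time. A safer default is an empty value here (`issuer: ""`) with the templates guarding it, e.g. `issuer: {{ required "oauth2.issuer must be set" .Values.oauth2.issuer | quote }}`, so a missing override is caught by `helm template`/`helm install`. The matrix and pihole values files add the same example.com default.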
diff --git a/charts/matrix/templates/config-to-merge.yaml b/charts/matrix/templates/config-to-merge.yaml
index c34a2c7..eefe3e3 100644
--- a/charts/matrix/templates/config-to-merge.yaml
+++ b/charts/matrix/templates/config-to-merge.yaml
@@ -33,7 +33,7 @@
           - idp_id: pcloud
             idp_name: "PCloud"
             skip_verification: true
-            issuer: {{ .Values.oauth2.hydraPublic }}
+            issuer: {{ .Values.oauth2.issuer }}
             client_id: "{{`{{ .client_id }}`}}"
             client_secret: "{{`{{ .client_secret }}`}}"
             scopes: ["openid", "profile"]
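Review bot: The new issuer is still paired with the context line `skip_verification: true` two lines above it, which tells Synapse not to validate the provider's discovery metadata against the configured issuer. That setting was presumably needed for the previous Hydra endpoint; if the new `oauth2.issuer` is a compliant OpenID Connect provider, the line can be removed so that the issuer in the discovery document is checked, and otherwise a comment explaining why verification is skipped would help the next reader. The enclosing `oidc_providers` entry starts outside this hunk.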
diff --git a/charts/matrix/templates/oauth2-client.yaml b/charts/matrix/templates/oauth2-client.yaml
deleted file mode 100644
index ffe6936..0000000
--- a/charts/matrix/templates/oauth2-client.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: hydra.ory.sh/v1alpha1
-kind: OAuth2Client
-metadata:
-  name: matrix
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    helm.sh/hook: pre-install
-    helm.sh/hook-weight: "-10"
-spec:
-  grantTypes:
-  - authorization_code
-  responseTypes:
-  - code
-  scope: "openid profile"
-  secretName: {{ .Values.oauth2.secretName }}
-  redirectUris:
-  - https://{{ .Values.subdomain }}.{{ .Values.domain }}/_synapse/client/oidc/callback
-  hydraAdmin:
-    url: {{ .Values.oauth2.hydraAdmin }}
-    port: 80
-    endpoint: /admin/clients
-    forwardedProto: https
diff --git a/charts/matrix/values.yaml b/charts/matrix/values.yaml
index 64d2e90..5d57ae0 100644
--- a/charts/matrix/values.yaml
+++ b/charts/matrix/values.yaml
@@ -5,8 +5,7 @@
 domain: example.com
 subdomain: matrix
 oauth2:
-  hydraAdmin: http://hydra-admin
-  hydraPublic: https://hydra.example.com
+  issuer: https://oidc-issuer.example.com
   secretName: oauth2-client
 postgresql:
   host: postgresql
diff --git a/charts/pihole/templates/oauth2-client.yaml b/charts/pihole/templates/oauth2-client.yaml
deleted file mode 100644
index f178ea0..0000000
--- a/charts/pihole/templates/oauth2-client.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: hydra.ory.sh/v1alpha1
-kind: OAuth2Client
-metadata:
-  name: oauth2-client
-  namespace: {{ .Release.Namespace }}
-spec:
-  grantTypes:
-  - authorization_code
-  responseTypes:
-  - code
-  scope: "openid email profile"
-  secretName: {{ .Values.oauth2.secretName }}
-  redirectUris:
-  - https://{{ .Values.domain }}/oauth2/callback
-  hydraAdmin:
-    url: {{ .Values.oauth2.hydraAdmin }}
-    port: 80
-    endpoint: /admin/clients
-    forwardedProto: https
diff --git a/charts/pihole/templates/oauth2-proxy-config.yaml b/charts/pihole/templates/oauth2-proxy-config.yaml
index 2141bce..5aebbb0 100644
--- a/charts/pihole/templates/oauth2-proxy-config.yaml
+++ b/charts/pihole/templates/oauth2-proxy-config.yaml
@@ -9,7 +9,7 @@
     apiVersion: v1
     kind: ConfigMap
     metadata:
-      name: {{ .Values.oauth2.configName }}
+      name: {{ .Values.configName }}
       namespace: {{ .Release.Namespace }}
     data:
       oauth2-proxy.cfg: |
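Review bot: Moving the key from `.Values.oauth2.configName` to `.Values.configName` silently ignores any existing override file that still sets `oauth2.configName`; Helm does not warn about unknown values keys, so such a release renders `name:` with an empty value and only fails at apply time, in both this ConfigMap and the volume reference in oauth2-proxy.yaml (`name: {{ .Values.configName }}`). Guarding the lookup makes the failure explicit and points at the renamed key: `name: {{ required "configName must be set (was oauth2.configName)" .Values.configName }}`. The ConfigMap definition starts outside this hunk.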
@@ -53,6 +53,6 @@
         cookie_httponly = true
 
         provider = "oidc"
-        oidc_issuer_url = "{{ .Values.hydraPublic }}"
+        oidc_issuer_url = "{{ .Values.oauth2.issuer }}"
         provider_display_name = "PCloud"
         profile_url = "{{ .Values.profileUrl }}"
diff --git a/charts/pihole/templates/oauth2-proxy.yaml b/charts/pihole/templates/oauth2-proxy.yaml
index 51f88d4..2d62f7b 100644
--- a/charts/pihole/templates/oauth2-proxy.yaml
+++ b/charts/pihole/templates/oauth2-proxy.yaml
@@ -54,7 +54,7 @@
       volumes:
       - name: config
         configMap:
-          name: {{ .Values.oauth2.configName }}
+          name: {{ .Values.configName }}
       containers:
       - name: pihole-oauth2-proxy
         image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
diff --git a/charts/pihole/values.yaml b/charts/pihole/values.yaml
index 070be1e..542fcd3 100644
--- a/charts/pihole/values.yaml
+++ b/charts/pihole/values.yaml
@@ -1,10 +1,10 @@
 pihole: {}
 oauth2:
   cookieSecret: "1234123443214321"
-  secretName: oauth2-secret
-  configName: oauth2-proxy
+  secretName: oauth2-client
+  issuer: https://oidc-issuer.example.com
+configName: oauth2-proxy
 domain: pihole.p.example.com
-hydraPublic: https://hydra.example.com
 profileUrl: https://profile.example.com
 ingressClassName: private