oauth2-client: migrate apps to use oauth2-client helm chart (#90)

* headscale: use oauth2-client helm chart

* pihole: use oauth2-client helm chart

* matrix: use oauth2-client helm chart

* oauth2: pass issuer address to pihole, headscale and matrix apps

* pihole: fix secret name

* matrix: pin synapse image tag to v1.98.0

* headscale: make oauth2-client depend on auth release

---------

Co-authored-by: Giorgi Lekveishvili <lekva@gl-mbp-m1-max.local>
diff --git a/core/headscale/Makefile b/core/headscale/Makefile
index 75f860f..9468ad6 100644
--- a/core/headscale/Makefile
+++ b/core/headscale/Makefile
@@ -1,3 +1,9 @@
+repo_name ?= giolekva
+podman ?= docker
+ifeq ($(podman), podman)
+manifest_dest=docker://docker.io/$(repo_name)/headscale-api:latest
+endif
+
 clean:
 	rm -f server_*
 
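Review bot: `manifest_dest` is only defined when `$(podman)` is literally the word `podman`, so an invocation such as `make podman=/usr/bin/podman` (or a wrapper binary) silently takes the docker branch and the `manifest push` recipe later in this file runs with an empty destination, which at least older podman releases reject; comparing the basename and giving the variable an explicit default makes the intent visible and also keeps `--warn-undefined-variables` quiet: `manifest_dest ?=` before the conditional and `ifeq ($(notdir $(podman)),podman)`. The assignment inside the conditional uses recursive `=` while the surrounding knobs use `?=`; `:=` would be the conventional choice for a derived value. The identical conditional is added at the top of core/installer/Makefile in this commit and should get the same treatment.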
@@ -16,15 +22,15 @@
 	go build -o server_amd64 *.go
 
 push_arm64: clean build_arm64
-	podman build --platform linux/arm64 --tag=giolekva/headscale-api:arm64 .
-	podman push giolekva/headscale-api:arm64
+	$(podman) build --platform linux/arm64 --tag=$(repo_name)/headscale-api:arm64 .
+	$(podman) push $(repo_name)/headscale-api:arm64
 
 push_amd64: clean build_amd64
-	podman build --platform linux/amd64 --tag=giolekva/headscale-api:amd64 .
-	podman push giolekva/headscale-api:amd64
+	$(podman) build --platform linux/amd64 --tag=$(repo_name)/headscale-api:amd64 .
+	$(podman) push $(repo_name)/headscale-api:amd64
 
 
 push: push_arm64 push_amd64
-	podman manifest create giolekva/headscale-api:latest giolekva/headscale-api:arm64 giolekva/headscale-api:amd64
-	podman manifest push giolekva/headscale-api:latest docker://docker.io/giolekva/headscale-api:latest
-	podman manifest rm giolekva/headscale-api:latest
+	$(podman) manifest create $(repo_name)/headscale-api:latest $(repo_name)/headscale-api:arm64 $(repo_name)/headscale-api:amd64
+	$(podman) manifest push $(repo_name)/headscale-api:latest $(manifest_dest)
+	$(podman) manifest rm $(repo_name)/headscale-api:latest
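Review bot: The image reference `$(repo_name)/headscale-api` is now spelled out eight times across the three rewritten recipes, which is exactly the repetition the `repo_name` variable was introduced to remove; one derived value, `image := $(repo_name)/headscale-api`, used as `$(image):arm64` and `$(image):latest`, keeps each line readable and makes a later rename a one-line change. None of `push`, `push_arm64` and `push_amd64` (nor `clean`) is declared phony, so a stray file named `push` in this directory would make the target look up to date; `.PHONY: clean push push_arm64 push_amd64` near the top of the file fixes that. The `build_*` targets these rules depend on lie outside the hunk.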
diff --git a/core/installer/Makefile b/core/installer/Makefile
index acc96c9..1c83138 100644
--- a/core/installer/Makefile
+++ b/core/installer/Makefile
@@ -1,5 +1,8 @@
 repo_name ?= dtabidze
 podman ?= docker
+ifeq ($(podman), podman)
+manifest_dest=docker://docker.io/$(repo_name)/pcloud-installer:latest
+endif
 
 clean:
 	rm -rf tmp
@@ -70,5 +73,5 @@
 
 push: push_arm64 push_amd64
 	$(podman) manifest create $(repo_name)/pcloud-installer:latest $(repo_name)/pcloud-installer:arm64 $(repo_name)/pcloud-installer:amd64
-	$(podman) manifest push $(repo_name)/pcloud-installer:latest 
+	$(podman) manifest push $(repo_name)/pcloud-installer:latest $(manifest_dest)
 	$(podman) manifest rm $(repo_name)/pcloud-installer:latest
diff --git a/core/installer/cmd/bootstrap.go b/core/installer/cmd/bootstrap.go
index 6e0b247..9b68529 100644
--- a/core/installer/cmd/bootstrap.go
+++ b/core/installer/cmd/bootstrap.go
@@ -79,7 +79,8 @@
 }
 
 func bootstrapCmdRun(cmd *cobra.Command, args []string) error {
-	// TODO(gio): remove installer.CreateAllApps()
+	// TODO(gio): remove
+	installer.CreateAllApps()
 	adminPubKey, err := os.ReadFile(bootstrapFlags.adminPubKey)
 	if err != nil {
 		return err
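Review bot: The rewritten comment `// TODO(gio): remove` no longer says what is to be removed or why `installer.CreateAllApps()` now has to run at the start of bootstrap, whereas the old comment at least named the call; a maintainer reading this later cannot tell whether deleting the line is safe. Suggested wording: `// TODO(gio): remove this CreateAllApps() call once <condition — to be filled in by the author> holds; it is needed here for now because <reason — to be filled in>.` I cannot see the signature of `CreateAllApps` from the hunk, so if it returns an error that value is dropped on this line and should be handled the same way as the `os.ReadFile` result two lines below. bootstrapCmdRun continues outside the hunk.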
diff --git a/core/installer/values-tmpl/headscale.cue b/core/installer/values-tmpl/headscale.cue
index e3453ba..1db5eb8 100644
--- a/core/installer/values-tmpl/headscale.cue
+++ b/core/installer/values-tmpl/headscale.cue
@@ -22,6 +22,14 @@
 }
 
 charts: {
+	oauth2Client: {
+		chart: "charts/oauth2-client"
+		sourceRef: {
+			kind: "GitRepository"
+			name: "pcloud"
+			namespace: global.id
+		}
+	}
 	headscale: {
 		chart: "charts/headscale"
 		sourceRef: {
@@ -32,7 +40,27 @@
 	}
 }
 
+_domain: "\(input.subdomain).\(global.domain)"
+_oauth2ClientSecretName: "oauth2-client"
+
 helm: {
+	"oauth2-client": {
+		chart: charts.oauth2Client
+		// TODO(gio): remove once hydra maester is installed as part of dodo itself
+		dependsOnExternal: [{
+			name: "auth"
+			namespace: "\(global.namespacePrefix)core-auth"
+		}]
+		values: {
+			name: "oauth2-client"
+			secretName: _oauth2ClientSecretName
+			grantTypes: ["authorization_code"]
+			responseTypes: ["code"]
+			scope: "openid profile email"
+			redirectUris: ["https://\(_domain)/oidc/callback"]
+			hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
+		}
+	}
 	headscale: {
 		chart: charts.headscale
 		dependsOnExternal: [{
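Review bot: The hunk introduces `_domain` and `_oauth2ClientSecretName` to stop repeating literals, but the issuer URL `"https://hydra.\(global.domain)"` is still written out in the headscale values further down this file (and the hydra-admin service URL is spelled identically in the matrix and pihole templates), so a matching `_issuer: "https://hydra.\(global.domain)"` next to `_domain` would finish the job and give every app one place to change. The `TODO(gio)` above `dependsOnExternal` would be more useful if it also said what fails when the `auth` release is not yet present, since that is the condition a reader needs to judge whether the dependency can be dropped. The enclosing `helm` block continues outside the hunk.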
@@ -48,15 +76,13 @@
 			storage: size: "5Gi"
 			ingressClassName: _ingressPublic
 			certificateIssuer: _issuerPublic
-			domain: "\(input.subdomain).\(global.domain)"
+			domain: _domain
 			publicBaseDomain: global.domain
-			oauth2: {
-				hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
-				hydraPublic: "https://hydra.\(global.domain)"
-				clientId: "headscale"
-				secretName: "oauth2-client-headscale"
-			}
 			ipAddressPool: "\(global.id)-headscale"
+			oauth2: {
+				secretName: _oauth2ClientSecretName
+				issuer: "https://hydra.\(global.domain)"
+			}
 			api: {
 				port: 8585
 				ipSubnet: input.ipSubnet
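Review bot: The old `oauth2` block carried an explicit `clientId: "headscale"`, while the new one passes only `secretName` and `issuer`, so headscale must now obtain its client id and client secret from the Secret written by the oauth2-client chart; the key names that chart writes and the ones the headscale chart reads are not visible here, so please confirm they line up (a mismatch would surface only at login time). A short comment on the block, such as `// client id and secret are read from the Secret created by the "oauth2-client" release above`, would record that contract for the next reader. The `api` block and the rest of the values continue outside the hunk.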
diff --git a/core/installer/values-tmpl/matrix.cue b/core/installer/values-tmpl/matrix.cue
index f516244..9daf2eb 100644
--- a/core/installer/values-tmpl/matrix.cue
+++ b/core/installer/values-tmpl/matrix.cue
@@ -15,7 +15,7 @@
 	matrix: {
 		repository: "matrixdotorg"
 		name: "synapse"
-		tag: "latest"
+		tag: "v1.98.0"
 		pullPolicy: "IfNotPresent"
 	}
 	postgres: {
@@ -27,6 +27,14 @@
 }
 
 charts: {
+	oauth2Client: {
+		chart: "charts/oauth2-client"
+		sourceRef: {
+			kind: "GitRepository"
+			name: "pcloud"
+			namespace: global.id
+		}
+	}
 	matrix: {
 		chart: "charts/matrix"
 		sourceRef: {
@@ -45,7 +53,21 @@
 	}
 }
 
+_oauth2ClientSecretName: "oauth2-client"
+
 helm: {
+	"oauth2-client": {
+		chart: charts.oauth2Client
+		values: {
+			name: "oauth2-client"
+			secretName: _oauth2ClientSecretName
+			grantTypes: ["authorization_code"]
+			responseTypes: ["code"]
+			scope: "openid profile"
+			redirectUris: ["https://\(_domain)/_synapse/client/oidc/callback"]
+			hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
+		}
+	}
 	matrix: {
 		dependsOn: [
 			postgres
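Review bot: The matrix `"oauth2-client"` release has no `dependsOnExternal` entry for the `auth` release, unlike the headscale template in this same commit (whose message explicitly adds that dependency), so its OAuth2Client object may be applied before the hydra controller that reconciles it exists; adding the same `dependsOnExternal: [{ name: "auth", namespace: "\(global.namespacePrefix)core-auth" }]` keeps the three apps consistent. The same omission is in the pihole template's `"oauth2-client"` release. `redirectUris` references `_domain`, which this hunk does not define and which the headscale template had to add in this commit; if matrix.cue does not already declare it, the redirect URI will not evaluate. The `matrix` release continues outside the hunk.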
@@ -55,9 +77,8 @@
 			domain: global.domain
 			subdomain: input.subdomain
 			oauth2: {
-				hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
-				hydraPublic: "https://hydra.\(global.domain)"
 				secretName: "oauth2-client"
+				issuer: "https://hydra.\(global.domain)"
 			}
 			postgresql: {
 				host: "postgres"
diff --git a/core/installer/values-tmpl/pihole.cue b/core/installer/values-tmpl/pihole.cue
index c9cc61d..a1ec66a 100644
--- a/core/installer/values-tmpl/pihole.cue
+++ b/core/installer/values-tmpl/pihole.cue
@@ -21,6 +21,14 @@
 }
 
 charts: {
+	oauth2Client: {
+		chart: "charts/oauth2-client"
+		sourceRef: {
+			kind: "GitRepository"
+			name: "pcloud"
+			namespace: global.id
+		}
+	}
 	pihole: {
 		chart: "charts/pihole"
 		sourceRef: {
@@ -31,7 +39,21 @@
 	}
 }
 
+_oauth2ClientSecretName: "oauth2-client"
+
 helm: {
+	"oauth2-client": {
+		chart: charts.oauth2Client
+		values: {
+			name: "oauth2-client"
+			secretName: _oauth2ClientSecretName
+			grantTypes: ["authorization_code"]
+			responseTypes: ["code"]
+			scope: "openid profile email"
+			redirectUris: ["https://\(_domain)/oauth2/callback"]
+			hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc.cluster.local"
+		}
+	}
 	pihole: {
 		chart: charts.pihole
 		values: {
@@ -81,11 +103,11 @@
 				}
 			}
 			oauth2: {
-				secretName: "oauth2-secret"
-				configName: "oauth2-proxy"
-				hydraAdmin: "http://hydra-admin.\(global.namespacePrefix)core-auth.svc"
+				cookieSecret: "1234123443214321"
+				secretName: _oauth2ClientSecretName
+				issuer: "https://hydra.\(global.domain)"
 			}
-			hydraPublic: "https://hydra.\(global.domain)"
+			configName: "oauth2-proxy"
 			profileUrl: "https://accounts-ui.\(global.domain)"
 			ingressClassName: input.network.ingressClass
 			certificateIssuer: input.network.certificateIssuer
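Review bot: `cookieSecret: "1234123443214321"` hard-codes the key that oauth2-proxy uses to sign and encrypt its session cookies into a template that is committed to the repository and rendered identically for every installation, so the sessions it protects are not private to any single deployment. The value should be generated per install and never appear in source: if the installer already has a random-secret facility for other apps, use it here; otherwise have the template reference a Secret created at install time, and add a comment such as `// cookieSecret must be unique per installation and is never checked in`. Separately, `configName: "oauth2-proxy"` has moved from inside `oauth2` to the top level of the values while `secretName` stayed inside, so please confirm the pihole chart reads it at the new location. The rest of the `values` block continues outside the hunk.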