diff --git a/.gitignore b/.gitignore index 05f6061..abf2e99 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,6 @@ oauth-proxy-plugin.yaml *.p12 *.csr *.pkcs8 -*.sql *.zip *.pem *.srl diff --git a/resources/api-gateway/Dockerfile b/resources/api-gateway/Dockerfile index b823b36..764b4c4 100644 --- a/resources/api-gateway/Dockerfile +++ b/resources/api-gateway/Dockerfile @@ -1,11 +1,10 @@ ################################################################################################### # A custom Docker image for advanced deployments that use the OAuth Proxy and Phantom Token plugins ################################################################################################### -FROM kong/kong:3.9 +FROM kong/kong:3.9-ubuntu USER root -RUN apt-get update -RUN apt-get install -y git unzip +RUN apt-get update && apt-get install -y git unzip wget # # Install luarocks, and set git options if required diff --git a/resources/curity/idsvr-final/database/postgres.yaml b/resources/curity/idsvr-final/database/postgres.yaml index 0552f1a..d2d8bd8 100644 --- a/resources/curity/idsvr-final/database/postgres.yaml +++ b/resources/curity/idsvr-final/database/postgres.yaml @@ -33,11 +33,8 @@ spec: spec: containers: - name: postgres - image: postgres:17.2 + image: postgres:18.4 volumeMounts: - - name: init-script - mountPath: /docker-entrypoint-initdb.d - readOnly: true - name: postgres-persistent-storage mountPath: /var/lib/postgresql/data env: @@ -48,7 +45,7 @@ spec: - name: POSTGRES_PASSWORD value: Password1 - name: PGDATA - value: /var/lib/postgresql/data/pgdata + value: /var/lib/postgresql/pgdata ports: - containerPort: 5432 name: postgres @@ -56,9 +53,6 @@ spec: - name: postgres-persistent-storage persistentVolumeClaim: claimName: idsvr-pv-claim - - name: init-script - configMap: - name: sql-init-script --- apiVersion: v1 kind: PersistentVolumeClaim diff --git a/resources/curity/idsvr-final/deploy.sh b/resources/curity/idsvr-final/deploy.sh index 6098376..a35ea24 100755 --- a/resources/curity/idsvr-final/deploy.sh +++ b/resources/curity/idsvr-final/deploy.sh @@ -38,6 +38,7 @@ fi kubectl create namespace curity 2>/dev/null kubectl -n curity create serviceaccount curity-idsvr-admin 2>/dev/null kubectl -n curity create serviceaccount curity-idsvr-runtime 2>/dev/null +kubectl -n curity create serviceaccount curity-idsvr-dbinit 2>/dev/null # # Protect parameters and do other preprocessing @@ -48,16 +49,8 @@ if [ $? -ne 0 ]; then fi # -# Create a database script configmap -# -kubectl -n curity delete configmap sql-init-script 2>/dev/null -kubectl -n curity create configmap sql-init-script --from-file='database/dbinit.sql' -if [ $? -ne 0 ]; then - exit 1 -fi - -# -# Deploy the SQL database and use external storage for a development computer +# Deploy the Curity Identity Server's SQL database and use external storage for a development computer +# The schema for the database is created by a job container that the Helm chart creates # kubectl -n curity apply -f database/postgres.yaml if [ $? -ne 0 ]; then @@ -79,4 +72,3 @@ kubectl -n curity apply -f gateway-routes.yaml if [ $? -ne 0 ]; then exit 1 fi - diff --git a/resources/curity/idsvr-final/parameters/create-parameters.sh b/resources/curity/idsvr-final/parameters/create-parameters.sh index b000c8f..b47e3c2 100755 --- a/resources/curity/idsvr-final/parameters/create-parameters.sh +++ b/resources/curity/idsvr-final/parameters/create-parameters.sh @@ -83,15 +83,6 @@ while [ "$(curl -k -s -o /dev/null -w ''%{http_code}'' "https://localhost:6749/a sleep 2 done -# -# Get the SQL init script from the running container, which the database deployment uses -# -docker cp curity:/opt/idsvr/etc/postgres-create_database.sql ../database/dbinit.sql -if [ $? -ne 0 ]; then - echo "*** Problem encountered copying the database script" - exit 1 -fi - # # Copy the encryption script to the container # @@ -153,7 +144,6 @@ kubectl -n curity create configmap idsvr-parameters \ --from-literal="RUNTIME_BASE_URL=$RUNTIME_BASE_URL" \ --from-literal="ADMIN_BASE_URL=$ADMIN_BASE_URL" \ --from-literal="SPA_BASE_URL=$SPA_BASE_URL" \ - --from-literal="DB_USER=$DB_USER" \ --from-literal="DB_DRIVER=$DB_DRIVER" if [ $? -ne 0 ]; then echo "Problem encountered creating the Kubernetes configmap containing unprotected environment variables" @@ -168,6 +158,7 @@ kubectl -n curity create secret generic idsvr-protected-parameters \ --from-literal="ADMIN_PASSWORD=$ADMIN_PASSWORD" \ --from-literal="SPA_CLIENT_SECRET=$SPA_CLIENT_SECRET" \ --from-literal="INTROSPECTION_CLIENT_SECRET=$INTROSPECTION_CLIENT_SECRET" \ + --from-literal="DB_USER=$DB_USER" \ --from-literal="DB_PASSWORD=$DB_PASSWORD" \ --from-literal="DB_CONNECTION=$DB_CONNECTION" \ --from-literal="SYMMETRIC_KEY=$SYMMETRIC_KEY" \ @@ -178,3 +169,16 @@ if [ $? -ne 0 ]; then echo "Problem encountered creating the Kubernetes secret containing protected environment variables" exit 1 fi + +# +# Create parameters for the job container that initializes or upgrades the database schema +# +kubectl -n curity delete secret idsvr-dbinit-protected-parameters 2>/dev/null +kubectl -n curity create secret generic idsvr-dbinit-protected-parameters \ + --from-literal="JDBC_USERNAME=$DB_USER" \ + --from-literal="JDBC_PASSWORD=$DB_PASSWORD_RAW" \ + --from-literal="JDBC_URL=$DB_CONNECTION_RAW" +if [ $? -ne 0 ]; then + echo "Problem encountered creating the Kubernetes secret for the job init container" + exit 1 +fi diff --git a/resources/curity/idsvr-final/values.yaml b/resources/curity/idsvr-final/values.yaml index 9789040..534b747 100644 --- a/resources/curity/idsvr-final/values.yaml +++ b/resources/curity/idsvr-final/values.yaml @@ -33,6 +33,13 @@ curity: environmentVariableSecrets: - idsvr-protected-parameters + dbSchemaManagementJob: + enabled: true + environmentVariableSecrets: + - idsvr-dbinit-protected-parameters + serviceAccount: + name: curity-idsvr-dbinit + networkpolicy: enabled: true apigatewayNamespace: 'apigateway' diff --git a/resources/spa-and-api/config/demoapi-config.json b/resources/spa-and-api/config/demoapi-config.json index 2f49dcd..577d77b 100644 --- a/resources/spa-and-api/config/demoapi-config.json +++ b/resources/spa-and-api/config/demoapi-config.json @@ -2,5 +2,6 @@ "port": 8000, "jwksUri": "http://curity-idsvr-runtime-svc.curity.svc:8443/oauth/v2/oauth-anonymous/jwks", "issuer": "https://login.testcluster.example/oauth/v2/oauth-anonymous", - "audience": "api.example.com" + "audience": "api.example.com", + "algorithm": "RS256" }