1 change: 0 additions & 1 deletion .gitignore
Expand Up @@ -10,7 +10,6 @@ oauth-proxy-plugin.yaml
*.p12
*.csr
*.pkcs8
*.sql
*.zip
*.pem
*.srl
5 changes: 2 additions & 3 deletions resources/api-gateway/Dockerfile
@@ -1,11 +1,10 @@
###################################################################################################
# A custom Docker image for advanced deployments that use the OAuth Proxy and Phantom Token plugins
###################################################################################################
FROM kong/kong:3.9
FROM kong/kong:3.9-ubuntu

USER root
RUN apt-get update
RUN apt-get install -y git unzip
RUN apt-get update && apt-get install -y git unzip wget

#
# Install luarocks, and set git options if required
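Review bot: The new `RUN apt-get update && apt-get install -y git unzip wget` line installs recommended packages and leaves the apt lists inside the layer; prefer `RUN apt-get update && apt-get install -y --no-install-recommends git unzip wget && rm -rf /var/lib/apt/lists/*` so the custom image stays minimal. The packages are unpinned, so two builds of the same Dockerfile can produce different images (hadolint DL3008); pinning them, or at least a comment on the `FROM kong/kong:3.9-ubuntu` line explaining why the Ubuntu variant is needed (presumably for apt-get), would help the next maintainer. `wget` is newly added here; if it fetches an artifact further down the file, that download should verify a checksum. The stage switches to `USER root` just above and the rest of the file is outside this hunk, so confirm that it switches back to the kong user before the final instruction.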
10 changes: 2 additions & 8 deletions resources/curity/idsvr-final/database/postgres.yaml
Expand Up @@ -33,11 +33,8 @@ spec:
spec:
containers:
- name: postgres
image: postgres:17.2
image: postgres:18.4
volumeMounts:
- name: init-script
mountPath: /docker-entrypoint-initdb.d
readOnly: true
- name: postgres-persistent-storage
mountPath: /var/lib/postgresql/data
env:
Expand All @@ -48,17 +45,14 @@ spec:
- name: POSTGRES_PASSWORD
value: Password1
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
value: /var/lib/postgresql/pgdata
ports:
- containerPort: 5432
name: postgres
volumes:
- name: postgres-persistent-storage
persistentVolumeClaim:
claimName: idsvr-pv-claim
- name: init-script
configMap:
name: sql-init-script
---
apiVersion: v1
kind: PersistentVolumeClaim
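Review bot: The new PGDATA `value: /var/lib/postgresql/pgdata` no longer lies under the unchanged `mountPath: /var/lib/postgresql/data` of the persistent-storage volume, so the cluster's data directory is written to the container's writable layer and is lost on every pod restart (Kubernetes ignores the image's VOLUME declaration). Either keep PGDATA below the mount or raise the mount to the parent, e.g. `mountPath: /var/lib/postgresql` on the postgres-persistent-storage volumeMount, which I believe also matches the directory layout the postgres 18 image now uses. Moving from `postgres:17.2` to `postgres:18.4` over the same `idsvr-pv-claim` will also refuse to start if that claim still holds a 17-format data directory; a comment such as `# major-version upgrade: delete idsvr-pv-claim (dev data only) before redeploying` would save a confusing failure. The `POSTGRES_PASSWORD` value `Password1` in the surrounding context predates this change but remains a plaintext credential in the manifest.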
14 changes: 3 additions & 11 deletions resources/curity/idsvr-final/deploy.sh
Expand Up @@ -38,6 +38,7 @@ fi
kubectl create namespace curity 2>/dev/null
kubectl -n curity create serviceaccount curity-idsvr-admin 2>/dev/null
kubectl -n curity create serviceaccount curity-idsvr-runtime 2>/dev/null
kubectl -n curity create serviceaccount curity-idsvr-dbinit 2>/dev/null

#
# Protect parameters and do other preprocessing
Expand All @@ -48,16 +49,8 @@ if [ $? -ne 0 ]; then
fi

#
# Create a database script configmap
#
kubectl -n curity delete configmap sql-init-script 2>/dev/null
kubectl -n curity create configmap sql-init-script --from-file='database/dbinit.sql'
if [ $? -ne 0 ]; then
exit 1
fi

#
# Deploy the SQL database and use external storage for a development computer
# Deploy the Curity Identity Server's SQL database and use external storage for a development computer
# The schema for the database is created by a job container that the Helm chart creates
#
kubectl -n curity apply -f database/postgres.yaml
if [ $? -ne 0 ]; then
Expand All @@ -79,4 +72,3 @@ kubectl -n curity apply -f gateway-routes.yaml
if [ $? -ne 0 ]; then
exit 1
fi

24 changes: 14 additions & 10 deletions resources/curity/idsvr-final/parameters/create-parameters.sh
Expand Up @@ -83,15 +83,6 @@ while [ "$(curl -k -s -o /dev/null -w ''%{http_code}'' "https://localhost:6749/a
sleep 2
done

#
# Get the SQL init script from the running container, which the database deployment uses
#
docker cp curity:/opt/idsvr/etc/postgres-create_database.sql ../database/dbinit.sql
if [ $? -ne 0 ]; then
echo "*** Problem encountered copying the database script"
exit 1
fi

#
# Copy the encryption script to the container
#
Expand Down Expand Up @@ -153,7 +144,6 @@ kubectl -n curity create configmap idsvr-parameters \
--from-literal="RUNTIME_BASE_URL=$RUNTIME_BASE_URL" \
--from-literal="ADMIN_BASE_URL=$ADMIN_BASE_URL" \
--from-literal="SPA_BASE_URL=$SPA_BASE_URL" \
--from-literal="DB_USER=$DB_USER" \
--from-literal="DB_DRIVER=$DB_DRIVER"
if [ $? -ne 0 ]; then
echo "Problem encountered creating the Kubernetes configmap containing unprotected environment variables"
Expand All @@ -168,6 +158,7 @@ kubectl -n curity create secret generic idsvr-protected-parameters \
--from-literal="ADMIN_PASSWORD=$ADMIN_PASSWORD" \
--from-literal="SPA_CLIENT_SECRET=$SPA_CLIENT_SECRET" \
--from-literal="INTROSPECTION_CLIENT_SECRET=$INTROSPECTION_CLIENT_SECRET" \
--from-literal="DB_USER=$DB_USER" \
--from-literal="DB_PASSWORD=$DB_PASSWORD" \
--from-literal="DB_CONNECTION=$DB_CONNECTION" \
--from-literal="SYMMETRIC_KEY=$SYMMETRIC_KEY" \
Expand All @@ -178,3 +169,16 @@ if [ $? -ne 0 ]; then
echo "Problem encountered creating the Kubernetes secret containing protected environment variables"
exit 1
fi

#
# Create parameters for the job container that initializes or upgrades the database schema
#
kubectl -n curity delete secret idsvr-dbinit-protected-parameters 2>/dev/null
kubectl -n curity create secret generic idsvr-dbinit-protected-parameters \
--from-literal="JDBC_USERNAME=$DB_USER" \
--from-literal="JDBC_PASSWORD=$DB_PASSWORD_RAW" \
--from-literal="JDBC_URL=$DB_CONNECTION_RAW"
if [ $? -ne 0 ]; then
echo "Problem encountered creating the Kubernetes secret for the job init container"
exit 1
fi
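Review bot: The new secret in the last hunk is built from `$DB_PASSWORD_RAW` and `$DB_CONNECTION_RAW`, which are not assigned anywhere in the visible hunks, and the script does not run with `set -u`, so if they are unset (or only set earlier under a different name) the `kubectl create secret` succeeds and stores an empty JDBC_PASSWORD and JDBC_URL, leaving the schema job to fail later with a far less clear error. Add a guard before the create, e.g. `if [ -z "$DB_PASSWORD_RAW" ] || [ -z "$DB_CONNECTION_RAW" ]; then echo "*** DB_PASSWORD_RAW or DB_CONNECTION_RAW is not set"; exit 1; fi`. Since this secret appears to carry the unencrypted database password, unlike `DB_PASSWORD` in idsvr-protected-parameters which seems to go through the encryption step copied in earlier, a comment stating that and why the job needs the raw value would help, and read access to it in the curity namespace should be limited to the curity-idsvr-dbinit service account. Moving `DB_USER` from the configmap to the secret in the earlier hunks is the right direction.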
7 changes: 7 additions & 0 deletions resources/curity/idsvr-final/values.yaml
Expand Up @@ -33,6 +33,13 @@ curity:
environmentVariableSecrets:
- idsvr-protected-parameters

dbSchemaManagementJob:
enabled: true
environmentVariableSecrets:
- idsvr-dbinit-protected-parameters
serviceAccount:
name: curity-idsvr-dbinit

networkpolicy:
enabled: true
apigatewayNamespace: 'apigateway'
3 changes: 2 additions & 1 deletion resources/spa-and-api/config/demoapi-config.json
Expand Up @@ -2,5 +2,6 @@
"port": 8000,
"jwksUri": "http://curity-idsvr-runtime-svc.curity.svc:8443/oauth/v2/oauth-anonymous/jwks",
"issuer": "https://login.testcluster.example/oauth/v2/oauth-anonymous",
"audience": "api.example.com"
"audience": "api.example.com",
"algorithm": "RS256"
}