├── .deps ├── k3d.yaml ├── kubectl.yaml └── kustomize.yaml ├── .docker ├── Dockerfile-build ├── Dockerfile-kubebuilder └── Dockerfile-release ├── .github ├── CODEOWNERS ├── FUNDING.yml ├── ISSUE_TEMPLATE │ ├── BUG-REPORT.yml │ ├── DESIGN-DOC.yml │ ├── FEATURE-REQUEST.yml │ └── config.yml ├── actions │ └── deps-setup │ │ └── action.yaml ├── auto_assign.yml ├── config.yml ├── pull_request_template.md └── workflows │ ├── ci.yaml │ ├── closed_references.yml │ ├── conventional_commits.yml │ ├── cve-scan.yaml │ ├── format.yml │ ├── labels.yml │ ├── licenses.yml │ └── stale.yml ├── .gitignore ├── .goreleaser.yml ├── .prettierignore ├── .reference-ignore ├── .reports └── dep-licenses.csv ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── Makefile ├── PROJECT ├── README.md ├── SECURITY.md ├── api └── v1alpha1 │ ├── groupversion_info.go │ ├── oauth2client_types.go │ ├── oauth2client_types_test.go │ └── zz_generated.deepcopy.go ├── config ├── certmanager │ ├── certificate.yaml │ ├── kustomization.yaml │ └── kustomizeconfig.yaml ├── crd │ ├── bases │ │ └── hydra.ory.sh_oauth2clients.yaml │ ├── kustomization.yaml │ ├── kustomizeconfig.yaml │ └── patches │ │ ├── cainjection_in_oauth2clients.yaml │ │ └── webhook_in_oauth2clients.yaml ├── default │ ├── kustomization.yaml │ ├── manager_auth_proxy_patch.yaml │ ├── manager_image_patch.yaml │ ├── manager_prometheus_metrics_patch.yaml │ ├── manager_webhook_patch.yaml │ └── webhookcainjection_patch.yaml ├── manager │ ├── kustomization.yaml │ └── manager.yaml ├── rbac │ ├── auth_proxy_role.yaml │ ├── auth_proxy_role_binding.yaml │ ├── auth_proxy_service.yaml │ ├── kustomization.yaml │ ├── leader_election_role.yaml │ ├── leader_election_role_binding.yaml │ ├── role.yaml │ └── role_binding.yaml ├── samples │ ├── hydra_v1alpha1_oauth2client.yaml │ ├── hydra_v1alpha1_oauth2client_custom_namespace.yaml │ └── hydra_v1alpha1_oauth2client_user_credentials.yaml └── webhook │ ├── kustomization.yaml │ ├── kustomizeconfig.yaml │ ├── manifests.yaml │ └── service.yaml ├── controllers ├── mocks │ └── hydra │ │ └── Client.go ├── oauth2client_controller.go ├── oauth2client_controller_integration_test.go └── suite_test.go ├── docs ├── README.md └── assets │ ├── synchronization-mode.svg │ └── workflow.svg ├── go.mod ├── go.sum ├── hack └── boilerplate.go.txt ├── helpers ├── http_client.go └── http_client_test.go ├── hydra ├── client.go ├── client_test.go ├── types.go └── types_test.go ├── main.go ├── package-lock.json ├── package.json └── renovate.json /.deps/k3d.yaml: -------------------------------------------------------------------------------- 1 | version: v5.4.9 2 | url: https://github.com/rancher/k3d/releases/download/{{.Version}}/k3d-{{.Os}}-{{.Architecture}} 3 | -------------------------------------------------------------------------------- /.deps/kubectl.yaml: -------------------------------------------------------------------------------- 1 | version: v1.26.5 2 | url: https://storage.googleapis.com/kubernetes-release/release/{{.Version}}/bin/{{.Os}}/{{.Architecture}}/kubectl 3 | -------------------------------------------------------------------------------- /.deps/kustomize.yaml: -------------------------------------------------------------------------------- 1 | version: v5.0.3 2 | url: https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2F{{.Version}}/kustomize_{{.Version}}_{{.Os}}_{{.Architecture}}.tar.gz 3 | -------------------------------------------------------------------------------- /.docker/Dockerfile-build: -------------------------------------------------------------------------------- 1 | FROM golang:1.24 as builder 2 | WORKDIR /go/src/app 3 | COPY . . 4 | RUN make manager 5 | 6 | # Use distroless as minimal base image to package the manager binary 7 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 8 | FROM gcr.io/distroless/static:nonroot 9 | WORKDIR / 10 | COPY --from=builder /go/src/app/manager . 11 | USER 65532:65532 12 | 13 | ENTRYPOINT ["/manager"] 14 | -------------------------------------------------------------------------------- /.docker/Dockerfile-kubebuilder: -------------------------------------------------------------------------------- 1 | FROM golang:1.24 as builder 2 | WORKDIR /go/src/app 3 | 4 | ENV PATH=$PATH:/go/src/app/.bin 5 | 6 | COPY . . 7 | RUN make test &&\ 8 | make manager 9 | 10 | # Use distroless as minimal base image to package the manager binary 11 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 12 | FROM gcr.io/distroless/static:nonroot 13 | WORKDIR / 14 | COPY --from=builder /go/src/app/manager . 15 | USER 65532:65532 16 | 17 | ENTRYPOINT ["/manager"] 18 | -------------------------------------------------------------------------------- /.docker/Dockerfile-release: -------------------------------------------------------------------------------- 1 | # Use distroless as minimal base image to package the manager binary 2 | # Refer to https://github.com/GoogleContainerTools/distroless for more details 3 | FROM gcr.io/distroless/static:nonroot 4 | WORKDIR / 5 | COPY manager . 6 | USER 65532:65532 7 | 8 | ENTRYPOINT ["/manager"] 9 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @piotrmsc @Demonsthere 2 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/FUNDING.yml 3 | 4 | # These are supported funding model platforms 5 | 6 | # github: 7 | patreon: _ory 8 | open_collective: ory 9 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/BUG-REPORT.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/BUG-REPORT.yml 3 | 4 | description: "Create a bug report" 5 | labels: 6 | - bug 7 | name: "Bug Report" 8 | body: 9 | - attributes: 10 | value: "Thank you for taking the time to fill out this bug report!\n" 11 | type: markdown 12 | - attributes: 13 | label: "Preflight checklist" 14 | options: 15 | - label: 16 | "I could not find a solution in the existing issues, docs, nor 17 | discussions." 18 | required: true 19 | - label: 20 | "I agree to follow this project's [Code of 21 | Conduct](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md)." 22 | required: true 23 | - label: 24 | "I have read and am following this repository's [Contribution 25 | Guidelines](https://github.com/ory/hydra-maester/blob/master/CONTRIBUTING.md)." 26 | required: true 27 | - label: 28 | "I have joined the [Ory Community Slack](https://slack.ory.sh)." 29 | - label: 30 | "I am signed up to the [Ory Security Patch 31 | Newsletter](https://www.ory.sh/l/sign-up-newsletter)." 32 | id: checklist 33 | type: checkboxes 34 | - attributes: 35 | description: 36 | "Enter the slug or API URL of the affected Ory Network project. Leave 37 | empty when you are self-hosting." 38 | label: "Ory Network Project" 39 | placeholder: "https://.projects.oryapis.com" 40 | id: ory-network-project 41 | type: input 42 | - attributes: 43 | description: "A clear and concise description of what the bug is." 44 | label: "Describe the bug" 45 | placeholder: "Tell us what you see!" 46 | id: describe-bug 47 | type: textarea 48 | validations: 49 | required: true 50 | - attributes: 51 | description: | 52 | Clear, formatted, and easy to follow steps to reproduce the behavior: 53 | placeholder: | 54 | Steps to reproduce the behavior: 55 | 56 | 1. Run `docker run ....` 57 | 2. Make API Request to with `curl ...` 58 | 3. Request fails with response: `{"some": "error"}` 59 | label: "Reproducing the bug" 60 | id: reproduce-bug 61 | type: textarea 62 | validations: 63 | required: true 64 | - attributes: 65 | description: 66 | "Please copy and paste any relevant log output. This will be 67 | automatically formatted into code, so no need for backticks. Please 68 | redact any sensitive information" 69 | label: "Relevant log output" 70 | render: shell 71 | placeholder: | 72 | log=error .... 73 | id: logs 74 | type: textarea 75 | - attributes: 76 | description: 77 | "Please copy and paste any relevant configuration. This will be 78 | automatically formatted into code, so no need for backticks. Please 79 | redact any sensitive information!" 80 | label: "Relevant configuration" 81 | render: yml 82 | placeholder: | 83 | server: 84 | admin: 85 | port: 1234 86 | id: config 87 | type: textarea 88 | - attributes: 89 | description: "What version of our software are you running?" 90 | label: Version 91 | id: version 92 | type: input 93 | validations: 94 | required: true 95 | - attributes: 96 | label: "On which operating system are you observing this issue?" 97 | options: 98 | - Ory Network 99 | - macOS 100 | - Linux 101 | - Windows 102 | - FreeBSD 103 | - Other 104 | id: operating-system 105 | type: dropdown 106 | - attributes: 107 | label: "In which environment are you deploying?" 108 | options: 109 | - Ory Network 110 | - Docker 111 | - "Docker Compose" 112 | - "Kubernetes with Helm" 113 | - Kubernetes 114 | - Binary 115 | - Other 116 | id: deployment 117 | type: dropdown 118 | - attributes: 119 | description: "Add any other context about the problem here." 120 | label: Additional Context 121 | id: additional 122 | type: textarea 123 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/DESIGN-DOC.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml 3 | 4 | description: 5 | "A design document is needed for non-trivial changes to the code base." 6 | labels: 7 | - rfc 8 | name: "Design Document" 9 | body: 10 | - attributes: 11 | value: | 12 | Thank you for writing this design document. 13 | 14 | One of the key elements of Ory's software engineering culture is the use of defining software designs through design docs. These are relatively informal documents that the primary author or authors of a software system or application create before they embark on the coding project. The design doc documents the high level implementation strategy and key design decisions with emphasis on the trade-offs that were considered during those decisions. 15 | 16 | Ory is leaning heavily on [Google's design docs process](https://www.industrialempathy.com/posts/design-docs-at-google/) 17 | and [Golang Proposals](https://github.com/golang/proposal). 18 | 19 | Writing a design doc before contributing your change ensures that your ideas are checked with 20 | the community and maintainers. It will save you a lot of time developing things that might need to be changed 21 | after code reviews, and your pull requests will be merged faster. 22 | type: markdown 23 | - attributes: 24 | label: "Preflight checklist" 25 | options: 26 | - label: 27 | "I could not find a solution in the existing issues, docs, nor 28 | discussions." 29 | required: true 30 | - label: 31 | "I agree to follow this project's [Code of 32 | Conduct](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md)." 33 | required: true 34 | - label: 35 | "I have read and am following this repository's [Contribution 36 | Guidelines](https://github.com/ory/hydra-maester/blob/master/CONTRIBUTING.md)." 37 | required: true 38 | - label: 39 | "I have joined the [Ory Community Slack](https://slack.ory.sh)." 40 | - label: 41 | "I am signed up to the [Ory Security Patch 42 | Newsletter](https://www.ory.sh/l/sign-up-newsletter)." 43 | id: checklist 44 | type: checkboxes 45 | - attributes: 46 | description: 47 | "Enter the slug or API URL of the affected Ory Network project. Leave 48 | empty when you are self-hosting." 49 | label: "Ory Network Project" 50 | placeholder: "https://.projects.oryapis.com" 51 | id: ory-network-project 52 | type: input 53 | - attributes: 54 | description: | 55 | This section gives the reader a very rough overview of the landscape in which the new system is being built and what is actually being built. This isn’t a requirements doc. Keep it succinct! The goal is that readers are brought up to speed but some previous knowledge can be assumed and detailed info can be linked to. This section should be entirely focused on objective background facts. 56 | label: "Context and scope" 57 | id: scope 58 | type: textarea 59 | validations: 60 | required: true 61 | 62 | - attributes: 63 | description: | 64 | A short list of bullet points of what the goals of the system are, and, sometimes more importantly, what non-goals are. Note, that non-goals aren’t negated goals like “The system shouldn’t crash”, but rather things that could reasonably be goals, but are explicitly chosen not to be goals. A good example would be “ACID compliance”; when designing a database, you’d certainly want to know whether that is a goal or non-goal. And if it is a non-goal you might still select a solution that provides it, if it doesn’t introduce trade-offs that prevent achieving the goals. 65 | label: "Goals and non-goals" 66 | id: goals 67 | type: textarea 68 | validations: 69 | required: true 70 | 71 | - attributes: 72 | description: | 73 | This section should start with an overview and then go into details. 74 | The design doc is the place to write down the trade-offs you made in designing your software. Focus on those trade-offs to produce a useful document with long-term value. That is, given the context (facts), goals and non-goals (requirements), the design doc is the place to suggest solutions and show why a particular solution best satisfies those goals. 75 | 76 | The point of writing a document over a more formal medium is to provide the flexibility to express the problem at hand in an appropriate manner. Because of this, there is no explicit guidance on how to actually describe the design. 77 | label: "The design" 78 | id: design 79 | type: textarea 80 | validations: 81 | required: true 82 | 83 | - attributes: 84 | description: | 85 | If the system under design exposes an API, then sketching out that API is usually a good idea. In most cases, however, one should withstand the temptation to copy-paste formal interface or data definitions into the doc as these are often verbose, contain unnecessary detail and quickly get out of date. Instead, focus on the parts that are relevant to the design and its trade-offs. 86 | label: "APIs" 87 | id: apis 88 | type: textarea 89 | 90 | - attributes: 91 | description: | 92 | Systems that store data should likely discuss how and in what rough form this happens. Similar to the advice on APIs, and for the same reasons, copy-pasting complete schema definitions should be avoided. Instead, focus on the parts that are relevant to the design and its trade-offs. 93 | label: "Data storage" 94 | id: persistence 95 | type: textarea 96 | 97 | - attributes: 98 | description: | 99 | Design docs should rarely contain code, or pseudo-code except in situations where novel algorithms are described. As appropriate, link to prototypes that show the feasibility of the design. 100 | label: "Code and pseudo-code" 101 | id: pseudocode 102 | type: textarea 103 | 104 | - attributes: 105 | description: | 106 | One of the primary factors that would influence the shape of a software design and hence the design doc, is the degree of constraint of the solution space. 107 | 108 | On one end of the extreme is the “greenfield software project”, where all we know are the goals, and the solution can be whatever makes the most sense. Such a document may be wide-ranging, but it also needs to quickly define a set of rules that allow zooming in on a manageable set of solutions. 109 | 110 | On the other end are systems where the possible solutions are very well defined, but it isn't at all obvious how they could even be combined to achieve the goals. This may be a legacy system that is difficult to change and wasn't designed to do what you want it to do or a library design that needs to operate within the constraints of the host programming language. 111 | 112 | In this situation, you may be able to enumerate all the things you can do relatively easily, but you need to creatively put those things together to achieve the goals. There may be multiple solutions, and none of them are great, and hence such a document should focus on selecting the best way given all identified trade-offs. 113 | label: "Degree of constraint" 114 | id: constrait 115 | type: textarea 116 | 117 | - attributes: 118 | description: | 119 | This section lists alternative designs that would have reasonably achieved similar outcomes. The focus should be on the trade-offs that each respective design makes and how those trade-offs led to the decision to select the design that is the primary topic of the document. 120 | 121 | While it is fine to be succinct about a solution that ended up not being selected, this section is one of the most important ones as it shows very explicitly why the selected solution is the best given the project goals and how other solutions, that the reader may be wondering about, introduce trade-offs that are less desirable given the goals. 122 | 123 | label: Alternatives considered 124 | id: alternatives 125 | type: textarea 126 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml 3 | 4 | description: 5 | "Suggest an idea for this project without a plan for implementation" 6 | labels: 7 | - feat 8 | name: "Feature Request" 9 | body: 10 | - attributes: 11 | value: | 12 | Thank you for suggesting an idea for this project! 13 | 14 | If you already have a plan to implement a feature or a change, please create a [design document](https://github.com/aeneasr/gh-template-test/issues/new?assignees=&labels=rfc&template=DESIGN-DOC.yml) instead if the change is non-trivial! 15 | type: markdown 16 | - attributes: 17 | label: "Preflight checklist" 18 | options: 19 | - label: 20 | "I could not find a solution in the existing issues, docs, nor 21 | discussions." 22 | required: true 23 | - label: 24 | "I agree to follow this project's [Code of 25 | Conduct](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md)." 26 | required: true 27 | - label: 28 | "I have read and am following this repository's [Contribution 29 | Guidelines](https://github.com/ory/hydra-maester/blob/master/CONTRIBUTING.md)." 30 | required: true 31 | - label: 32 | "I have joined the [Ory Community Slack](https://slack.ory.sh)." 33 | - label: 34 | "I am signed up to the [Ory Security Patch 35 | Newsletter](https://www.ory.sh/l/sign-up-newsletter)." 36 | id: checklist 37 | type: checkboxes 38 | - attributes: 39 | description: 40 | "Enter the slug or API URL of the affected Ory Network project. Leave 41 | empty when you are self-hosting." 42 | label: "Ory Network Project" 43 | placeholder: "https://.projects.oryapis.com" 44 | id: ory-network-project 45 | type: input 46 | - attributes: 47 | description: 48 | "Is your feature request related to a problem? Please describe." 49 | label: "Describe your problem" 50 | placeholder: 51 | "A clear and concise description of what the problem is. Ex. I'm always 52 | frustrated when [...]" 53 | id: problem 54 | type: textarea 55 | validations: 56 | required: true 57 | - attributes: 58 | description: | 59 | Describe the solution you'd like 60 | placeholder: | 61 | A clear and concise description of what you want to happen. 62 | label: "Describe your ideal solution" 63 | id: solution 64 | type: textarea 65 | validations: 66 | required: true 67 | - attributes: 68 | description: "Describe alternatives you've considered" 69 | label: "Workarounds or alternatives" 70 | id: alternatives 71 | type: textarea 72 | validations: 73 | required: true 74 | - attributes: 75 | description: "What version of our software are you running?" 76 | label: Version 77 | id: version 78 | type: input 79 | validations: 80 | required: true 81 | - attributes: 82 | description: 83 | "Add any other context or screenshots about the feature request here." 84 | label: Additional Context 85 | id: additional 86 | type: textarea 87 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/config.yml 3 | 4 | blank_issues_enabled: false 5 | contact_links: 6 | - name: Ory Ory Hydra Maester Forum 7 | url: https://github.com/orgs/ory/discussions 8 | about: 9 | Please ask and answer questions here, show your implementations and 10 | discuss ideas. 11 | - name: Ory Chat 12 | url: https://www.ory.sh/chat 13 | about: 14 | Hang out with other Ory community members to ask and answer questions. 15 | -------------------------------------------------------------------------------- /.github/actions/deps-setup/action.yaml: -------------------------------------------------------------------------------- 1 | name: "Dependencies setup" 2 | description: "Sets up dependencies, uses cache to speedup execution" 3 | runs: 4 | using: "composite" 5 | steps: 6 | - name: Extract branch name 7 | shell: bash 8 | run: | 9 | echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> "$GITHUB_ENV" 10 | id: extract_branch 11 | 12 | - uses: actions/cache@v4 13 | id: cache-packages 14 | with: 15 | path: | 16 | ~/go/pkg/mod 17 | ~/go/bin 18 | ~/.config/helm 19 | ~/.local/share/helm 20 | ~/.cache/helm 21 | ${{ github.workspace }}/.bin 22 | key: 23 | ${{ runner.os }}-${{ steps.extract_branch.outputs.branch }}-${{ 24 | hashFiles('**/go.sum', '.deps/*') }} 25 | restore-keys: | 26 | ${{ runner.os }}-${{ steps.extract_branch.outputs.branch }}- 27 | 28 | - name: Setup dependencies 29 | if: steps.cache-packages.outputs.cache-hit != 'true' 30 | shell: bash 31 | env: 32 | HELM_INSTALL_DIR: ${{ github.workspace }}/.bin 33 | HELM_PLUGINS: ${{ github.workspace }}/.bin/plugins 34 | K3D_INSTALL_DIR: ${{ github.workspace }}/.bin 35 | run: | 36 | #Export .bin into PATH so k3d doesn't fail when installing 37 | export PATH=".bin:$PATH" 38 | echo "PATH=.bin:$PATH" >> $GITHUB_ENV 39 | make deps 40 | -------------------------------------------------------------------------------- /.github/auto_assign.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/auto_assign.yml 3 | 4 | # Set to true to add reviewers to pull requests 5 | addReviewers: true 6 | 7 | # Set to true to add assignees to pull requests 8 | addAssignees: true 9 | 10 | # A list of reviewers to be added to pull requests (GitHub user name) 11 | assignees: 12 | - ory/maintainers 13 | 14 | # A number of reviewers added to the pull request 15 | # Set 0 to add all the reviewers (default: 0) 16 | numberOfReviewers: 0 17 | -------------------------------------------------------------------------------- /.github/config.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/config.yml 3 | 4 | todo: 5 | keyword: "@todo" 6 | label: todo 7 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | 12 | 13 | ## Related Issue or Design Document 14 | 15 | 29 | 30 | ## Checklist 31 | 32 | 36 | 37 | - [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md) and signed the CLA. 38 | - [ ] I have referenced an issue containing the design document if my change introduces a new feature. 39 | - [ ] I have read the [security policy](../security/policy). 40 | - [ ] I confirm that this pull request does not address a security vulnerability. 41 | If this pull request addresses a security vulnerability, 42 | I confirm that I got approval (please contact [security@ory.sh](mailto:security@ory.sh)) from the maintainers to push the changes. 43 | - [ ] I have added tests that prove my fix is effective or that my feature works. 44 | - [ ] I have added the necessary documentation within the code base (if appropriate). 45 | 46 | ## Further comments 47 | 48 | 52 | -------------------------------------------------------------------------------- /.github/workflows/ci.yaml: -------------------------------------------------------------------------------- 1 | name: CI 2 | on: 3 | push: 4 | branches: 5 | - "master" 6 | tags: 7 | - "v*" 8 | pull_request: 9 | 10 | concurrency: 11 | group: ci-${{ github.ref }} 12 | cancel-in-progress: true 13 | 14 | jobs: 15 | dependencies: 16 | name: Prepare Dependencies 17 | runs-on: ubuntu-latest 18 | steps: 19 | - name: Checkout 20 | uses: actions/checkout@v4 21 | - uses: actions/setup-go@v5 22 | with: 23 | go-version: "1.24" 24 | - name: Setup dependencies 25 | uses: ./.github/actions/deps-setup 26 | 27 | detect-repo-changes: 28 | name: Detected Repo Changes 29 | runs-on: ubuntu-latest 30 | outputs: 31 | code-changed: ${{ steps.filter.outputs.code }} 32 | dockerfile-changed: ${{ steps.filter.outputs.docker }} 33 | cicd-definition-changed: ${{ steps.filter.outputs.cicd-definitions }} 34 | steps: 35 | - name: Checkout 36 | uses: actions/checkout@v4 37 | - uses: dorny/paths-filter@v3.0.2 38 | id: filter 39 | with: 40 | base: master 41 | filters: | 42 | code: 43 | - 'api/**' 44 | - 'config/**' 45 | - 'controllers/**' 46 | - 'helpers/**' 47 | - 'hydra/**' 48 | - 'go.mod' 49 | - 'go.sum' 50 | - '*.go' 51 | - 'PROJECT' 52 | docker: 53 | - '.docker/**' 54 | cicd-definitions: 55 | - '.github/workflows/**' 56 | - '.github/actions/**' 57 | 58 | gha-lint: 59 | name: Lint GithubAction files 60 | if: | 61 | needs.detect-repo-changes.outputs.cicd-definition-changed == 'true' 62 | needs: 63 | - detect-repo-changes 64 | runs-on: ubuntu-latest 65 | steps: 66 | - name: Checkout 67 | uses: actions/checkout@v4 68 | - name: actionlint 69 | id: actionlint 70 | uses: raven-actions/actionlint@v2 71 | with: 72 | fail-on-error: true 73 | 74 | test-build: 75 | name: Compile and test 76 | runs-on: ubuntu-latest 77 | if: | 78 | needs.detect-repo-changes.outputs.code-changed == 'true' || 79 | github.ref_type == 'tag' 80 | needs: 81 | - detect-repo-changes 82 | - dependencies 83 | steps: 84 | - name: Checkout 85 | uses: actions/checkout@v4 86 | - name: Checkout dependencies 87 | uses: ./.github/actions/deps-setup 88 | - name: Build 89 | run: make manager 90 | - name: Test 91 | run: make test 92 | 93 | test-integration: 94 | name: Run integration tests 95 | runs-on: ubuntu-latest 96 | if: | 97 | needs.detect-repo-changes.outputs.code-changed == 'true' || 98 | needs.detect-repo-changes.outputs.dockerfile-changed == 'true' || 99 | github.ref_type == 'tag' 100 | needs: 101 | - detect-repo-changes 102 | - dependencies 103 | steps: 104 | - name: Checkout 105 | uses: actions/checkout@v4 106 | - name: Checkout dependencies 107 | uses: ./.github/actions/deps-setup 108 | - uses: actions/setup-go@v5 109 | with: 110 | go-version: "1.24" 111 | cache: false 112 | - name: Test 113 | run: make test-integration 114 | 115 | test-docker: 116 | name: Build docker image 117 | runs-on: ubuntu-latest 118 | if: | 119 | needs.detect-repo-changes.outputs.dockerfile-changed == 'true' || 120 | github.ref_type == 'tag' 121 | needs: 122 | - detect-repo-changes 123 | - dependencies 124 | steps: 125 | - name: Checkout 126 | uses: actions/checkout@v4 127 | - name: Checkout dependencies 128 | uses: ./.github/actions/deps-setup 129 | - name: Build image 130 | run: make docker-build-notest 131 | 132 | release: 133 | if: github.ref_type == 'tag' 134 | needs: 135 | - test-build 136 | - test-integration 137 | - test-docker 138 | runs-on: ubuntu-latest 139 | steps: 140 | - name: Checkout 141 | uses: actions/checkout@v4 142 | - name: Checkout dependencies 143 | uses: ./.github/actions/deps-setup 144 | - name: Set up Go 145 | uses: actions/setup-go@v5 146 | - name: Login to Docker Hub 147 | uses: docker/login-action@v3 148 | with: 149 | username: ${{ secrets.DOCKERHUB_USERNAME }} 150 | password: ${{ secrets.DOCKERHUB_PASSWORD }} 151 | - name: Run GoReleaser 152 | uses: goreleaser/goreleaser-action@v6 153 | with: 154 | distribution: goreleaser 155 | version: latest 156 | args: release --clean 157 | env: 158 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 159 | -------------------------------------------------------------------------------- /.github/workflows/closed_references.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/closed_references.yml 3 | 4 | name: Closed Reference Notifier 5 | 6 | on: 7 | schedule: 8 | - cron: "0 0 * * *" 9 | workflow_dispatch: 10 | inputs: 11 | issueLimit: 12 | description: Max. number of issues to create 13 | required: true 14 | default: "5" 15 | 16 | jobs: 17 | find_closed_references: 18 | if: github.repository_owner == 'ory' 19 | runs-on: ubuntu-latest 20 | name: Find closed references 21 | steps: 22 | - uses: actions/checkout@v4 23 | - uses: actions/setup-node@v2-beta 24 | with: 25 | node-version: "22" 26 | - uses: ory/closed-reference-notifier@v1 27 | with: 28 | token: ${{ secrets.GITHUB_TOKEN }} 29 | issueLabels: upstream,good first issue,help wanted 30 | issueLimit: ${{ github.event.inputs.issueLimit || '5' }} 31 | -------------------------------------------------------------------------------- /.github/workflows/conventional_commits.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/conventional_commits.yml 3 | 4 | name: Conventional commits 5 | 6 | # This GitHub CI Action enforces that pull request titles follow conventional commits. 7 | # More info at https://www.conventionalcommits.org. 8 | # 9 | # The Ory-wide defaults for commit titles and scopes are below. 10 | # Your repository can add/replace elements via a configuration file at the path below. 11 | # More info at https://github.com/ory/ci/blob/master/conventional_commit_config/README.md 12 | 13 | on: 14 | pull_request_target: 15 | types: 16 | - edited 17 | - opened 18 | - ready_for_review 19 | - reopened 20 | # pull_request: # for debugging, uses config in local branch but supports only Pull Requests from this repo 21 | 22 | jobs: 23 | main: 24 | name: Validate PR title 25 | runs-on: ubuntu-latest 26 | steps: 27 | - uses: actions/checkout@v4 28 | - id: config 29 | uses: ory/ci/conventional_commit_config@master 30 | with: 31 | config_path: .github/conventional_commits.json 32 | default_types: | 33 | feat 34 | fix 35 | revert 36 | docs 37 | style 38 | refactor 39 | test 40 | build 41 | autogen 42 | security 43 | ci 44 | chore 45 | default_scopes: | 46 | deps 47 | docs 48 | default_require_scope: false 49 | - uses: amannn/action-semantic-pull-request@v5 50 | env: 51 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 52 | with: 53 | types: ${{ steps.config.outputs.types }} 54 | scopes: ${{ steps.config.outputs.scopes }} 55 | requireScope: ${{ steps.config.outputs.requireScope }} 56 | subjectPattern: ^(?![A-Z]).+$ 57 | subjectPatternError: | 58 | The subject should start with a lowercase letter, yours is uppercase: 59 | "{subject}" 60 | -------------------------------------------------------------------------------- /.github/workflows/cve-scan.yaml: -------------------------------------------------------------------------------- 1 | name: Docker Image Scan 2 | on: 3 | push: 4 | branches: 5 | - "master" 6 | tags: 7 | - "v*.*.*" 8 | pull_request: 9 | branches: 10 | - "master" 11 | 12 | jobs: 13 | docker: 14 | runs-on: ubuntu-latest 15 | steps: 16 | - name: Checkout 17 | uses: actions/checkout@v4 18 | - uses: actions/setup-go@v5 19 | name: Setup Golang 20 | with: 21 | go-version: "1.24" 22 | - name: Set up QEMU 23 | uses: docker/setup-qemu-action@v3 24 | - name: Set up Docker Buildx 25 | uses: docker/setup-buildx-action@v3 26 | - name: Build images 27 | shell: bash 28 | run: | 29 | make docker-build-notest 30 | - name: Anchore Scanner 31 | uses: anchore/scan-action@v6 32 | id: grype-scan 33 | with: 34 | image: controller:latest 35 | fail-build: true 36 | severity-cutoff: high 37 | debug: false 38 | acs-report-enable: true 39 | - name: Anchore upload scan SARIF report 40 | if: always() 41 | uses: github/codeql-action/upload-sarif@v3 42 | with: 43 | sarif_file: ${{ steps.grype-scan.outputs.sarif }} 44 | - name: Trivy Scanner 45 | uses: aquasecurity/trivy-action@master 46 | if: ${{ always() }} 47 | with: 48 | image-ref: controller:latest 49 | format: "table" 50 | exit-code: "42" 51 | ignore-unfixed: true 52 | vuln-type: "os,library" 53 | severity: "CRITICAL,HIGH" 54 | - name: Dockle Linter 55 | uses: erzz/dockle-action@v1.4.0 56 | if: ${{ always() }} 57 | with: 58 | image: controller:latest 59 | exit-code: 42 60 | failure-threshold: fatal 61 | -------------------------------------------------------------------------------- /.github/workflows/format.yml: -------------------------------------------------------------------------------- 1 | name: Format 2 | 3 | on: 4 | pull_request: 5 | push: 6 | 7 | jobs: 8 | format: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v4 12 | - uses: actions/setup-go@v5 13 | with: 14 | go-version: "1.24" 15 | - run: make format 16 | - name: Indicate formatting issues 17 | run: git diff HEAD --exit-code --color 18 | -------------------------------------------------------------------------------- /.github/workflows/labels.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/labels.yml 3 | 4 | name: Synchronize Issue Labels 5 | 6 | on: 7 | workflow_dispatch: 8 | push: 9 | branches: 10 | - master 11 | 12 | jobs: 13 | milestone: 14 | if: github.repository_owner == 'ory' 15 | name: Synchronize Issue Labels 16 | runs-on: ubuntu-latest 17 | steps: 18 | - name: Checkout 19 | uses: actions/checkout@v4 20 | - name: Synchronize Issue Labels 21 | uses: ory/label-sync-action@v0 22 | with: 23 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 24 | dry: false 25 | forced: true 26 | -------------------------------------------------------------------------------- /.github/workflows/licenses.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/licenses.yml 3 | 4 | name: Licenses 5 | 6 | on: 7 | pull_request: 8 | push: 9 | branches: 10 | - main 11 | - v3 12 | - master 13 | 14 | jobs: 15 | licenses: 16 | name: License compliance 17 | runs-on: ubuntu-latest 18 | steps: 19 | - name: Install script 20 | uses: ory/ci/licenses/setup@master 21 | with: 22 | token: ${{ secrets.ORY_BOT_PAT || secrets.GITHUB_TOKEN }} 23 | - name: Check licenses 24 | uses: ory/ci/licenses/check@master 25 | - name: Write, commit, push licenses 26 | uses: ory/ci/licenses/write@master 27 | if: 28 | ${{ github.ref == 'refs/heads/main' || github.ref == 29 | 'refs/heads/master' || github.ref == 'refs/heads/v3' }} 30 | with: 31 | author-email: 32 | ${{ secrets.ORY_BOT_PAT && 33 | '60093411+ory-bot@users.noreply.github.com' || 34 | format('{0}@users.noreply.github.com', github.actor) }} 35 | author-name: ${{ secrets.ORY_BOT_PAT && 'ory-bot' || github.actor }} 36 | -------------------------------------------------------------------------------- /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | # AUTO-GENERATED, DO NOT EDIT! 2 | # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/stale.yml 3 | 4 | name: "Close Stale Issues" 5 | on: 6 | workflow_dispatch: 7 | schedule: 8 | - cron: "0 0 * * *" 9 | 10 | jobs: 11 | stale: 12 | if: github.repository_owner == 'ory' 13 | runs-on: ubuntu-latest 14 | steps: 15 | - uses: actions/stale@v9 16 | with: 17 | repo-token: ${{ secrets.GITHUB_TOKEN }} 18 | stale-issue-message: | 19 | Hello contributors! 20 | 21 | I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue 22 | 23 | - open a PR referencing and resolving the issue; 24 | - leave a comment on it and discuss ideas on how you could contribute towards resolving it; 25 | - leave a comment and describe in detail why this issue is critical for your use case; 26 | - open a new issue with updated details and a plan for resolving the issue. 27 | 28 | Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic. 29 | 30 | Unfortunately, [burnout](https://www.jeffgeerling.com/blog/2016/why-i-close-prs-oss-project-maintainer-notes) has become a [topic](https://opensource.guide/best-practices/#its-okay-to-hit-pause) of [concern](https://docs.brew.sh/Maintainers-Avoiding-Burnout) amongst open-source projects. 31 | 32 | It can lead to severe personal and health issues as well as [opening](https://haacked.com/archive/2019/05/28/maintainer-burnout/) catastrophic [attack vectors](https://www.gradiant.org/en/blog/open-source-maintainer-burnout-as-an-attack-surface/). 33 | 34 | The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone. 35 | 36 | If this issue was marked as stale erroneously you can exempt it by adding the `backlog` label, assigning someone, or setting a milestone for it. 37 | 38 | Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you! 39 | 40 | Thank you 🙏✌️ 41 | stale-issue-label: "stale" 42 | exempt-issue-labels: "bug,blocking,docs,backlog" 43 | days-before-stale: 365 44 | days-before-close: 30 45 | exempt-milestones: true 46 | exempt-assignees: true 47 | only-pr-labels: "stale" 48 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | *.exe 3 | *.exe~ 4 | *.dll 5 | *.so 6 | *.dylib 7 | .bin/ 8 | bin 9 | .bin 10 | 11 | # Test binary, build with `go test -c` 12 | *.test 13 | 14 | # Output of the go coverage tool, specifically when used with LiteIDE 15 | *.out 16 | 17 | # Kubernetes Generated files - skip generated files, except for vendored files 18 | 19 | !vendor/**/zz_generated.* 20 | 21 | # editor and IDE paraphernalia 22 | .idea 23 | *.swp 24 | *.swo 25 | *~ 26 | 27 | config/default/manager_image_patch.yaml-e 28 | /manager 29 | 30 | node_modules/ 31 | dist/ 32 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- 1 | # This is an example goreleaser.yaml file with some sane defaults. 2 | # Make sure to check the documentation at http://goreleaser.com 3 | project_name: hydra-maester 4 | version: 2 5 | before: 6 | hooks: 7 | - "go mod download" 8 | 9 | builds: 10 | - id: linux-amd64 11 | flags: 12 | - -a 13 | binary: manager 14 | env: 15 | - CGO_ENABLED=0 16 | goarch: 17 | - amd64 18 | goos: 19 | - linux 20 | - id: linux-arm64 21 | flags: 22 | - -a 23 | binary: manager 24 | env: 25 | - CGO_ENABLED=0 26 | goarch: 27 | - arm64 28 | goos: 29 | - linux 30 | - id: linux-i386 31 | flags: 32 | - -a 33 | binary: manager 34 | env: 35 | - CGO_ENABLED=0 36 | goarch: 37 | - 386 38 | goos: 39 | - linux 40 | - id: darwin-amd64 41 | flags: 42 | - -a 43 | binary: manager 44 | env: 45 | - CGO_ENABLED=0 46 | goarch: 47 | - amd64 48 | goos: 49 | - darwin 50 | - id: darwin-arm64 51 | flags: 52 | - -a 53 | binary: manager 54 | env: 55 | - CGO_ENABLED=0 56 | goarch: 57 | - arm64 58 | goos: 59 | - darwin 60 | 61 | snapshot: 62 | version_template: "{{ .Tag }}-next" 63 | 64 | changelog: 65 | sort: asc 66 | use: github-native 67 | 68 | dockers: 69 | - image_templates: 70 | - "oryd/hydra-maester:{{ .Tag }}-amd64" 71 | - "oryd/hydra-maester:{{ .ShortCommit }}-amd64" 72 | goarch: amd64 73 | build_flag_templates: 74 | - "--platform=linux/amd64" 75 | dockerfile: ".docker/Dockerfile-release" 76 | ids: 77 | - "linux-amd64" 78 | - image_templates: 79 | - "oryd/hydra-maester:{{ .Tag }}-arm64" 80 | - "oryd/hydra-maester:{{ .ShortCommit }}-arm64" 81 | goarch: arm64 82 | build_flag_templates: 83 | - "--platform=linux/arm64" 84 | dockerfile: ".docker/Dockerfile-release" 85 | ids: 86 | - "linux-arm64" 87 | 88 | docker_manifests: 89 | - name_template: "oryd/hydra-maester:{{ .Tag }}" 90 | id: "tag" 91 | image_templates: 92 | - "oryd/hydra-maester:{{ .Tag }}-amd64" 93 | - "oryd/hydra-maester:{{ .Tag }}-arm64" 94 | - name_template: "oryd/hydra-maester:latest" 95 | id: "latest" 96 | image_templates: 97 | - "oryd/hydra-maester:{{ .Tag }}-amd64" 98 | - "oryd/hydra-maester:{{ .Tag }}-arm64" 99 | 100 | release: 101 | prerelease: auto 102 | name_template: "{{ .Tag }}" 103 | -------------------------------------------------------------------------------- /.prettierignore: -------------------------------------------------------------------------------- 1 | api/v1alpha1/zz_generated.deepcopy.go 2 | CHANGELOG.md 3 | .github/pull_request_template.md 4 | CONTRIBUTING.md 5 | -------------------------------------------------------------------------------- /.reference-ignore: -------------------------------------------------------------------------------- 1 | **/node_modules 2 | docs 3 | CHANGELOG.md 4 | -------------------------------------------------------------------------------- /.reports/dep-licenses.csv: -------------------------------------------------------------------------------- 1 | 2 | "github.com/go-logr/logr","Apache-2.0" 3 | "github.com/asaskevich/govalidator","MIT" 4 | "github.com/go-openapi/errors","Apache-2.0" 5 | "github.com/go-openapi/runtime","Apache-2.0" 6 | "github.com/go-openapi/strfmt","Apache-2.0" 7 | "github.com/go-openapi/swag","Apache-2.0" 8 | "github.com/google/uuid","BSD-3-Clause" 9 | "github.com/josharian/intern","MIT" 10 | "github.com/mailru/easyjson","MIT" 11 | "github.com/mitchellh/mapstructure","MIT" 12 | "github.com/oklog/ulid","Apache-2.0" 13 | "go.mongodb.org/mongo-driver","Apache-2.0" 14 | "golang.org/x/sync/errgroup","BSD-3-Clause" 15 | "gopkg.in/yaml.v3","MIT" 16 | "github.com/google/uuid","BSD-3-Clause" 17 | "github.com/fsnotify/fsnotify","BSD-3-Clause" 18 | "github.com/nxadm/tail","MIT" 19 | "github.com/nxadm/tail/ratelimiter","MIT" 20 | "github.com/onsi/ginkgo","MIT" 21 | "github.com/onsi/ginkgo/reporters/stenographer/support/go-colorable","MIT" 22 | "golang.org/x/sys/unix","BSD-3-Clause" 23 | "gopkg.in/tomb.v1","BSD-3-Clause" 24 | "github.com/google/go-cmp/cmp","BSD-3-Clause" 25 | "github.com/onsi/gomega","MIT" 26 | "golang.org/x/net/html","BSD-3-Clause" 27 | "golang.org/x/text","BSD-3-Clause" 28 | "gopkg.in/yaml.v3","MIT" 29 | "github.com/asaskevich/govalidator","MIT" 30 | "github.com/beorn7/perks/quantile","MIT" 31 | "github.com/cespare/xxhash/v2","MIT" 32 | "github.com/davecgh/go-spew/spew","ISC" 33 | "github.com/emicklei/go-restful/v3","MIT" 34 | "github.com/evanphx/json-patch/v5","BSD-3-Clause" 35 | "github.com/fsnotify/fsnotify","BSD-3-Clause" 36 | "github.com/fxamacker/cbor/v2","MIT" 37 | "github.com/gabriel-vasile/mimetype","MIT" 38 | "github.com/go-logr/logr","Apache-2.0" 39 | "github.com/go-logr/stdr","Apache-2.0" 40 | "github.com/go-logr/zapr","Apache-2.0" 41 | "github.com/go-openapi/analysis","Apache-2.0" 42 | "github.com/go-openapi/errors","Apache-2.0" 43 | "github.com/go-openapi/jsonpointer","Apache-2.0" 44 | "github.com/go-openapi/jsonreference","Apache-2.0" 45 | "github.com/go-openapi/loads","Apache-2.0" 46 | "github.com/go-openapi/runtime","Apache-2.0" 47 | "github.com/go-openapi/runtime/middleware/denco","MIT" 48 | "github.com/go-openapi/spec","Apache-2.0" 49 | "github.com/go-openapi/strfmt","Apache-2.0" 50 | "github.com/go-openapi/swag","Apache-2.0" 51 | "github.com/go-openapi/validate","Apache-2.0" 52 | "github.com/go-playground/locales","MIT" 53 | "github.com/go-playground/universal-translator","MIT" 54 | "github.com/go-playground/validator/v10","MIT" 55 | "github.com/gogo/protobuf","BSD-3-Clause" 56 | "github.com/golang/protobuf","BSD-3-Clause" 57 | "github.com/google/btree","Apache-2.0" 58 | "github.com/google/gnostic-models","Apache-2.0" 59 | "github.com/google/go-cmp/cmp","BSD-3-Clause" 60 | "github.com/google/gofuzz","Apache-2.0" 61 | "github.com/google/uuid","BSD-3-Clause" 62 | "github.com/josharian/intern","MIT" 63 | "github.com/json-iterator/go","MIT" 64 | "github.com/leodido/go-urn","MIT" 65 | "github.com/mailru/easyjson","MIT" 66 | "github.com/mitchellh/mapstructure","MIT" 67 | "github.com/modern-go/concurrent","Apache-2.0" 68 | "github.com/modern-go/reflect2","Apache-2.0" 69 | "github.com/munnerz/goautoneg","BSD-3-Clause" 70 | "github.com/oklog/ulid","Apache-2.0" 71 | "github.com/opentracing/opentracing-go","Apache-2.0" 72 | "github.com/ory/hydra-maester","Apache-2.0" 73 | "github.com/pkg/errors","BSD-2-Clause" 74 | "github.com/prometheus/client_golang/prometheus","Apache-2.0" 75 | "github.com/prometheus/client_model/go","Apache-2.0" 76 | "github.com/prometheus/common","Apache-2.0" 77 | "github.com/prometheus/procfs","Apache-2.0" 78 | "github.com/spf13/pflag","BSD-3-Clause" 79 | "github.com/x448/float16","MIT" 80 | "go.mongodb.org/mongo-driver","Apache-2.0" 81 | "go.opentelemetry.io/otel","Apache-2.0" 82 | "go.opentelemetry.io/otel/metric","Apache-2.0" 83 | "go.opentelemetry.io/otel/trace","Apache-2.0" 84 | "go.uber.org/multierr","MIT" 85 | "go.uber.org/zap","MIT" 86 | "golang.org/x/crypto/sha3","BSD-3-Clause" 87 | "golang.org/x/net","BSD-3-Clause" 88 | "golang.org/x/oauth2","BSD-3-Clause" 89 | "golang.org/x/sync/errgroup","BSD-3-Clause" 90 | "golang.org/x/sys","BSD-3-Clause" 91 | "golang.org/x/term","BSD-3-Clause" 92 | "golang.org/x/text","BSD-3-Clause" 93 | "golang.org/x/time/rate","BSD-3-Clause" 94 | "gomodules.xyz/jsonpatch/v2","Apache-2.0" 95 | "google.golang.org/protobuf","BSD-3-Clause" 96 | "gopkg.in/evanphx/json-patch.v4","BSD-3-Clause" 97 | "gopkg.in/inf.v0","BSD-3-Clause" 98 | "gopkg.in/yaml.v3","MIT" 99 | "k8s.io/api","Apache-2.0" 100 | "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions","Apache-2.0" 101 | "k8s.io/apimachinery/pkg","Apache-2.0" 102 | "k8s.io/apimachinery/third_party/forked/golang","BSD-3-Clause" 103 | "k8s.io/client-go","Apache-2.0" 104 | "k8s.io/klog/v2","Apache-2.0" 105 | "k8s.io/kube-openapi/pkg","Apache-2.0" 106 | "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json","BSD-3-Clause" 107 | "k8s.io/kube-openapi/pkg/validation/spec","Apache-2.0" 108 | "k8s.io/utils","Apache-2.0" 109 | "k8s.io/utils/internal/third_party/forked/golang","BSD-3-Clause" 110 | "sigs.k8s.io/controller-runtime","Apache-2.0" 111 | "sigs.k8s.io/json","Apache-2.0" 112 | "sigs.k8s.io/json","BSD-3-Clause" 113 | "sigs.k8s.io/structured-merge-diff/v4","Apache-2.0" 114 | "sigs.k8s.io/yaml","MIT" 115 | "sigs.k8s.io/yaml","Apache-2.0" 116 | "sigs.k8s.io/yaml","BSD-3-Clause" 117 | "sigs.k8s.io/yaml/goyaml.v2","Apache-2.0" 118 | "github.com/stretchr/testify","MIT" 119 | "k8s.io/api","Apache-2.0" 120 | "k8s.io/apimachinery","Apache-2.0" 121 | "k8s.io/client-go","Apache-2.0" 122 | "github.com/beorn7/perks/quantile","MIT" 123 | "github.com/cespare/xxhash/v2","MIT" 124 | "github.com/davecgh/go-spew/spew","ISC" 125 | "github.com/emicklei/go-restful/v3","MIT" 126 | "github.com/evanphx/json-patch/v5","BSD-3-Clause" 127 | "github.com/fsnotify/fsnotify","BSD-3-Clause" 128 | "github.com/fxamacker/cbor/v2","MIT" 129 | "github.com/go-logr/logr","Apache-2.0" 130 | "github.com/go-openapi/jsonpointer","Apache-2.0" 131 | "github.com/go-openapi/jsonreference","Apache-2.0" 132 | "github.com/go-openapi/swag","Apache-2.0" 133 | "github.com/gogo/protobuf","BSD-3-Clause" 134 | "github.com/golang/protobuf","BSD-3-Clause" 135 | "github.com/google/btree","Apache-2.0" 136 | "github.com/google/gnostic-models","Apache-2.0" 137 | "github.com/google/go-cmp/cmp","BSD-3-Clause" 138 | "github.com/google/gofuzz","Apache-2.0" 139 | "github.com/google/uuid","BSD-3-Clause" 140 | "github.com/josharian/intern","MIT" 141 | "github.com/json-iterator/go","MIT" 142 | "github.com/mailru/easyjson","MIT" 143 | "github.com/modern-go/concurrent","Apache-2.0" 144 | "github.com/modern-go/reflect2","Apache-2.0" 145 | "github.com/munnerz/goautoneg","BSD-3-Clause" 146 | "github.com/pkg/errors","BSD-2-Clause" 147 | "github.com/prometheus/client_golang/prometheus","Apache-2.0" 148 | "github.com/prometheus/client_model/go","Apache-2.0" 149 | "github.com/prometheus/common","Apache-2.0" 150 | "github.com/prometheus/procfs","Apache-2.0" 151 | "github.com/spf13/pflag","BSD-3-Clause" 152 | "github.com/x448/float16","MIT" 153 | "golang.org/x/net","BSD-3-Clause" 154 | "golang.org/x/oauth2","BSD-3-Clause" 155 | "golang.org/x/sync/errgroup","BSD-3-Clause" 156 | "golang.org/x/sys/unix","BSD-3-Clause" 157 | "golang.org/x/term","BSD-3-Clause" 158 | "golang.org/x/text","BSD-3-Clause" 159 | "golang.org/x/time/rate","BSD-3-Clause" 160 | "gomodules.xyz/jsonpatch/v2","Apache-2.0" 161 | "google.golang.org/protobuf","BSD-3-Clause" 162 | "gopkg.in/evanphx/json-patch.v4","BSD-3-Clause" 163 | "gopkg.in/inf.v0","BSD-3-Clause" 164 | "gopkg.in/yaml.v3","MIT" 165 | "k8s.io/api","Apache-2.0" 166 | "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions","Apache-2.0" 167 | "k8s.io/apimachinery/pkg","Apache-2.0" 168 | "k8s.io/apimachinery/third_party/forked/golang","BSD-3-Clause" 169 | "k8s.io/client-go","Apache-2.0" 170 | "k8s.io/klog/v2","Apache-2.0" 171 | "k8s.io/kube-openapi/pkg","Apache-2.0" 172 | "k8s.io/kube-openapi/pkg/internal/third_party/go-json-experiment/json","BSD-3-Clause" 173 | "k8s.io/kube-openapi/pkg/validation/spec","Apache-2.0" 174 | "k8s.io/utils","Apache-2.0" 175 | "k8s.io/utils/internal/third_party/forked/golang","BSD-3-Clause" 176 | "sigs.k8s.io/controller-runtime","Apache-2.0" 177 | "sigs.k8s.io/json","Apache-2.0" 178 | "sigs.k8s.io/json","BSD-3-Clause" 179 | "sigs.k8s.io/structured-merge-diff/v4","Apache-2.0" 180 | "sigs.k8s.io/yaml","MIT" 181 | "sigs.k8s.io/yaml","Apache-2.0" 182 | "sigs.k8s.io/yaml","BSD-3-Clause" 183 | "sigs.k8s.io/yaml/goyaml.v2","Apache-2.0" 184 | 185 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | # Contributor Covenant Code of Conduct 5 | 6 | ## Our Pledge 7 | 8 | We as members, contributors, and leaders pledge to make participation in our 9 | community a harassment-free experience for everyone, regardless of age, body 10 | size, visible or invisible disability, ethnicity, sex characteristics, gender 11 | identity and expression, level of experience, education, socio-economic status, 12 | nationality, personal appearance, race, caste, color, religion, or sexual 13 | identity and orientation. 14 | 15 | We pledge to act and interact in ways that contribute to an open, welcoming, 16 | diverse, inclusive, and healthy community. 17 | 18 | ## Our Standards 19 | 20 | Examples of behavior that contributes to a positive environment for our 21 | community include: 22 | 23 | - Demonstrating empathy and kindness toward other people 24 | - Being respectful of differing opinions, viewpoints, and experiences 25 | - Giving and gracefully accepting constructive feedback 26 | - Accepting responsibility and apologizing to those affected by our mistakes, 27 | and learning from the experience 28 | - Focusing on what is best not just for us as individuals, but for the overall 29 | community 30 | 31 | Examples of unacceptable behavior include: 32 | 33 | - The use of sexualized language or imagery, and sexual attention or advances of 34 | any kind 35 | - Trolling, insulting or derogatory comments, and personal or political attacks 36 | - Public or private harassment 37 | - Publishing others' private information, such as a physical or email address, 38 | without their explicit permission 39 | - Other conduct which could reasonably be considered inappropriate in a 40 | professional setting 41 | 42 | ## Open Source Community Support 43 | 44 | Ory Open source software is collaborative and based on contributions by 45 | developers in the Ory community. There is no obligation from Ory to help with 46 | individual problems. If Ory open source software is used in production in a 47 | for-profit company or enterprise environment, we mandate a paid support contract 48 | where Ory is obligated under their service level agreements (SLAs) to offer a 49 | defined level of availability and responsibility. For more information about 50 | paid support please contact us at sales@ory.sh. 51 | 52 | ## Enforcement Responsibilities 53 | 54 | Community leaders are responsible for clarifying and enforcing our standards of 55 | acceptable behavior and will take appropriate and fair corrective action in 56 | response to any behavior that they deem inappropriate, threatening, offensive, 57 | or harmful. 58 | 59 | Community leaders have the right and responsibility to remove, edit, or reject 60 | comments, commits, code, wiki edits, issues, and other contributions that are 61 | not aligned to this Code of Conduct, and will communicate reasons for moderation 62 | decisions when appropriate. 63 | 64 | ## Scope 65 | 66 | This Code of Conduct applies within all community spaces, and also applies when 67 | an individual is officially representing the community in public spaces. 68 | Examples of representing our community include using an official e-mail address, 69 | posting via an official social media account, or acting as an appointed 70 | representative at an online or offline event. 71 | 72 | ## Enforcement 73 | 74 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 75 | reported to the community leaders responsible for enforcement at 76 | [office@ory.sh](mailto:office@ory.sh). All complaints will be reviewed and 77 | investigated promptly and fairly. 78 | 79 | All community leaders are obligated to respect the privacy and security of the 80 | reporter of any incident. 81 | 82 | ## Enforcement Guidelines 83 | 84 | Community leaders will follow these Community Impact Guidelines in determining 85 | the consequences for any action they deem in violation of this Code of Conduct: 86 | 87 | ### 1. Correction 88 | 89 | **Community Impact**: Use of inappropriate language or other behavior deemed 90 | unprofessional or unwelcome in the community. 91 | 92 | **Consequence**: A private, written warning from community leaders, providing 93 | clarity around the nature of the violation and an explanation of why the 94 | behavior was inappropriate. A public apology may be requested. 95 | 96 | ### 2. Warning 97 | 98 | **Community Impact**: A violation through a single incident or series of 99 | actions. 100 | 101 | **Consequence**: A warning with consequences for continued behavior. No 102 | interaction with the people involved, including unsolicited interaction with 103 | those enforcing the Code of Conduct, for a specified period of time. This 104 | includes avoiding interactions in community spaces as well as external channels 105 | like social media. Violating these terms may lead to a temporary or permanent 106 | ban. 107 | 108 | ### 3. Temporary Ban 109 | 110 | **Community Impact**: A serious violation of community standards, including 111 | sustained inappropriate behavior. 112 | 113 | **Consequence**: A temporary ban from any sort of interaction or public 114 | communication with the community for a specified period of time. No public or 115 | private interaction with the people involved, including unsolicited interaction 116 | with those enforcing the Code of Conduct, is allowed during this period. 117 | Violating these terms may lead to a permanent ban. 118 | 119 | ### 4. Permanent Ban 120 | 121 | **Community Impact**: Demonstrating a pattern of violation of community 122 | standards, including sustained inappropriate behavior, harassment of an 123 | individual, or aggression toward or disparagement of classes of individuals. 124 | 125 | **Consequence**: A permanent ban from any sort of public interaction within the 126 | community. 127 | 128 | ## Attribution 129 | 130 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 131 | version 2.1, available at 132 | [https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. 133 | 134 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 135 | enforcement ladder][mozilla coc]. 136 | 137 | For answers to common questions about this code of conduct, see the FAQ at 138 | [https://www.contributor-covenant.org/faq][faq]. Translations are available at 139 | [https://www.contributor-covenant.org/translations][translations]. 140 | 141 | [homepage]: https://www.contributor-covenant.org 142 | [v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html 143 | [mozilla coc]: https://github.com/mozilla/diversity 144 | [faq]: https://www.contributor-covenant.org/faq 145 | [translations]: https://www.contributor-covenant.org/translations 146 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | # Contribute to Ory Ory Hydra Maester 5 | 6 | 7 | 8 | 9 | - [Introduction](#introduction) 10 | - [FAQ](#faq) 11 | - [How can I contribute?](#how-can-i-contribute) 12 | - [Communication](#communication) 13 | - [Contribute examples or community projects](#contribute-examples-or-community-projects) 14 | - [Contribute code](#contribute-code) 15 | - [Contribute documentation](#contribute-documentation) 16 | - [Disclosing vulnerabilities](#disclosing-vulnerabilities) 17 | - [Code style](#code-style) 18 | - [Working with forks](#working-with-forks) 19 | - [Conduct](#conduct) 20 | 21 | 22 | 23 | ## Introduction 24 | 25 | _Please note_: We take Ory Ory Hydra Maester's security and our users' trust very 26 | seriously. If you believe you have found a security issue in Ory Ory Hydra Maester, 27 | please disclose it by contacting us at security@ory.sh. 28 | 29 | There are many ways in which you can contribute. The goal of this document is to 30 | provide a high-level overview of how you can get involved in Ory. 31 | 32 | As a potential contributor, your changes and ideas are welcome at any hour of 33 | the day or night, on weekdays, weekends, and holidays. Please do not ever 34 | hesitate to ask a question or send a pull request. 35 | 36 | If you are unsure, just ask or submit the issue or pull request anyways. You 37 | won't be yelled at for giving it your best effort. The worst that can happen is 38 | that you'll be politely asked to change something. We appreciate any sort of 39 | contributions and don't want a wall of rules to get in the way of that. 40 | 41 | That said, if you want to ensure that a pull request is likely to be merged, 42 | talk to us! You can find out our thoughts and ensure that your contribution 43 | won't clash with Ory 44 | Ory Hydra Maester's direction. A great way to 45 | do this is via 46 | [Ory Ory Hydra Maester Discussions](https://github.com/orgs/ory/discussions) 47 | or the [Ory Chat](https://www.ory.sh/chat). 48 | 49 | ## FAQ 50 | 51 | - I am new to the community. Where can I find the 52 | [Ory Community Code of Conduct?](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md) 53 | 54 | - I have a question. Where can I get 55 | [answers to questions regarding Ory Ory Hydra Maester?](#communication) 56 | 57 | - I would like to contribute but I am not sure how. Are there 58 | [easy ways to contribute?](#how-can-i-contribute) 59 | [Or good first issues?](https://github.com/search?l=&o=desc&q=label%3A%22help+wanted%22+label%3A%22good+first+issue%22+is%3Aopen+user%3Aory+user%3Aory-corp&s=updated&type=Issues) 60 | 61 | - I want to talk to other Ory Ory Hydra Maester users. 62 | [How can I become a part of the community?](#communication) 63 | 64 | - I would like to know what I am agreeing to when I contribute to Ory 65 | Ory Hydra Maester. 66 | Does Ory have 67 | [a Contributors License Agreement?](https://cla-assistant.io/ory/hydra-maester) 68 | 69 | - I would like updates about new versions of Ory Ory Hydra Maester. 70 | [How are new releases announced?](https://www.ory.sh/l/sign-up-newsletter) 71 | 72 | ## How can I contribute? 73 | 74 | If you want to start to contribute code right away, take a look at the 75 | [list of good first issues](https://github.com/ory/hydra-maester/labels/good%20first%20issue). 76 | 77 | There are many other ways you can contribute. Here are a few things you can do 78 | to help out: 79 | 80 | - **Give us a star.** It may not seem like much, but it really makes a 81 | difference. This is something that everyone can do to help out Ory Ory Hydra Maester. 82 | Github stars help the project gain visibility and stand out. 83 | 84 | - **Join the community.** Sometimes helping people can be as easy as listening 85 | to their problems and offering a different perspective. Join our Slack, have a 86 | look at discussions in the forum and take part in community events. More info 87 | on this in [Communication](#communication). 88 | 89 | - **Answer discussions.** At all times, there are several unanswered discussions 90 | on GitHub. You can see an 91 | [overview here](https://github.com/discussions?discussions_q=is%3Aunanswered+org%3Aory+sort%3Aupdated-desc). 92 | If you think you know an answer or can provide some information that might 93 | help, please share it! Bonus: You get GitHub achievements for answered 94 | discussions. 95 | 96 | - **Help with open issues.** We have a lot of open issues for Ory Ory Hydra Maester and 97 | some of them may lack necessary information, some are duplicates of older 98 | issues. You can help out by guiding people through the process of filling out 99 | the issue template, asking for clarifying information or pointing them to 100 | existing issues that match their description of the problem. 101 | 102 | - **Review documentation changes.** Most documentation just needs a review for 103 | proper spelling and grammar. If you think a document can be improved in any 104 | way, feel free to hit the `edit` button at the top of the page. More info on 105 | contributing to the documentation [here](#contribute-documentation). 106 | 107 | - **Help with tests.** Pull requests may lack proper tests or test plans. These 108 | are needed for the change to be implemented safely. 109 | 110 | ## Communication 111 | 112 | We use [Slack](https://www.ory.sh/chat). You are welcome to drop in and ask 113 | questions, discuss bugs and feature requests, talk to other users of Ory, etc. 114 | 115 | Check out [Ory Ory Hydra Maester Discussions](https://github.com/orgs/ory/discussions). This is a great place for 116 | in-depth discussions and lots of code examples, logs and similar data. 117 | 118 | You can also join our community calls if you want to speak to the Ory team 119 | directly or ask some questions. You can find more info and participate in 120 | [Slack](https://www.ory.sh/chat) in the #community-call channel. 121 | 122 | If you want to receive regular notifications about updates to Ory Ory Hydra Maester, 123 | consider joining the mailing list. We will _only_ send you vital information on 124 | the projects that you are interested in. 125 | 126 | Also, [follow us on Twitter](https://twitter.com/orycorp). 127 | 128 | ## Contribute examples or community projects 129 | 130 | One of the most impactful ways to contribute is by adding code examples or other 131 | Ory-related code. You can find an overview of community code in the 132 | [awesome-ory](https://github.com/ory/awesome-ory) repository. 133 | 134 | _If you would like to contribute a new example, we would love to hear from you!_ 135 | 136 | Please [open a pull request at awesome-ory](https://github.com/ory/awesome-ory/) 137 | to add your example or Ory-related project to the awesome-ory README. 138 | 139 | ## Contribute code 140 | 141 | Unless you are fixing a known bug, we **strongly** recommend discussing it with 142 | the core team via a GitHub issue or [in our chat](https://www.ory.sh/chat) 143 | before getting started to ensure your work is consistent with Ory Ory Hydra Maester's 144 | roadmap and architecture. 145 | 146 | All contributions are made via pull requests. To make a pull request, you will 147 | need a GitHub account; if you are unclear on this process, see GitHub's 148 | documentation on [forking](https://help.github.com/articles/fork-a-repo) and 149 | [pull requests](https://help.github.com/articles/using-pull-requests). Pull 150 | requests should be targeted at the `master` branch. Before creating a pull 151 | request, go through this checklist: 152 | 153 | 1. Create a feature branch off of `master` so that changes do not get mixed up. 154 | 1. [Rebase](http://git-scm.com/book/en/Git-Branching-Rebasing) your local 155 | changes against the `master` branch. 156 | 1. Run the full project test suite with the `go test -tags sqlite ./...` (or 157 | equivalent) command and confirm that it passes. 158 | 1. Run `make format` 159 | 1. Add a descriptive prefix to commits. This ensures a uniform commit history 160 | and helps structure the changelog. Please refer to this 161 | [Convential Commits configuration](https://github.com/ory/hydra-maester/blob/master/.github/workflows/conventional_commits.yml) 162 | for the list of accepted prefixes. You can read more about the Conventional 163 | Commit specification 164 | [at their site](https://www.conventionalcommits.org/en/v1.0.0/). 165 | 166 | If a pull request is not ready to be reviewed yet 167 | [it should be marked as a "Draft"](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request). 168 | 169 | Before your contributions can be reviewed you need to sign our 170 | [Contributor License Agreement](https://cla-assistant.io/ory/hydra-maester). 171 | 172 | This agreement defines the terms under which your code is contributed to Ory. 173 | More specifically it declares that you have the right to, and actually do, grant 174 | us the rights to use your contribution. You can see the Apache 2.0 license under 175 | which our projects are published 176 | [here](https://github.com/ory/meta/blob/master/LICENSE). 177 | 178 | When pull requests fail the automated testing stages (for example unit or E2E 179 | tests), authors are expected to update their pull requests to address the 180 | failures until the tests pass. 181 | 182 | Pull requests eligible for review 183 | 184 | 1. follow the repository's code formatting conventions; 185 | 2. include tests that prove that the change works as intended and does not add 186 | regressions; 187 | 3. document the changes in the code and/or the project's documentation; 188 | 4. pass the CI pipeline; 189 | 5. have signed our 190 | [Contributor License Agreement](https://cla-assistant.io/ory/hydra-maester); 191 | 6. include a proper git commit message following the 192 | [Conventional Commit Specification](https://www.conventionalcommits.org/en/v1.0.0/). 193 | 194 | If all of these items are checked, the pull request is ready to be reviewed and 195 | you should change the status to "Ready for review" and 196 | [request review from a maintainer](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/requesting-a-pull-request-review). 197 | 198 | Reviewers will approve the pull request once they are satisfied with the patch. 199 | 200 | ## Contribute documentation 201 | 202 | Please provide documentation when changing, removing, or adding features. All 203 | Ory Documentation resides in the 204 | [Ory documentation repository](https://github.com/ory/docs/). For further 205 | instructions please head over to the Ory Documentation 206 | [README.md](https://github.com/ory/docs/blob/master/README.md). 207 | 208 | ## Disclosing vulnerabilities 209 | 210 | Please disclose vulnerabilities exclusively to 211 | [security@ory.sh](mailto:security@ory.sh). Do not use GitHub issues. 212 | 213 | ## Code style 214 | 215 | Please run `make format` to format all source code following the Ory standard. 216 | 217 | ### Working with forks 218 | 219 | ```bash 220 | # First you clone the original repository 221 | git clone git@github.com:ory/ory/hydra-maester.git 222 | 223 | # Next you add a git remote that is your fork: 224 | git remote add fork git@github.com:/ory/hydra-maester.git 225 | 226 | # Next you fetch the latest changes from origin for master: 227 | git fetch origin 228 | git checkout master 229 | git pull --rebase 230 | 231 | # Next you create a new feature branch off of master: 232 | git checkout my-feature-branch 233 | 234 | # Now you do your work and commit your changes: 235 | git add -A 236 | git commit -a -m "fix: this is the subject line" -m "This is the body line. Closes #123" 237 | 238 | # And the last step is pushing this to your fork 239 | git push -u fork my-feature-branch 240 | ``` 241 | 242 | Now go to the project's GitHub Pull Request page and click "New pull request" 243 | 244 | ## Conduct 245 | 246 | Whether you are a regular contributor or a newcomer, we care about making this 247 | community a safe place for you and we've got your back. 248 | 249 | [Ory Community Code of Conduct](https://github.com/ory/hydra-maester/blob/master/CODE_OF_CONDUCT.md) 250 | 251 | We welcome discussion about creating a welcoming, safe, and productive 252 | environment for the community. If you have any questions, feedback, or concerns 253 | [please let us know](https://www.ory.sh/chat). 254 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | ifeq ($(OS),Windows_NT) 2 | ifeq ($(PROCESSOR_ARCHITECTURE),AMD64) 3 | ARCH=amd64 4 | OS=windows 5 | endif 6 | else 7 | UNAME_S := $(shell uname -s) 8 | ifeq ($(UNAME_S),Linux) 9 | OS=linux 10 | ARCH=amd64 11 | endif 12 | ifeq ($(UNAME_S),Darwin) 13 | OS=darwin 14 | ifeq ($(shell uname -m),x86_64) 15 | ARCH=amd64 16 | endif 17 | ifeq ($(shell uname -m),arm64) 18 | ARCH=arm64 19 | endif 20 | endif 21 | endif 22 | ##@ Build Dependencies 23 | 24 | ## Location to install dependencies to 25 | LOCALBIN ?= $(shell pwd)/.bin 26 | $(LOCALBIN): 27 | mkdir -p $(LOCALBIN) 28 | 29 | SHELL=/bin/bash -euo pipefail 30 | 31 | export PATH := .bin:${PATH} 32 | export PWD := $(shell pwd) 33 | export K3SIMAGE := docker.io/rancher/k3s:v1.26.1-k3s1 34 | ## Tool Binaries 35 | CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen 36 | ENVTEST ?= $(LOCALBIN)/setup-envtest 37 | 38 | ## Tool Versions 39 | CONTROLLER_TOOLS_VERSION ?= v0.15.0 40 | ENVTEST_K8S_VERSION = 1.29.0 41 | 42 | # Image URL to use all building/pushing image targets 43 | IMG ?= controller:latest 44 | 45 | run-with-cleanup = $(1) && $(2) || (ret=$$?; $(2) && exit $$ret) 46 | 47 | # find or download controller-gen 48 | # download controller-gen if necessary 49 | .PHONY: controller-gen 50 | controller-gen: $(CONTROLLER_GEN) 51 | $(CONTROLLER_GEN): $(LOCALBIN) 52 | test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ 53 | GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_TOOLS_VERSION) 54 | 55 | ## Download envtest-setup locally if necessary. 56 | .PHONY: envtest 57 | envtest: $(ENVTEST) 58 | $(ENVTEST): $(LOCALBIN) 59 | test -s $(LOCALBIN)/setup-envtest || GOBIN=$(LOCALBIN) go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest 60 | 61 | .bin/ory: Makefile 62 | curl https://raw.githubusercontent.com/ory/meta/master/install.sh | bash -s -- -b .bin ory 63 | touch .bin/ory 64 | 65 | .bin/kubectl: Makefile 66 | @URL=$$(.bin/ory dev ci deps url -o ${OS} -a ${ARCH} -c .deps/kubectl.yaml); \ 67 | echo "Downloading 'kubectl' $${URL}...."; \ 68 | curl -Lo .bin/kubectl $${URL}; \ 69 | chmod +x .bin/kubectl; 70 | 71 | .bin/kustomize: Makefile 72 | @URL=$$(.bin/ory dev ci deps url -o ${OS} -a ${ARCH} -c .deps/kustomize.yaml); \ 73 | echo "Downloading 'kustomize' $${URL}...."; \ 74 | curl -L $${URL} | tar -xmz -C .bin kustomize; \ 75 | chmod +x .bin/kustomize; 76 | 77 | .bin/k3d: Makefile 78 | @URL=$$(.bin/ory dev ci deps url -o ${OS} -a ${ARCH} -c .deps/k3d.yaml); \ 79 | echo "Downloading 'k3d' $${URL}...."; \ 80 | curl -Lo .bin/k3d $${URL}; \ 81 | chmod +x .bin/k3d; 82 | 83 | .PHONY: deps 84 | deps: .bin/ory .bin/k3d .bin/kubectl .bin/kustomize 85 | 86 | .PHONY: all 87 | all: manager 88 | 89 | # Run tests 90 | .PHONY: test 91 | test: manifests generate vet envtest 92 | KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" go test ./... -coverprofile cover.out 93 | 94 | .PHONY: k3d-up 95 | k3d-up: 96 | k3d cluster create --image $${K3SIMAGE} ory \ 97 | --k3s-arg=--kube-apiserver-arg="enable-admission-plugins=NodeRestriction,ServiceAccount@server:0" \ 98 | --k3s-arg=feature-gates="NamespaceDefaultLabelName=true@server:0"; 99 | 100 | .PHONY: k3d-down 101 | k3d-down: 102 | k3d cluster delete ory || true 103 | 104 | .PHONY: k3d-deploy 105 | k3d-deploy: manager-ci manifests docker-build-notest k3d-up 106 | kubectl config set-context k3d-ory 107 | k3d image load controller:latest -c ory 108 | kubectl apply -f config/crd/bases 109 | kustomize build config/default | kubectl apply -f - 110 | 111 | .PHONY: k3d-test 112 | k3d-test: k3d-deploy 113 | kubectl config set-context k3d-ory 114 | go install github.com/onsi/ginkgo/ginkgo@latest 115 | USE_EXISTING_CLUSTER=true ginkgo -v ./controllers/... 116 | 117 | # Run integration tests on local cluster 118 | .PHONY: test-integration 119 | test-integration: 120 | $(call run-with-cleanup, $(MAKE) k3d-test, $(MAKE) k3d-down) 121 | 122 | # Build manager binary 123 | .PHONY: manager 124 | manager: generate vet 125 | CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) go build -a -o manager main.go 126 | 127 | # Build manager binary for CI 128 | .PHONY: manager-ci 129 | manager-ci: generate vet 130 | CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go 131 | 132 | # Run against the configured Kubernetes cluster in ~/.kube/config 133 | .PHONY: run 134 | run: generate vet 135 | go run ./main.go --hydra-url ${HYDRA_URL} 136 | 137 | # Install CRDs into a cluster 138 | .PHONY: install 139 | install: manifests 140 | kubectl apply -f config/crd/bases 141 | 142 | # Deploy controller in the configured Kubernetes cluster in ~/.kube/config 143 | .PHONY: deploy 144 | deploy: manifests 145 | kubectl apply -f config/crd/bases 146 | kustomize build config/default | kubectl apply -f - 147 | 148 | # Generate manifests e.g. CRD, RBAC etc. 149 | .PHONY: manifests 150 | manifests: controller-gen 151 | $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases 152 | 153 | # Format the source code 154 | format: .bin/ory node_modules 155 | .bin/ory dev headers copyright --type=open-source 156 | go fmt ./... 157 | npm exec -- prettier --write . 158 | 159 | # Run go vet against code 160 | .PHONY: vet 161 | vet: 162 | go vet ./... 163 | 164 | # Generate code 165 | .PHONY: generate 166 | generate: controller-gen 167 | $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." 168 | 169 | # Build the docker image 170 | .PHONY: docker-build-notest 171 | docker-build-notest: 172 | docker build . -t ${IMG} -f .docker/Dockerfile-build 173 | @echo "updating kustomize image patch file for manager resource" 174 | sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/default/manager_image_patch.yaml 175 | 176 | .PHONY: docker-build 177 | docker-build: test docker-build-notest 178 | 179 | # Push the docker image 180 | .PHONY: docker-push 181 | docker-push: 182 | docker push ${IMG} 183 | 184 | licenses: .bin/licenses node_modules # checks open-source licenses 185 | .bin/licenses 186 | 187 | .bin/licenses: Makefile 188 | curl https://raw.githubusercontent.com/ory/ci/master/licenses/install | sh 189 | 190 | node_modules: package-lock.json 191 | npm ci 192 | touch node_modules 193 | -------------------------------------------------------------------------------- /PROJECT: -------------------------------------------------------------------------------- 1 | version: "3" 2 | domain: ory.sh 3 | repo: github.com/ory/hydra-maester 4 | projectName: hydra-maester 5 | layout: 6 | - go.kubebuilder.io/v4 7 | resources: 8 | - group: hydra 9 | version: v1alpha1 10 | kind: OAuth2Client -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | - [Ory Hydra Maester](#ory-hydra-maester) 5 | - [Prerequisites](#prerequisites) 6 | - [Design](#design) 7 | - [How to use it](#how-to-use-it) 8 | - [Command-line flags](#command-line-flags) 9 | - [Development](#development) 10 | - [Testing](#testing) 11 | 12 | 13 | 14 | # Ory Hydra Maester 15 | 16 | ⚠️ ⚠️ ⚠️ 17 | 18 | > Ory Hydra Maester is developed by the Ory community and is not actively 19 | > maintained by Ory core maintainers due to lack of resources, time, and 20 | > knolwedge. As such please be aware that there might be issues with the system. 21 | > If you have ideas for better testing and development principles please open an 22 | > issue or PR! 23 | 24 | ⚠️ ⚠️ ⚠️ 25 | 26 | This project contains a Kubernetes controller that uses Custom Resources (CR) to 27 | manage Hydra Oauth2 clients. ORY Hydra Maester watches for instances of 28 | `oauth2clients.hydra.ory.sh/v1alpha1` CR and creates, updates, or deletes 29 | corresponding OAuth2 clients by communicating with ORY Hydra's API. 30 | 31 | Visit Hydra-maester's 32 | [chart documentation](https://github.com/ory/k8s/blob/master/docs/helm/hydra-maester.md) 33 | and view [sample OAuth2 client resources](config/samples) to learn more about 34 | the `oauth2clients.hydra.ory.sh/v1alpha1` CR. 35 | 36 | The project is based on 37 | [Kubebuilder](https://github.com/kubernetes-sigs/kubebuilder). 38 | 39 | ## Prerequisites 40 | 41 | - recent version of Go language with support for modules (e.g: 1.12.6) 42 | - make 43 | - kubectl 44 | - kustomize 45 | - [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder) for running 46 | tests 47 | - [ginkgo](https://onsi.github.io/ginkgo/) for local integration testing 48 | - access to K8s environment: minikube or a remote K8s cluster 49 | - [mockery](https://github.com/vektra/mockery) to generate mocks for testing 50 | purposes 51 | 52 | ## Design 53 | 54 | Take a look at [Design Readme](./docs/README.md). 55 | 56 | ## How to use it 57 | 58 | - `make test` to run tests 59 | - `make test-integration` to run integration tests 60 | - `make install` to generate CRD file from go sources and install it on the 61 | cluster 62 | - `export HYDRA_URL={HYDRA_SERVICE_URL} && make run` to run the controller 63 | 64 | To deploy the controller, edit the value of the `--hydra-url` argument in the 65 | [manager.yaml](config/manager/manager.yaml) file and run `make deploy`. 66 | 67 | ### Command-line flags 68 | 69 | | Name | Required | Description | Default value | Example values | 70 | | ---------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------- | ------------- | ---------------------------------------- | 71 | | **hydra-url** | yes | ORY Hydra's service address | - | ` ory-hydra-admin.ory.svc.cluster.local` | 72 | | **hydra-port** | no | ORY Hydra's service port | `4445` | `4445` | 73 | | **tls-trust-store** | no | TLS cert path for hydra client | `""` | `/etc/ssl/certs/ca-certificates.crt` | 74 | | **insecure-skip-verify** | no | Skip http client insecure verification | `false` | `true` or `false` | 75 | | **namespace** | no | Namespace in which the controller should operate. Setting this will make the controller ignore other namespaces. | `""` | `"my-namespace"` | 76 | | **leader-elector-namespace** | no | Leader elector namespace where controller should be set. | `""` | `"my-namespace"` | 77 | 78 | ### Environmental Variables 79 | 80 | | Variable name | Default value | Example value | 81 | | :---------------------- | ------------------- | --------------------- | 82 | | `**CLIENT_ID_KEY**` | `**CLIENT_ID**` | `**MY_SECRET_NAME**` | 83 | | `**CLIENT_SECRET_KEY**` | `**CLIENT_SECRET**` | `**MY_SECRET_VALUE**` | 84 | 85 | ## Development 86 | 87 | ### Testing 88 | 89 | Use mockery to generate mock types that implement existing interfaces. To 90 | generate a mock type for an interface, navigate to the directory containing that 91 | interface and run this command: 92 | 93 | ``` 94 | mockery -name={INTERFACE_NAME} 95 | ``` 96 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | # Ory Security Policy 5 | 6 | This policy outlines Ory's security commitments and practices for users across 7 | different licensing and deployment models. 8 | 9 | To learn more about Ory's security service level agreements (SLAs) and 10 | processes, please [contact us](https://www.ory.sh/contact/). 11 | 12 | ## Ory Network Users 13 | 14 | - **Security SLA:** Ory addresses vulnerabilities in the Ory Network according 15 | to the following guidelines: 16 | - Critical: Typically addressed within 14 days. 17 | - High: Typically addressed within 30 days. 18 | - Medium: Typically addressed within 90 days. 19 | - Low: Typically addressed within 180 days. 20 | - Informational: Addressed as necessary. 21 | These timelines are targets and may vary based on specific circumstances. 22 | - **Release Schedule:** Updates are deployed to the Ory Network as 23 | vulnerabilities are resolved. 24 | - **Version Support:** The Ory Network always runs the latest version, ensuring 25 | up-to-date security fixes. 26 | 27 | ## Ory Enterprise License Customers 28 | 29 | - **Security SLA:** Ory addresses vulnerabilities based on their severity: 30 | - Critical: Typically addressed within 14 days. 31 | - High: Typically addressed within 30 days. 32 | - Medium: Typically addressed within 90 days. 33 | - Low: Typically addressed within 180 days. 34 | - Informational: Addressed as necessary. 35 | These timelines are targets and may vary based on specific circumstances. 36 | - **Release Schedule:** Updates are made available as vulnerabilities are 37 | resolved. Ory works closely with enterprise customers to ensure timely updates 38 | that align with their operational needs. 39 | - **Version Support:** Ory may provide security support for multiple versions, 40 | depending on the terms of the enterprise agreement. 41 | 42 | ## Apache 2.0 License Users 43 | 44 | - **Security SLA:** Ory does not provide a formal SLA for security issues under 45 | the Apache 2.0 License. 46 | - **Release Schedule:** Releases prioritize new functionality and include fixes 47 | for known security vulnerabilities at the time of release. While major 48 | releases typically occur one to two times per year, Ory does not guarantee a 49 | fixed release schedule. 50 | - **Version Support:** Security patches are only provided for the latest release 51 | version. 52 | 53 | ## Reporting a Vulnerability 54 | 55 | For details on how to report security vulnerabilities, visit our 56 | [security policy documentation](https://www.ory.sh/docs/ecosystem/security). 57 | -------------------------------------------------------------------------------- /api/v1alpha1/groupversion_info.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | // Package v1alpha1 contains API Schema definitions for the hydra v1alpha1 API group 5 | // +kubebuilder:object:generate=true 6 | // +groupName=hydra.ory.sh 7 | package v1alpha1 8 | 9 | import ( 10 | "k8s.io/apimachinery/pkg/runtime/schema" 11 | "sigs.k8s.io/controller-runtime/pkg/scheme" 12 | ) 13 | 14 | var ( 15 | // GroupVersion is group version used to register these objects 16 | GroupVersion = schema.GroupVersion{Group: "hydra.ory.sh", Version: "v1alpha1"} 17 | 18 | // SchemeBuilder is used to add go types to the GroupVersionKind scheme 19 | SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} 20 | 21 | // AddToScheme adds the types in this group-version to the given scheme. 22 | AddToScheme = SchemeBuilder.AddToScheme 23 | ) 24 | -------------------------------------------------------------------------------- /api/v1alpha1/oauth2client_types.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package v1alpha1 5 | 6 | import ( 7 | apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" 8 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 9 | ) 10 | 11 | type StatusCode string 12 | 13 | const ( 14 | StatusRegistrationFailed StatusCode = "CLIENT_REGISTRATION_FAILED" 15 | StatusCreateSecretFailed StatusCode = "SECRET_CREATION_FAILED" 16 | StatusUpdateFailed StatusCode = "CLIENT_UPDATE_FAILED" 17 | StatusInvalidSecret StatusCode = "INVALID_SECRET" 18 | StatusInvalidHydraAddress StatusCode = "INVALID_HYDRA_ADDRESS" 19 | ) 20 | 21 | // HydraAdmin defines the desired hydra admin instance to use for OAuth2Client 22 | type HydraAdmin struct { 23 | // +kubebuilder:validation:MaxLength=256 24 | // +kubebuilder:validation:Pattern=`(^$|^https?://.*)` 25 | // 26 | // URL is the URL for the hydra instance on 27 | // which to set up the client. This value will override the value 28 | // provided to `--hydra-url` 29 | URL string `json:"url,omitempty"` 30 | 31 | // +kubebuilder:validation:Maximum=65535 32 | // 33 | // Port is the port for the hydra instance on 34 | // which to set up the client. This value will override the value 35 | // provided to `--hydra-port` 36 | Port int `json:"port,omitempty"` 37 | 38 | // +kubebuilder:validation:Pattern=(^$|^/.*) 39 | // 40 | // Endpoint is the endpoint for the hydra instance on which 41 | // to set up the client. This value will override the value 42 | // provided to `--endpoint` (defaults to `"/clients"` in the 43 | // application) 44 | Endpoint string `json:"endpoint,omitempty"` 45 | 46 | // +kubebuilder:validation:Pattern=(^$|https?|off) 47 | // 48 | // ForwardedProto overrides the `--forwarded-proto` flag. The 49 | // value "off" will force this to be off even if 50 | // `--forwarded-proto` is specified 51 | ForwardedProto string `json:"forwardedProto,omitempty"` 52 | } 53 | 54 | // TokenLifespans defines the desired token durations by grant type for OAuth2Client 55 | type TokenLifespans struct { 56 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 57 | // 58 | // AuthorizationCodeGrantAccessTokenLifespan is the access token lifespan 59 | // issued on an authorization_code grant. 60 | AuthorizationCodeGrantAccessTokenLifespan string `json:"authorization_code_grant_access_token_lifespan,omitempty"` 61 | 62 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 63 | // 64 | // AuthorizationCodeGrantIdTokenLifespan is the id token lifespan 65 | // issued on an authorization_code grant. 66 | AuthorizationCodeGrantIdTokenLifespan string `json:"authorization_code_grant_id_token_lifespan,omitempty"` 67 | 68 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 69 | // 70 | // AuthorizationCodeGrantRefreshTokenLifespan is the refresh token lifespan 71 | // issued on an authorization_code grant. 72 | AuthorizationCodeGrantRefreshTokenLifespan string `json:"authorization_code_grant_refresh_token_lifespan,omitempty"` 73 | 74 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 75 | // 76 | // AuthorizationCodeGrantRefreshTokenLifespan is the access token lifespan 77 | // issued on a client_credentials grant. 78 | ClientCredentialsGrantAccessTokenLifespan string `json:"client_credentials_grant_access_token_lifespan,omitempty"` 79 | 80 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 81 | // 82 | // ImplicitGrantAccessTokenLifespan is the access token lifespan 83 | // issued on an implicit grant. 84 | ImplicitGrantAccessTokenLifespan string `json:"implicit_grant_access_token_lifespan,omitempty"` 85 | 86 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 87 | // 88 | // ImplicitGrantIdTokenLifespan is the id token lifespan 89 | // issued on an implicit grant. 90 | ImplicitGrantIdTokenLifespan string `json:"implicit_grant_id_token_lifespan,omitempty"` 91 | 92 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 93 | // 94 | // JwtBearerGrantAccessTokenLifespan is the access token lifespan 95 | // issued on a jwt_bearer grant. 96 | JwtBearerGrantAccessTokenLifespan string `json:"jwt_bearer_grant_access_token_lifespan,omitempty"` 97 | 98 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 99 | // 100 | // RefreshTokenGrantAccessTokenLifespan is the access token lifespan 101 | // issued on a refresh_token grant. 102 | RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"` 103 | 104 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 105 | // 106 | // RefreshTokenGrantIdTokenLifespan is the id token lifespan 107 | // issued on a refresh_token grant. 108 | RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"` 109 | 110 | // +kubebuilder:validation:Pattern=[0-9]+(ns|us|ms|s|m|h) 111 | // 112 | // RefreshTokenGrantRefreshTokenLifespan is the refresh token lifespan 113 | // issued on a refresh_token grant. 114 | RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"` 115 | } 116 | 117 | // OAuth2ClientSpec defines the desired state of OAuth2Client 118 | type OAuth2ClientSpec struct { 119 | 120 | // ClientName is the human-readable string name of the client to be presented to the end-user during authorization. 121 | ClientName string `json:"clientName,omitempty"` 122 | 123 | // +kubebuilder:validation:MaxItems=4 124 | // +kubebuilder:validation:MinItems=1 125 | // 126 | // GrantTypes is an array of grant types the client is allowed to use. 127 | GrantTypes []GrantType `json:"grantTypes"` 128 | 129 | // +kubebuilder:validation:MaxItems=3 130 | // +kubebuilder:validation:MinItems=1 131 | // 132 | // ResponseTypes is an array of the OAuth 2.0 response type strings that the client can 133 | // use at the authorization endpoint. 134 | ResponseTypes []ResponseType `json:"responseTypes,omitempty"` 135 | 136 | // RedirectURIs is an array of the redirect URIs allowed for the application 137 | RedirectURIs []RedirectURI `json:"redirectUris,omitempty"` 138 | 139 | // PostLogoutRedirectURIs is an array of the post logout redirect URIs allowed for the application 140 | PostLogoutRedirectURIs []RedirectURI `json:"postLogoutRedirectUris,omitempty"` 141 | 142 | // AllowedCorsOrigins is an array of allowed CORS origins 143 | AllowedCorsOrigins []RedirectURI `json:"allowedCorsOrigins,omitempty"` 144 | 145 | // Audience is a whitelist defining the audiences this client is allowed to request tokens for 146 | Audience []string `json:"audience,omitempty"` 147 | 148 | // +kubebuilder:validation:Pattern=([a-zA-Z0-9\.\*]+\s?)* 149 | // +kubebuilder:deprecatedversion:warning="Property scope is deprecated. Use scopeArray instead." 150 | // 151 | // Scope is a string containing a space-separated list of scope values (as 152 | // described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client 153 | // can use when requesting access tokens. 154 | // Use scopeArray instead. 155 | Scope string `json:"scope,omitempty"` 156 | 157 | // Scope is an array of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) 158 | // that the client can use when requesting access tokens. 159 | ScopeArray []string `json:"scopeArray,omitempty"` 160 | 161 | // +kubebuilder:validation:MinLength=1 162 | // +kubebuilder:validation:MaxLength=253 163 | // +kubebuilder:validation:Pattern=[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* 164 | // 165 | // SecretName points to the K8s secret that contains this client's ID and password 166 | SecretName string `json:"secretName"` 167 | 168 | // SkipConsent skips the consent screen for this client. 169 | // +kubebuilder:validation:type=bool 170 | // +kubebuilder:default=false 171 | SkipConsent bool `json:"skipConsent,omitempty"` 172 | 173 | // HydraAdmin is the optional configuration to use for managing 174 | // this client 175 | HydraAdmin HydraAdmin `json:"hydraAdmin,omitempty"` 176 | 177 | // +kubebuilder:validation:Enum=client_secret_basic;client_secret_post;private_key_jwt;none 178 | // 179 | // Indication which authentication method should be used for the token endpoint 180 | TokenEndpointAuthMethod TokenEndpointAuthMethod `json:"tokenEndpointAuthMethod,omitempty"` 181 | 182 | // TokenLifespans is the configuration to use for managing different token lifespans 183 | // depending on the used grant type. 184 | TokenLifespans TokenLifespans `json:"tokenLifespans,omitempty"` 185 | 186 | // +kubebuilder:validation:Type=object 187 | // +nullable 188 | // +optional 189 | // 190 | // Metadata is arbitrary data 191 | Metadata apiextensionsv1.JSON `json:"metadata,omitempty"` 192 | 193 | // +kubebuilder:validation:type=string 194 | // +kubebuilder:validation:Pattern=`(^$|^https?://.*)` 195 | // 196 | // JwksUri Define the URL where the JSON Web Key Set should be fetched from when performing the private_key_jwt client authentication method. 197 | JwksUri string `json:"jwksUri,omitempty"` 198 | 199 | // +kubebuilder:validation:type=bool 200 | // +kubebuilder:default=false 201 | // 202 | // FrontChannelLogoutSessionRequired Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used 203 | FrontChannelLogoutSessionRequired bool `json:"frontChannelLogoutSessionRequired,omitempty"` 204 | 205 | // +kubebuilder:validation:type=string 206 | // +kubebuilder:validation:Pattern=`(^$|^https?://.*)` 207 | // 208 | // FrontChannelLogoutURI RP URL that will cause the RP to log itself out when rendered in an iframe by the OP. An iss (issuer) query parameter and a sid (session ID) query parameter MAY be included by the OP to enable the RP to validate the request and to determine which of the potentially multiple sessions is to be logged out; if either is included, both MUST be 209 | FrontChannelLogoutURI string `json:"frontChannelLogoutURI,omitempty"` 210 | 211 | // +kubebuilder:validation:type=bool 212 | // +kubebuilder:default=false 213 | // 214 | // BackChannelLogoutSessionRequired Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. If omitted, the default value is false. 215 | BackChannelLogoutSessionRequired bool `json:"backChannelLogoutSessionRequired,omitempty"` 216 | 217 | // +kubebuilder:validation:type=string 218 | // +kubebuilder:validation:Pattern=`(^$|^https?://.*)` 219 | // 220 | // BackChannelLogoutURI RP URL that will cause the RP to log itself out when sent a Logout Token by the OP 221 | BackChannelLogoutURI string `json:"backChannelLogoutURI,omitempty"` 222 | 223 | // +kubebuilder:validation:Enum=delete;orphan 224 | // 225 | // Indicates if a deleted OAuth2Client custom resource should delete the database row or not. 226 | // Values can be 'delete' to delete the OAuth2 client, value 'orphan' to keep an orphan oauth2 client. 227 | DeletionPolicy OAuth2ClientDeletionPolicy `json:"deletionPolicy,omitempty"` 228 | } 229 | 230 | // GrantType represents an OAuth 2.0 grant type 231 | // +kubebuilder:validation:Enum=client_credentials;authorization_code;implicit;refresh_token 232 | type GrantType string 233 | 234 | // ResponseType represents an OAuth 2.0 response type strings 235 | // +kubebuilder:validation:Enum=id_token;code;token;code token;code id_token;id_token token;code id_token token 236 | type ResponseType string 237 | 238 | // RedirectURI represents a redirect URI for the client 239 | // +kubebuilder:validation:Pattern=`\w+:/?/?[^\s]+` 240 | type RedirectURI string 241 | 242 | // TokenEndpointAuthMethod represents an authentication method for token endpoint 243 | // +kubebuilder:validation:Enum=client_secret_basic;client_secret_post;private_key_jwt;none 244 | type TokenEndpointAuthMethod string 245 | 246 | // OAuth2ClientStatus defines the observed state of OAuth2Client 247 | type OAuth2ClientStatus struct { 248 | // ObservedGeneration represents the most recent generation observed by the daemon set controller. 249 | ObservedGeneration int64 `json:"observedGeneration,omitempty"` 250 | ReconciliationError ReconciliationError `json:"reconciliationError,omitempty"` 251 | Conditions []OAuth2ClientCondition `json:"conditions,omitempty"` 252 | } 253 | 254 | // ReconciliationError represents an error that occurred during the reconciliation process 255 | type ReconciliationError struct { 256 | // Code is the status code of the reconciliation error 257 | Code StatusCode `json:"statusCode,omitempty"` 258 | // Description is the description of the reconciliation error 259 | Description string `json:"description,omitempty"` 260 | } 261 | 262 | // OAuth2ClientCondition contains condition information for an OAuth2Client 263 | type OAuth2ClientCondition struct { 264 | Type OAuth2ClientConditionType `json:"type"` 265 | Status ConditionStatus `json:"status"` 266 | } 267 | 268 | type OAuth2ClientConditionType string 269 | 270 | const ( 271 | OAuth2ClientConditionReady = "Ready" 272 | ) 273 | 274 | // OAuth2ClientDeletionPolicy represents if a deleted oauth2 client object should delete the database row or not. 275 | type OAuth2ClientDeletionPolicy string 276 | 277 | const ( 278 | OAuth2ClientDeletionPolicyDelete = "delete" 279 | OAuth2ClientDeletionPolicyOrphan = "orphan" 280 | ) 281 | 282 | // +kubebuilder:validation:Enum=True;False;Unknown 283 | type ConditionStatus string 284 | 285 | const ( 286 | ConditionTrue ConditionStatus = "True" 287 | ConditionFalse ConditionStatus = "False" 288 | ConditionUnknown ConditionStatus = "Unknown" 289 | ) 290 | 291 | // +kubebuilder:object:root=true 292 | // +kubebuilder:subresource:status 293 | 294 | // OAuth2Client is the Schema for the oauth2clients API 295 | type OAuth2Client struct { 296 | metav1.TypeMeta `json:",inline"` 297 | metav1.ObjectMeta `json:"metadata,omitempty"` 298 | 299 | Spec OAuth2ClientSpec `json:"spec,omitempty"` 300 | Status OAuth2ClientStatus `json:"status,omitempty"` 301 | } 302 | 303 | // +kubebuilder:object:root=true 304 | 305 | // OAuth2ClientList contains a list of OAuth2Client 306 | type OAuth2ClientList struct { 307 | metav1.TypeMeta `json:",inline"` 308 | metav1.ListMeta `json:"metadata,omitempty"` 309 | Items []OAuth2Client `json:"items"` 310 | } 311 | 312 | func init() { 313 | SchemeBuilder.Register(&OAuth2Client{}, &OAuth2ClientList{}) 314 | } 315 | -------------------------------------------------------------------------------- /api/v1alpha1/oauth2client_types_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package v1alpha1 5 | 6 | import ( 7 | "fmt" 8 | "path/filepath" 9 | "strings" 10 | "testing" 11 | 12 | "github.com/stretchr/testify/assert" 13 | "github.com/stretchr/testify/require" 14 | "golang.org/x/net/context" 15 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 16 | "k8s.io/apimachinery/pkg/types" 17 | "k8s.io/client-go/kubernetes/scheme" 18 | "k8s.io/client-go/rest" 19 | "sigs.k8s.io/controller-runtime/pkg/client" 20 | "sigs.k8s.io/controller-runtime/pkg/envtest" 21 | ) 22 | 23 | var ( 24 | k8sClient client.Client 25 | cfg *rest.Config 26 | testEnv *envtest.Environment 27 | key types.NamespacedName 28 | created, fetched *OAuth2Client 29 | createErr, getErr, deleteErr error 30 | ) 31 | 32 | func TestCreateAPI(t *testing.T) { 33 | 34 | runEnv(t) 35 | defer stopEnv(t) 36 | 37 | t.Run("should handle an object properly", func(t *testing.T) { 38 | 39 | key = types.NamespacedName{ 40 | Name: "foo", 41 | Namespace: "default", 42 | } 43 | 44 | t.Run("by creating an API object if it meets CRD requirements without optional parameters", func(t *testing.T) { 45 | 46 | resetTestClient() 47 | 48 | createErr = k8sClient.Create(context.TODO(), created) 49 | require.NoError(t, createErr) 50 | 51 | fetched = &OAuth2Client{} 52 | getErr = k8sClient.Get(context.TODO(), key, fetched) 53 | require.NoError(t, getErr) 54 | assert.Equal(t, created, fetched) 55 | 56 | deleteErr = k8sClient.Delete(context.TODO(), created) 57 | require.NoError(t, deleteErr) 58 | 59 | getErr = k8sClient.Get(context.TODO(), key, created) 60 | require.Error(t, getErr) 61 | }) 62 | 63 | t.Run("by creating an API object if it meets CRD requirements with optional parameters", func(t *testing.T) { 64 | 65 | resetTestClient() 66 | 67 | created.Spec.RedirectURIs = []RedirectURI{"https://client/account", "http://localhost:8080/account"} 68 | created.Spec.HydraAdmin = HydraAdmin{ 69 | URL: "http://localhost", 70 | Port: 4445, 71 | // Endpoint: "/clients", 72 | ForwardedProto: "https", 73 | } 74 | 75 | createErr = k8sClient.Create(context.TODO(), created) 76 | require.NoError(t, createErr) 77 | 78 | fetched = &OAuth2Client{} 79 | getErr = k8sClient.Get(context.TODO(), key, fetched) 80 | require.NoError(t, getErr) 81 | assert.Equal(t, created, fetched) 82 | 83 | deleteErr = k8sClient.Delete(context.TODO(), created) 84 | require.NoError(t, deleteErr) 85 | 86 | getErr = k8sClient.Get(context.TODO(), key, created) 87 | require.Error(t, getErr) 88 | }) 89 | 90 | t.Run("by failing if the requested object doesn't meet CRD requirements", func(t *testing.T) { 91 | 92 | for desc, modifyClient := range map[string]func(){ 93 | "invalid grant type": func() { created.Spec.GrantTypes = []GrantType{"invalid"} }, 94 | "invalid response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid", "code"} }, 95 | "invalid composite response type": func() { created.Spec.ResponseTypes = []ResponseType{"invalid code", "code id_token"} }, 96 | "missing secret name": func() { created.Spec.SecretName = "" }, 97 | "invalid redirect URI": func() { created.Spec.RedirectURIs = []RedirectURI{"invalid"} }, 98 | "invalid logout redirect URI": func() { created.Spec.PostLogoutRedirectURIs = []RedirectURI{"invalid"} }, 99 | "invalid hydra url": func() { created.Spec.HydraAdmin.URL = "invalid" }, 100 | "invalid hydra url too long": func() { created.Spec.HydraAdmin.URL = "https://" + strings.Repeat("a", 260) }, 101 | "invalid hydra port high": func() { created.Spec.HydraAdmin.Port = 65536 }, 102 | "invalid hydra endpoint": func() { created.Spec.HydraAdmin.Endpoint = "invalid" }, 103 | "invalid hydra forwarded proto": func() { created.Spec.HydraAdmin.ForwardedProto = "invalid" }, 104 | "invalid lifespan authorization code access token": func() { created.Spec.TokenLifespans.AuthorizationCodeGrantAccessTokenLifespan = "invalid" }, 105 | "invalid lifespan authorization code id token": func() { created.Spec.TokenLifespans.AuthorizationCodeGrantIdTokenLifespan = "invalid" }, 106 | "invalid lifespan authorization code refresh token": func() { created.Spec.TokenLifespans.AuthorizationCodeGrantRefreshTokenLifespan = "invalid" }, 107 | "invalid lifespan client credentials access token": func() { created.Spec.TokenLifespans.ClientCredentialsGrantAccessTokenLifespan = "invalid" }, 108 | "invalid lifespan implicit access token": func() { created.Spec.TokenLifespans.ImplicitGrantAccessTokenLifespan = "invalid" }, 109 | "invalid lifespan implicit id token": func() { created.Spec.TokenLifespans.ImplicitGrantIdTokenLifespan = "invalid" }, 110 | "invalid lifespan jwt bearer access token": func() { created.Spec.TokenLifespans.JwtBearerGrantAccessTokenLifespan = "invalid" }, 111 | "invalid lifespan refresh token access token": func() { created.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan = "invalid" }, 112 | "invalid lifespan refresh token id token": func() { created.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan = "invalid" }, 113 | "invalid lifespan refresh token refresh token": func() { created.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan = "invalid" }, 114 | "invalid deletion policy": func() { created.Spec.DeletionPolicy = "invalid" }, 115 | } { 116 | t.Run(fmt.Sprintf("case=%s", desc), func(t *testing.T) { 117 | resetTestClient() 118 | modifyClient() 119 | createErr = k8sClient.Create(context.TODO(), created) 120 | require.Error(t, createErr) 121 | }) 122 | } 123 | }) 124 | 125 | t.Run("by creating an object if it passes validation", func(t *testing.T) { 126 | for desc, modifyClient := range map[string]func(){ 127 | "single response type": func() { created.Spec.ResponseTypes = []ResponseType{"token", "id_token", "code"} }, 128 | "double response type": func() { created.Spec.ResponseTypes = []ResponseType{"id_token token", "code id_token", "code token"} }, 129 | "triple response type": func() { created.Spec.ResponseTypes = []ResponseType{"code id_token token"} }, 130 | } { 131 | t.Run(fmt.Sprintf("case=%s", desc), func(t *testing.T) { 132 | resetTestClient() 133 | modifyClient() 134 | require.NoError(t, k8sClient.Create(context.TODO(), created)) 135 | require.NoError(t, k8sClient.Delete(context.TODO(), created)) 136 | }) 137 | } 138 | }) 139 | }) 140 | } 141 | 142 | func runEnv(t *testing.T) { 143 | 144 | testEnv = &envtest.Environment{ 145 | CRDDirectoryPaths: []string{filepath.Join("..", "..", "config", "crd", "bases")}, 146 | } 147 | 148 | err := SchemeBuilder.AddToScheme(scheme.Scheme) 149 | require.NoError(t, err) 150 | 151 | cfg, err = testEnv.Start() 152 | require.NoError(t, err) 153 | require.NotNil(t, cfg) 154 | 155 | k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) 156 | require.NoError(t, err) 157 | require.NotNil(t, k8sClient) 158 | 159 | } 160 | 161 | func stopEnv(t *testing.T) { 162 | err := testEnv.Stop() 163 | require.NoError(t, err) 164 | } 165 | 166 | func resetTestClient() { 167 | created = &OAuth2Client{ 168 | ObjectMeta: metav1.ObjectMeta{ 169 | Name: "foo", 170 | Namespace: "default", 171 | }, 172 | Spec: OAuth2ClientSpec{ 173 | GrantTypes: []GrantType{"implicit", "client_credentials", "authorization_code", "refresh_token"}, 174 | ResponseTypes: []ResponseType{"id_token", "code", "token"}, 175 | Scope: "read,write", 176 | SecretName: "secret-name", 177 | TokenLifespans: TokenLifespans{}, 178 | }, 179 | } 180 | } 181 | -------------------------------------------------------------------------------- /api/v1alpha1/zz_generated.deepcopy.go: -------------------------------------------------------------------------------- 1 | //go:build !ignore_autogenerated 2 | 3 | /* 4 | Copyright © 2023 Ory Corp 5 | SPDX-License-Identifier: Apache-2.0 6 | 7 | Licensed under the Apache License, Version 2.0 (the "License"); 8 | you may not use this file except in compliance with the License. 9 | You may obtain a copy of the License at 10 | 11 | http://www.apache.org/licenses/LICENSE-2.0 12 | 13 | Unless required by applicable law or agreed to in writing, software 14 | distributed under the License is distributed on an "AS IS" BASIS, 15 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | See the License for the specific language governing permissions and 17 | limitations under the License. 18 | */ 19 | 20 | // Code generated by controller-gen. DO NOT EDIT. 21 | 22 | package v1alpha1 23 | 24 | import ( 25 | runtime "k8s.io/apimachinery/pkg/runtime" 26 | ) 27 | 28 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 29 | func (in *HydraAdmin) DeepCopyInto(out *HydraAdmin) { 30 | *out = *in 31 | } 32 | 33 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HydraAdmin. 34 | func (in *HydraAdmin) DeepCopy() *HydraAdmin { 35 | if in == nil { 36 | return nil 37 | } 38 | out := new(HydraAdmin) 39 | in.DeepCopyInto(out) 40 | return out 41 | } 42 | 43 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 44 | func (in *OAuth2Client) DeepCopyInto(out *OAuth2Client) { 45 | *out = *in 46 | out.TypeMeta = in.TypeMeta 47 | in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) 48 | in.Spec.DeepCopyInto(&out.Spec) 49 | in.Status.DeepCopyInto(&out.Status) 50 | } 51 | 52 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2Client. 53 | func (in *OAuth2Client) DeepCopy() *OAuth2Client { 54 | if in == nil { 55 | return nil 56 | } 57 | out := new(OAuth2Client) 58 | in.DeepCopyInto(out) 59 | return out 60 | } 61 | 62 | // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 63 | func (in *OAuth2Client) DeepCopyObject() runtime.Object { 64 | if c := in.DeepCopy(); c != nil { 65 | return c 66 | } 67 | return nil 68 | } 69 | 70 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 71 | func (in *OAuth2ClientCondition) DeepCopyInto(out *OAuth2ClientCondition) { 72 | *out = *in 73 | } 74 | 75 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientCondition. 76 | func (in *OAuth2ClientCondition) DeepCopy() *OAuth2ClientCondition { 77 | if in == nil { 78 | return nil 79 | } 80 | out := new(OAuth2ClientCondition) 81 | in.DeepCopyInto(out) 82 | return out 83 | } 84 | 85 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 86 | func (in *OAuth2ClientList) DeepCopyInto(out *OAuth2ClientList) { 87 | *out = *in 88 | out.TypeMeta = in.TypeMeta 89 | in.ListMeta.DeepCopyInto(&out.ListMeta) 90 | if in.Items != nil { 91 | in, out := &in.Items, &out.Items 92 | *out = make([]OAuth2Client, len(*in)) 93 | for i := range *in { 94 | (*in)[i].DeepCopyInto(&(*out)[i]) 95 | } 96 | } 97 | } 98 | 99 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientList. 100 | func (in *OAuth2ClientList) DeepCopy() *OAuth2ClientList { 101 | if in == nil { 102 | return nil 103 | } 104 | out := new(OAuth2ClientList) 105 | in.DeepCopyInto(out) 106 | return out 107 | } 108 | 109 | // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 110 | func (in *OAuth2ClientList) DeepCopyObject() runtime.Object { 111 | if c := in.DeepCopy(); c != nil { 112 | return c 113 | } 114 | return nil 115 | } 116 | 117 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 118 | func (in *OAuth2ClientSpec) DeepCopyInto(out *OAuth2ClientSpec) { 119 | *out = *in 120 | if in.GrantTypes != nil { 121 | in, out := &in.GrantTypes, &out.GrantTypes 122 | *out = make([]GrantType, len(*in)) 123 | copy(*out, *in) 124 | } 125 | if in.ResponseTypes != nil { 126 | in, out := &in.ResponseTypes, &out.ResponseTypes 127 | *out = make([]ResponseType, len(*in)) 128 | copy(*out, *in) 129 | } 130 | if in.RedirectURIs != nil { 131 | in, out := &in.RedirectURIs, &out.RedirectURIs 132 | *out = make([]RedirectURI, len(*in)) 133 | copy(*out, *in) 134 | } 135 | if in.PostLogoutRedirectURIs != nil { 136 | in, out := &in.PostLogoutRedirectURIs, &out.PostLogoutRedirectURIs 137 | *out = make([]RedirectURI, len(*in)) 138 | copy(*out, *in) 139 | } 140 | if in.AllowedCorsOrigins != nil { 141 | in, out := &in.AllowedCorsOrigins, &out.AllowedCorsOrigins 142 | *out = make([]RedirectURI, len(*in)) 143 | copy(*out, *in) 144 | } 145 | if in.Audience != nil { 146 | in, out := &in.Audience, &out.Audience 147 | *out = make([]string, len(*in)) 148 | copy(*out, *in) 149 | } 150 | if in.ScopeArray != nil { 151 | in, out := &in.ScopeArray, &out.ScopeArray 152 | *out = make([]string, len(*in)) 153 | copy(*out, *in) 154 | } 155 | out.HydraAdmin = in.HydraAdmin 156 | out.TokenLifespans = in.TokenLifespans 157 | in.Metadata.DeepCopyInto(&out.Metadata) 158 | } 159 | 160 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientSpec. 161 | func (in *OAuth2ClientSpec) DeepCopy() *OAuth2ClientSpec { 162 | if in == nil { 163 | return nil 164 | } 165 | out := new(OAuth2ClientSpec) 166 | in.DeepCopyInto(out) 167 | return out 168 | } 169 | 170 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 171 | func (in *OAuth2ClientStatus) DeepCopyInto(out *OAuth2ClientStatus) { 172 | *out = *in 173 | out.ReconciliationError = in.ReconciliationError 174 | if in.Conditions != nil { 175 | in, out := &in.Conditions, &out.Conditions 176 | *out = make([]OAuth2ClientCondition, len(*in)) 177 | copy(*out, *in) 178 | } 179 | } 180 | 181 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientStatus. 182 | func (in *OAuth2ClientStatus) DeepCopy() *OAuth2ClientStatus { 183 | if in == nil { 184 | return nil 185 | } 186 | out := new(OAuth2ClientStatus) 187 | in.DeepCopyInto(out) 188 | return out 189 | } 190 | 191 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 192 | func (in *ReconciliationError) DeepCopyInto(out *ReconciliationError) { 193 | *out = *in 194 | } 195 | 196 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReconciliationError. 197 | func (in *ReconciliationError) DeepCopy() *ReconciliationError { 198 | if in == nil { 199 | return nil 200 | } 201 | out := new(ReconciliationError) 202 | in.DeepCopyInto(out) 203 | return out 204 | } 205 | 206 | // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 207 | func (in *TokenLifespans) DeepCopyInto(out *TokenLifespans) { 208 | *out = *in 209 | } 210 | 211 | // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenLifespans. 212 | func (in *TokenLifespans) DeepCopy() *TokenLifespans { 213 | if in == nil { 214 | return nil 215 | } 216 | out := new(TokenLifespans) 217 | in.DeepCopyInto(out) 218 | return out 219 | } 220 | -------------------------------------------------------------------------------- /config/certmanager/certificate.yaml: -------------------------------------------------------------------------------- 1 | # The following manifests contain a self-signed issuer CR and a certificate CR. 2 | # More document can be found at https://docs.cert-manager.io 3 | apiVersion: certmanager.k8s.io/v1alpha1 4 | kind: Issuer 5 | metadata: 6 | name: selfsigned-issuer 7 | namespace: system 8 | spec: 9 | selfSigned: {} 10 | --- 11 | apiVersion: certmanager.k8s.io/v1alpha1 12 | kind: Certificate 13 | metadata: 14 | name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml 15 | namespace: system 16 | spec: 17 | # $(SERVICENAME) and $(NAMESPACE) will be substituted by kustomize 18 | commonName: $(SERVICENAME).$(NAMESPACE).svc 19 | dnsNames: 20 | - $(SERVICENAME).$(NAMESPACE).svc.cluster.local 21 | issuerRef: 22 | kind: Issuer 23 | name: selfsigned-issuer 24 | secretName: webhook-server-cert # this secret will not be prefixed, since it's not managed by kustomize 25 | -------------------------------------------------------------------------------- /config/certmanager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - certificate.yaml 3 | 4 | # the following config is for teaching kustomize how to do var substitution 5 | vars: 6 | - name: NAMESPACE # namespace of the service and the certificate CR 7 | objref: 8 | kind: Service 9 | version: v1 10 | name: webhook-service 11 | fieldref: 12 | fieldpath: metadata.namespace 13 | - name: CERTIFICATENAME 14 | objref: 15 | kind: Certificate 16 | group: certmanager.k8s.io 17 | version: v1alpha1 18 | name: serving-cert # this name should match the one in certificate.yaml 19 | - name: SERVICENAME 20 | objref: 21 | kind: Service 22 | version: v1 23 | name: webhook-service 24 | 25 | configurations: 26 | - kustomizeconfig.yaml 27 | -------------------------------------------------------------------------------- /config/certmanager/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This configuration is for teaching kustomize how to update name ref and var substitution 2 | nameReference: 3 | - kind: Issuer 4 | group: certmanager.k8s.io 5 | fieldSpecs: 6 | - kind: Certificate 7 | group: certmanager.k8s.io 8 | path: spec/issuerRef/name 9 | 10 | varReference: 11 | - kind: Certificate 12 | group: certmanager.k8s.io 13 | path: spec/commonName 14 | - kind: Certificate 15 | group: certmanager.k8s.io 16 | path: spec/dnsNames 17 | -------------------------------------------------------------------------------- /config/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # This kustomization.yaml is not intended to be run by itself, 2 | # since it depends on service name and namespace that are out of this kustomize package. 3 | # It should be run by config/default 4 | resources: 5 | - bases/hydra.ory.sh_oauth2clients.yaml 6 | # +kubebuilder:scaffold:crdkustomizeresource 7 | 8 | patches: 9 | # [WEBHOOK] patches here are for enabling the conversion webhook for each CRD 10 | #- patches/webhook_in_oauth2clients.yaml 11 | # +kubebuilder:scaffold:crdkustomizewebhookpatch 12 | 13 | # [CAINJECTION] patches here are for enabling the CA injection for each CRD 14 | #- patches/cainjection_in_oauth2clients.yaml 15 | # +kubebuilder:scaffold:crdkustomizecainjectionpatch 16 | 17 | # the following config is for teaching kustomize how to do kustomization for CRDs. 18 | configurations: 19 | - kustomizeconfig.yaml 20 | -------------------------------------------------------------------------------- /config/crd/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # This file is for teaching kustomize how to substitute name and namespace reference in CRD 2 | nameReference: 3 | - kind: Service 4 | version: v1 5 | fieldSpecs: 6 | - kind: CustomResourceDefinition 7 | group: apiextensions.k8s.io 8 | path: spec/conversion/webhookClientConfig/service/name 9 | 10 | namespace: 11 | - kind: CustomResourceDefinition 12 | group: apiextensions.k8s.io 13 | path: spec/conversion/webhookClientConfig/service/namespace 14 | create: false 15 | 16 | varReference: 17 | - path: metadata/annotations 18 | -------------------------------------------------------------------------------- /config/crd/patches/cainjection_in_oauth2clients.yaml: -------------------------------------------------------------------------------- 1 | # The following patch adds a directive for certmanager to inject CA into the CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | annotations: 7 | certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) 8 | name: oauth2clients.hydra.ory.sh 9 | -------------------------------------------------------------------------------- /config/crd/patches/webhook_in_oauth2clients.yaml: -------------------------------------------------------------------------------- 1 | # The following patch enables conversion webhook for CRD 2 | # CRD conversion requires k8s 1.13 or later. 3 | apiVersion: apiextensions.k8s.io/v1beta1 4 | kind: CustomResourceDefinition 5 | metadata: 6 | name: oauth2clients.hydra.ory.sh 7 | spec: 8 | conversion: 9 | strategy: Webhook 10 | webhookClientConfig: 11 | # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, 12 | # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) 13 | caBundle: Cg== 14 | service: 15 | namespace: system 16 | name: webhook-service 17 | path: /convert 18 | -------------------------------------------------------------------------------- /config/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | # Adds namespace to all resources. 2 | namespace: hydra-maester-system 3 | 4 | # Value of this field is prepended to the 5 | # names of all resources, e.g. a deployment named 6 | # "wordpress" becomes "alices-wordpress". 7 | # Note that it should also match with the prefix (text before '-') of the namespace 8 | # field above. 9 | namePrefix: hydra-maester- 10 | 11 | # Labels to add to all resources and selectors. 12 | #commonLabels: 13 | # someName: someValue 14 | 15 | # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in crd/kustomization.yaml 16 | #- ../webhook 17 | # [CERTMANAGER] To enable cert-manager, uncomment next line. 'WEBHOOK' components are required. 18 | #- ../certmanager 19 | 20 | # Protect the /metrics endpoint by putting it behind auth. 21 | # Only one of manager_auth_proxy_patch.yaml and 22 | # manager_prometheus_metrics_patch.yaml should be enabled. 23 | apiVersion: kustomize.config.k8s.io/v1beta1 24 | kind: Kustomization 25 | resources: 26 | - ../crd 27 | - ../rbac 28 | - ../manager 29 | patches: 30 | - path: manager_image_patch.yaml 31 | - path: manager_auth_proxy_patch.yaml 32 | -------------------------------------------------------------------------------- /config/default/manager_auth_proxy_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch inject a sidecar container which is a HTTP proxy for the controller manager, 2 | # it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: controller-manager 7 | namespace: system 8 | spec: 9 | template: 10 | spec: 11 | containers: 12 | - name: kube-rbac-proxy 13 | image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 14 | args: 15 | - "--secure-listen-address=0.0.0.0:8443" 16 | - "--upstream=http://127.0.0.1:8080/" 17 | - "--logtostderr=true" 18 | - "--v=10" 19 | ports: 20 | - containerPort: 8443 21 | name: https 22 | - name: manager 23 | args: 24 | - "--metrics-addr=127.0.0.1:8080" 25 | -------------------------------------------------------------------------------- /config/default/manager_image_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | # Change the value of image field below to your controller image URL 11 | - image: controller:latest 12 | name: manager 13 | imagePullPolicy: IfNotPresent 14 | -------------------------------------------------------------------------------- /config/default/manager_prometheus_metrics_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch enables Prometheus scraping for the manager pod. 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: controller-manager 6 | namespace: system 7 | spec: 8 | template: 9 | metadata: 10 | annotations: 11 | prometheus.io/scrape: "true" 12 | spec: 13 | containers: 14 | # Expose the prometheus metrics on default port 15 | - name: manager 16 | ports: 17 | - containerPort: 8080 18 | name: metrics 19 | protocol: TCP 20 | -------------------------------------------------------------------------------- /config/default/manager_webhook_patch.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: controller-manager 5 | namespace: system 6 | spec: 7 | template: 8 | spec: 9 | containers: 10 | - name: manager 11 | ports: 12 | - containerPort: 443 13 | name: webhook-server 14 | protocol: TCP 15 | volumeMounts: 16 | - mountPath: /tmp/k8s-webhook-server/serving-certs 17 | name: cert 18 | readOnly: true 19 | volumes: 20 | - name: cert 21 | secret: 22 | defaultMode: 420 23 | secretName: webhook-server-cert 24 | -------------------------------------------------------------------------------- /config/default/webhookcainjection_patch.yaml: -------------------------------------------------------------------------------- 1 | # This patch add annotation to admission webhook config and 2 | # the variables $(NAMESPACE) and $(CERTIFICATENAME) will be substituted by kustomize. 3 | apiVersion: admissionregistration.k8s.io/v1beta1 4 | kind: MutatingWebhookConfiguration 5 | metadata: 6 | name: mutating-webhook-configuration 7 | annotations: 8 | certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) 9 | --- 10 | apiVersion: admissionregistration.k8s.io/v1beta1 11 | kind: ValidatingWebhookConfiguration 12 | metadata: 13 | name: validating-webhook-configuration 14 | annotations: 15 | certmanager.k8s.io/inject-ca-from: $(NAMESPACE)/$(CERTIFICATENAME) 16 | -------------------------------------------------------------------------------- /config/manager/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manager.yaml 3 | -------------------------------------------------------------------------------- /config/manager/manager.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | labels: 5 | control-plane: controller-manager 6 | name: system 7 | --- 8 | apiVersion: apps/v1 9 | kind: Deployment 10 | metadata: 11 | name: controller-manager 12 | namespace: system 13 | labels: 14 | control-plane: controller-manager 15 | spec: 16 | selector: 17 | matchLabels: 18 | control-plane: controller-manager 19 | replicas: 1 20 | template: 21 | metadata: 22 | labels: 23 | control-plane: controller-manager 24 | spec: 25 | containers: 26 | - command: 27 | - /manager 28 | args: 29 | - --enable-leader-election 30 | - --hydra-url=http://use.actual.hydra.fqdn #change it to your ORY Hydra address 31 | image: controller:latest 32 | name: manager 33 | resources: 34 | limits: 35 | cpu: 100m 36 | memory: 30Mi 37 | requests: 38 | cpu: 100m 39 | memory: 20Mi 40 | terminationGracePeriodSeconds: 10 41 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRole 3 | metadata: 4 | name: proxy-role 5 | rules: 6 | - apiGroups: ["authentication.k8s.io"] 7 | resources: 8 | - tokenreviews 9 | verbs: ["create"] 10 | - apiGroups: ["authorization.k8s.io"] 11 | resources: 12 | - subjectaccessreviews 13 | verbs: ["create"] 14 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: proxy-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: proxy-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/auth_proxy_service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | annotations: 5 | prometheus.io/port: "8443" 6 | prometheus.io/scheme: https 7 | prometheus.io/scrape: "true" 8 | labels: 9 | control-plane: controller-manager 10 | name: controller-manager-metrics-service 11 | namespace: system 12 | spec: 13 | ports: 14 | - name: https 15 | port: 8443 16 | targetPort: https 17 | selector: 18 | control-plane: controller-manager 19 | -------------------------------------------------------------------------------- /config/rbac/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - role.yaml 3 | - role_binding.yaml 4 | - leader_election_role.yaml 5 | - leader_election_role_binding.yaml 6 | # Comment the following 3 lines if you want to disable 7 | # the auth proxy (https://github.com/brancz/kube-rbac-proxy) 8 | # which protects your /metrics endpoint. 9 | - auth_proxy_service.yaml 10 | - auth_proxy_role.yaml 11 | - auth_proxy_role_binding.yaml 12 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role.yaml: -------------------------------------------------------------------------------- 1 | # permissions to do leader election. 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: Role 4 | metadata: 5 | name: leader-election-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - configmaps 11 | verbs: 12 | - get 13 | - list 14 | - watch 15 | - create 16 | - update 17 | - patch 18 | - delete 19 | - apiGroups: 20 | - "" 21 | resources: 22 | - configmaps/status 23 | verbs: 24 | - get 25 | - update 26 | - patch 27 | -------------------------------------------------------------------------------- /config/rbac/leader_election_role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: RoleBinding 3 | metadata: 4 | name: leader-election-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: Role 8 | name: leader-election-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/rbac/role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: rbac.authorization.k8s.io/v1 3 | kind: ClusterRole 4 | metadata: 5 | name: manager-role 6 | rules: 7 | - apiGroups: 8 | - "" 9 | resources: 10 | - secrets 11 | verbs: 12 | - create 13 | - delete 14 | - get 15 | - list 16 | - patch 17 | - update 18 | - watch 19 | - apiGroups: 20 | - hydra.ory.sh 21 | resources: 22 | - oauth2clients 23 | verbs: 24 | - create 25 | - delete 26 | - get 27 | - list 28 | - patch 29 | - update 30 | - watch 31 | - apiGroups: 32 | - hydra.ory.sh 33 | resources: 34 | - oauth2clients/status 35 | verbs: 36 | - get 37 | - patch 38 | - update 39 | -------------------------------------------------------------------------------- /config/rbac/role_binding.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: rbac.authorization.k8s.io/v1 2 | kind: ClusterRoleBinding 3 | metadata: 4 | name: manager-rolebinding 5 | roleRef: 6 | apiGroup: rbac.authorization.k8s.io 7 | kind: ClusterRole 8 | name: manager-role 9 | subjects: 10 | - kind: ServiceAccount 11 | name: default 12 | namespace: system 13 | -------------------------------------------------------------------------------- /config/samples/hydra_v1alpha1_oauth2client.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: hydra.ory.sh/v1alpha1 2 | kind: OAuth2Client 3 | metadata: 4 | name: my-oauth2-client 5 | namespace: default 6 | spec: 7 | grantTypes: 8 | - client_credentials 9 | - implicit 10 | - authorization_code 11 | - refresh_token 12 | responseTypes: 13 | - id_token 14 | - code 15 | - token 16 | - code token 17 | - code id_token 18 | - id_token token 19 | - code id_token token 20 | scope: "read write" 21 | secretName: my-secret-123 22 | # these are optional 23 | redirectUris: 24 | - https://client/account 25 | - http://localhost:8080 26 | postLogoutRedirectUris: 27 | - https://client/logout 28 | audience: 29 | - audience-a 30 | - audience-b 31 | hydraAdmin: 32 | # if hydraAdmin is specified, all of these fields are requried, 33 | # but they can be empty/0 34 | url: http://hydra-admin.namespace.cluster.domain 35 | port: 4445 36 | endpoint: /clients 37 | forwardedProto: https 38 | tokenEndpointAuthMethod: client_secret_basic 39 | -------------------------------------------------------------------------------- /config/samples/hydra_v1alpha1_oauth2client_custom_namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: custom-namespace 6 | --- 7 | apiVersion: v1 8 | kind: Secret 9 | metadata: 10 | name: my-secret-123 11 | namespace: custom-namespace 12 | type: Opaque 13 | data: 14 | CLIENT_ID: NDI0MjQyNDI= 15 | CLIENT_SECRET: czNjUjM3cDRzc1ZWMHJENDMyMQ== 16 | --- 17 | apiVersion: hydra.ory.sh/v1alpha1 18 | kind: OAuth2Client 19 | metadata: 20 | name: my-oauth2-client-3 21 | namespace: custom-namespace 22 | spec: 23 | grantTypes: 24 | - client_credentials 25 | - implicit 26 | - authorization_code 27 | - refresh_token 28 | responseTypes: 29 | - id_token 30 | - code 31 | - token 32 | scope: "read write" 33 | secretName: my-secret-123 34 | # these are optional 35 | redirectUris: 36 | - https://client/account 37 | - http://localhost:8080 38 | postLogoutRedirectUris: 39 | - https://client/logout 40 | audience: 41 | - audience-a 42 | - audience-b 43 | hydraAdmin: {} 44 | tokenEndpointAuthMethod: client_secret_basic 45 | -------------------------------------------------------------------------------- /config/samples/hydra_v1alpha1_oauth2client_user_credentials.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: my-secret-456 5 | namespace: default 6 | type: Opaque 7 | data: 8 | CLIENT_ID: MDA5MDA5MDA= 9 | CLIENT_SECRET: czNjUjM3cDRzc1ZWMHJEMTIzNA== 10 | --- 11 | apiVersion: hydra.ory.sh/v1alpha1 12 | kind: OAuth2Client 13 | metadata: 14 | name: my-oauth2-client-2 15 | namespace: default 16 | spec: 17 | grantTypes: 18 | - client_credentials 19 | - implicit 20 | - authorization_code 21 | - refresh_token 22 | responseTypes: 23 | - id_token 24 | - code 25 | - token 26 | scope: "read write" 27 | secretName: my-secret-456 28 | # these are optional 29 | redirectUris: 30 | - https://client/account 31 | - http://localhost:8080 32 | postLogoutRedirectUris: 33 | - https://client/logout 34 | audience: 35 | - audience-a 36 | - audience-b 37 | hydraAdmin: {} 38 | tokenEndpointAuthMethod: client_secret_basic 39 | -------------------------------------------------------------------------------- /config/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | resources: 2 | - manifests.yaml 3 | - service.yaml 4 | 5 | configurations: 6 | - kustomizeconfig.yaml 7 | -------------------------------------------------------------------------------- /config/webhook/kustomizeconfig.yaml: -------------------------------------------------------------------------------- 1 | # the following config is for teaching kustomize where to look at when substituting vars. 2 | # It requires kustomize v2.1.0 or newer to work properly. 3 | nameReference: 4 | - kind: Service 5 | version: v1 6 | fieldSpecs: 7 | - kind: MutatingWebhookConfiguration 8 | group: admissionregistration.k8s.io 9 | path: webhooks/clientConfig/service/name 10 | - kind: ValidatingWebhookConfiguration 11 | group: admissionregistration.k8s.io 12 | path: webhooks/clientConfig/service/name 13 | 14 | namespace: 15 | - kind: MutatingWebhookConfiguration 16 | group: admissionregistration.k8s.io 17 | path: webhooks/clientConfig/service/namespace 18 | create: true 19 | - kind: ValidatingWebhookConfiguration 20 | group: admissionregistration.k8s.io 21 | path: webhooks/clientConfig/service/namespace 22 | create: true 23 | 24 | varReference: 25 | - path: metadata/annotations 26 | -------------------------------------------------------------------------------- /config/webhook/manifests.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ory/hydra-maester/f55b25074acd161f29eb91b59cc33a8c473d7655/config/webhook/manifests.yaml -------------------------------------------------------------------------------- /config/webhook/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: webhook-service 5 | namespace: system 6 | spec: 7 | ports: 8 | - port: 443 9 | targetPort: 443 10 | selector: 11 | control-plane: controller-manager 12 | -------------------------------------------------------------------------------- /controllers/mocks/hydra/Client.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | // Code generated by mockery v1.0.0. DO NOT EDIT. 5 | 6 | package mocks 7 | 8 | import ( 9 | hydra "github.com/ory/hydra-maester/hydra" 10 | mock "github.com/stretchr/testify/mock" 11 | ) 12 | 13 | // Client is an autogenerated mock type for the Client type 14 | type Client struct { 15 | mock.Mock 16 | } 17 | 18 | // DeleteOAuth2Client provides a mock function with given fields: id 19 | func (_m *Client) DeleteOAuth2Client(id string) error { 20 | ret := _m.Called(id) 21 | 22 | var r0 error 23 | if rf, ok := ret.Get(0).(func(string) error); ok { 24 | r0 = rf(id) 25 | } else { 26 | r0 = ret.Error(0) 27 | } 28 | 29 | return r0 30 | } 31 | 32 | // GetOAuth2Client provides a mock function with given fields: id 33 | func (_m *Client) GetOAuth2Client(id string) (*hydra.OAuth2ClientJSON, bool, error) { 34 | ret := _m.Called(id) 35 | 36 | var r0 *hydra.OAuth2ClientJSON 37 | if rf, ok := ret.Get(0).(func(string) *hydra.OAuth2ClientJSON); ok { 38 | r0 = rf(id) 39 | } else { 40 | if ret.Get(0) != nil { 41 | r0 = ret.Get(0).(*hydra.OAuth2ClientJSON) 42 | } 43 | } 44 | 45 | var r1 bool 46 | if rf, ok := ret.Get(1).(func(string) bool); ok { 47 | r1 = rf(id) 48 | } else { 49 | r1 = ret.Get(1).(bool) 50 | } 51 | 52 | var r2 error 53 | if rf, ok := ret.Get(2).(func(string) error); ok { 54 | r2 = rf(id) 55 | } else { 56 | r2 = ret.Error(2) 57 | } 58 | 59 | return r0, r1, r2 60 | } 61 | 62 | // ListOAuth2Client provides a mock function with given fields: 63 | func (_m *Client) ListOAuth2Client() ([]*hydra.OAuth2ClientJSON, error) { 64 | ret := _m.Called() 65 | 66 | var r0 []*hydra.OAuth2ClientJSON 67 | if rf, ok := ret.Get(0).(func() []*hydra.OAuth2ClientJSON); ok { 68 | r0 = rf() 69 | } else { 70 | if ret.Get(0) != nil { 71 | r0 = ret.Get(0).([]*hydra.OAuth2ClientJSON) 72 | } 73 | } 74 | 75 | var r1 error 76 | if rf, ok := ret.Get(1).(func() error); ok { 77 | r1 = rf() 78 | } else { 79 | r1 = ret.Error(1) 80 | } 81 | 82 | return r0, r1 83 | } 84 | 85 | // PostOAuth2Client provides a mock function with given fields: o 86 | func (_m *Client) PostOAuth2Client(o *hydra.OAuth2ClientJSON) (*hydra.OAuth2ClientJSON, error) { 87 | ret := _m.Called(o) 88 | 89 | var r0 *hydra.OAuth2ClientJSON 90 | if rf, ok := ret.Get(0).(func(*hydra.OAuth2ClientJSON) *hydra.OAuth2ClientJSON); ok { 91 | r0 = rf(o) 92 | } else { 93 | if ret.Get(0) != nil { 94 | r0 = ret.Get(0).(*hydra.OAuth2ClientJSON) 95 | } 96 | } 97 | 98 | var r1 error 99 | if rf, ok := ret.Get(1).(func(*hydra.OAuth2ClientJSON) error); ok { 100 | r1 = rf(o) 101 | } else { 102 | r1 = ret.Error(1) 103 | } 104 | 105 | return r0, r1 106 | } 107 | 108 | // PutOAuth2Client provides a mock function with given fields: o 109 | func (_m *Client) PutOAuth2Client(o *hydra.OAuth2ClientJSON) (*hydra.OAuth2ClientJSON, error) { 110 | ret := _m.Called(o) 111 | 112 | var r0 *hydra.OAuth2ClientJSON 113 | if rf, ok := ret.Get(0).(func(*hydra.OAuth2ClientJSON) *hydra.OAuth2ClientJSON); ok { 114 | r0 = rf(o) 115 | } else { 116 | if ret.Get(0) != nil { 117 | r0 = ret.Get(0).(*hydra.OAuth2ClientJSON) 118 | } 119 | } 120 | 121 | var r1 error 122 | if rf, ok := ret.Get(1).(func(*hydra.OAuth2ClientJSON) error); ok { 123 | r1 = rf(o) 124 | } else { 125 | r1 = ret.Error(1) 126 | } 127 | 128 | return r0, r1 129 | } 130 | -------------------------------------------------------------------------------- /controllers/suite_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package controllers_test 5 | 6 | import ( 7 | "context" 8 | "path/filepath" 9 | "testing" 10 | 11 | . "github.com/onsi/ginkgo" 12 | . "github.com/onsi/gomega" 13 | 14 | "k8s.io/client-go/kubernetes/scheme" 15 | "k8s.io/client-go/rest" 16 | "k8s.io/client-go/util/retry" 17 | "sigs.k8s.io/controller-runtime/pkg/client" 18 | "sigs.k8s.io/controller-runtime/pkg/envtest" 19 | logf "sigs.k8s.io/controller-runtime/pkg/log" 20 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 21 | "sigs.k8s.io/controller-runtime/pkg/manager" 22 | "sigs.k8s.io/controller-runtime/pkg/reconcile" 23 | // +kubebuilder:scaffold:imports 24 | ) 25 | 26 | // These tests use Ginkgo (BDD-style Go testing framework). Refer to 27 | // http://onsi.github.io/ginkgo/ to learn more about Ginkgo. 28 | 29 | var cfg *rest.Config 30 | var k8sClient client.Client 31 | var testEnv *envtest.Environment 32 | 33 | func TestAPIs(t *testing.T) { 34 | RegisterFailHandler(Fail) 35 | 36 | RunSpecsWithDefaultAndCustomReporters(t, 37 | "Controller Suite", 38 | []Reporter{}) 39 | } 40 | 41 | var _ = BeforeSuite(func(done Done) { 42 | logf.SetLogger(zap.New(zap.UseDevMode(true), zap.WriteTo(GinkgoWriter))) 43 | 44 | By("bootstrapping test environment") 45 | testEnv = &envtest.Environment{ 46 | CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")}, 47 | } 48 | 49 | var err error 50 | cfg, err = testEnv.Start() 51 | Expect(err).ToNot(HaveOccurred()) 52 | Expect(cfg).ToNot(BeNil()) 53 | 54 | // +kubebuilder:scaffold:scheme 55 | 56 | k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme}) 57 | Expect(err).ToNot(HaveOccurred()) 58 | Expect(k8sClient).ToNot(BeNil()) 59 | 60 | close(done) 61 | }, 60) 62 | 63 | var _ = AfterSuite(func() { 64 | By("tearing down the test environment") 65 | 66 | // Need to retry a bit if the first stop fails due to a bug: 67 | // https://github.com/kubernetes-sigs/controller-runtime/issues/1571 68 | err := retry.OnError(retry.DefaultBackoff, func(err error) bool { 69 | return true 70 | }, func() error { 71 | return testEnv.Stop() 72 | }) 73 | Expect(err).NotTo(HaveOccurred()) 74 | }) 75 | 76 | // SetupTestReconcile returns a reconcile.Reconcile implementation that delegates to inner and 77 | // writes the request to requests after Reconcile is finished. 78 | func SetupTestReconcile(inner reconcile.Reconciler) (reconcile.Reconciler, chan reconcile.Request) { 79 | requests := make(chan reconcile.Request) 80 | fn := reconcile.Func(func(ctx context.Context, req reconcile.Request) (reconcile.Result, error) { 81 | result, err := inner.Reconcile(ctx, req) 82 | requests <- req 83 | return result, err 84 | }) 85 | return fn, requests 86 | } 87 | 88 | // StartTestManager adds recFn 89 | func StartTestManager(mgr manager.Manager) context.Context { 90 | ctx := context.Background() 91 | 92 | go func() { 93 | defer GinkgoRecover() 94 | defer ctx.Done() 95 | Expect(mgr.Start(ctx)).NotTo(HaveOccurred()) 96 | }() 97 | return ctx 98 | } 99 | -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | # Design 2 | 3 | ## Controller design 4 | 5 | The controller listens for Custom Resource which defines client registration 6 | request. Once Custom resource is created, the controller register oauth2 client 7 | in hydra using hydra's REST API. Client Id, Client Secret and Identifier of the 8 | client in hydra are be stored in the kubernetes as a secret and referenced in 9 | the applied CR. Reference is used to identify in which kubernetes secret are 10 | stored mentioned properties. Secret iscreated in the same namespace of applied 11 | CR. By default controller should be deployed in the same pod as hydra. Service 12 | discovery will come in place in the future. 13 | 14 | Custom Resource should be Namespace scoped to enable isolation in k8s. It is 15 | represented in the diagram 16 | 17 | ![diagram](./assets/workflow.svg) 18 | 19 | ## Synchronization mode 20 | 21 | Additionally, controller supports synchronization mode, where it tries to 22 | register all clients in hydra. Synchronization is an optional mode, enabled via 23 | config, which is meant for use cases where hydra is deployed with in memory 24 | storage. If hydra pod is restarted for some reason then it does not have client 25 | in its storage. With synchronization mode the controller makes sure that hydra 26 | has up to date clients. Synchronization is done by making POST request to hydra 27 | with payload describing all client information including clientID,clientSecret 28 | and Identifier of last applied client. If client exists in hydra storage 409 is 29 | returned which is considered as ok and synchronization continues with other 30 | clients. 31 | 32 | ![diagram](./assets/synchronization-mode.svg) 33 | -------------------------------------------------------------------------------- /docs/assets/synchronization-mode.svg: -------------------------------------------------------------------------------- 1 | 2 |
POST /clients
POST /clients
Hydra
Hydra
Cron Job
Cron Job
Response
201 or 409
Response <br>201 or 409
yes
yes
no
no
Fetch all CRs + their secrets
Fetch all CRs + their secrets
K8s
K8s -------------------------------------------------------------------------------- /docs/assets/workflow.svg: -------------------------------------------------------------------------------- 1 | 2 |
Create  Client Request CR
Create  Client Request CR
Notify about  CR
Notify about  CR
CRUD Oauth2 client in Hydra
CRUD Oauth2 client in Hydra
Kubernetes
Kubernetes
Hydra Maester
Hydra Maester
Hydra
Hydra
Developer
Developer
Validate CR
Validate CR
Validate CR
Validate CR
Create secret with
 ID,clientID, client secret 
[Not supported by viewer] -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/ory/hydra-maester 2 | 3 | go 1.23.2 4 | 5 | require ( 6 | github.com/go-logr/logr v1.4.3 7 | github.com/go-openapi/runtime v0.28.0 8 | github.com/go-playground/validator/v10 v10.26.0 9 | github.com/google/uuid v1.6.0 10 | github.com/onsi/ginkgo v1.16.5 11 | github.com/onsi/gomega v1.37.0 12 | github.com/stretchr/testify v1.10.0 13 | golang.org/x/net v0.40.0 14 | k8s.io/api v0.32.1 15 | k8s.io/apiextensions-apiserver v0.32.1 16 | k8s.io/apimachinery v0.32.1 17 | k8s.io/client-go v0.32.1 18 | k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 19 | sigs.k8s.io/controller-runtime v0.20.4 20 | ) 21 | 22 | require ( 23 | github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect 24 | github.com/beorn7/perks v1.0.1 // indirect 25 | github.com/cespare/xxhash/v2 v2.3.0 // indirect 26 | github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect 27 | github.com/emicklei/go-restful/v3 v3.11.0 // indirect 28 | github.com/evanphx/json-patch/v5 v5.9.11 // indirect 29 | github.com/fsnotify/fsnotify v1.7.0 // indirect 30 | github.com/fxamacker/cbor/v2 v2.7.0 // indirect 31 | github.com/gabriel-vasile/mimetype v1.4.8 // indirect 32 | github.com/go-logr/stdr v1.2.2 // indirect 33 | github.com/go-logr/zapr v1.3.0 // indirect 34 | github.com/go-openapi/analysis v0.23.0 // indirect 35 | github.com/go-openapi/errors v0.22.0 // indirect 36 | github.com/go-openapi/jsonpointer v0.21.0 // indirect 37 | github.com/go-openapi/jsonreference v0.21.0 // indirect 38 | github.com/go-openapi/loads v0.22.0 // indirect 39 | github.com/go-openapi/spec v0.21.0 // indirect 40 | github.com/go-openapi/strfmt v0.23.0 // indirect 41 | github.com/go-openapi/swag v0.23.0 // indirect 42 | github.com/go-openapi/validate v0.24.0 // indirect 43 | github.com/go-playground/locales v0.14.1 // indirect 44 | github.com/go-playground/universal-translator v0.18.1 // indirect 45 | github.com/gogo/protobuf v1.3.2 // indirect 46 | github.com/golang/protobuf v1.5.4 // indirect 47 | github.com/google/btree v1.1.3 // indirect 48 | github.com/google/gnostic-models v0.6.8 // indirect 49 | github.com/google/go-cmp v0.7.0 // indirect 50 | github.com/google/gofuzz v1.2.0 // indirect 51 | github.com/josharian/intern v1.0.0 // indirect 52 | github.com/json-iterator/go v1.1.12 // indirect 53 | github.com/leodido/go-urn v1.4.0 // indirect 54 | github.com/mailru/easyjson v0.7.7 // indirect 55 | github.com/mitchellh/mapstructure v1.5.0 // indirect 56 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 57 | github.com/modern-go/reflect2 v1.0.2 // indirect 58 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 59 | github.com/nxadm/tail v1.4.8 // indirect 60 | github.com/oklog/ulid v1.3.1 // indirect 61 | github.com/onsi/ginkgo/v2 v2.23.4 // indirect 62 | github.com/opentracing/opentracing-go v1.2.0 // indirect 63 | github.com/pkg/errors v0.9.1 // indirect 64 | github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect 65 | github.com/prometheus/client_golang v1.19.1 // indirect 66 | github.com/prometheus/client_model v0.6.1 // indirect 67 | github.com/prometheus/common v0.55.0 // indirect 68 | github.com/prometheus/procfs v0.15.1 // indirect 69 | github.com/spf13/pflag v1.0.5 // indirect 70 | github.com/stretchr/objx v0.5.2 // indirect 71 | github.com/x448/float16 v0.8.4 // indirect 72 | go.mongodb.org/mongo-driver v1.14.0 // indirect 73 | go.opentelemetry.io/otel v1.28.0 // indirect 74 | go.opentelemetry.io/otel/metric v1.28.0 // indirect 75 | go.opentelemetry.io/otel/trace v1.28.0 // indirect 76 | go.uber.org/multierr v1.11.0 // indirect 77 | go.uber.org/zap v1.27.0 // indirect 78 | golang.org/x/crypto v0.38.0 // indirect 79 | golang.org/x/oauth2 v0.23.0 // indirect 80 | golang.org/x/sync v0.14.0 // indirect 81 | golang.org/x/sys v0.33.0 // indirect 82 | golang.org/x/term v0.32.0 // indirect 83 | golang.org/x/text v0.25.0 // indirect 84 | golang.org/x/time v0.7.0 // indirect 85 | gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect 86 | google.golang.org/protobuf v1.36.5 // indirect 87 | gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect 88 | gopkg.in/inf.v0 v0.9.1 // indirect 89 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect 90 | gopkg.in/yaml.v3 v3.0.1 // indirect 91 | k8s.io/klog/v2 v2.130.1 // indirect 92 | k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect 93 | sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect 94 | sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect 95 | sigs.k8s.io/yaml v1.4.0 // indirect 96 | ) 97 | -------------------------------------------------------------------------------- /hack/boilerplate.go.txt: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright © 2023 Ory Corp 3 | SPDX-License-Identifier: Apache-2.0 4 | 5 | Licensed under the Apache License, Version 2.0 (the "License"); 6 | you may not use this file except in compliance with the License. 7 | You may obtain a copy of the License at 8 | 9 | http://www.apache.org/licenses/LICENSE-2.0 10 | 11 | Unless required by applicable law or agreed to in writing, software 12 | distributed under the License is distributed on an "AS IS" BASIS, 13 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | See the License for the specific language governing permissions and 15 | limitations under the License. 16 | */ -------------------------------------------------------------------------------- /helpers/http_client.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package helpers 5 | 6 | import ( 7 | "crypto/tls" 8 | "net/http" 9 | "os" 10 | 11 | ctrl "sigs.k8s.io/controller-runtime" 12 | 13 | httptransport "github.com/go-openapi/runtime/client" 14 | ) 15 | 16 | func CreateHttpClient(insecureSkipVerify bool, tlsTrustStore string) (*http.Client, error) { 17 | setupLog := ctrl.Log.WithName("setup") 18 | tr := &http.Transport{} 19 | httpClient := &http.Client{} 20 | if insecureSkipVerify { 21 | setupLog.Info("configuring TLS with InsecureSkipVerify") 22 | tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} 23 | httpClient.Transport = tr 24 | } 25 | if tlsTrustStore != "" { 26 | if _, err := os.Stat(tlsTrustStore); err != nil { 27 | return nil, err 28 | } 29 | 30 | setupLog.Info("configuring TLS with tlsTrustStore") 31 | ops := httptransport.TLSClientOptions{ 32 | CA: tlsTrustStore, 33 | InsecureSkipVerify: insecureSkipVerify, 34 | } 35 | if tlsClient, err := httptransport.TLSClient(ops); err != nil { 36 | setupLog.Error(err, "Error while getting TLSClient, default http client will be used") 37 | return tlsClient, nil 38 | } 39 | } 40 | return httpClient, nil 41 | } 42 | -------------------------------------------------------------------------------- /helpers/http_client_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package helpers_test 5 | 6 | import ( 7 | "os" 8 | "testing" 9 | 10 | "github.com/ory/hydra-maester/helpers" 11 | 12 | "github.com/stretchr/testify/require" 13 | ) 14 | 15 | func TestCreateHttpClient(t *testing.T) { 16 | t.Run("should create insecureSkipVerify client", func(t *testing.T) { 17 | client, err := helpers.CreateHttpClient(true, "") 18 | require.NotNil(t, client) 19 | require.Nil(t, err) 20 | }) 21 | 22 | t.Run("should create client with and tlsTrustStore", func(t *testing.T) { 23 | file, err := os.CreateTemp("", "test") 24 | require.Nil(t, err) 25 | client, err := helpers.CreateHttpClient(true, file.Name()) 26 | defer os.Remove(file.Name()) 27 | require.NotNil(t, client) 28 | require.Nil(t, err) 29 | }) 30 | 31 | t.Run("should not create client with and wrong tlsTrustStore", func(t *testing.T) { 32 | client, err := helpers.CreateHttpClient(true, "/somefile") 33 | require.Nil(t, client) 34 | require.NotNil(t, err) 35 | require.Equal(t, err.Error(), "stat /somefile: no such file or directory") 36 | }) 37 | 38 | t.Run("should create client without and tlsTrustStore", func(t *testing.T) { 39 | client, err := helpers.CreateHttpClient(true, "") 40 | require.NotNil(t, client) 41 | require.Nil(t, err) 42 | }) 43 | } 44 | -------------------------------------------------------------------------------- /hydra/client.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package hydra 5 | 6 | import ( 7 | "bytes" 8 | "encoding/json" 9 | "fmt" 10 | "io" 11 | "net/http" 12 | "net/url" 13 | "path" 14 | 15 | hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" 16 | "github.com/ory/hydra-maester/helpers" 17 | ) 18 | 19 | type Client interface { 20 | GetOAuth2Client(id string) (*OAuth2ClientJSON, bool, error) 21 | ListOAuth2Client() ([]*OAuth2ClientJSON, error) 22 | PostOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) 23 | PutOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) 24 | DeleteOAuth2Client(id string) error 25 | } 26 | 27 | type InternalClient struct { 28 | HydraURL url.URL 29 | HTTPClient *http.Client 30 | ForwardedProto string 31 | } 32 | 33 | // New returns a new hydra InternalClient instance. 34 | func New(spec hydrav1alpha1.OAuth2ClientSpec, tlsTrustStore string, insecureSkipVerify bool) (Client, error) { 35 | address := fmt.Sprintf("%s:%d", spec.HydraAdmin.URL, spec.HydraAdmin.Port) 36 | u, err := url.Parse(address) 37 | if err != nil { 38 | return nil, err 39 | } 40 | 41 | c, err := helpers.CreateHttpClient(insecureSkipVerify, tlsTrustStore) 42 | if err != nil { 43 | return nil, err 44 | } 45 | 46 | client := &InternalClient{ 47 | HydraURL: *u.ResolveReference(&url.URL{Path: spec.HydraAdmin.Endpoint}), 48 | HTTPClient: c, 49 | } 50 | 51 | if spec.HydraAdmin.ForwardedProto != "" && spec.HydraAdmin.ForwardedProto != "off" { 52 | client.ForwardedProto = spec.HydraAdmin.ForwardedProto 53 | } 54 | 55 | return client, nil 56 | } 57 | 58 | func (c *InternalClient) GetOAuth2Client(id string) (*OAuth2ClientJSON, bool, error) { 59 | var jsonClient *OAuth2ClientJSON 60 | 61 | req, err := c.newRequest(http.MethodGet, id, nil) 62 | if err != nil { 63 | return nil, false, err 64 | } 65 | 66 | resp, err := c.do(req, &jsonClient) 67 | if err != nil { 68 | return nil, false, err 69 | } 70 | 71 | switch resp.StatusCode { 72 | case http.StatusOK: 73 | return jsonClient, true, nil 74 | case http.StatusNotFound, http.StatusUnauthorized: 75 | return nil, false, nil 76 | default: 77 | return nil, false, fmt.Errorf("%s %s http request returned unexpected status code %s", req.Method, req.URL.String(), resp.Status) 78 | } 79 | } 80 | 81 | func (c *InternalClient) ListOAuth2Client() ([]*OAuth2ClientJSON, error) { 82 | var jsonClientList []*OAuth2ClientJSON 83 | 84 | req, err := c.newRequest(http.MethodGet, "", nil) 85 | if err != nil { 86 | return nil, err 87 | } 88 | 89 | resp, err := c.do(req, &jsonClientList) 90 | if err != nil { 91 | return nil, err 92 | } 93 | 94 | switch resp.StatusCode { 95 | case http.StatusOK: 96 | return jsonClientList, nil 97 | default: 98 | return nil, fmt.Errorf("%s %s http request returned unexpected status code %s", req.Method, req.URL.String(), resp.Status) 99 | } 100 | } 101 | 102 | func (c *InternalClient) PostOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) { 103 | var jsonClient *OAuth2ClientJSON 104 | 105 | req, err := c.newRequest(http.MethodPost, "", o) 106 | if err != nil { 107 | return nil, err 108 | } 109 | 110 | resp, err := c.do(req, &jsonClient) 111 | if err != nil { 112 | return nil, err 113 | } 114 | 115 | switch resp.StatusCode { 116 | case http.StatusCreated: 117 | return jsonClient, nil 118 | case http.StatusConflict: 119 | return nil, fmt.Errorf("%s %s http request failed: requested ID already exists", req.Method, req.URL) 120 | default: 121 | return nil, fmt.Errorf("%s %s http request returned unexpected status code: %s", req.Method, req.URL, resp.Status) 122 | } 123 | } 124 | 125 | func (c *InternalClient) PutOAuth2Client(o *OAuth2ClientJSON) (*OAuth2ClientJSON, error) { 126 | var jsonClient *OAuth2ClientJSON 127 | 128 | req, err := c.newRequest(http.MethodPut, *o.ClientID, o) 129 | if err != nil { 130 | return nil, err 131 | } 132 | 133 | resp, err := c.do(req, &jsonClient) 134 | if err != nil { 135 | return nil, err 136 | } 137 | 138 | if resp.StatusCode != http.StatusOK { 139 | return nil, fmt.Errorf("%s %s http request returned unexpected status code: %s", req.Method, req.URL, resp.Status) 140 | } 141 | 142 | return jsonClient, nil 143 | } 144 | 145 | func (c *InternalClient) DeleteOAuth2Client(id string) error { 146 | req, err := c.newRequest(http.MethodDelete, id, nil) 147 | if err != nil { 148 | return err 149 | } 150 | 151 | resp, err := c.do(req, nil) 152 | if err != nil { 153 | return err 154 | } 155 | 156 | switch resp.StatusCode { 157 | case http.StatusNoContent: 158 | return nil 159 | case http.StatusNotFound: 160 | fmt.Printf("InternalClient with id %s does not exist", id) 161 | return nil 162 | default: 163 | return fmt.Errorf("%s %s http request returned unexpected status code %s", req.Method, req.URL.String(), resp.Status) 164 | } 165 | } 166 | 167 | func (c *InternalClient) newRequest(method, relativePath string, body interface{}) (*http.Request, error) { 168 | var buf io.ReadWriter 169 | if body != nil { 170 | buf = new(bytes.Buffer) 171 | err := json.NewEncoder(buf).Encode(body) 172 | if err != nil { 173 | return nil, err 174 | } 175 | } 176 | 177 | u := c.HydraURL 178 | u.Path = path.Join(u.Path, relativePath) 179 | 180 | req, err := http.NewRequest(method, u.String(), buf) 181 | if err != nil { 182 | return nil, err 183 | } 184 | 185 | if c.ForwardedProto != "" { 186 | req.Header.Add("X-Forwarded-Proto", c.ForwardedProto) 187 | } 188 | 189 | if body != nil { 190 | req.Header.Set("Content-Type", "application/json") 191 | } 192 | req.Header.Set("Accept", "application/json") 193 | 194 | return req, nil 195 | 196 | } 197 | 198 | func (c *InternalClient) do(req *http.Request, v interface{}) (*http.Response, error) { 199 | resp, err := c.HTTPClient.Do(req) 200 | if err != nil { 201 | return nil, err 202 | } 203 | 204 | defer resp.Body.Close() 205 | if v != nil && resp.StatusCode < 300 { 206 | err = json.NewDecoder(resp.Body).Decode(v) 207 | } 208 | return resp, err 209 | } 210 | -------------------------------------------------------------------------------- /hydra/client_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package hydra_test 5 | 6 | import ( 7 | "encoding/json" 8 | "errors" 9 | "fmt" 10 | "net/http" 11 | "net/http/httptest" 12 | "net/url" 13 | "strings" 14 | "testing" 15 | 16 | "github.com/stretchr/testify/assert" 17 | "github.com/stretchr/testify/require" 18 | "k8s.io/utils/ptr" 19 | 20 | "github.com/ory/hydra-maester/hydra" 21 | ) 22 | 23 | const ( 24 | clientsEndpoint = "/clients" 25 | schemeHTTP = "http" 26 | 27 | testID = "test-id" 28 | testClient = `{"client_id":"test-id","owner":"test-name","scope":"some,scopes","grant_types":["type1"],"token_endpoint_auth_method":"client_secret_basic"}` 29 | testClientCreated = `{"client_id":"test-id-2","client_secret":"TmGkvcY7k526","owner":"test-name-2","scope":"some,other,scopes","grant_types":["type2"],"audience":["audience-a","audience-b"],"token_endpoint_auth_method":"client_secret_basic","backchannel_logout_uri":"https://localhost/backchannel-logout","frontchannel_logout_uri":"https://localhost/frontchannel-logout"}` 30 | testClientUpdated = `{"client_id":"test-id-3","client_secret":"xFoPPm654por","owner":"test-name-3","scope":"yet,another,scope","grant_types":["type3"],"audience":["audience-c"],"token_endpoint_auth_method":"client_secret_basic"}` 31 | testClientList = `{"client_id":"test-id-4","owner":"test-name-4","scope":"scope1 scope2","grant_types":["type4"],"token_endpoint_auth_method":"client_secret_basic"}` 32 | testClientList2 = `{"client_id":"test-id-5","owner":"test-name-5","scope":"scope3 scope4","grant_types":["type5"],"token_endpoint_auth_method":"client_secret_basic"}` 33 | testClientWithMetadataCreated = `{"client_id":"test-id-21","client_secret":"TmGkvcY7k526","owner":"test-name-21","scope":"some,other,scopes","grant_types":["type2"],"token_endpoint_auth_method":"client_secret_basic","metadata":{"property1":1,"property2":"2"},"backchannel_logout_uri":"https://localhost/backchannel-logout","frontchannel_logout_uri":"https://localhost/frontchannel-logout"}` 34 | 35 | statusNotFoundBody = `{"error":"Not Found","error_description":"Unable to locate the requested resource","status_code":404,"request_id":"id"}` 36 | statusUnauthorizedBody = `{"error":"The request could not be authorized","error_description":"The requested OAuth 2.0 client does not exist or you did not provide the necessary credentials","status_code":401,"request_id":"id"}` 37 | statusConflictBody = `{"error":"Unable to insert or update resource because a resource with that value exists already","error_description":"","status_code":409,"request_id":"id"` 38 | statusInternalServerErrorBody = "the server encountered an internal error or misconfiguration and was unable to complete your request" 39 | ) 40 | 41 | type server struct { 42 | statusCode int 43 | respBody string 44 | err error 45 | } 46 | 47 | var testOAuthJSONPost = &hydra.OAuth2ClientJSON{ 48 | Scope: "some,other,scopes", 49 | GrantTypes: []string{"type2"}, 50 | Owner: "test-name-2", 51 | Audience: []string{"audience-a", "audience-b"}, 52 | FrontChannelLogoutURI: "https://localhost/frontchannel-logout", 53 | FrontChannelLogoutSessionRequired: false, 54 | BackChannelLogoutURI: "https://localhost/backchannel-logout", 55 | BackChannelLogoutSessionRequired: false, 56 | AuthorizationCodeGrantAccessTokenLifespan: "6h", 57 | } 58 | 59 | var testOAuthJSONPut = &hydra.OAuth2ClientJSON{ 60 | ClientID: ptr.To("test-id-3"), 61 | Scope: "yet,another,scope", 62 | GrantTypes: []string{"type3"}, 63 | Owner: "test-name-3", 64 | Audience: []string{"audience-c"}, 65 | } 66 | 67 | func TestCRUD(t *testing.T) { 68 | 69 | assert := assert.New(t) 70 | 71 | c := hydra.InternalClient{ 72 | HTTPClient: &http.Client{}, 73 | HydraURL: url.URL{Scheme: schemeHTTP}, 74 | } 75 | 76 | t.Run("method=get", func(t *testing.T) { 77 | 78 | for d, tc := range map[string]server{ 79 | "getting registered client": { 80 | http.StatusOK, 81 | testClient, 82 | nil, 83 | }, 84 | "getting unregistered client": { 85 | http.StatusNotFound, 86 | statusNotFoundBody, 87 | nil, 88 | }, 89 | "getting unauthorized request": { 90 | http.StatusUnauthorized, 91 | statusUnauthorizedBody, 92 | nil, 93 | }, 94 | "internal server error when requesting": { 95 | http.StatusInternalServerError, 96 | statusInternalServerErrorBody, 97 | errors.New("http request returned unexpected status code"), 98 | }, 99 | } { 100 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 101 | 102 | //given 103 | shouldFind := tc.statusCode == http.StatusOK 104 | 105 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 106 | assert.Equal(fmt.Sprintf("%s/%s", c.HydraURL.String(), testID), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 107 | assert.Equal(http.MethodGet, req.Method) 108 | w.WriteHeader(tc.statusCode) 109 | w.Write([]byte(tc.respBody)) 110 | if shouldFind { 111 | w.Header().Set("Content-type", "application/json") 112 | } 113 | }) 114 | runServer(&c, h) 115 | 116 | //when 117 | o, found, err := c.GetOAuth2Client(testID) 118 | 119 | //then 120 | if tc.err == nil { 121 | require.NoError(t, err) 122 | } else { 123 | require.Error(t, err) 124 | assert.Contains(err.Error(), tc.err.Error()) 125 | } 126 | 127 | assert.Equal(shouldFind, found) 128 | if shouldFind { 129 | require.NotNil(t, o) 130 | var expected hydra.OAuth2ClientJSON 131 | json.Unmarshal([]byte(testClient), &expected) 132 | assert.Equal(&expected, o) 133 | } 134 | }) 135 | } 136 | }) 137 | 138 | t.Run("method=post", func(t *testing.T) { 139 | 140 | for d, tc := range map[string]server{ 141 | "with new client": { 142 | http.StatusCreated, 143 | testClientCreated, 144 | nil, 145 | }, 146 | "with new client with metadata": { 147 | http.StatusCreated, 148 | testClientWithMetadataCreated, 149 | nil, 150 | }, 151 | "with existing client": { 152 | http.StatusConflict, 153 | statusConflictBody, 154 | errors.New("requested ID already exists"), 155 | }, 156 | "internal server error when requesting": { 157 | http.StatusInternalServerError, 158 | statusInternalServerErrorBody, 159 | errors.New("http request returned unexpected status code"), 160 | }, 161 | } { 162 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 163 | var ( 164 | err error 165 | o *hydra.OAuth2ClientJSON 166 | expected *hydra.OAuth2ClientJSON 167 | ) 168 | //given 169 | new := tc.statusCode == http.StatusCreated 170 | newWithMetadata := d == "with new client with metadata" 171 | 172 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 173 | assert.Equal(c.HydraURL.String(), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 174 | assert.Equal(http.MethodPost, req.Method) 175 | w.WriteHeader(tc.statusCode) 176 | w.Write([]byte(tc.respBody)) 177 | if new { 178 | w.Header().Set("Content-type", "application/json") 179 | } 180 | }) 181 | runServer(&c, h) 182 | 183 | //when 184 | if newWithMetadata { 185 | meta, _ := json.Marshal(map[string]interface{}{ 186 | "property1": float64(1), 187 | "property2": "2", 188 | }) 189 | var testOAuthJSONPost2 = &hydra.OAuth2ClientJSON{ 190 | Scope: "some,other,scopes", 191 | GrantTypes: []string{"type2"}, 192 | Owner: "test-name-21", 193 | Metadata: meta, 194 | FrontChannelLogoutURI: "https://localhost/frontchannel-logout", 195 | FrontChannelLogoutSessionRequired: false, 196 | BackChannelLogoutURI: "https://localhost/backchannel-logout", 197 | BackChannelLogoutSessionRequired: false, 198 | } 199 | o, err = c.PostOAuth2Client(testOAuthJSONPost2) 200 | expected = testOAuthJSONPost2 201 | } else { 202 | o, err = c.PostOAuth2Client(testOAuthJSONPost) 203 | expected = testOAuthJSONPost 204 | } 205 | 206 | //then 207 | if tc.err == nil { 208 | require.NoError(t, err) 209 | } else { 210 | require.Error(t, err) 211 | assert.Contains(err.Error(), tc.err.Error()) 212 | } 213 | 214 | if new { 215 | require.NotNil(t, o) 216 | assert.Equal(expected.Scope, o.Scope) 217 | assert.Equal(expected.GrantTypes, o.GrantTypes) 218 | assert.Equal(expected.Owner, o.Owner) 219 | assert.Equal(expected.Audience, o.Audience) 220 | assert.NotNil(o.Secret) 221 | assert.NotNil(o.ClientID) 222 | assert.NotNil(o.TokenEndpointAuthMethod) 223 | assert.Equal(expected.FrontChannelLogoutURI, o.FrontChannelLogoutURI) 224 | assert.Equal(expected.FrontChannelLogoutSessionRequired, o.FrontChannelLogoutSessionRequired) 225 | assert.Equal(expected.BackChannelLogoutURI, o.BackChannelLogoutURI) 226 | assert.Equal(expected.BackChannelLogoutSessionRequired, o.BackChannelLogoutSessionRequired) 227 | if expected.TokenEndpointAuthMethod != "" { 228 | assert.Equal(expected.TokenEndpointAuthMethod, o.TokenEndpointAuthMethod) 229 | } 230 | if newWithMetadata { 231 | assert.NotNil(o.Metadata) 232 | assert.True(len(o.Metadata) > 0) 233 | for key := range o.Metadata { 234 | assert.Equal(o.Metadata[key], expected.Metadata[key]) 235 | } 236 | } else { 237 | assert.Nil(o.Metadata) 238 | } 239 | } 240 | }) 241 | } 242 | }) 243 | 244 | t.Run("method=put", func(t *testing.T) { 245 | for d, tc := range map[string]server{ 246 | "with registered client": { 247 | http.StatusOK, 248 | testClientUpdated, 249 | nil, 250 | }, 251 | "internal server error when requesting": { 252 | http.StatusInternalServerError, 253 | statusInternalServerErrorBody, 254 | errors.New("http request returned unexpected status code"), 255 | }, 256 | } { 257 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 258 | 259 | ok := tc.statusCode == http.StatusOK 260 | 261 | //given 262 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 263 | assert.Equal(fmt.Sprintf("%s/%s", c.HydraURL.String(), *testOAuthJSONPut.ClientID), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 264 | assert.Equal(http.MethodPut, req.Method) 265 | w.WriteHeader(tc.statusCode) 266 | w.Write([]byte(tc.respBody)) 267 | if ok { 268 | w.Header().Set("Content-type", "application/json") 269 | } 270 | }) 271 | runServer(&c, h) 272 | 273 | //when 274 | o, err := c.PutOAuth2Client(testOAuthJSONPut) 275 | 276 | //then 277 | if tc.err == nil { 278 | require.NoError(t, err) 279 | } else { 280 | require.Error(t, err) 281 | assert.Contains(err.Error(), tc.err.Error()) 282 | } 283 | 284 | if ok { 285 | require.NotNil(t, o) 286 | 287 | assert.Equal(testOAuthJSONPut.Scope, o.Scope) 288 | assert.Equal(testOAuthJSONPut.GrantTypes, o.GrantTypes) 289 | assert.Equal(testOAuthJSONPut.ClientID, o.ClientID) 290 | assert.Equal(testOAuthJSONPut.Owner, o.Owner) 291 | assert.Equal(testOAuthJSONPut.Audience, o.Audience) 292 | assert.NotNil(o.Secret) 293 | } 294 | }) 295 | } 296 | }) 297 | 298 | t.Run("method=delete", func(t *testing.T) { 299 | 300 | for d, tc := range map[string]server{ 301 | "with registered client": { 302 | statusCode: http.StatusNoContent, 303 | }, 304 | "with unregistered client": { 305 | statusCode: http.StatusNotFound, 306 | respBody: statusNotFoundBody, 307 | }, 308 | "internal server error when requesting": { 309 | statusCode: http.StatusInternalServerError, 310 | respBody: statusInternalServerErrorBody, 311 | err: errors.New("http request returned unexpected status code"), 312 | }, 313 | } { 314 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 315 | 316 | //given 317 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 318 | assert.Equal(fmt.Sprintf("%s/%s", c.HydraURL.String(), testID), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 319 | assert.Equal(http.MethodDelete, req.Method) 320 | w.WriteHeader(tc.statusCode) 321 | }) 322 | runServer(&c, h) 323 | 324 | //when 325 | err := c.DeleteOAuth2Client(testID) 326 | 327 | //then 328 | if tc.err == nil { 329 | require.NoError(t, err) 330 | } else { 331 | require.Error(t, err) 332 | assert.Contains(err.Error(), tc.err.Error()) 333 | } 334 | }) 335 | } 336 | }) 337 | 338 | t.Run("method=list", func(t *testing.T) { 339 | 340 | for d, tc := range map[string]server{ 341 | "no clients": { 342 | http.StatusOK, 343 | `[]`, 344 | nil, 345 | }, 346 | "one client": { 347 | http.StatusOK, 348 | fmt.Sprintf("[%s]", testClientList), 349 | nil, 350 | }, 351 | "more clients": { 352 | http.StatusOK, 353 | fmt.Sprintf("[%s,%s]", testClientList, testClientList2), 354 | nil, 355 | }, 356 | "internal server error when requesting": { 357 | http.StatusInternalServerError, 358 | statusInternalServerErrorBody, 359 | errors.New("http request returned unexpected status code"), 360 | }, 361 | } { 362 | t.Run(fmt.Sprintf("case/%s", d), func(t *testing.T) { 363 | 364 | //given 365 | h := http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { 366 | assert.Equal(c.HydraURL.String(), fmt.Sprintf("%s://%s%s", schemeHTTP, req.Host, req.URL.Path)) 367 | assert.Equal(http.MethodGet, req.Method) 368 | w.WriteHeader(tc.statusCode) 369 | w.Write([]byte(tc.respBody)) 370 | w.Header().Set("Content-type", "application/json") 371 | 372 | }) 373 | runServer(&c, h) 374 | 375 | //when 376 | list, err := c.ListOAuth2Client() 377 | 378 | //then 379 | if tc.err == nil { 380 | require.NoError(t, err) 381 | require.NotNil(t, list) 382 | var expectedList []*hydra.OAuth2ClientJSON 383 | json.Unmarshal([]byte(tc.respBody), &expectedList) 384 | assert.Equal(expectedList, list) 385 | } else { 386 | require.Error(t, err) 387 | assert.Contains(err.Error(), tc.err.Error()) 388 | } 389 | }) 390 | } 391 | }) 392 | 393 | t.Run("default parameters", func(t *testing.T) { 394 | var input = &hydra.OAuth2ClientJSON{ 395 | Scope: "some,other,scopes", 396 | GrantTypes: []string{"type2"}, 397 | Owner: "test-name-2", 398 | } 399 | assert.Equal(input.TokenEndpointAuthMethod, "") 400 | b, _ := json.Marshal(input) 401 | payload := string(b) 402 | assert.Equal(strings.Index(payload, "token_endpoint_auth_method"), -1) 403 | 404 | input = &hydra.OAuth2ClientJSON{ 405 | Scope: "some,other,scopes", 406 | GrantTypes: []string{"type2"}, 407 | Owner: "test-name-3", 408 | TokenEndpointAuthMethod: "none", 409 | } 410 | b, _ = json.Marshal(input) 411 | payload = string(b) 412 | assert.True(strings.Index(payload, "token_endpoint_auth_method") > 0) 413 | }) 414 | } 415 | 416 | func runServer(c *hydra.InternalClient, h http.HandlerFunc) { 417 | s := httptest.NewServer(h) 418 | serverUrl, _ := url.Parse(s.URL) 419 | c.HydraURL = *serverUrl.ResolveReference(&url.URL{Path: clientsEndpoint}) 420 | } 421 | -------------------------------------------------------------------------------- /hydra/types.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package hydra 5 | 6 | import ( 7 | "encoding/json" 8 | "fmt" 9 | "github.com/go-playground/validator/v10" 10 | "strings" 11 | 12 | "k8s.io/utils/ptr" 13 | 14 | hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" 15 | ) 16 | 17 | // OAuth2ClientJSON represents an OAuth2 client digestible by ORY Hydra 18 | type OAuth2ClientJSON struct { 19 | ClientName string `json:"client_name,omitempty"` 20 | ClientID *string `json:"client_id,omitempty"` 21 | Secret *string `json:"client_secret,omitempty"` 22 | GrantTypes []string `json:"grant_types"` 23 | RedirectURIs []string `json:"redirect_uris,omitempty"` 24 | PostLogoutRedirectURIs []string `json:"post_logout_redirect_uris,omitempty"` 25 | AllowedCorsOrigins []string `json:"allowed_cors_origins,omitempty"` 26 | ResponseTypes []string `json:"response_types,omitempty"` 27 | Audience []string `json:"audience,omitempty"` 28 | Scope string `json:"scope"` 29 | SkipConsent bool `json:"skip_consent,omitempty"` 30 | Owner string `json:"owner"` 31 | TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"` 32 | Metadata json.RawMessage `json:"metadata,omitempty"` 33 | JwksUri string `json:"jwks_uri,omitempty" validate:"required_if=TokenEndpointAuthMethod private_key_jwt"` 34 | FrontChannelLogoutSessionRequired bool `json:"frontchannel_logout_session_required"` 35 | FrontChannelLogoutURI string `json:"frontchannel_logout_uri"` 36 | BackChannelLogoutSessionRequired bool `json:"backchannel_logout_session_required"` 37 | BackChannelLogoutURI string `json:"backchannel_logout_uri"` 38 | AuthorizationCodeGrantAccessTokenLifespan string `json:"authorization_code_grant_access_token_lifespan,omitempty"` 39 | AuthorizationCodeGrantIdTokenLifespan string `json:"authorization_code_grant_id_token_lifespan,omitempty"` 40 | AuthorizationCodeGrantRefreshTokenLifespan string `json:"authorization_code_grant_refresh_token_lifespan,omitempty"` 41 | ClientCredentialsGrantAccessTokenLifespan string `json:"client_credentials_grant_access_token_lifespan,omitempty"` 42 | ImplicitGrantAccessTokenLifespan string `json:"implicit_grant_access_token_lifespan,omitempty"` 43 | ImplicitGrantIdTokenLifespan string `json:"implicit_grant_id_token_lifespan,omitempty"` 44 | JwtBearerGrantAccessTokenLifespan string `json:"jwt_bearer_grant_access_token_lifespan,omitempty"` 45 | RefreshTokenGrantAccessTokenLifespan string `json:"refresh_token_grant_access_token_lifespan,omitempty"` 46 | RefreshTokenGrantIdTokenLifespan string `json:"refresh_token_grant_id_token_lifespan,omitempty"` 47 | RefreshTokenGrantRefreshTokenLifespan string `json:"refresh_token_grant_refresh_token_lifespan,omitempty"` 48 | } 49 | 50 | // Oauth2ClientCredentials represents client ID and password fetched from a 51 | // Kubernetes secret 52 | type Oauth2ClientCredentials struct { 53 | ID []byte 54 | Password []byte 55 | } 56 | 57 | func (oj *OAuth2ClientJSON) WithCredentials(credentials *Oauth2ClientCredentials) *OAuth2ClientJSON { 58 | oj.ClientID = ptr.To(string(credentials.ID)) 59 | if credentials.Password != nil { 60 | oj.Secret = ptr.To(string(credentials.Password)) 61 | } 62 | return oj 63 | } 64 | 65 | // FromOAuth2Client converts an OAuth2Client into a OAuth2ClientJSON object that represents an OAuth2 InternalClient digestible by ORY Hydra 66 | func FromOAuth2Client(c *hydrav1alpha1.OAuth2Client) (*OAuth2ClientJSON, error) { 67 | meta, err := json.Marshal(c.Spec.Metadata) 68 | if err != nil { 69 | return nil, fmt.Errorf("unable to encode `metadata` property value to json: %w", err) 70 | } 71 | 72 | if c.Spec.Scope != "" { 73 | fmt.Println("Property `scope` in client '" + c.Name + "' is deprecated. Rather use scopeArray.") 74 | } 75 | 76 | var scope = c.Spec.Scope 77 | if c.Spec.ScopeArray != nil { 78 | scope = strings.Trim(strings.Join(c.Spec.ScopeArray, " ")+" "+scope, " ") 79 | } 80 | 81 | client := &OAuth2ClientJSON{ 82 | ClientName: c.Spec.ClientName, 83 | GrantTypes: grantToStringSlice(c.Spec.GrantTypes), 84 | ResponseTypes: responseToStringSlice(c.Spec.ResponseTypes), 85 | RedirectURIs: redirectToStringSlice(c.Spec.RedirectURIs), 86 | PostLogoutRedirectURIs: redirectToStringSlice(c.Spec.PostLogoutRedirectURIs), 87 | AllowedCorsOrigins: redirectToStringSlice(c.Spec.AllowedCorsOrigins), 88 | Audience: c.Spec.Audience, 89 | Scope: scope, 90 | SkipConsent: c.Spec.SkipConsent, 91 | Owner: fmt.Sprintf("%s/%s", c.Name, c.Namespace), 92 | TokenEndpointAuthMethod: string(c.Spec.TokenEndpointAuthMethod), 93 | Metadata: meta, 94 | JwksUri: c.Spec.JwksUri, 95 | FrontChannelLogoutURI: c.Spec.BackChannelLogoutURI, 96 | FrontChannelLogoutSessionRequired: c.Spec.BackChannelLogoutSessionRequired, 97 | BackChannelLogoutSessionRequired: c.Spec.BackChannelLogoutSessionRequired, 98 | BackChannelLogoutURI: c.Spec.BackChannelLogoutURI, 99 | AuthorizationCodeGrantAccessTokenLifespan: c.Spec.TokenLifespans.AuthorizationCodeGrantAccessTokenLifespan, 100 | AuthorizationCodeGrantIdTokenLifespan: c.Spec.TokenLifespans.AuthorizationCodeGrantIdTokenLifespan, 101 | AuthorizationCodeGrantRefreshTokenLifespan: c.Spec.TokenLifespans.AuthorizationCodeGrantRefreshTokenLifespan, 102 | ClientCredentialsGrantAccessTokenLifespan: c.Spec.TokenLifespans.ClientCredentialsGrantAccessTokenLifespan, 103 | ImplicitGrantAccessTokenLifespan: c.Spec.TokenLifespans.ImplicitGrantAccessTokenLifespan, 104 | ImplicitGrantIdTokenLifespan: c.Spec.TokenLifespans.ImplicitGrantIdTokenLifespan, 105 | JwtBearerGrantAccessTokenLifespan: c.Spec.TokenLifespans.JwtBearerGrantAccessTokenLifespan, 106 | RefreshTokenGrantAccessTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantAccessTokenLifespan, 107 | RefreshTokenGrantIdTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantIdTokenLifespan, 108 | RefreshTokenGrantRefreshTokenLifespan: c.Spec.TokenLifespans.RefreshTokenGrantRefreshTokenLifespan, 109 | } 110 | 111 | validate := validator.New() 112 | if err := validate.Struct(client); err != nil { 113 | return nil, err 114 | } 115 | 116 | return client, nil 117 | } 118 | 119 | func responseToStringSlice(rt []hydrav1alpha1.ResponseType) []string { 120 | var output = make([]string, len(rt)) 121 | for i, elem := range rt { 122 | output[i] = string(elem) 123 | } 124 | return output 125 | } 126 | 127 | func grantToStringSlice(gt []hydrav1alpha1.GrantType) []string { 128 | var output = make([]string, len(gt)) 129 | for i, elem := range gt { 130 | output[i] = string(elem) 131 | } 132 | return output 133 | } 134 | 135 | func redirectToStringSlice(ru []hydrav1alpha1.RedirectURI) []string { 136 | var output = make([]string, len(ru)) 137 | for i, elem := range ru { 138 | output[i] = string(elem) 139 | } 140 | return output 141 | } 142 | -------------------------------------------------------------------------------- /hydra/types_test.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2024 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package hydra_test 5 | 6 | import ( 7 | "testing" 8 | 9 | hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" 10 | "github.com/ory/hydra-maester/hydra" 11 | "github.com/stretchr/testify/assert" 12 | ) 13 | 14 | func TestTypes(t *testing.T) { 15 | t.Run("Test ScopeArray", func(t *testing.T) { 16 | c := hydrav1alpha1.OAuth2Client{ 17 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 18 | ScopeArray: []string{"scope1", "scope2"}, 19 | }, 20 | } 21 | 22 | var parsedClient, err = hydra.FromOAuth2Client(&c) 23 | if err != nil { 24 | assert.Fail(t, "unexpected error: %s", err) 25 | } 26 | 27 | assert.Equal(t, "scope1 scope2", parsedClient.Scope) 28 | }) 29 | 30 | t.Run("Test having both Scope and ScopeArray", func(t *testing.T) { 31 | c := hydrav1alpha1.OAuth2Client{ 32 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 33 | Scope: "scope3", 34 | ScopeArray: []string{"scope1", "scope2"}, 35 | }, 36 | } 37 | 38 | var parsedClient, err = hydra.FromOAuth2Client(&c) 39 | if err != nil { 40 | assert.Fail(t, "unexpected error: %s", err) 41 | } 42 | 43 | assert.Equal(t, "scope1 scope2 scope3", parsedClient.Scope) 44 | }) 45 | 46 | t.Run("Test having jwks uri", func(t *testing.T) { 47 | c := hydrav1alpha1.OAuth2Client{ 48 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 49 | JwksUri: "https://ory.sh/jwks.json", 50 | }, 51 | } 52 | 53 | var parsedClient, err = hydra.FromOAuth2Client(&c) 54 | if err != nil { 55 | assert.Fail(t, "unexpected error: %s", err) 56 | } 57 | 58 | assert.Equal(t, "https://ory.sh/jwks.json", parsedClient.JwksUri) 59 | }) 60 | 61 | t.Run("Test jwks uri is required when token endpoint auth method is private_key_jwt", func(t *testing.T) { 62 | c := hydrav1alpha1.OAuth2Client{ 63 | Spec: hydrav1alpha1.OAuth2ClientSpec{ 64 | TokenEndpointAuthMethod: "private_key_jwt", 65 | }, 66 | } 67 | 68 | var _, err = hydra.FromOAuth2Client(&c) 69 | 70 | assert.ErrorContains(t, err, "JwksUri") 71 | }) 72 | } 73 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | // Copyright © 2023 Ory Corp 2 | // SPDX-License-Identifier: Apache-2.0 3 | 4 | package main 5 | 6 | import ( 7 | "flag" 8 | "fmt" 9 | "os" 10 | "sigs.k8s.io/controller-runtime/pkg/cache" 11 | "sigs.k8s.io/controller-runtime/pkg/metrics/server" 12 | "time" 13 | 14 | "github.com/ory/hydra-maester/hydra" 15 | 16 | apiv1 "k8s.io/api/core/v1" 17 | "k8s.io/apimachinery/pkg/runtime" 18 | _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" 19 | ctrl "sigs.k8s.io/controller-runtime" 20 | "sigs.k8s.io/controller-runtime/pkg/log/zap" 21 | 22 | hydrav1alpha1 "github.com/ory/hydra-maester/api/v1alpha1" 23 | "github.com/ory/hydra-maester/controllers" 24 | // +kubebuilder:scaffold:imports 25 | ) 26 | 27 | var ( 28 | scheme = runtime.NewScheme() 29 | setupLog = ctrl.Log.WithName("setup") 30 | ) 31 | 32 | func init() { 33 | _ = apiv1.AddToScheme(scheme) 34 | _ = hydrav1alpha1.AddToScheme(scheme) 35 | // +kubebuilder:scaffold:scheme 36 | } 37 | 38 | func main() { 39 | var ( 40 | metricsAddr, hydraURL, endpoint, forwardedProto, syncPeriod, tlsTrustStore, namespace, leaderElectorNs string 41 | hydraPort int 42 | enableLeaderElection, insecureSkipVerify bool 43 | ) 44 | 45 | flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") 46 | flag.StringVar(&hydraURL, "hydra-url", "", "The address of ORY Hydra") 47 | flag.IntVar(&hydraPort, "hydra-port", 4445, "Port ORY Hydra is listening on") 48 | flag.StringVar(&endpoint, "endpoint", "/clients", "ORY Hydra's client endpoint") 49 | flag.StringVar(&forwardedProto, "forwarded-proto", "", "If set, this adds the value as the X-Forwarded-Proto header in requests to the ORY Hydra admin server") 50 | flag.StringVar(&tlsTrustStore, "tls-trust-store", "", "trust store certificate path. If set ca will be set in http client to connect with hydra admin") 51 | flag.StringVar(&syncPeriod, "sync-period", "10h", "Determines the minimum frequency at which watched resources are reconciled") 52 | flag.BoolVar(&enableLeaderElection, "enable-leader-election", false, "Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.") 53 | flag.BoolVar(&insecureSkipVerify, "insecure-skip-verify", false, "If set, http client will be configured to skip insecure verification to connect with hydra admin") 54 | flag.StringVar(&namespace, "namespace", "", "Namespace in which the controller should operate. Setting this will make the controller ignore other namespaces.") 55 | flag.StringVar(&leaderElectorNs, "leader-elector-namespace", "", "Leader elector namespace where controller should be set.") 56 | flag.Parse() 57 | 58 | ctrl.SetLogger(zap.New(zap.UseDevMode(true))) 59 | 60 | syncPeriodParsed, err := time.ParseDuration(syncPeriod) 61 | if err != nil { 62 | setupLog.Error(err, "unable to start manager") 63 | os.Exit(1) 64 | } 65 | 66 | mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{ 67 | Scheme: scheme, 68 | Metrics: server.Options{ 69 | BindAddress: metricsAddr, 70 | }, 71 | LeaderElection: enableLeaderElection, 72 | Cache: cache.Options{ 73 | SyncPeriod: &syncPeriodParsed, 74 | DefaultNamespaces: map[string]cache.Config{ 75 | namespace: {}, 76 | }, 77 | }, 78 | LeaderElectionNamespace: leaderElectorNs, 79 | }) 80 | if err != nil { 81 | setupLog.Error(err, "unable to start manager") 82 | os.Exit(1) 83 | } 84 | 85 | if hydraURL == "" { 86 | setupLog.Error(fmt.Errorf("hydra URL can't be empty"), "unable to create controller", "controller", "OAuth2Client") 87 | os.Exit(1) 88 | } 89 | 90 | defaultSpec := hydrav1alpha1.OAuth2ClientSpec{ 91 | HydraAdmin: hydrav1alpha1.HydraAdmin{ 92 | URL: hydraURL, 93 | Port: hydraPort, 94 | Endpoint: endpoint, 95 | ForwardedProto: forwardedProto, 96 | }, 97 | } 98 | if tlsTrustStore != "" { 99 | if _, err := os.Stat(tlsTrustStore); err != nil { 100 | setupLog.Error(err, "cannot parse tls trust store") 101 | os.Exit(1) 102 | } 103 | } 104 | 105 | hydraClient, err := hydra.New(defaultSpec, tlsTrustStore, insecureSkipVerify) 106 | if err != nil { 107 | setupLog.Error(err, "making default hydra client", "controller", "OAuth2Client") 108 | os.Exit(1) 109 | 110 | } 111 | 112 | err = controllers.New( 113 | mgr.GetClient(), 114 | hydraClient, 115 | ctrl.Log.WithName("controllers").WithName("OAuth2Client"), 116 | controllers.WithNamespace(namespace), 117 | ).SetupWithManager(mgr) 118 | if err != nil { 119 | setupLog.Error(err, "unable to create controller", "controller", "OAuth2Client") 120 | os.Exit(1) 121 | } 122 | // +kubebuilder:scaffold:builder 123 | 124 | setupLog.Info("starting manager") 125 | if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { 126 | setupLog.Error(err, "problem running manager") 127 | os.Exit(1) 128 | } 129 | } 130 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "private": true, 3 | "prettier": "ory-prettier-styles", 4 | "devDependencies": { 5 | "license-checker": "^25.0.1", 6 | "ory-prettier-styles": "1.3.0", 7 | "prettier": "3.5.3" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": ["config:recommended"], 4 | "packageRules": [ 5 | { 6 | "description": "Github workflows and actions", 7 | "enabled": true, 8 | "groupName": "github Actions", 9 | "matchFileNames": [".github/**"] 10 | }, 11 | { 12 | "description": "Docker image", 13 | "enabled": true, 14 | "groupName": "docker images", 15 | "matchFileNames": [".docker/**"] 16 | } 17 | ] 18 | } 19 | --------------------------------------------------------------------------------