This project implements a container which can be used to get client credentials (client id and secret) from a wicked.haufe.io instance running inside Kubernetes.
It will do the following things:
- Initialize the wicked SDK and check there's a Portal API instance to talk to
- Locate or create a machine user called
auto-deploy; machine users are always administrators internally - Locate or create a wicked application with the name
APP_IDand the specifiedCLIENT_TYPE - Locate or create a subscription to the API
API_IDwith the planPLAN_ID - Upsert (create or update) a secret inside Kubernetes in the namespace
NAMESPACEwith the nameSECRET_NAME
The secret will contain two string keys, client_id and client_secret, which in turn can be used inside pod definitions to retrieve credentials to an application. This is how you can use credentials created in case you have an OAuth2 secured API:
# ....
spec:
containers:
- name: your-container
image: yourorg/your-container:latest
env:
# ...
- name: CLIENT_ID
valueFrom:
secretKeyRef:
name: secret-name
key: client_id
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: secret-name
key: client_secretIn case your API is secured by an API key, you will find the API Key in key: apikey:
# ....
spec:
containers:
- name: your-container
image: yourorg/your-container:latest
env:
# ...
- name: API_KEY
valueFrom:
secretKeyRef:
name: secret-name
key: api_keyUse haufelexware/wicked.k8s-init:latest either as an Init Container, or as a Kubernetes Job, see also wicked-init.yml for an example.
Pre Kubernetes 1.6 (<= 1.5):
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
annotations:
pod.beta.kubernetes.io/init-containers: '[
{
"name": "wicked-init",
"image": "haufelexware/wicked.k8s-init:latest",
"env": [
{
"name": "APP_ID",
"value": "wicked-app-id"
},
{
"name": "API_ID",
"value": "some-api"
},
{
"name": "PLAN_ID",
"value": "unlimited"
},
{
"name": "NAMESPACE",
"value": "default"
},
{
"name": "REDIRECT_URI",
"value": "https://uri.of.your.app.com/callback"
},
{
"name": "SECRET_NAME",
"value": "wicked-client-creds"
}
]
}
]'
spec:
containers:
- name: myapp-container
image: busybox
command: ['sh', '-c', 'echo The app is running! && sleep 3600']Kubernetes 1.6 or later (recommended):
apiVersion: v1
kind: Pod
metadata:
name: myapp-pod
labels:
app: myapp
spec:
initContainers:
- name: wicked-init
images: haufelexware/wicked.k8s-init:latest
env:
- name: APP_ID
value: wicked-app-id
- name: API_ID
value: some-api
- name: PLAN_ID
value: unlimited
- name: CLIENT_TYPE
value: confidential
- name: NAMESPACE
value: default
- name: REDIRECT_URI
value: "https://uri.of.your.app.com/callback"
- name: SECRET_NAME
value: wicked-client-creds
containers:
- name: myapp-container
image: busybox
command: ['sh', '-c', 'echo The app is running! && sleep 3600']Use the following environment variables when running the init container/job:
| Env var | Default | Description |
|---|---|---|
APP_ID |
app-id |
The application ID in the wicked portal to be created |
API_ID |
api-id |
The API ID of the API to create a subscription for |
PLAN_ID |
unlimited |
The plan ID to use for the subscription |
CLIENT_TYPE |
public_spa |
The client type; one of public_spa, public_native or confidential |
REDIRECT_URI |
-- | The redirect URI of the application; to specify multiple redirect URIs, separate them with a pipe ` |
SECRET_NAME |
some-secret |
The name of the kubernetes secret to create (retrieve with kubectl get secret some-secret) |
NAMESPACE |
default |
The Kubernetes namespace to create the secret for |
PORTAL_API_URL |
http://portal-api:3001 |
If wicked runs in a different location, specify this env var; note that the portal API must be accessible directly via http! |
The network connection to the Kubernetes API will be retrieved from the injected env vars KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT, using the token automatically stored in /var/run/secrets/kubernetes.io/serviceaccount/token.
Apache 2.0.