working x-domain skaffold

.gitignore

@@ -5,6 +5,9 @@
 *.so
 *.dylib
 
+#env files
+*.env
+
 # Test binary, built with `go test -c`
 *.test
 
@@ -28,3 +31,4 @@ e2e/test-results/
 e2e/playwright-report/
 e2e/playwright/.cache/
 /backend/build_info/version.txt
+

backend/config/config.go

@@ -510,7 +510,7 @@ func (t *ThirdParty) PostProcess() error {
 
 type ThirdPartyProvider struct {
 	Enabled  bool   `yaml:"enabled" json:"enabled" koanf:"enabled"`
-	ClientID string `yaml:"client_id" json:"client_id" koanf:"client_id"`
+	ClientID string `yaml:"client_id" json:"client_id" koanf:"client_id" split_words:"true"`
 	Secret   string `yaml:"secret" json:"secret" koanf:"secret"`
 }
 

deploy/k8s/base/elements/ingress.yaml

@@ -8,13 +8,15 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  labels:
+    fqdn: elements.quickstart.test
 spec:
   tls:
     - hosts:
-        - elements.quickstart.test
+        - $(ELEMENTS_FQDN)
       secretName: elements-tls
   rules:
-    - host: elements.quickstart.test
+    - host: $(ELEMENTS_FQDN)
       http:
         paths:
           - path: /

deploy/k8s/base/elements/kustomization.yaml

@@ -2,3 +2,11 @@ resources:
   - deployment.yaml
   - service.yaml
   - ingress.yaml
+vars:
+  - fieldref:
+      fieldpath: metadata.labels.fqdn
+    name: ELEMENTS_FQDN
+    objref:
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      name: hanko-elements

deploy/k8s/base/quickstart/ingress.yaml

@@ -8,13 +8,15 @@ metadata:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+  labels:
+    fqdn: app.quickstart.test
 spec:
   tls:
     - hosts:
-        - app.quickstart.test
+        - $(QUICKSTART_FQDN)
       secretName: quickstart-tls
   rules:
-    - host: app.quickstart.test
+    - host: $(QUICKSTART_FQDN)
       http:
         paths:
           - path: /

deploy/k8s/base/quickstart/kustomization.yaml

@@ -2,3 +2,11 @@ resources:
   - deployment.yaml
   - service.yaml
   - ingress.yaml
+vars:
+  - fieldref:
+      fieldpath: metadata.labels.fqdn
+    name: QUICKSTART_FQDN
+    objref:
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      name: hanko-quickstart

deploy/k8s/overlays/thirdparty-x-domain/README.md

@@ -0,0 +1,15 @@
+# Adding OIDC Clients
+To successfully test this you need to add OIDC Clients as Secrets:
+
+Create a github.env and a google.env of the form:
+```
+client_id=your-id
+client_secret=your-secret
+```
+
+Run
+> skaffold run -p thirdparty-x-domain
+
+to build and deploy to local cluster.
+
+The quickstart app should then be running on **https://app.domain-app.grocery**

deploy/k8s/overlays/thirdparty-x-domain/config.yaml

@@ -0,0 +1,39 @@
+database:
+  user: hanko
+  password: hanko
+  host: postgres
+  port: 5432
+  dialect: postgres
+passcode:
+  email:
+    from_address: [email protected]
+  smtp:
+    host: "mailslurper"
+    port: "2500"
+secrets:
+  keys:
+    - abcedfghijklmnopqrstuvwxyz
+service:
+  name: Hanko Authentication Service
+session:
+  enable_auth_token_header: true
+server:
+  public:
+    cors:
+      enabled: true
+      allow_credentials: true
+      allow_origins:
+        - 'https://app.domain-app.grocery'
+webauthn:
+  relying_party:
+    origin: "https://app.domain-app.grocery"
+third_party:
+  error_redirect_url: https://app.domain-app.grocery
+  allowed_redirect_urls:
+    - https://app.domain-app.grocery**
+  redirect_url: https://hanko.domain-hanko.grocery/thirdparty/callback
+  providers:
+    google:
+      enabled: true
+    github:
+      enabled: true

deploy/k8s/overlays/thirdparty-x-domain/env-patch.yaml

@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hanko-quickstart
+  namespace: hanko-tenant
+spec:
+  template:
+    spec:
+      containers:
+        - name: hanko-quickstart
+          env:
+            - name: HANKO_URL
+              value: https://hanko.domain-hanko.grocery
+            - name: HANKO_URL_INTERNAL
+              value: http://hanko-public
+            - name: HANKO_ELEMENT_URL
+              value: https://elements.domain-app.grocery/elements.js
+            - name: HANKO_FRONTEND_SDK_URL
+              value: https://elements.domain-app.grocery/sdk.modern.js
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hanko
+  namespace: hanko-tenant
+spec:
+  template:
+    spec:
+      containers:
+        - name: hanko
+          env:
+            - name: THIRD_PARTY_PROVIDERS_GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  key: client_id
+                  name: google
+            - name: THIRD_PARTY_PROVIDERS_GOOGLE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: client_secret
+                  name: google
+            - name: THIRD_PARTY_PROVIDERS_GITHUB_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  key: client_id
+                  name: github
+            - name: THIRD_PARTY_PROVIDERS_GITHUB_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: client_secret
+                  name: github
+      initContainers:
+        - name: hanko-migrate
+          env:
+            - name: THIRD_PARTY_PROVIDERS_GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  key: client_id
+                  name: google
+            - name: THIRD_PARTY_PROVIDERS_GOOGLE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: client_secret
+                  name: google
+            - name: THIRD_PARTY_PROVIDERS_GITHUB_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  key: client_id
+                  name: github
+            - name: THIRD_PARTY_PROVIDERS_GITHUB_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: client_secret
+                  name: github

deploy/k8s/overlays/thirdparty-x-domain/ingress-patch.yaml

@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hanko
+  namespace: hanko-tenant
+  labels:
+    fqdn: hanko.domain-hanko.grocery
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hanko-elements
+  namespace: hanko-tenant
+  labels:
+    fqdn: elements.domain-app.grocery
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hanko-quickstart
+  namespace: hanko-tenant
+  labels:
+    fqdn: app.domain-app.grocery

deploy/k8s/overlays/thirdparty-x-domain/kustomization.yaml

@@ -4,3 +4,18 @@ resources:
   - ../../base/hanko
   - ../../base/elements
   - ../../base/quickstart
+patchesStrategicMerge:
+  - ingress-patch.yaml
+  - env-patch.yaml
+configMapGenerator:
+  - files:
+      - config.yaml
+    name: hanko
+    behavior: replace
+secretGenerator:
+  - name: github
+    envs:
+      - github.env
+  - name: google
+    envs:
+      - google.env

skaffold.yaml

@@ -26,8 +26,8 @@ profiles:
     kustomize:
       paths:
       - deploy/k8s/overlays/quickstart
-- name: thirdparty
+- name: thirdparty-x-domain
   deploy:
     kustomize:
       paths:
-        - deploy/k8s/overlays/thirdparty
+        - deploy/k8s/overlays/thirdparty-x-domain