feat: Kubernetes-based data protection provider (#520)

Author: IvanJosipovic

OIDC-Guard.sln

@@ -1,47 +1,47 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 17
-VisualStudioVersion = 17.7.33711.374
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "oidc-guard", "src\oidc-guard\oidc-guard.csproj", "{6929C116-97B2-441D-A5D0-183DBCF7FB91}"
-EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{0A693076-F1A0-42D6-BC38-FD7EB3717CF8}"
-	ProjectSection(SolutionItems) = preProject
-		.releaserc.json = .releaserc.json
-		.github\workflows\cicd.yml = .github\workflows\cicd.yml
-		global.json = global.json
-		README.md = README.md
-		.github\renovate.json = .github\renovate.json
-		charts\oidc-guard\values.yaml = charts\oidc-guard\values.yaml
-	EndProjectSection
-EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "oidc-guard-tests", "tests\oidc-guard-tests\oidc-guard-tests.csproj", "{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}"
-EndProject
-Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "oidc-guard-benchmarks", "benchmarks\oidc-guard-benchmarks\oidc-guard-benchmarks.csproj", "{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Any CPU = Debug|Any CPU
-		Release|Any CPU = Release|Any CPU
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{6929C116-97B2-441D-A5D0-183DBCF7FB91}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{6929C116-97B2-441D-A5D0-183DBCF7FB91}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{6929C116-97B2-441D-A5D0-183DBCF7FB91}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{6929C116-97B2-441D-A5D0-183DBCF7FB91}.Release|Any CPU.Build.0 = Release|Any CPU
-		{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}.Release|Any CPU.Build.0 = Release|Any CPU
-		{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}.Release|Any CPU.Build.0 = Release|Any CPU
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-	GlobalSection(ExtensibilityGlobals) = postSolution
-		SolutionGuid = {E595A20B-B5ED-400D-80A3-C453B0796AA9}
-	EndGlobalSection
-EndGlobal
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 18
+VisualStudioVersion = 18.0.11104.47 d18.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "oidc-guard", "src\oidc-guard\oidc-guard.csproj", "{6929C116-97B2-441D-A5D0-183DBCF7FB91}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{0A693076-F1A0-42D6-BC38-FD7EB3717CF8}"
+	ProjectSection(SolutionItems) = preProject
+		.releaserc.json = .releaserc.json
+		.github\workflows\cicd.yml = .github\workflows\cicd.yml
+		global.json = global.json
+		README.md = README.md
+		.github\renovate.json = .github\renovate.json
+		charts\oidc-guard\values.yaml = charts\oidc-guard\values.yaml
+	EndProjectSection
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "oidc-guard-tests", "tests\oidc-guard-tests\oidc-guard-tests.csproj", "{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "oidc-guard-benchmarks", "benchmarks\oidc-guard-benchmarks\oidc-guard-benchmarks.csproj", "{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{6929C116-97B2-441D-A5D0-183DBCF7FB91}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6929C116-97B2-441D-A5D0-183DBCF7FB91}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6929C116-97B2-441D-A5D0-183DBCF7FB91}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{6929C116-97B2-441D-A5D0-183DBCF7FB91}.Release|Any CPU.Build.0 = Release|Any CPU
+		{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{21CCD575-7BEC-4CA8-B6EA-C0A66E2EB330}.Release|Any CPU.Build.0 = Release|Any CPU
+		{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{EEC646DE-2009-4AC4-94E7-AB9108CCE80B}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {E595A20B-B5ED-400D-80A3-C453B0796AA9}
+	EndGlobalSection
+EndGlobal

charts/oidc-guard/templates/deployment.yaml

@@ -1,108 +1,108 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "oidc-guard.fullname" . }}
-  labels:
-    {{- include "oidc-guard.labels" . | nindent 4 }}
-spec:
-  {{- if not .Values.autoscaling.enabled }}
-  replicas: {{ .Values.replicaCount }}
-  {{- end }}
-  selector:
-    matchLabels:
-      {{- include "oidc-guard.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
-      {{- with .Values.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "oidc-guard.selectorLabels" . | nindent 8 }}
-    spec:
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "oidc-guard.serviceAccountName" . }}
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ .Chart.Name }}
-          env:
-          - name: ASPNETCORE_ENVIRONMENT
-            value: Production
-          {{- if .Values.settings.sslCertSecretName }}
-          - name: Certificates__Default__Path
-            value: /app/ssl/tls.crt
-          - name: Certificates__Default__KeyPath
-            value: /app/ssl/tls.key
-          {{- end }}
-          {{- if .Values.settings.cookie.clientSecretName }}
-          - name: settings__cookie__clientSecret
-            valueFrom:
-              secretKeyRef:
-                name: {{ .Values.settings.cookie.clientSecretName }}
-                key: {{ .Values.settings.cookie.clientSecretKey }}
-          {{- end }}
-          - name: settings__name
-            value: {{ include "oidc-guard.fullname" . }}
-          - name: settings__namespace
-            value: {{ .Release.Namespace }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
-          ports:
-            - name: http
-              containerPort: 8080
-              protocol: TCP
-            - name: https
-              containerPort: 8443
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: http
-          readinessProbe:
-            httpGet:
-              path: /health
-              port: http
-          resources:
-            {{- toYaml .Values.resources | nindent 12 }}
-          volumeMounts:
-            - mountPath: /tmp
-              name: tmp-volume
-            - name: appsettings-volume
-              mountPath: /app/appsettings.Production.json
-              subPath: appsettings.Production.json
-              readOnly: true
-            {{- if .Values.settings.sslCertSecretName }}
-            - name: appsettings-ssl
-              mountPath: /app/ssl/
-              readOnly: true
-            {{- end }}
-      volumes:
-        - name: tmp-volume
-          emptyDir: {}
-        - name: appsettings-volume
-          secret:
-            secretName: {{ include "oidc-guard.fullname" . }}
-        {{- if .Values.settings.sslCertSecretName }}
-        - name: appsettings-ssl
-          secret:
-            secretName: "{{ .Values.settings.sslCertSecretName }}"
-        {{- end }}
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "oidc-guard.fullname" . }}
+  labels:
+    {{- include "oidc-guard.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "oidc-guard.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "oidc-guard.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "oidc-guard.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          env:
+          - name: ASPNETCORE_ENVIRONMENT
+            value: Production
+          {{- if .Values.settings.sslCertSecretName }}
+          - name: Certificates__Default__Path
+            value: /app/ssl/tls.crt
+          - name: Certificates__Default__KeyPath
+            value: /app/ssl/tls.key
+          {{- end }}
+          {{- if .Values.settings.cookie.clientSecretName }}
+          - name: settings__cookie__clientSecret
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.settings.cookie.clientSecretName }}
+                key: {{ .Values.settings.cookie.clientSecretKey }}
+          {{- end }}
+          - name: settings__name
+            value: {{ include "oidc-guard.fullname" . }}
+          - name: settings__namespace
+            value: {{ .Release.Namespace }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /tmp
+              name: tmp-volume
+            - name: appsettings-volume
+              mountPath: /app/appsettings.Production.json
+              subPath: appsettings.Production.json
+              readOnly: true
+            {{- if .Values.settings.sslCertSecretName }}
+            - name: appsettings-ssl
+              mountPath: /app/ssl/
+              readOnly: true
+            {{- end }}
+      volumes:
+        - name: tmp-volume
+          emptyDir: {}
+        - name: appsettings-volume
+          secret:
+            secretName: {{ include "oidc-guard.fullname" . }}
+        {{- if .Values.settings.sslCertSecretName }}
+        - name: appsettings-ssl
+          secret:
+            secretName: "{{ .Values.settings.sslCertSecretName }}"
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/oidc-guard/templates/permissions.yaml

@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "oidc-guard.fullname" . }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["list", "create", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "oidc-guard.fullname" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "oidc-guard.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "oidc-guard.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}

charts/oidc-guard/templates/serviceaccount.yaml

@@ -1,12 +1,10 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "oidc-guard.serviceAccountName" . }}
-  labels:
-    {{- include "oidc-guard.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "oidc-guard.serviceAccountName" . }}
+  labels:
+    {{- include "oidc-guard.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}

charts/oidc-guard/values.yaml

@@ -137,8 +137,6 @@ settings:
     appendToWWWAuthenticateHeader: ""
 
 serviceAccount:
-  # Specifies whether a service account should be created
-  create: true
   # Annotations to add to the service account
   annotations: {}
   # The name of the service account to use.