chore: checking in

Author: jmgilman

playground/cli/deps.py

@@ -12,6 +12,8 @@
 import os
 from pathlib import Path
 from typing import Any, Dict, Optional
+import subprocess
+import requests
 
 from .config import ConfigState
 from .db.base import DatabaseConfig, DatabaseRoot
@@ -27,6 +29,7 @@ class Deps:
     _db: Optional[DatabaseRoot] = None
     _k8s_loaded: bool = False
     _k8s_clients: Dict[str, Any] | None = None
+    _http_session: Optional[requests.Session] = None
 
     @property
     def runner(self) -> CommandRunner:
@@ -106,3 +109,35 @@ def k8s(self) -> Dict[str, Any]:
             }
             self._k8s_loaded = True
         return self._k8s_clients or {}
+
+    @property
+    def requests_session(self) -> requests.Session:
+        """Return a requests Session configured to trust the local mkcert root CA.
+
+        We assume the repository generates and stores the CA at `.certs/rootCA.pem`.
+        This path is resolved relative to the repository root inferred from the
+        known config path at `playground/config.cue`.
+        """
+        if self._http_session is None:
+            # Derive repo root from the config path (…/playground/config.cue)
+            cfg_path = self.state.path.resolve()
+            repo_root = cfg_path.parent.parent
+            ca_path = repo_root / ".certs/rootCA.pem"
+
+            sess = requests.Session()
+            if ca_path.exists():
+                sess.verify = str(ca_path)
+            else:
+                # Fallback: try mkcert -CAROOT/rootCA.pem
+                try:
+                    out = subprocess.run(
+                        ["mkcert", "-CAROOT"], check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True
+                    )
+                    ca_dir = Path((out.stdout or "").strip())
+                    alt = ca_dir / "rootCA.pem"
+                    if alt.exists():
+                        sess.verify = str(alt)
+                except Exception:
+                    pass
+            self._http_session = sess
+        return self._http_session

playground/cli/setup/hydra.py

@@ -5,6 +5,11 @@
 import subprocess
 import time
 from typing import Mapping as TypingMapping
+from datetime import datetime, timedelta, timezone
+import tempfile
+from pathlib import Path
+from kubernetes.client import V1Secret, V1ObjectMeta  # type: ignore
+from kubernetes.client.exceptions import ApiException  # type: ignore
 
 import requests  # type: ignore[import-not-found,import-untyped]
 
@@ -34,14 +39,17 @@ class HydraClientConfig(BaseModel):
 
 class HydraTaskConfig(BaseModel):
     clients: dict[str, HydraClientConfig] = Field(default_factory=dict)
+    trusted_jwt_grant_issuers: list[dict] = Field(default_factory=list)
 
 
 class HydraSetup(SetupTask):
     """Register/update Hydra OAuth2 clients based on typed config."""
 
-    def __init__(self, clients: TypingMapping[str, HydraClientConfig], runner) -> None:
+    def __init__(self, clients: TypingMapping[str, HydraClientConfig], runner, trusted: list[dict], deps) -> None:
         self.clients = dict(clients)
         self.runner = runner
+        self.trusted = list(trusted)
+        self.deps = deps
 
     def _port_forward(self) -> subprocess.Popen[bytes]:
         return subprocess.Popen(
@@ -68,6 +76,30 @@ def run(self) -> None:
 
             url_base = "http://127.0.0.1:8445/admin/clients"
             headers = {"content-type": "application/json"}
+
+            # Ensure a persistent signing key secret exists for mock-oidc
+            secret_ns = "oidc"
+            secret_name = "mock-oidc-github-signing"
+            core = self.deps.k8s["core"]
+
+            try:
+                core.read_namespaced_secret(name=secret_name, namespace=secret_ns)
+                log(f"Signing key secret exists: {secret_ns}/{secret_name}")
+            except ApiException as e:  # pragma: no cover
+                if getattr(e, "status", None) != 404:
+                    raise
+                with tempfile.TemporaryDirectory() as td:
+                    key_path = Path(td) / "signing_key.pem"
+                    self.runner.run(["openssl", "genrsa", "-out", str(key_path), "2048"])
+                    pem = key_path.read_text()
+                sec = V1Secret(
+                    metadata=V1ObjectMeta(name=secret_name),
+                    type="Opaque",
+                    string_data={"signing_key.pem": pem},
+                )
+                core.create_namespaced_secret(namespace=secret_ns, body=sec)
+                log(f"Created signing key secret: {secret_ns}/{secret_name}")
+
             for key, spec in self.clients.items():
                 client_id = spec.client_id or key
                 resp = requests.post(url_base, json=spec.model_dump(), headers=headers)
@@ -81,6 +113,92 @@ def run(self) -> None:
                     )
                     raise SystemExit(1)
                 log(f"Hydra client upserted: {client_id}")
+
+            # Configure trusted JWT grant issuers (RFC 7523) for JWT-bearer assertions
+            for entry in self.trusted:
+                issuer = entry.get("issuer")
+                jwks_uri = entry.get("jwks_uri") or entry.get("jwks_url")
+                allow_any_subject = bool(entry.get("allow_any_subject", True))
+                scope = entry.get("scope")  # optional
+                subject = entry.get("subject")  # optional
+                expires_at = entry.get("expires_at")  # optional RFC3339 string
+                jwks_kid = entry.get("jwks_kid")  # optional: filter a specific key
+                if not issuer or not jwks_uri:
+                    err("trusted_jwt_grant_issuers entry missing 'issuer' or 'jwks_uri'")
+                    raise SystemExit(1)
+                # Fetch JWKS and create one trust record per key (or the selected kid)
+                try:
+                    sess = self.deps.requests_session
+                    jwks_resp = sess.get(jwks_uri, timeout=10)
+                    jwks = jwks_resp.json()
+                    keys = jwks.get("keys", []) if isinstance(jwks, dict) else []
+                except Exception as e:  # pragma: no cover
+                    err(f"Failed to fetch JWKS from {jwks_uri}: {e}")
+                    raise SystemExit(1)
+
+                if not keys:
+                    err(f"JWKS from {jwks_uri} contained no keys")
+                    raise SystemExit(1)
+
+                created = 0
+                for jwk in keys:
+                    kid = jwk.get("kid")
+                    if jwks_kid and kid != jwks_kid:
+                        continue
+
+                    payload = {
+                        "issuer": issuer,
+                        "jwk": jwk,
+                        "allow_any_subject": allow_any_subject,
+                    }
+                    if scope:
+                        payload["scope"] = scope
+                    if subject:
+                        payload["subject"] = subject
+                    if not expires_at:
+                        one_year = datetime.now(timezone.utc) + timedelta(days=365)
+                        expires_at = one_year.strftime("%Y-%m-%dT%H:%M:%SZ")
+                    payload["expires_at"] = expires_at
+
+                    resp = requests.post(
+                        "http://127.0.0.1:8445/admin/trust/grants/jwt-bearer/issuers",
+                        json=payload,
+                        headers=headers,
+                    )
+                    # Accept 201 Created or 409 Conflict (already exists for this kid)
+                    if resp.status_code not in (201, 409):
+                        err(
+                            f"Failed to trust issuer '{issuer}' (kid={kid}): {resp.status_code} {resp.text}"
+                        )
+                        raise SystemExit(1)
+                    created += 1
+                if created == 0 and jwks_kid:
+                    err(f"No JWKS key with kid={jwks_kid} found at {jwks_uri}")
+                    raise SystemExit(1)
+                log(f"Trusted JWT grant issuer configured: {issuer} (keys={created})")
+
+            # Verification: list trusted issuers from Hydra and log summaries
+            try:
+                resp = requests.get(
+                    "http://127.0.0.1:8445/admin/trust/grants/jwt-bearer/issuers",
+                    headers=headers,
+                    timeout=10,
+                )
+                if resp.status_code == 200:
+                    items = resp.json()
+                    count = len(items) if isinstance(items, list) else 0
+                    log(f"Hydra trusted JWT issuers: {count}")
+                    if isinstance(items, list):
+                        for it in items:
+                            iss = it.get("issuer")
+                            subj = it.get("subject")
+                            anysub = it.get("allow_any_subject")
+                            kid = (it.get("public_key") or {}).get("kid") if isinstance(it.get("public_key"), dict) else None
+                            log(f" - issuer={iss} subject={subj} allow_any_subject={anysub} kid={kid}")
+                else:
+                    err(f"Failed to list trusted issuers: {resp.status_code} {resp.text}")
+            except Exception as e:
+                err(f"List trusted issuers error: {e}")
         finally:
             try:
                 os.kill(pf.pid, signal.SIGTERM)
@@ -92,14 +210,14 @@ def run(self) -> None:
     name="hydra",
     description="Register/update Hydra OAuth2 clients from tasks.hydra",
     priority=50,
-    dependencies=("runner",),
+    dependencies=("runner", "k8s"),
 )
 def _factory(ctx: ConfigState, deps) -> HydraSetup | None:
     raw_tasks = (ctx.raw or {}).get("tasks", {})
     raw_hydra = raw_tasks.get("hydra") if isinstance(raw_tasks, dict) else None
     if not raw_hydra:
         return None
     typed = HydraTaskConfig.model_validate(raw_hydra)
-    if not typed.clients:
+    if not typed.clients and not typed.trusted_jwt_grant_issuers:
         return None
-    return HydraSetup(typed.clients, deps.runner)
+    return HydraSetup(typed.clients, deps.runner, typed.trusted_jwt_grant_issuers, deps)

playground/config.cue

@@ -87,6 +87,13 @@ deployments: {
 						name: "\(registry)/\(deployments.oidc.image.name)"
 						tag:  deployments.oidc.image.tag
 					}
+					mounts: {
+						key: {
+							ref: secret: name: "mock-oidc-github-signing"
+							path:    "/keys/signing.pem"
+							subPath: "signing_key.pem"
+						}
+					}
 				}
 				#config: {
 					base_url: "https://oidc.projectcatalyst.dev"
@@ -114,6 +121,26 @@ deployments: {
 								}
 							}
 						},
+						{
+							id:                   "github"
+							public:               true
+							override:             false
+							signing_key_pem_path: "/keys/signing.pem"
+							issuer_override:      "https://token.actions.githubusercontent.com"
+							default_audience: ["https://auth.projectcatalyst.dev/hydra/public/oauth2/token"]
+							personas: {
+								default: {
+									sub: "repo:acme/repo:ref:refs/heads/main"
+									claims: {
+										repository:  "acme/repo"
+										ref:         "refs/heads/main"
+										sha:         "deadbeef"
+										actor:       "runner"
+										environment: "dev"
+									}
+								}
+							}
+						},
 					]
 				}
 				dns: {
@@ -194,6 +221,24 @@ tasks: {
 					"http://127.0.0.1:49152/logout",
 				]
 			}
+			gha_ci: {
+				client_id:   "gha-ci"
+				client_name: "GitHub Actions (dev)"
+				scope:       "openid"
+				grant_types: ["urn:ietf:params:oauth:grant-type:jwt-bearer"]
+				token_endpoint_auth_method: "none"
+				redirect_uris: []
+				audience: [
+					"https://forge.projectcatalyst.dev/api",
+				]
+			}
 		}
+		trusted_jwt_grant_issuers: [
+			{
+				issuer:            "https://token.actions.githubusercontent.com"
+				jwks_uri:          "https://oidc.projectcatalyst.dev/github/jwks"
+				allow_any_subject: true
+			},
+		]
 	}
 }

playground/helmfile/helmfile.yaml

@@ -398,10 +398,13 @@ releases:
         args: ["apply", "-f", "platform/envoy/hydra-routes.yaml"]
         showlogs: true
       - events: ["postsync"]
-        command: kubectl
-        args: ["create", "namespace", "oidc"]
+        command: sh
+        args:
+          - -c
+          - |
+            set -euo pipefail
+            kubectl create namespace oidc --dry-run=client -o yaml | kubectl apply -f -
         showlogs: true
-      # Oathkeeper is now deployed as a Helm release below
   - name: oathkeeper
     namespace: auth
     chart: ory/oathkeeper

playground/helmfile/platform/mock-oidc/deployment.yaml

@@ -28,7 +28,8 @@ oathkeeper:
         config:
           headers:
             X-Subject: "{{ print .Subject }}"
-            X-Email: "{{ .Extra.ext.email }}"
+            # Render email only if present to avoid template errors when ext is missing
+            X-Email: "{{ with .Extra.ext }}{{ .email }}{{ end }}"
 
 deployment:
   extraVolumes:

playground/helmfile/platform/mock-oidc/namespace.yaml

@@ -37,9 +37,9 @@ hydra:
       access_token: jwt
       scope: exact
     ttl:
-      access_token: 30m
+      access_token: 1h
       id_token: 30m
-      refresh_token: 720h
+      refresh_token: 8h
 
   deployment:
     extraEnv: