initial commit

charts/saml-broker/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: saml-broker
+description: Minimal SAML IdP brokering to OIDC (Pocket ID) for Splunk
+type: application
+version: 0.1.0
+appVersion: "0.1.0"

charts/saml-broker/templates/NOTES.txt

@@ -0,0 +1,4 @@
+1. Get the service URL by running these commands:
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "saml-broker.name" . }}" -o jsonpath="{.items[0].metadata.name}")
+  kubectl port-forward $POD_NAME 8080:8080 &
+  echo "Visit http://127.0.0.1:8080/saml/metadata"

charts/saml-broker/templates/_helpers.tpl

@@ -0,0 +1,10 @@
+{{- define "saml-broker.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- define "saml-broker.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s" (include "saml-broker.name" .) | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}

charts/saml-broker/templates/configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "saml-broker.fullname" . }}-config
+data:
+  config.yaml: |
+{{ toYaml .Values.config | indent 4 }}

charts/saml-broker/templates/deployment.yaml

@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "saml-broker.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "saml-broker.name" . }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "saml-broker.name" . }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "saml-broker.name" . }}
+    spec:
+      containers:
+        - name: broker
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: CONFIG_PATH
+              value: /config/config.yaml
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.env.OIDC_CLIENT_SECRET_SECRET_NAME }}
+                  key: {{ .Values.env.OIDC_CLIENT_SECRET_KEY }}
+          ports:
+            - name: http
+              containerPort: 8080
+          volumeMounts:
+            - name: cfg
+              mountPath: /config
+              readOnly: true
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+          resources:
+{{ toYaml .Values.resources | indent 12 }}
+      volumes:
+        - name: cfg
+          configMap:
+            name: {{ include "saml-broker.fullname" . }}-config

charts/saml-broker/templates/ingress.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "saml-broker.fullname" . }}
+  {{- with .Values.ingress.className }}
+  annotations:
+    kubernetes.io/ingress.class: {{ . }}
+  {{- end }}
+spec:
+  rules:
+  {{- range .Values.ingress.hosts }}
+    - host: {{ .host }}
+      http:
+        paths:
+        {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ include "saml-broker.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+        {{- end }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+  {{- end }}
+{{- end }}

charts/saml-broker/templates/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "saml-broker.fullname" . }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ include "saml-broker.name" . }}

charts/saml-broker/values.yaml

@@ -0,0 +1,63 @@
+image:
+  repository: ghcr.io/your-org/broker
+  tag: dev
+  pullPolicy: IfNotPresent
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  className: ""
+  hosts:
+    - host: id.example.com
+      paths:
+        - path: /
+          pathType: Prefix
+  tls: []
+
+resources: {}
+
+env:
+  # OIDC client secret comes from a Secret
+  OIDC_CLIENT_SECRET_SECRET_NAME: oidc-secret
+  OIDC_CLIENT_SECRET_KEY: OIDC_CLIENT_SECRET
+
+config:
+  # Paste example.config.yaml here (without private key if you mount keys via secret)
+  server:
+    listen: ":8080"
+    external_url: "https://id.example.com"
+  crypto:
+    active_key: "k-2025-09"
+    keys: []
+  oidc_upstream:
+    issuer: "https://pocket-id.example"
+    client_id: "your-client-id"
+    redirect_path: "/oidc/callback"
+    scopes: ["email","profile"]
+  sps:
+    - name: "splunk"
+      entity_id: "https://splunk.example"
+      acs_url: "https://splunk.example/saml/acs"
+      audience: "https://splunk.example"
+      nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+      attribute_mapping:
+        mail: "email"
+        realName: "name"
+        role: "role"
+      role_mapping:
+        admins: "admin"
+        power: "power"
+        "*": "user"
+  security:
+    skew_seconds: 120
+    assertion_ttl_seconds: 300
+    require_signed_authn_request: false
+    metadata_valid_until_days: 7
+    metadata_cache_duration_seconds: 86400
+  session:
+    cookie_name: "_saml_broker"
+    cookie_secure: true
+    cookie_domain: "id.example.com"