From 61cf6a015f182c333b87a2ed385fc787746aee10 Mon Sep 17 00:00:00 2001 From: elias-gb Date: Mon, 12 Aug 2024 21:58:55 +0200 Subject: [PATCH] fix(authproxy): cookie secret creation and reference using env valueFrom (#180) * Added a cookie secret. * Added test for creation of cookie secret. * fix(authproxy): reference cookie secret using env valueFrom * don't recreate secret on upgrade * restore helper --------- Co-authored-by: Andrew Azores --- charts/cryostat/templates/_helpers.tpl | 15 +++++++------- charts/cryostat/templates/_oauth2Proxy.tpl | 6 +++++- .../templates/_openshiftOauthProxy.tpl | 9 ++++++++- charts/cryostat/templates/cookie_secret.yaml | 7 +++++++ charts/cryostat/tests/cookie_secret_test.yaml | 20 +++++++++++++++++++ 5 files changed, 47 insertions(+), 10 deletions(-) create mode 100644 charts/cryostat/templates/cookie_secret.yaml create mode 100644 charts/cryostat/tests/cookie_secret_test.yaml diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index a9c302bf..e760fa27 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
@@ -116,23 +116,22 @@ Get or generate a default secret key for object storage. {{- end -}} {{/* -Generate or retrieve a default value for cookieSecret. +Get or generate a default secret key for auth proxy cookies. */}} {{- define "cryostat.cookieSecret" -}} {{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-cookie-secret" .Release.Name)) -}} {{- if $secret -}} {{/* - Use the current secret. Do not regenerate. + Use current secret. Do not regenerate. */}} -{{- $secret.data.COOKIE_SECRET | b64dec | quote -}} +{{- $secret.data.COOKIE_SECRET -}} {{- else -}} {{/* - Generate a new secret. + Generate new secret */}} -{{- $newSecret := randAlphaNum 24 | b64enc -}} -{{- $newSecret | quote -}} -{{- end }} -{{- end }} +{{- (randAlphaNum 32) | b64enc | quote -}} +{{- end -}} +{{- end -}} {{/* Get sanitized list or defaults (if not disabled) as comma-separated list. diff --git a/charts/cryostat/templates/_oauth2Proxy.tpl b/charts/cryostat/templates/_oauth2Proxy.tpl index 8e8a9671..3e686125 100644 --- a/charts/cryostat/templates/_oauth2Proxy.tpl +++ b/charts/cryostat/templates/_oauth2Proxy.tpl @@ -13,7 +13,11 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml - name: OAUTH2_PROXY_REDIRECT_URL value: "http://localhost:4180/oauth2/callback" - name: OAUTH2_PROXY_COOKIE_SECRET - value: {{ include "cryostat.cookieSecret" . }} + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-cookie-secret + key: COOKIE_SECRET + optional: false - name: OAUTH2_PROXY_EMAIL_DOMAINS value: "*" {{- if .Values.authentication.basicAuth.enabled }} diff --git a/charts/cryostat/templates/_openshiftOauthProxy.tpl b/charts/cryostat/templates/_openshiftOauthProxy.tpl index 1b01b59c..6af23010 100644 --- a/charts/cryostat/templates/_openshiftOauthProxy.tpl +++ b/charts/cryostat/templates/_openshiftOauthProxy.tpl 
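Review bot: The two branches of `cryostat.cookieSecret` now emit differently quoted output: the generated value is passed through `quote` while the looked-up `$secret.data.COOKIE_SECRET` is emitted bare, so the same `COOKIE_SECRET:` line in cookie_secret.yaml renders as a quoted scalar on first install and as a plain scalar on every upgrade. Quoting both branches keeps the rendered manifest stable: `{{- $secret.data.COOKIE_SECRET | quote -}}`. If a pre-existing Secret of that name lacks a `COOKIE_SECRET` key, this branch appears to render an empty value, which the non-optional secretKeyRef in the proxy containers would then fail on at pod start; guarding with `{{- if and $secret (hasKey $secret.data "COOKIE_SECRET") -}}` (Sprig `hasKey`) would fall through to generation instead. The header comment could also note that `lookup` returns nothing under `helm template` and `--dry-run`, so offline output always shows a freshly generated value even though a real upgrade keeps the old one.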
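Review bot: The Secret name `{{ .Release.Name }}-cookie-secret` is now spelled out independently here, in the env block added to _openshiftOauthProxy.tpl, in cookie_secret.yaml, and in the `printf` inside `cryostat.cookieSecret`, so a rename of any one of them breaks the secretKeyRef at pod start rather than at render time. A small named template used from all four sites, for example `{{- define "cryostat.cookieSecretName" -}}{{ .Release.Name }}-cookie-secret{{- end -}}` (name is a proposal), would keep them in lockstep. `optional: false` is the Kubernetes default for `secretKeyRef` and could be dropped here and in the OpenShift hunk, though keeping it to make the hard dependency explicit is a defensible style choice.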
@@ -6,6 +6,13 @@ Create OpenShift OAuth Proxy container. securityContext: {{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 4 }} image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}" + env: + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-cookie-secret + key: COOKIE_SECRET + optional: false args: - --skip-provider-button={{ not .Values.authentication.basicAuth.enabled }} - --pass-access-token=false @@ -14,7 +21,7 @@ Create OpenShift OAuth Proxy container. - --upstream=http://localhost:8181/ - --upstream=http://localhost:3000/grafana/ - --upstream=http://localhost:8333/storage/ - - --cookie-secret={{ include "cryostat.cookieSecret" . }} + - --cookie-secret="$(COOKIE_SECRET)" - --openshift-service-account={{ include "cryostat.serviceAccountName" . }} - --proxy-websockets=true - --http-address=0.0.0.0:4180 diff --git a/charts/cryostat/templates/cookie_secret.yaml b/charts/cryostat/templates/cookie_secret.yaml new file mode 100644 index 00000000..fe2ade86 --- /dev/null +++ b/charts/cryostat/templates/cookie_secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-cookie-secret +type: Opaque +data: + COOKIE_SECRET: {{ include "cryostat.cookieSecret" . }} diff --git a/charts/cryostat/tests/cookie_secret_test.yaml b/charts/cryostat/tests/cookie_secret_test.yaml new file mode 100644 index 00000000..de947995 --- /dev/null +++ b/charts/cryostat/tests/cookie_secret_test.yaml @@ -0,0 +1,20 @@ +suite: test cookie_secret.yaml +templates: + - cookie_secret.yaml + +tests: + - it: should create a Cookie Secret with correct settings + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Secret + - equal: + path: metadata.name + value: RELEASE-NAME-cookie-secret + - equal: + path: type + value: Opaque + - exists: + path: data.COOKIE_SECRET
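Review bot: The double quotes in `- --cookie-secret="$(COOKIE_SECRET)"` reach the process literally, because Kubernetes expands `$(VAR)` in `args` itself without a shell and the YAML plain scalar keeps the quote characters, so oauth-proxy receives a value two bytes longer than the stored secret, wrapped in `"`. Unless the flag parser strips them this silently changes the effective secret and would break any mode that requires a 16/24/32-byte key for cookie encryption; write `- --cookie-secret=$(COOKIE_SECRET)` or quote the whole scalar as `- '--cookie-secret=$(COOKIE_SECRET)'`. The args list this line belongs to continues before and after the hunk.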
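Review bot: cookie_secret.yaml carries no comment on the upgrade behaviour it relies on: its value comes from `cryostat.cookieSecret`, which uses `lookup` to reuse an existing Secret, but `lookup` returns nothing under `helm template`, `--dry-run` and other offline rendering, so those outputs always show a new random value while a real upgrade keeps the old one. A header such as `{{/* Auth proxy cookie secret: reused across upgrades via lookup, generated only when absent; dry-run/template output always shows a fresh value. */}}` would spare the next maintainer the investigation. If the chart applies a shared labels helper to its other resources, this Secret should probably carry the same `metadata.labels` so it is selected and cleaned up consistently; that helper is not visible in this patch, so this is unverified.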
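Review bot: The `exists` assertion on `data.COOKIE_SECRET` passes for any non-null value, including an empty or malformed string, so it does not pin the property the helper is meant to guarantee. Because the generated value is `randAlphaNum 32 | b64enc`, a 32-byte input always encodes to 43 base64 characters plus one `=` pad, so a `matchRegex` assertion with `path: data.COOKIE_SECRET` and `pattern: ^[A-Za-z0-9+/]{43}=$` would check both the encoding and the 32-byte length the proxies accept as a cipher key. A second test could also assert `metadata.name` for a non-default release name via `release.name`, since the current test only covers the `RELEASE-NAME` default.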