diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl
index a9c302bf..e760fa27 100644
--- a/charts/cryostat/templates/_helpers.tpl
+++ b/charts/cryostat/templates/_helpers.tpl
@@ -116,23 +116,22 @@ Get or generate a default secret key for object storage.
 {{- end -}}
 
 {{/*
-Generate or retrieve a default value for cookieSecret.
+Get or generate a default secret key for auth proxy cookies.
 */}}
 {{- define "cryostat.cookieSecret" -}}
 {{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-cookie-secret" .Release.Name)) -}}
 {{- if $secret -}}
 {{/*
-Use the current secret. Do not regenerate.
+Use current secret. Do not regenerate.
 */}}
-{{- $secret.data.COOKIE_SECRET | b64dec | quote -}}
+{{- $secret.data.COOKIE_SECRET -}}
 {{- else -}}
 {{/*
-Generate a new secret.
+Generate new secret
 */}}
-{{- $newSecret := randAlphaNum 24 | b64enc -}}
-{{- $newSecret | quote -}}
-{{- end }}
-{{- end }}
+{{- (randAlphaNum 32) | b64enc | quote -}}
+{{- end -}}
+{{- end -}}
 
 {{/*
 Get sanitized list or defaults (if not disabled) as comma-separated list.
diff --git a/charts/cryostat/templates/_oauth2Proxy.tpl b/charts/cryostat/templates/_oauth2Proxy.tpl
index 8e8a9671..3e686125 100644
--- a/charts/cryostat/templates/_oauth2Proxy.tpl
+++ b/charts/cryostat/templates/_oauth2Proxy.tpl
@@ -13,7 +13,11 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml
 - name: OAUTH2_PROXY_REDIRECT_URL
 value: "http://localhost:4180/oauth2/callback"
 - name: OAUTH2_PROXY_COOKIE_SECRET
-value: {{ include "cryostat.cookieSecret" . }}
+valueFrom:
+secretKeyRef:
+name: {{ .Release.Name }}-cookie-secret
+key: COOKIE_SECRET
+optional: false
 - name: OAUTH2_PROXY_EMAIL_DOMAINS
 value: "*"
 {{- if .Values.authentication.basicAuth.enabled }}
diff --git a/charts/cryostat/templates/_openshiftOauthProxy.tpl b/charts/cryostat/templates/_openshiftOauthProxy.tpl
index 1b01b59c..6af23010 100644
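Review bot: The two branches of `cryostat.cookieSecret` no longer agree on quoting: the lookup branch emits `{{- $secret.data.COOKIE_SECRET -}}` as a bare scalar while the generate branch pipes through `quote`, and both land in the `data:` map of cookie_secret.yaml. A bare base64 string is a YAML plain scalar, so for consistency (and to rule out any odd scalar typing) the existing-secret branch should read `{{- $secret.data.COOKIE_SECRET | quote -}}`. It is also worth a template comment that `lookup` returns nothing under `helm template` and `--dry-run`, so those renders always take the generate branch and show a different value on every run; only a real install/upgrade sees the persisted secret. Note that the stored value is the base64 of 32 raw alphanumeric characters, so the container receives the 32-character string after Kubernetes decodes the Secret; a one-line comment stating that would stop a future change from double-encoding it.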
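Review bot: The new `secretKeyRef` block for `OAUTH2_PROXY_COOKIE_SECRET` has no comment saying where the Secret comes from or what happens when it changes, and the same block is repeated in the _openshiftOauthProxy.tpl hunk. Environment variables sourced via `valueFrom.secretKeyRef` are read once at container start and are not refreshed if the Secret is later rotated, so a rotation requires a pod restart; a comment such as `# Populated from cookie_secret.yaml; changing the Secret requires a pod restart` next to `valueFrom:` would make that explicit for operators. `optional: false` is already the Kubernetes default, so it can be kept for emphasis or dropped as a matter of style, but the two templates should at least do the same thing.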
--- a/charts/cryostat/templates/_openshiftOauthProxy.tpl
+++ b/charts/cryostat/templates/_openshiftOauthProxy.tpl
@@ -6,6 +6,13 @@ Create OpenShift OAuth Proxy container.
 securityContext:
 {{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 4 }}
 image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}"
+env:
+- name: COOKIE_SECRET
+valueFrom:
+secretKeyRef:
+name: {{ .Release.Name }}-cookie-secret
+key: COOKIE_SECRET
+optional: false
 args:
 - --skip-provider-button={{ not .Values.authentication.basicAuth.enabled }}
 - --pass-access-token=false
@@ -14,7 +21,7 @@ Create OpenShift OAuth Proxy container.
 - --upstream=http://localhost:8181/
 - --upstream=http://localhost:3000/grafana/
 - --upstream=http://localhost:8333/storage/
-- --cookie-secret={{ include "cryostat.cookieSecret" . }}
+- --cookie-secret="$(COOKIE_SECRET)"
 - --openshift-service-account={{ include "cryostat.serviceAccountName" . }}
 - --proxy-websockets=true
 - --http-address=0.0.0.0:4180
diff --git a/charts/cryostat/templates/cookie_secret.yaml b/charts/cryostat/templates/cookie_secret.yaml
new file mode 100644
index 00000000..fe2ade86
--- /dev/null
+++ b/charts/cryostat/templates/cookie_secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ .Release.Name }}-cookie-secret
+type: Opaque
+data:
+COOKIE_SECRET: {{ include "cryostat.cookieSecret" . }}
diff --git a/charts/cryostat/tests/cookie_secret_test.yaml b/charts/cryostat/tests/cookie_secret_test.yaml
new file mode 100644
index 00000000..de947995
--- /dev/null
+++ b/charts/cryostat/tests/cookie_secret_test.yaml
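Review bot: The rewritten argument `- --cookie-secret="$(COOKIE_SECRET)"` is a YAML plain scalar, and Kubernetes passes `args` to the container without a shell, so the kubelet expands `$(COOKIE_SECRET)` but the surrounding double quotes stay in argv as literal characters. Unless the proxy strips them itself (not something this hunk can show), the value it treats as the cookie secret is the 32-character string plus two quote characters, which is different from what the oauth2-proxy container receives via its environment variable in the _oauth2Proxy.tpl hunk. The removed line had the same quoting because the old helper used `quote`, but since this line is being rewritten anyway it should become `- --cookie-secret=$(COOKIE_SECRET)`. A helm-unittest assertion on the rendered arg would pin this down; the new cookie_secret_test.yaml only covers the Secret itself.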
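Review bot: The new cookie_secret.yaml has no comment explaining that the value under `data:` is already base64 because `cryostat.cookieSecret` applies `b64enc`, so a maintainer switching to `stringData:` or adding another `b64enc` would silently break both proxies. A comment above `data:` such as `# Value is emitted base64-encoded by the helper; do not re-encode or move to stringData` covers that. The `metadata:` block also carries only `name`; if the chart's other templates attach common labels via a shared include, this Secret should do the same so it is selectable and cleaned up consistently, though that include is not visible in this diff.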
@@ -0,0 +1,20 @@
+suite: test cookie_secret.yaml
+templates:
+- cookie_secret.yaml
+
+tests:
+- it: should create a Cookie Secret with correct settings
+asserts:
+- hasDocuments:
+count: 1
+- equal:
+path: kind
+value: Secret
+- equal:
+path: metadata.name
+value: RELEASE-NAME-cookie-secret
+- equal:
+path: type
+value: Opaque
+- exists:
+path: data.COOKIE_SECRET
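Review bot: The final assertion only checks `exists: path: data.COOKIE_SECRET`, so a regression that emits an empty string, a raw unencoded value, or a double-encoded value would still pass. Under helm-unittest the `lookup` in the helper returns nothing, so the generate branch always runs and the value is deterministic in shape: base64 of 32 alphanumeric bytes is 44 characters ending in a single `=`. Adding `- matchRegex:` / `path: data.COOKIE_SECRET` / `pattern: ^[A-Za-z0-9+/]{43}=$` after the `exists` assertion pins that encoding.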