fix(authproxy): cookie secret creation and reference using env valueFrom

charts/cryostat/templates/_helpers.tpl

@@ -116,23 +116,22 @@ Get or generate a default secret key for object storage.
 {{- end -}}
 
 {{/*
-Generate or retrieve a default value for cookieSecret.
+Get or generate a default secret key for auth proxy cookies.
 */}}
 {{- define "cryostat.cookieSecret" -}}
 {{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-cookie-secret" .Release.Name)) -}}
 {{- if $secret -}}
 {{/*
-   Use the current secret. Do not regenerate.
+   Use current secret. Do not regenerate.
 */}}
-{{- $secret.data.COOKIE_SECRET | b64dec | quote -}}
+{{- $secret.data.COOKIE_SECRET -}}
 {{- else -}}
 {{/*
-    Generate a new secret.
+    Generate new secret
 */}}
-{{- $newSecret := randAlphaNum 24 | b64enc -}}
-{{- $newSecret | quote -}}
-{{- end }}
-{{- end }}
+{{- (randAlphaNum 32) | b64enc | quote -}}
+{{- end -}}
+{{- end -}}
 
 {{/*
     Get sanitized list or defaults (if not disabled) as comma-separated list.

charts/cryostat/templates/_oauth2Proxy.tpl

@@ -13,7 +13,11 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml
     - name: OAUTH2_PROXY_REDIRECT_URL
       value: "http://localhost:4180/oauth2/callback"
     - name: OAUTH2_PROXY_COOKIE_SECRET
-      value: {{ include "cryostat.cookieSecret" . }}
+      valueFrom:
+        secretKeyRef:
+          name: {{ .Release.Name }}-cookie-secret
+          key: COOKIE_SECRET
+          optional: false
     - name: OAUTH2_PROXY_EMAIL_DOMAINS
       value: "*"
     {{- if .Values.authentication.basicAuth.enabled }}

charts/cryostat/templates/_openshiftOauthProxy.tpl

@@ -6,6 +6,13 @@ Create OpenShift OAuth Proxy container.
   securityContext:
     {{- toYaml .Values.openshiftOauthProxy.securityContext | nindent 4 }}
   image: "{{ .Values.openshiftOauthProxy.image.repository }}:{{ .Values.openshiftOauthProxy.image.tag }}"
+  env:
+    - name: COOKIE_SECRET
+      valueFrom:
+        secretKeyRef:
+          name: {{ .Release.Name }}-cookie-secret
+          key: COOKIE_SECRET
+          optional: false
   args:
     - --skip-provider-button={{ not .Values.authentication.basicAuth.enabled }}
     - --pass-access-token=false
@@ -14,7 +21,7 @@ Create OpenShift OAuth Proxy container.
     - --upstream=http://localhost:8181/
     - --upstream=http://localhost:3000/grafana/
     - --upstream=http://localhost:8333/storage/
-    - --cookie-secret={{ include "cryostat.cookieSecret" . }}
+    - --cookie-secret="$(COOKIE_SECRET)"
     - --openshift-service-account={{ include "cryostat.serviceAccountName" . }}
     - --proxy-websockets=true
     - --http-address=0.0.0.0:4180

charts/cryostat/templates/cookie_secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-cookie-secret
+type: Opaque
+data:
+  COOKIE_SECRET: {{ include "cryostat.cookieSecret" . }}

charts/cryostat/tests/cookie_secret_test.yaml

@@ -0,0 +1,20 @@
+suite: test cookie_secret.yaml
+templates:
+  - cookie_secret.yaml
+
+tests:
+  - it: should create a Cookie Secret with correct settings
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: kind
+          value: Secret
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-cookie-secret
+      - equal:
+          path: type
+          value: Opaque
+      - exists:
+          path: data.COOKIE_SECRET