Merge pull request #532 from goshlanguage/bug-chart-bypass-secrets-logic
chart: bugfix for bypassSecrets
yolossn authored Jan 12, 2022
2 parents cd296e5 + 74d12ef commit 3d8d0e4
Showing 5 changed files with 34 additions and 12 deletions.
2 changes: 1 addition & 1 deletion charts/nebraska/Chart.yaml
Expand Up @@ -19,7 +19,7 @@ sources:
maintainers:
- name: kinvolk
url: https://kinvolk.io/
version: 0.1.10
version: 0.1.11
appVersion: "2.5.1"

dependencies:
3 changes: 2 additions & 1 deletion charts/nebraska/README.md
Expand Up @@ -70,9 +70,9 @@ $ helm install my-nebraska nebraska/nebraska
| `config.hostFlatcarPackages.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
| `config.hostFlatcarPackages.persistence.size` | PVC Storage Request for PostgreSQL volume | `10Gi` |
| `config.auth.mode` | Authentication mode, available modes: `noop`, `github`, `oidc` | `noop` |
| `config.auth.bypassSecrets` | Bypass secrets skips secrets creation so you can bring your own. Be sure to set the appropriate env vars in `extraEnv` if this is enabled. |`false` | |
| `config.auth.github.clientID` | GitHub client ID used for authentication | `nil` |
| `config.auth.github.clientSecret` | GitHub client secret used for authentication | `nil` |
| `config.auth.github.existingSecret` | existingSecret will mount a given secret to the container. Be sure to match the expected keys in [deployment.yaml](./templates/deployment.yaml) |`nil` | |
| `config.auth.github.sessionAuthKey` | Session secret used for authenticating sessions in cookies used for storing GitHub info , will be generated if none is passed | `nil` |
| `config.auth.github.sessionCryptKey` | Session key used for encrypting sessions in cookies used for storing GitHub info, will be generated if none is passed | `nil` |
| `config.auth.github.webhookSecret` | GitHub webhook secret used for validing webhook messages | `nil` |
Expand All @@ -81,6 +81,7 @@ $ helm install my-nebraska nebraska/nebraska
| `config.auth.github.enterpriseURL` | Base URL of the enterprise instance if using GHE | `nil` |
| `config.auth.oidc.clientID` | OIDC client ID used for authentication | `nil` |
| `config.auth.oidc.clientSecret` | OIDC client Secret used for authentication | `nil` |
| `config.auth.oidc.existingSecret` | existingSecret will mount a given secret to the container. Be sure to match the expected keys in [deployment.yaml](./templates/deployment.yaml). |`nil` | |
| `config.auth.oidc.issuerURL` | OIDC issuer URL used for authentication | `nil` |
| `config.auth.oidc.validRedirectURLs` | comma-separated list of valid Redirect URLs | `nil` |
| `config.auth.oidc.managementURL` | OIDC management url for managing the account | `nil` |
28 changes: 24 additions & 4 deletions charts/nebraska/templates/deployment.yaml
Expand Up @@ -144,17 +144,29 @@ spec:
- name: "NEBRASKA_GITHUB_OAUTH_CLIENT_SECRET"
valueFrom:
secretKeyRef:
{{- if not .Values.config.auth.github.existingSecret }}
name: {{ include "nebraska.fullname" . }}
{{- else }}
name: {{ .Values.config.auth.github.existingSecret }}
{{- end }}
key: ghClientSecret
- name: "NEBRASKA_GITHUB_SESSION_SECRET"
valueFrom:
secretKeyRef:
{{- if not .Values.config.auth.github.existingSecret }}
name: {{ include "nebraska.fullname" . }}
{{- else }}
name: {{ .Values.config.auth.github.existingSecret }}
{{- end }}
key: ghSessionAuthKey
- name: "NEBRASKA_GITHUB_SESSION_CRYPT_KEY"
valueFrom:
secretKeyRef:
{{- if not .Values.config.auth.github.existingSecret }}
name: {{ include "nebraska.fullname" . }}
{{- else }}
name: {{ .Values.config.auth.github.existingSecret }}
{{- end }}
key: ghSessionCryptKey
- name: "NEBRASKA_GITHUB_WEBHOOK_SECRET"
valueFrom:
Expand All @@ -170,27 +182,35 @@ spec:
- name: "NEBRASKA_OIDC_CLIENT_ID"
valueFrom:
secretKeyRef:
{{- if not .Values.config.auth.oidc.existingSecret }}
name: {{ include "nebraska.fullname" . }}
{{- else }}
name: {{ .Values.config.auth.oidc.existingSecret }}
{{- end }}
key: oidcClientID
- name: "NEBRASKA_OIDC_CLIENT_SECRET"
valueFrom:
secretKeyRef:
{{- if not .Values.config.auth.oidc.existingSecret }}
name: {{ include "nebraska.fullname" . }}
{{- else }}
name: {{ .Values.config.auth.oidc.existingSecret }}
{{- end }}
key: oidcClientSecret
{{- if .Values.config.auth.oidc.sessionAuthKey }}
{{- if .Values.config.auth.oidc.sessionAuthKey }}
- name: "NEBRASKA_OIDC_SESSION_SECRET"
valueFrom:
secretKeyRef:
name: {{ include "nebraska.fullname" . }}
key: oidcSessionAuthKey
{{- end }}
{{- if .Values.config.auth.oidc.sessionCryptKey }}
{{- end }}
{{- if .Values.config.auth.oidc.sessionCryptKey }}
- name: "NEBRASKA_OIDC_SESSION_CRYPT_KEY"
valueFrom:
secretKeyRef:
name: {{ include "nebraska.fullname" . }}
key: oidcSessionCryptKey
{{- end }}
{{- end }}
{{- end }}
{{- range $key, $value := .Values.extraEnvVars }}
- name: {{ $key }}
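Review bot: In the second hunk the OIDC session-key env vars (`NEBRASKA_OIDC_SESSION_SECRET`, `NEBRASKA_OIDC_SESSION_CRYPT_KEY`) still take `secretKeyRef.name` from `include "nebraska.fullname"` even when `config.auth.oidc.existingSecret` is set, while the client-ID/secret refs just above them now switch to the existing Secret. With existingSecret set, secrets.yaml no longer writes `oidcSessionAuthKey`/`oidcSessionCryptKey` into the chart Secret (and renders no Secret at all when the DB password also comes from an existing Secret), so a release that sets both existingSecret and a session key references a missing key and the pod will not start. The same if/else switch belongs on those two refs, and the user-supplied name should be quoted (`name: {{ .Values.config.auth.oidc.existingSecret | quote }}`) so it is always emitted as a string. The github webhook-secret ref at the end of the first hunk is cut off by the collapsed region, so I could not confirm it was updated as well; the env list continues past the hunk into `extraEnvVars`.
```yaml
{{- if .Values.config.auth.oidc.sessionAuthKey }}
- name: "NEBRASKA_OIDC_SESSION_SECRET"
  valueFrom:
    secretKeyRef:
      {{- if not .Values.config.auth.oidc.existingSecret }}
      name: {{ include "nebraska.fullname" . }}
      {{- else }}
      name: {{ .Values.config.auth.oidc.existingSecret | quote }}
      {{- end }}
      key: oidcSessionAuthKey
{{- end }}
# … unchanged: NEBRASKA_OIDC_SESSION_CRYPT_KEY, with the same if/else on its secretKeyRef.name …
```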
10 changes: 5 additions & 5 deletions charts/nebraska/templates/secrets.yaml
@@ -1,5 +1,5 @@
{{- $useGhAuth := eq .Values.config.auth.mode "github" }}
{{- $useOidcAuth := eq .Values.config.auth.mode "oidc" }}
{{- $useGhAuth := and (eq .Values.config.auth.mode "github") (not .Values.config.auth.github.existingSecret) }}
{{- $useOidcAuth := and (eq .Values.config.auth.mode "oidc") (not .Values.config.auth.oidc.existingSecret) }}
{{- $useDbPassword := not .Values.config.database.passwordExistingSecret.enabled }}
{{- if or $useDbPassword $useOidcAuth $useGhAuth }}
apiVersion: v1
Expand All @@ -13,8 +13,8 @@ data:
{{- if $useDbPassword }}
dbPassword: {{ (tpl .Values.config.database.password .) | b64enc }}
{{- end }}
{{- if and ($useOidcAuth) (ne .Values.config.auth.bypassSecrets true) }}
oidcClientID: {{ required "A valid 'clientId' is required when using oidc authentication" .Values.config.auth.oidc.clientID | toString | b64enc }}
{{- if $useOidcAuth }}
oidcClientID: {{ required "A valid 'clientID' is required when using oidc authentication" .Values.config.auth.oidc.clientID | toString | b64enc }}
oidcClientSecret: {{ required "A valid 'clientSecret' is required when using oidc authentication" .Values.config.auth.oidc.clientSecret | toString | b64enc }}
{{- with .Values.config.auth.oidc.sessionAuthKey }}
oidcSessionAuthKey: {{ . | toString | b64enc }}
Expand All @@ -23,7 +23,7 @@ data:
oidcSessionCryptKey: {{ . | toString | b64enc }}
{{- end }}
{{- end }}
{{- if and ($useGhAuth) (ne .Values.config.auth.bypassSecrets true) }}
{{- if $useGhAuth }}
ghClientSecret: {{ required "A valid 'clientSecret' is required when using github authentication." .Values.config.auth.github.clientSecret | toString | b64enc }}
ghSessionAuthKey: {{ required "A valid 'sessionAuthKey' is required when using github authentication." .Values.config.auth.github.sessionAuthKey | toString | b64enc }}
ghSessionCryptKey: {{ required "A valid 'sessionCryptKey' is required when using github authentication." .Values.config.auth.github.sessionCryptKey | toString | b64enc }}
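Review bot: The removed `config.auth.bypassSecrets` flag is not rejected anywhere in this file, so a user upgrading with `bypassSecrets: true` still in their values now trips the `required "A valid 'clientSecret' is required …"` checks below instead of being told the option was replaced. A guard next to the new variables at the top would make the migration explicit: `{{- if .Values.config.auth.bypassSecrets }}{{- fail "config.auth.bypassSecrets was removed; set config.auth.<mode>.existingSecret instead" }}{{- end }}`. Separately, `$useGhAuth`/`$useOidcAuth` now mean "render the chart-managed Secret for this mode" rather than "this mode is enabled"; renaming them to `$createGhSecret`/`$createOidcSecret` would stop a later reader from reusing them as mode checks. Because all `required` validation is skipped when existingSecret is set, a misnamed key in the user's Secret only surfaces when the pod starts, which the README rows for existingSecret should say.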
3 changes: 2 additions & 1 deletion charts/nebraska/values.yaml
Expand Up @@ -42,10 +42,10 @@ config:

auth:
mode: noop
bypassSecrets: false
oidc:
clientID:
clientSecret:
existingSecret:
issuerURL:
validRedirectURLs:
managementURL:
Expand All @@ -59,6 +59,7 @@ config:
github:
clientID:
clientSecret:
existingSecret:
sessionAuthKey:
sessionCryptKey:
webhookSecret:
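Review bot: The new `existingSecret:` key under `oidc` in the first hunk carries no comment saying which keys the referenced Secret must contain, and values.yaml is what most users read before the templates. From the deployment refs the Secret needs `oidcClientID` and `oidcClientSecret` (for github: `ghClientSecret`, `ghSessionAuthKey`, `ghSessionCryptKey`, plus whatever the webhook-secret ref that is cut off in that diff expects), so a comment such as `# Name of an existing Secret holding oidcClientID and oidcClientSecret; when set, the chart does not render these keys itself` above the key would document the contract. The bare value parses as `null`, which the `not` checks in secrets.yaml and deployment.yaml treat as unset, so the default works; `""` would be equivalent and more explicit. The enclosing `config:` mapping starts above the hunk.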
