diff --git a/charts/nebraska/Chart.yaml b/charts/nebraska/Chart.yaml
index 36b5e2c03..b9b112ac0 100644
--- a/charts/nebraska/Chart.yaml
+++ b/charts/nebraska/Chart.yaml
@@ -19,7 +19,7 @@ sources:
 maintainers:
 - name: kinvolk
 url: https://kinvolk.io/
-version: 0.1.9
+version: 0.1.11
 appVersion: "2.5.1"
 dependencies:
diff --git a/charts/nebraska/README.md b/charts/nebraska/README.md
index 019b9c5f5..ad8581a82 100644
--- a/charts/nebraska/README.md
+++ b/charts/nebraska/README.md
@@ -70,7 +70,6 @@ $ helm install my-nebraska nebraska/nebraska
 | `config.hostFlatcarPackages.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` |
 | `config.hostFlatcarPackages.persistence.size` | PVC Storage Request for PostgreSQL volume | `10Gi` |
 | `config.auth.mode` | Authentication mode, available modes: `noop`, `github`, `oidc` | `noop` |
-| `config.auth.bypassSecrets` | Bypass secrets skips secrets creation so you can bring your own. Be sure to set the appropriate env vars in `extraEnv` if this is enabled. |`false` | |
 | `config.auth.github.clientID` | GitHub client ID used for authentication | `nil` |
 | `config.auth.github.clientSecret` | GitHub client secret used for authentication | `nil` |
 | `config.auth.github.sessionAuthKey` | Session secret used for authenticating sessions in cookies used for storing GitHub info , will be generated if none is passed | `nil` | 
@@ -81,6 +80,7 @@ $ helm install my-nebraska nebraska/nebraska
 | `config.auth.github.enterpriseURL` | Base URL of the enterprise instance if using GHE | `nil` |
 | `config.auth.oidc.clientID` | OIDC client ID used for authentication | `nil` |
 | `config.auth.oidc.clientSecret` | OIDC client Secret used for authentication | `nil` |
+| `config.auth.oidc.exisingSecret` | existingSecret will mount a given secret to the container. Be sure to match the expected keys. If supplying anything but the `clientID` and `clientSecret`, be sure to mount your secrets using `extraVars` and set the appropriate environment variables. |`false` | |
 | `config.auth.oidc.issuerURL` | OIDC issuer URL used for authentication | `nil` |
 | `config.auth.oidc.validRedirectURLs` | comma-separated list of valid Redirect URLs | `nil` |
 | `config.auth.oidc.managementURL` | OIDC management url for managing the account | `nil` |
diff --git a/charts/nebraska/templates/deployment.yaml b/charts/nebraska/templates/deployment.yaml
index b158acc3d..80f569508 100644
--- a/charts/nebraska/templates/deployment.yaml
+++ b/charts/nebraska/templates/deployment.yaml
@@ -166,7 +166,7 @@ spec:
 value: "{{ .Values.config.auth.github.enterpriseURL }}"
 {{- end }}
 {{- end }}
- {{- if eq .Values.config.auth.mode "oidc" }}
+ {{- if and (eq .Values.config.auth.mode "oidc") (not .Values.config.auth.oidc.existingSecret) }}
 - name: "NEBRASKA_OIDC_CLIENT_ID"
 valueFrom:
 secretKeyRef: 
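Review bot: The condition `and (eq .Values.config.auth.mode "oidc") (not .Values.config.auth.oidc.existingSecret)` added on the changed line is the first of three copies of the same rule: the next hunk of this file repeats it with the negation dropped, and templates/secrets.yaml repeats it as `$useOidcAuth`. A named template alongside `nebraska.fullname` (presumably in the chart's helpers file) or a variable assigned once before the env list would keep the three in step the next time the rule changes, for example `{{- $oidcChartSecret := and (eq .Values.config.auth.mode "oidc") (not .Values.config.auth.oidc.existingSecret) }}` followed by `{{- if $oidcChartSecret }}`. The env list this block sits in starts before the hunk and continues past it.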
@@ -177,20 +177,32 @@ spec:
 secretKeyRef:
 name: {{ include "nebraska.fullname" . }}
 key: oidcClientSecret
- {{- if .Values.config.auth.oidc.sessionAuthKey }}
+ {{- end }}
+ {{- if and (eq .Values.config.auth.mode "oidc") .Values.config.auth.oidc.existingSecret }}
+ - name: "NEBRASKA_OIDC_CLIENT_ID"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.config.auth.oidc.existingSecret }}
+ key: oidcClientID
+ - name: "NEBRASKA_OIDC_CLIENT_SECRET"
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.config.auth.oidc.existingSecret }}
+ key: oidcClientSecret
+ {{- end }}
+ {{- if .Values.config.auth.oidc.sessionAuthKey }}
 - name: "NEBRASKA_OIDC_SESSION_SECRET"
 valueFrom:
 secretKeyRef:
 name: {{ include "nebraska.fullname" . }}
 key: oidcSessionAuthKey
- {{- end }}
- {{- if .Values.config.auth.oidc.sessionCryptKey }}
+ {{- end }}
+ {{- if .Values.config.auth.oidc.sessionCryptKey }}
 - name: "NEBRASKA_OIDC_SESSION_CRYPT_KEY"
 valueFrom:
 secretKeyRef:
 name: {{ include "nebraska.fullname" . }}
 key: oidcSessionCryptKey
- {{- end }}
 {{- end }}
 {{- range $key, $value := .Values.extraEnvVars }}
 - name: {{ $key }}
diff --git a/charts/nebraska/templates/secrets.yaml b/charts/nebraska/templates/secrets.yaml
index 322d37690..107d84a4b 100644
--- a/charts/nebraska/templates/secrets.yaml
+++ b/charts/nebraska/templates/secrets.yaml
@@ -1,5 +1,5 @@
 {{- $useGhAuth := eq .Values.config.auth.mode "github" }}
-{{- $useOidcAuth := eq .Values.config.auth.mode "oidc" }}
+{{- $useOidcAuth := and (eq .Values.config.auth.mode "oidc") (not .Values.config.auth.oidc.existingSecret) }}
 {{- $useDbPassword := not .Values.config.database.passwordExistingSecret.enabled }}
 {{- if or $useDbPassword $useOidcAuth $useGhAuth }}
 apiVersion: v1
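Review bot: The re-added `{{- if .Values.config.auth.oidc.sessionAuthKey }}` and `{{- if .Values.config.auth.oidc.sessionCryptKey }}` blocks still point `NEBRASKA_OIDC_SESSION_SECRET` and `NEBRASKA_OIDC_SESSION_CRYPT_KEY` at `{{ include "nebraska.fullname" . }}`, but the secrets.yaml hunk in this same commit makes `$useOidcAuth` false whenever `existingSecret` is set, so `oidcSessionAuthKey` and `oidcSessionCryptKey` are no longer written to that Secret (and when `config.database.passwordExistingSecret.enabled` is also true the `if or $useDbPassword $useOidcAuth $useGhAuth` gate skips the Secret object entirely). A release that sets `existingSecret` together with either session key therefore gets a container referencing a missing Secret key and never starts. The two blocks have also moved out from under the oidc-mode check, so a stray `oidc.sessionAuthKey` value in github mode produces the same dangling reference. The smallest consistent fix, matching the README's instruction to supply extra keys via extra env vars, is to guard both blocks the same way as the chart-managed client credentials: `{{- if and (eq .Values.config.auth.mode "oidc") (not .Values.config.auth.oidc.existingSecret) .Values.config.auth.oidc.sessionAuthKey }}` and `{{- if and (eq .Values.config.auth.mode "oidc") (not .Values.config.auth.oidc.existingSecret) .Values.config.auth.oidc.sessionCryptKey }}`; alternatively read them from `existingSecret` as well and document the extra keys. The env list continues past the end of the hunk.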
@@ -13,8 +13,8 @@ data:
 {{- if $useDbPassword }}
 dbPassword: {{ (tpl .Values.config.database.password .) | b64enc }}
 {{- end }}
- {{- if and ($useOidcAuth) (ne .Values.config.auth.bypassSecrets true) }}
- oidcClientID: {{ required "A valid 'clientId' is required when using oidc authentication" .Values.config.auth.oidc.clientID | toString | b64enc }}
+ {{- if $useOidcAuth }}
+ oidcClientID: {{ required "A valid 'clientID' is required when using oidc authentication" .Values.config.auth.oidc.clientID | toString | b64enc }}
 oidcClientSecret: {{ required "A valid 'clientSecret' is required when using oidc authentication" .Values.config.auth.oidc.clientSecret | toString | b64enc }}
 {{- with .Values.config.auth.oidc.sessionAuthKey }}
 oidcSessionAuthKey: {{ . | toString | b64enc }}
@@ -23,7 +23,7 @@ data:
 oidcSessionCryptKey: {{ . | toString | b64enc }}
 {{- end }}
 {{- end }}
- {{- if and ($useGhAuth) (ne .Values.config.auth.bypassSecrets true) }}
+ {{- if $useGhAuth }}
 ghClientSecret: {{ required "A valid 'clientSecret' is required when using github authentication." .Values.config.auth.github.clientSecret | toString | b64enc }}
 ghSessionAuthKey: {{ required "A valid 'sessionAuthKey' is required when using github authentication." .Values.config.auth.github.sessionAuthKey | toString | b64enc }}
 ghSessionCryptKey: {{ required "A valid 'sessionCryptKey' is required when using github authentication." .Values.config.auth.github.sessionCryptKey | toString | b64enc }}
diff --git a/charts/nebraska/values.yaml b/charts/nebraska/values.yaml
index 89c92ece4..b1bd8d041 100644
--- a/charts/nebraska/values.yaml
+++ b/charts/nebraska/values.yaml
@@ -42,10 +42,10 @@ config:
 auth:
 mode: noop
- bypassSecrets: false
 oidc:
 clientID:
 clientSecret:
+ existingSecret:
 issuerURL:
 validRedirectURLs:
 managementURL:
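Review bot: Dropping the `ne .Values.config.auth.bypassSecrets true` guard here, and again on the `$useGhAuth` line in the following hunk, removes the only bring-your-own-secret path for github mode: a release that had `config.auth.mode: github` with `bypassSecrets: true` now fails at render time on the `required` calls for `clientSecret`, `sessionAuthKey` and `sessionCryptKey`, because the new `existingSecret` value exists only under `oidc`. If that is intended it is a breaking change for 0.1.11 and needs an upgrade note in the chart README; otherwise a `config.auth.github.existingSecret` wired the same way as the oidc one would preserve parity between the two modes. The `'clientId'` to `'clientID'` correction in the `required` message is welcome since it now matches the value key users actually set.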
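Review bot: The new `existingSecret:` is a bare key, so it loads as null and nothing in values.yaml tells an operator which keys the referenced Secret must carry; the deployment template reads `oidcClientID` and `oidcClientSecret` from it, so a comment above the key would avoid a failed rollout: `# Name of a pre-existing Secret holding the keys oidcClientID and oidcClientSecret.` and `# When set, the chart does not create the OIDC client credentials itself (see templates/secrets.yaml).` The README row added in this commit spells the key `exisingSecret`, lists its default as `false` rather than empty, and points to `extraVars` while the deployment template ranges over `.Values.extraEnvVars`; those should be aligned with this file in the same change. Referencing a pre-created Secret keeps the OIDC client secret out of the Helm release values, which is the configuration the docs should steer users towards. The hunk header counts ten lines but only nine are visible here, so the surrounding context may have lost a blank line in transit.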