diff --git a/charts/nebraska/Chart.yaml b/charts/nebraska/Chart.yaml index 36b5e2c03..bcc09d6c3 100644 --- a/charts/nebraska/Chart.yaml +++ b/charts/nebraska/Chart.yaml @@ -19,7 +19,7 @@ sources: maintainers: - name: kinvolk url: https://kinvolk.io/ -version: 0.1.9 +version: 0.1.10 appVersion: "2.5.1" dependencies: diff --git a/charts/nebraska/README.md b/charts/nebraska/README.md index 019b9c5f5..f1f9cd94b 100644 --- a/charts/nebraska/README.md +++ b/charts/nebraska/README.md @@ -70,9 +70,9 @@ $ helm install my-nebraska nebraska/nebraska | `config.hostFlatcarPackages.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | | `config.hostFlatcarPackages.persistence.size` | PVC Storage Request for PostgreSQL volume | `10Gi` | | `config.auth.mode` | Authentication mode, available modes: `noop`, `github`, `oidc` | `noop` | -| `config.auth.bypassSecrets` | Bypass secrets skips secrets creation so you can bring your own. Be sure to set the appropriate env vars in `extraEnv` if this is enabled. |`false` | | | `config.auth.github.clientID` | GitHub client ID used for authentication | `nil` | | `config.auth.github.clientSecret` | GitHub client secret used for authentication | `nil` | +| `config.auth.github.exisingSecret` | existingSecret will mount a given secret to the container. Be sure to match the expected keys in [deployment.yaml](./templates/deployment.yaml) |`nil` | | | `config.auth.github.sessionAuthKey` | Session secret used for authenticating sessions in cookies used for storing GitHub info , will be generated if none is passed | `nil` | | `config.auth.github.sessionCryptKey` | Session key used for encrypting sessions in cookies used for storing GitHub info, will be generated if none is passed | `nil` | | `config.auth.github.webhookSecret` | GitHub webhook secret used for validing webhook messages | `nil` | 
@@ -81,6 +81,7 @@ $ helm install my-nebraska nebraska/nebraska | `config.auth.github.enterpriseURL` | Base URL of the enterprise instance if using GHE | `nil` | | `config.auth.oidc.clientID` | OIDC client ID used for authentication | `nil` | | `config.auth.oidc.clientSecret` | OIDC client Secret used for authentication | `nil` | +| `config.auth.oidc.exisingSecret` | existingSecret will mount a given secret to the container. Be sure to match the expected keys in [deployment.yaml](./templates/deployment.yaml). If supplying anything but the `clientID` and `clientSecret`, be sure to mount your secrets using `extraVars` and set the appropriate environment variables. |`nil` | | | `config.auth.oidc.issuerURL` | OIDC issuer URL used for authentication | `nil` | | `config.auth.oidc.validRedirectURLs` | comma-separated list of valid Redirect URLs | `nil` | | `config.auth.oidc.managementURL` | OIDC management url for managing the account | `nil` | diff --git a/charts/nebraska/templates/deployment.yaml b/charts/nebraska/templates/deployment.yaml index b158acc3d..a3c31b202 100644 --- a/charts/nebraska/templates/deployment.yaml +++ b/charts/nebraska/templates/deployment.yaml 
@@ -144,17 +144,29 @@ spec:
 - name: "NEBRASKA_GITHUB_OAUTH_CLIENT_SECRET"
 valueFrom:
 secretKeyRef:
+ {{- if not .Values.config.auth.github.existingSecret }}
 name: {{ include "nebraska.fullname" . }}
+ {{- else }}
+ name: {{ .Values.config.auth.github.existingSecret }}
+ {{- end }}
 key: ghClientSecret
 - name: "NEBRASKA_GITHUB_SESSION_SECRET"
 valueFrom:
 secretKeyRef:
+ {{- if not .Values.config.auth.github.existingSecret }}
 name: {{ include "nebraska.fullname" . }}
+ {{- else }}
+ name: {{ .Values.config.auth.github.existingSecret }}
+ {{- end }}
 key: ghSessionAuthKey
 - name: "NEBRASKA_GITHUB_SESSION_CRYPT_KEY"
 valueFrom:
 secretKeyRef:
+ {{- if not .Values.config.auth.github.existingSecret }}
 name: {{ include "nebraska.fullname" . }}
+ {{- else }}
+ name: {{ .Values.config.auth.github.existingSecret }}
+ {{- end }}
 key: ghSessionCryptKey
 - name: "NEBRASKA_GITHUB_WEBHOOK_SECRET"
 valueFrom:
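Review bot: The same `if not existingSecret … else … end` block is pasted three times in this hunk just to pick the Secret name, and the env list it sits in continues above and below the hunk, so any later change has to be repeated per entry; computing the name once, `{{- $ghSecretName := .Values.config.auth.github.existingSecret | default (include "nebraska.fullname" .) }}`, and writing `name: {{ $ghSecretName | quote }}` in each `secretKeyRef` would remove the duplication and also quote the user-supplied name, which is currently emitted as a plain scalar. The `NEBRASKA_GITHUB_WEBHOOK_SECRET` entry whose `valueFrom:` closes the hunk is not switched to the existing Secret, while secrets.yaml in this commit stops rendering the chart's GitHub keys whenever `existingSecret` is set; if that entry's `secretKeyRef` (outside the hunk) still points at the chart-managed Secret, the pod would fail to start on a missing Secret or key as soon as `existingSecret` is used, so it should be checked. The same duplication appears in the OIDC hunk below.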
@@ -170,27 +182,35 @@ spec:
 - name: "NEBRASKA_OIDC_CLIENT_ID"
 valueFrom:
 secretKeyRef:
+ {{- if not .Values.config.auth.oidc.existingSecret }}
 name: {{ include "nebraska.fullname" . }}
+ {{- else }}
+ name: {{ .Values.config.auth.oidc.existingSecret }}
+ {{- end }}
 key: oidcClientID
 - name: "NEBRASKA_OIDC_CLIENT_SECRET"
 valueFrom:
 secretKeyRef:
+ {{- if not .Values.config.auth.oidc.existingSecret }}
 name: {{ include "nebraska.fullname" . }}
+ {{- else }}
+ name: {{ .Values.config.auth.oidc.existingSecret }}
+ {{- end }}
 key: oidcClientSecret
- {{- if .Values.config.auth.oidc.sessionAuthKey }}
+ {{- if .Values.config.auth.oidc.sessionAuthKey }}
 - name: "NEBRASKA_OIDC_SESSION_SECRET"
 valueFrom:
 secretKeyRef:
 name: {{ include "nebraska.fullname" . }}
 key: oidcSessionAuthKey
- {{- end }}
- {{- if .Values.config.auth.oidc.sessionCryptKey }}
+ {{- end }}
+ {{- if .Values.config.auth.oidc.sessionCryptKey }}
 - name: "NEBRASKA_OIDC_SESSION_CRYPT_KEY"
 valueFrom:
 secretKeyRef:
 name: {{ include "nebraska.fullname" . }}
 key: oidcSessionCryptKey
- {{- end }}
+ {{- end }}
 {{- end }}
 {{- range $key, $value := .Values.extraEnvVars }}
 - name: {{ $key }}
diff --git a/charts/nebraska/templates/secrets.yaml b/charts/nebraska/templates/secrets.yaml
index 322d37690..d00e3be6c 100644
--- a/charts/nebraska/templates/secrets.yaml
+++ b/charts/nebraska/templates/secrets.yaml
@@ -1,5 +1,5 @@
-{{- $useGhAuth := eq .Values.config.auth.mode "github" }}
-{{- $useOidcAuth := eq .Values.config.auth.mode "oidc" }}
+{{- $useGhAuth := and (eq .Values.config.auth.mode "github") (not .Values.config.auth.github.existingSecret) }}
+{{- $useOidcAuth := and (eq .Values.config.auth.mode "oidc") (not .Values.config.auth.oidc.existingSecret) }}
 {{- $useDbPassword := not .Values.config.database.passwordExistingSecret.enabled }}
 {{- if or $useDbPassword $useOidcAuth $useGhAuth }}
 apiVersion: v1
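Review bot: `NEBRASKA_OIDC_SESSION_SECRET` and `NEBRASKA_OIDC_SESSION_CRYPT_KEY` still reference `{{ include "nebraska.fullname" . }}` with keys `oidcSessionAuthKey` and `oidcSessionCryptKey`, but the secrets.yaml hunks in this commit make `$useOidcAuth` false whenever `existingSecret` is set, so those keys are no longer rendered into the chart Secret; a user who sets both `oidc.existingSecret` and `oidc.sessionAuthKey` gets an env entry pointing at a key the chart does not create and the container cannot start. Either guard the two blocks with `{{- if and .Values.config.auth.oidc.sessionAuthKey (not .Values.config.auth.oidc.existingSecret) }}` (and likewise for `sessionCryptKey`), or resolve the Secret name for them the same way the clientID/clientSecret entries above now do. The README row added for `oidc.existingSecret` already tells users to supply the session keys through extra env vars, which matches the guard form. The env list this hunk edits starts before the hunk.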
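Review bot: `$useGhAuth` and `$useOidcAuth` now mean "render the chart-managed auth Secret data", not "this auth mode is in use", so their names mislead a reader of the `if or` guard below and of the per-key blocks further down; either rename them (`$renderGhSecret`, `$renderOidcSecret`) or put a comment above the two definitions, `{{/* false when the user supplies existingSecret: the chart then renders no auth secret data */}}`. A consequence worth stating in that comment is that with `existingSecret` set the `required` checks on clientID/clientSecret in the second secrets.yaml hunk are skipped entirely, so a missing or misnamed key in the user-provided Secret is only detected when the pod starts, not at `helm install`. The README rows added in this commit spell the new key `exisingSecret`, which does not match the `existingSecret` value read here.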
@@ -13,8 +13,8 @@ data: {{- if $useDbPassword }} dbPassword: {{ (tpl .Values.config.database.password .) | b64enc }} {{- end }} - {{- if and ($useOidcAuth) (ne .Values.config.auth.bypassSecrets true) }} - oidcClientID: {{ required "A valid 'clientId' is required when using oidc authentication" .Values.config.auth.oidc.clientID | toString | b64enc }} + {{- if $useOidcAuth }} + oidcClientID: {{ required "A valid 'clientID' is required when using oidc authentication" .Values.config.auth.oidc.clientID | toString | b64enc }} oidcClientSecret: {{ required "A valid 'clientSecret' is required when using oidc authentication" .Values.config.auth.oidc.clientSecret | toString | b64enc }} {{- with .Values.config.auth.oidc.sessionAuthKey }} oidcSessionAuthKey: {{ . | toString | b64enc }} @@ -23,7 +23,7 @@ data: oidcSessionCryptKey: {{ . | toString | b64enc }} {{- end }} {{- end }} - {{- if and ($useGhAuth) (ne .Values.config.auth.bypassSecrets true) }} + {{- if $useGhAuth }} ghClientSecret: {{ required "A valid 'clientSecret' is required when using github authentication." .Values.config.auth.github.clientSecret | toString | b64enc }} ghSessionAuthKey: {{ required "A valid 'sessionAuthKey' is required when using github authentication." .Values.config.auth.github.sessionAuthKey | toString | b64enc }} ghSessionCryptKey: {{ required "A valid 'sessionCryptKey' is required when using github authentication." .Values.config.auth.github.sessionCryptKey | toString | b64enc }} diff --git a/charts/nebraska/values.yaml b/charts/nebraska/values.yaml index 89c92ece4..54dc9e267 100644 --- a/charts/nebraska/values.yaml +++ b/charts/nebraska/values.yaml @@ -42,10 +42,10 @@ config: auth: mode: noop - bypassSecrets: false oidc: clientID: clientSecret: + existingSecret: issuerURL: validRedirectURLs: managementURL: @@ -59,6 +59,7 @@ config: github: clientID: clientSecret: + existingSecret: sessionAuthKey: sessionCryptKey: webhookSecret:
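Review bot: The new `existingSecret:` keys under `oidc` and `github` are added as bare (null) values with no comment, while the README defers to deployment.yaml for the key names a user-supplied Secret must carry; a comment above each key naming them, e.g. `# Name of an existing Secret holding oidcClientID and oidcClientSecret; when set, the chart renders no OIDC secret data and skips its required-value checks` for oidc, and the equivalent listing `ghClientSecret`, `ghSessionAuthKey` and `ghSessionCryptKey` for github, would make the contract discoverable from values.yaml, which is what most users read. Writing `existingSecret: ""` instead of a bare key also avoids the ambiguous empty value while remaining falsy for the `not` checks in secrets.yaml and deployment.yaml. The same applies to the second values.yaml hunk.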