fix: unique domain names for oidcProxy per stack

chanzuckerberg · Sep 5, 2024 · 2f42b13 · 2f42b13
1 parent d91e7ab
commit 2f42b13
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 6 deletions.
diff --git a/stack/templates/_helpers.tpl b/stack/templates/_helpers.tpl
@@ -177,13 +177,17 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- end -}}
 
-{{ define "oidcProxy.envFrom"}}
+{{- define "oidcProxy.envFrom" -}}
 {{- include "oidcProxy.envFromArgusSecrets" . }}
 {{- include "oidcProxy.additionalSecrets" . }}
 {{- end -}}
 
+{{- define "oidcProxy.authDomain" -}}
+{{ join "." (list (include "oidcProxy.name" .) (include "clusterBaseDomain" .)) }}
+{{- end -}}
+
 {{- define "oidcProxy.nginxAuthAnnotations" -}}
 nginx.ingress.kubernetes.io/auth-url: "http://{{ include "oidcProxy.name" . }}.{{ .Release.Namespace }}.svc.cluster.local:4180/oauth2/auth"
-nginx.ingress.kubernetes.io/auth-signin: "https://auth.{{- include "clusterBaseDomain" . }}/oauth2/start?rd=https://$host$escaped_request_uri"
+nginx.ingress.kubernetes.io/auth-signin: "https://{{- include "oidcProxy.authDomain" . }}/oauth2/start?rd=https://$host$escaped_request_uri"
 nginx.ingress.kubernetes.io/auth-response-headers: Authorization
 {{- end -}}
diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml
@@ -80,7 +80,7 @@ metadata:
 spec:
   ingressClassName: nginx
   rules:
-    - host: auth.{{- include "clusterBaseDomain" . }}
+    - host: {{ include "oidcProxy.authDomain" . }}
       http:
         paths:
           - path: /oauth2

diff --git a/stack/tests/ingress_test.yaml b/stack/tests/ingress_test.yaml
@@ -24,7 +24,7 @@ tests:
       - documentIndex: 0
         equal:
           path: metadata.annotations["nginx.ingress.kubernetes.io/auth-signin"]
-          value: "https://auth.play.dev.czi.team/oauth2/start?rd=https://$host$escaped_request_uri"
+          value: "https://release-name-stack-oidc-proxy.play.dev.czi.team/oauth2/start?rd=https://$host$escaped_request_uri"
       - documentIndex: 0
         equal:
           path: metadata.annotations["nginx.ingress.kubernetes.io/auth-response-headers"]

diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml
@@ -11,7 +11,11 @@ tests:
     asserts:
       - hasDocuments:
           count: 0
-  - it: is enabled by default
+  - it: make the appropriate resources when enabled
+    set:
+      global:
+        oidcProxy:
+          enabled: true
     asserts:
       - hasDocuments:
           count: 3
@@ -30,10 +34,15 @@ tests:
           kind: Ingress
           apiVersion: networking.k8s.io/v1
           name: release-name-stack-oidc-proxy
+  - it: disabled by default
+    asserts:
+      - hasDocuments:
+          count: 0
   - it: sets additionalSecrets in envFrom
     set:
       global:
         oidcProxy:
+          enabled: true
           additionalSecrets:
             - secretRef:
               name: blah1
@@ -57,6 +66,7 @@ tests:
           clusterSecret:
             secretName: blah5
         oidcProxy:
+          enabled: true
           additionalSecrets:
             - secretRef:
               name: blah1
@@ -70,6 +80,10 @@ tests:
           path: spec.template.spec.containers[0].envFrom
           count: 5
   - it: defaults to 0 envFrom object
+    set:
+      global:
+        oidcProxy:
+          enabled: true
     asserts:
       - documentIndex: 0
         equal:

diff --git a/stack/values.yaml b/stack/values.yaml
@@ -185,7 +185,7 @@ global:
     existingClaim: ""
     mountPath: ""
   oidcProxy:
-    enabled: true
+    enabled: false
     image:
       repository: quay.io/oauth2-proxy/oauth2-proxy
       tag: v7.6.0