From 2f42b136d8c2effd442ba0a3b85afdfeb422ac25 Mon Sep 17 00:00:00 2001 From: Jake Heath Date: Thu, 5 Sep 2024 11:22:37 -0700 Subject: [PATCH] fix: unique domain names for oidcProxy per stack --- stack/templates/_helpers.tpl | 8 ++++++-- stack/templates/oidc_proxy.yaml | 2 +- stack/tests/ingress_test.yaml | 2 +- stack/tests/oidc_test.yaml | 16 +++++++++++++++- stack/values.yaml | 2 +- 5 files changed, 24 insertions(+), 6 deletions(-) diff --git a/stack/templates/_helpers.tpl b/stack/templates/_helpers.tpl index 113207f..e186274 100644 --- a/stack/templates/_helpers.tpl +++ b/stack/templates/_helpers.tpl @@ -177,13 +177,17 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{- end -}} -{{ define "oidcProxy.envFrom"}} +{{- define "oidcProxy.envFrom" -}} {{- include "oidcProxy.envFromArgusSecrets" . }} {{- include "oidcProxy.additionalSecrets" . }} {{- end -}} +{{- define "oidcProxy.authDomain" -}} +{{ join "." (list (include "oidcProxy.name" .) (include "clusterBaseDomain" .)) }} +{{- end -}} + {{- define "oidcProxy.nginxAuthAnnotations" -}} nginx.ingress.kubernetes.io/auth-url: "http://{{ include "oidcProxy.name" . }}.{{ .Release.Namespace }}.svc.cluster.local:4180/oauth2/auth" -nginx.ingress.kubernetes.io/auth-signin: "https://auth.{{- include "clusterBaseDomain" . }}/oauth2/start?rd=https://$host$escaped_request_uri" +nginx.ingress.kubernetes.io/auth-signin: "https://{{- include "oidcProxy.authDomain" . }}/oauth2/start?rd=https://$host$escaped_request_uri" nginx.ingress.kubernetes.io/auth-response-headers: Authorization {{- end -}} \ No newline at end of file diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml index ec314c6..c7016af 100644 --- a/stack/templates/oidc_proxy.yaml +++ b/stack/templates/oidc_proxy.yaml @@ -80,7 +80,7 @@ metadata: spec: ingressClassName: nginx rules: - - host: auth.{{- include "clusterBaseDomain" . }} + - host: {{ include "oidcProxy.authDomain" . }} http: paths: - path: /oauth2 
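Review bot: The per-release host introduced by `oidcProxy.authDomain` only changes the browser-facing `auth-signin` URL; the callback that the IdP redirects to (`https://<authDomain>/oauth2/callback`) must also be oauth2-proxy's configured redirect URL and be registered with the IdP, and neither is touched in this patch (presumably they live in the Deployment env or the Argus secrets, outside this hunk). Because every release now gets its own auth host, every release needs its own registered redirect URI; solving that with a wildcard redirect URI at the IdP would weaken the allowlist that protects the authorization code, so the helper should say what it commits the operator to, e.g. `{{/* Per-release auth host: the IdP redirect URI and oauth2-proxy's redirect-url must use exactly this host */}}` above the `define`. The `rd=https://$host$escaped_request_uri` return target also now crosses hosts (auth host vs. app host), which only works if oauth2-proxy's whitelist-domain covers the cluster base domain; this hunk cannot confirm that it does.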
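Review bot: The Ingress rule's `host:` now takes `<oidcProxy.name>.<clusterBaseDomain>`, which from the test fixture looks like `<release>-stack-oidc-proxy.<base>`; a release name near Helm's 53-character limit pushes that first label past the 63-character DNS label maximum, and the Ingress host (and any certificate requested for it) will be rejected, so the helper should truncate the way the chart's fullname helpers presumably do. Whatever certificate covered the shared `auth.<base>` host will not cover the per-release hosts unless it is a wildcard for the base domain; the `tls:` stanza for this Ingress, if any, is outside the hunk and should be checked against the new host. As a small hardening, quote the templated scalar, `- host: "{{ include "oidcProxy.authDomain" . }}"`, so an empty expansion fails visibly rather than rendering a bare or trailing-dot name. The enclosing Ingress resource starts and ends outside this hunk.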
diff --git a/stack/tests/ingress_test.yaml b/stack/tests/ingress_test.yaml index 9a3e8f4..098fef9 100644 --- a/stack/tests/ingress_test.yaml +++ b/stack/tests/ingress_test.yaml @@ -24,7 +24,7 @@ tests: - documentIndex: 0 equal: path: metadata.annotations["nginx.ingress.kubernetes.io/auth-signin"] - value: "https://auth.play.dev.czi.team/oauth2/start?rd=https://$host$escaped_request_uri" + value: "https://release-name-stack-oidc-proxy.play.dev.czi.team/oauth2/start?rd=https://$host$escaped_request_uri" - documentIndex: 0 equal: path: metadata.annotations["nginx.ingress.kubernetes.io/auth-response-headers"] diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml index f195fcf..af5aece 100644 --- a/stack/tests/oidc_test.yaml +++ b/stack/tests/oidc_test.yaml @@ -11,7 +11,11 @@ tests: asserts: - hasDocuments: count: 0 - - it: is enabled by default + - it: make the appropriate resources when enabled + set: + global: + oidcProxy: + enabled: true asserts: - hasDocuments: count: 3 @@ -30,10 +34,15 @@ tests: kind: Ingress apiVersion: networking.k8s.io/v1 name: release-name-stack-oidc-proxy + - it: disabled by default + asserts: + - hasDocuments: + count: 0 - it: sets additionalSecrets in envFrom set: global: oidcProxy: + enabled: true additionalSecrets: - secretRef: name: blah1 @@ -57,6 +66,7 @@ tests: clusterSecret: secretName: blah5 oidcProxy: + enabled: true additionalSecrets: - secretRef: name: blah1 @@ -70,6 +80,10 @@ tests: path: spec.template.spec.containers[0].envFrom count: 5 - it: defaults to 0 envFrom object + set: + global: + oidcProxy: + enabled: true asserts: - documentIndex: 0 equal: diff --git a/stack/values.yaml b/stack/values.yaml index 8b1243f..fc178c8 100644 --- a/stack/values.yaml +++ b/stack/values.yaml @@ -185,7 +185,7 @@ global: existingClaim: "" mountPath: "" oidcProxy: - enabled: true + enabled: false image: repository: quay.io/oauth2-proxy/oauth2-proxy tag: v7.6.0
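Review bot: Flipping `global.oidcProxy.enabled` from `true` to `false` is a security default change buried in a commit titled as a domain fix: any consumer who relied on the old default now renders its stack without the oauth2-proxy resources (the "disabled by default" test confirms zero documents) and, if the nginx auth annotations are gated on the same flag as this diff suggests but does not show, with unauthenticated ingresses, and nothing warns them. Call the flip out in the commit message and chart changelog, and document the new obligation next to the flag, e.g. `# Off by default: enabling renders a per-release auth host (<name>.<clusterBaseDomain>) that must be registered as a redirect URI with the IdP and covered by a TLS certificate.` A chart version bump is the usual signal for a behaviour change of this kind, assuming the chart is versioned outside this diff.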