feat: skipAuth values

chanzuckerberg · Sep 13, 2024 · 3fe70ae · 3fe70ae
1 parent 7fd5262
commit 3fe70ae
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 0 deletions.
diff --git a/stack/templates/_helpers.tpl b/stack/templates/_helpers.tpl
@@ -186,10 +186,37 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{ join "." (list (include "oidcProxy.name" .) (include "clusterBaseDomain" .)) }}
 {{- end -}}
 
+{{- define "oidcProxy.skipAuth" -}}
+{{- $id := printf "%s_%s"   (.method |lower) (.path | replace "/" "") }}
+{{ $id }}
+{{- end -}}
+
+{{- define "oidcProxy.skipAuthConfig" -}}
+{{- range  $k, $v := .Values.global.oidcProxy.skipAuth -}}
+{{- $id := printf "%s_%s" ($v.method |lower) ($v.path | replace "/" "")}}
+{{- $var_name := printf "%s_%s" "skip_auth" $id }}
+set {{ $var_name }} 1;
+
+if ( $request_uri !~ "{{$v.path}}" ) {
+    set {{ $var_name }}  0;
+}
+
+if ( $request_method != "{{$v.method}}" ) {
+    set {{ $var_name }}  0;
+}
+
+if ( {{ $var_name }} ) {
+    return 200;
+}
+{{- end -}}
+{{- end -}}
+
 {{- define "oidcProxy.nginxAuthAnnotations" -}}
 nginx.ingress.kubernetes.io/auth-url: "http://{{ include "oidcProxy.name" . }}.{{ .Release.Namespace }}.svc.cluster.local:4180/oauth2/auth"
 nginx.ingress.kubernetes.io/auth-signin: "https://{{- include "oidcProxy.authDomain" . }}/oauth2/start?rd=https://$host$escaped_request_uri"
 nginx.ingress.kubernetes.io/auth-response-headers: {{join "," (concat (list "Authorization" "X-Auth-Request-User" "X-Auth-Request-Groups" "X-Auth-Request-Email" "X-Auth-Request-Preferred-Username") .Values.global.oidcProxy.additionalHeaders) }}
+nginx.ingress.kubernetes.io/auth-snippet: |
+{{- include "oidcProxy.skipAuthConfig" . | nindent 4 }}
 nginx.ingress.kubernetes.io/configuration-snippet: |
     auth_request_set $email $upstream_http_x_auth_request_email;
     auth_request_set $user $upstream_http_x_auth_request_user;

diff --git a/stack/tests/ingress_test.yaml b/stack/tests/ingress_test.yaml
@@ -50,3 +50,37 @@ tests:
         equal:
           path: metadata.annotations["nginx.ingress.kubernetes.io/auth-response-headers"]
           value: "Authorization,X-Auth-Request-User,X-Auth-Request-Groups,X-Auth-Request-Email,X-Auth-Request-Preferred-Username,X-Forwarded-User,blahblahblah"
+  - it: adds auth-snippet with using skipAuth
+    set:
+      global:
+        ingress:
+          host: "stack.play.dev.czi.team"
+        oidcProxy:
+          enabled: true
+          skipAuth:
+            - path: /healthz
+              method: GET
+      services:
+        service1:
+          ingress:
+            oidcProtected: true
+    asserts:
+      - isKind:
+          of: Ingress
+      - documentIndex: 0
+        equal:
+          path: metadata.annotations["nginx.ingress.kubernetes.io/auth-snippet"]
+          value: |
+            set skip_auth_get_healthz 1;
+
+            if ( $request_uri !~ "/healthz" ) {
+                set skip_auth_get_healthz  0;
+            }
+
+            if ( $request_method != "GET" ) {
+                set skip_auth_get_healthz  0;
+            }
+
+            if ( skip_auth_get_healthz ) {
+                return 200;
+            }
diff --git a/stack/values.yaml b/stack/values.yaml
@@ -194,6 +194,11 @@ global:
     replicaCount: 2
     additionalSecrets: []
     additionalHeaders: []
+    skipAuth: []
+    # skipAuth:
+    #   - path: "/healthz"
+    #     method: GET
+
     extraArgs: []
     # extraArgs:
     #   - --flag