Store OAuth2 sensitive configuration data in a secret (#2436)

* Store OAuth2 sensitive configuration data in a secret * Typo * Minor review
vmware-tanzu · Feb 23, 2021 · 1ac6795 · 1ac6795
1 parent 496dcc3
commit 1ac6795
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 4 deletions.
diff --git a/chart/kubeapps/Chart.yaml b/chart/kubeapps/Chart.yaml
@@ -20,4 +20,4 @@ maintainers:
 name: kubeapps
 sources:
   - https://github.com/kubeapps/kubeapps
-version: 5.2.0
+version: 5.2.1
diff --git a/chart/kubeapps/templates/_helpers.tpl b/chart/kubeapps/templates/_helpers.tpl
@@ -175,6 +175,13 @@ Create name for the secrets related to an app repository
 apprepo-{{ .name }}-secrets
 {{- end -}}
 
+{{/*
+Create name for the secrets related to oauth2_proxy
+*/}}
+{{- define "kubeapps.oauth2_proxy-secret.name" -}}
+{{ template "kubeapps.fullname" . }}-oauth2
+{{- end -}}
+
 {{/*
 Create name for pinniped-proxy based on the fullname.
 Currently used for a service name only.

diff --git a/chart/kubeapps/templates/kubeapps-frontend-deployment.yaml b/chart/kubeapps/templates/kubeapps-frontend-deployment.yaml
@@ -58,9 +58,6 @@ spec:
         - name: auth-proxy
           args:
             - --provider={{ required "You must fill \".Values.authProxy.provider\" with the provider. Valid values at https://pusher.github.io/oauth2_proxy/auth-configuration" .Values.authProxy.provider }}
-            - --client-id={{ required "You must fill \".Values.authProxy.clientID\" with the Client ID of the provider" .Values.authProxy.clientID }}
-            - --client-secret={{ required "You must fill \".Values.authProxy.clientSecret\" with the Client Secret of the provider" .Values.authProxy.clientSecret }}
-            - --cookie-secret={{ required "You must fill \".Values.authProxy.cookieSecret\" with a 16, 24 or 32 byte base64 encoded seed string for secure cookies" .Values.authProxy.cookieSecret }}
             - --upstream=http://localhost:8080/
             - --http-address=0.0.0.0:3000
             - --email-domain={{ .Values.authProxy.emailDomain }}
@@ -79,6 +76,22 @@ spec:
             {{- end }}
           image: {{ template "kubeapps.image" (list .Values.authProxy.image .Values.global) }}
           imagePullPolicy: {{ .Values.authProxy.image.pullPolicy | quote }}
+          env:
+            - name: OAUTH2_PROXY_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "kubeapps.oauth2_proxy-secret.name" . }}
+                  key: clientID
+            - name: OAUTH2_PROXY_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "kubeapps.oauth2_proxy-secret.name" . }}
+                  key: clientSecret
+            - name: OAUTH2_PROXY_COOKIE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "kubeapps.oauth2_proxy-secret.name" . }}
+                  key: cookieSecret
           ports:
             - name: proxy
               containerPort: 3000

diff --git a/chart/kubeapps/templates/oauth2-secret.yaml b/chart/kubeapps/templates/oauth2-secret.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.authProxy.enabled (not .Values.authProxy.external) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "kubeapps.oauth2_proxy-secret.name" . }}
+  {{- if .namespace }}
+  namespace: {{ .namespace }}
+  {{- end }}
+  labels:{{ include "kubeapps.labels" $ | nindent 4 }}
+data:
+  clientID: {{ required "You must fill \".Values.authProxy.clientID\" with the Client ID of the provider" .Values.authProxy.clientID | b64enc }}
+  clientSecret: {{ required "You must fill \".Values.authProxy.clientSecret\" with the Client Secret of the provider" .Values.authProxy.clientSecret | b64enc }}
+  cookieSecret: {{ required "You must fill \".Values.authProxy.cookieSecret\". More info at https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#generating-a-cookie-secret" .Values.authProxy.cookieSecret | b64enc }}
+---
+{{- end }}