From 43ab9abbe3f38d20dacadf113a1b11b80102a937 Mon Sep 17 00:00:00 2001 From: Jake Heath Date: Mon, 21 Oct 2024 15:19:14 -0700 Subject: [PATCH 01/20] chore: making the values skipAuth added to skip-auth flags --- stack/templates/oidc_proxy.yaml | 3 +++ stack/tests/oidc_test.yaml | 33 +++++++++++++++++++++++---------- 2 files changed, 26 insertions(+), 10 deletions(-) diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml index 8ccae11..f52964e 100644 --- a/stack/templates/oidc_proxy.yaml +++ b/stack/templates/oidc_proxy.yaml @@ -59,6 +59,9 @@ spec: - --pass-authorization-header=true - --reverse-proxy - --skip-jwt-bearer-tokens + {{- range .Values.oidcProxy.skipAuth }} + - --skip-auth-route={{ .method }}={{ .path }} + {{- end -}} {{- range $allHosts -}} {{- printf "- --whitelist-domain=%s" . | nindent 12 -}} {{- printf "- --cookie-domain=%s" . | nindent 12 -}} diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml index 49b87b2..01f613d 100644 --- a/stack/tests/oidc_test.yaml +++ b/stack/tests/oidc_test.yaml 
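Review bot: The `path` interpolated into `- --skip-auth-route={{ .method }}={{ .path }}` is handed to oauth2-proxy as a regular expression, and nothing in the template anchors it, so a value like `/v1/api/docs2` also exempts any request path that merely contains that substring — confirm against the oauth2-proxy version the chart pins. The values documentation for `oidcProxy.skipAuth` should state that `path` is a regex and recommend anchored entries such as `path: "^/v1/api/docs2$"`. The rendered list item is also unquoted, so a `path` containing ` #` or `: ` would corrupt the Deployment manifest; `- {{ printf "--skip-auth-route=%s=%s" .method .path | quote }}` is safer. The container args list this hunk extends starts before the hunk.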
@@ -101,26 +101,39 @@ tests: global: oidcProxy: enabled: true + skipAuth: + - method: GET + path: "/v1/api/docs2" + - method: POST + path: "/v1/api/docs3" extraArgs: - "--skip-auth-route=/v1/api/docs" - "--skip-auth-route=/v1/api/security/access_token" asserts: + - documentIndex: 0 + contains: + path: spec.template.spec.containers[0].args + content: "--skip-auth-route=GET=/v1/api/docs2" + - documentIndex: 0 + contains: + path: spec.template.spec.containers[0].args + content: "--skip-auth-route=POST=/v1/api/docs3" - documentIndex: 0 lengthEqual: path: spec.template.spec.containers[0].args - count: 15 + count: 17 - documentIndex: 0 - equal: - path: spec.template.spec.containers[0].args[12] - value: "--skip-jwt-bearer-tokens" + contains: + path: spec.template.spec.containers[0].args + content: "--skip-jwt-bearer-tokens" - documentIndex: 0 - equal: - path: spec.template.spec.containers[0].args[13] - value: "--skip-auth-route=/v1/api/docs" + contains: + path: spec.template.spec.containers[0].args + content: "--skip-auth-route=/v1/api/docs" - documentIndex: 0 - equal: - path: spec.template.spec.containers[0].args[14] - value: "--skip-auth-route=/v1/api/security/access_token" + contains: + path: spec.template.spec.containers[0].args + content: "--skip-auth-route=/v1/api/security/access_token" - it: overwrites the name set: global: From 458302f3385daa4ea1bd66b1befb6a623b207761 Mon Sep 17 00:00:00 2001 From: Jake Heath Date: Mon, 21 Oct 2024 15:28:14 -0700 Subject: [PATCH 02/20] regex on methods --- stack/templates/oidc_proxy.yaml | 4 ++++ stack/tests/oidc_test.yaml | 8 +++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml index f52964e..2797712 100644 --- a/stack/templates/oidc_proxy.yaml +++ b/stack/templates/oidc_proxy.yaml 
@@ -60,8 +60,12 @@ spec: - --reverse-proxy - --skip-jwt-bearer-tokens {{- range .Values.oidcProxy.skipAuth }} + {{ if contains "*" .method }} + - --skip-auth-route={{ .path }} + {{- else -}} - --skip-auth-route={{ .method }}={{ .path }} {{- end -}} + {{- end -}} {{- range $allHosts -}} {{- printf "- --whitelist-domain=%s" . | nindent 12 -}} {{- printf "- --cookie-domain=%s" . | nindent 12 -}} diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml index 01f613d..ecb5619 100644 --- a/stack/tests/oidc_test.yaml +++ b/stack/tests/oidc_test.yaml @@ -106,10 +106,16 @@ tests: path: "/v1/api/docs2" - method: POST path: "/v1/api/docs3" + - path: "/v1/api/llm/*" + method: ".*" extraArgs: - "--skip-auth-route=/v1/api/docs" - "--skip-auth-route=/v1/api/security/access_token" asserts: + - documentIndex: 0 + contains: + path: spec.template.spec.containers[0].args + content: "--skip-auth-route=/v1/api/llm/.*" - documentIndex: 0 contains: path: spec.template.spec.containers[0].args @@ -121,7 +127,7 @@ tests: - documentIndex: 0 lengthEqual: path: spec.template.spec.containers[0].args - count: 17 + count: 19 - documentIndex: 0 contains: path: spec.template.spec.containers[0].args From 2cdfc66d50dd8a0b551f63c7632a67cf7f207896 Mon Sep 17 00:00:00 2001 From: Jake Heath Date: Mon, 21 Oct 2024 15:48:38 -0700 Subject: [PATCH 03/20] chore: add upstreams for all oidc protected hosts --- stack/templates/oidc_proxy.yaml | 15 +++++++++++++++ stack/tests/oidc_test.yaml | 21 ++++++++++++++++++--- 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml index 2797712..834ad82 100644 --- a/stack/templates/oidc_proxy.yaml +++ b/stack/templates/oidc_proxy.yaml 
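Review bot: `{{ if contains "*" .method }}` fails to render when a `skipAuth` entry omits `method`, because sprig's `contains` expects string arguments and receives nil — I believe this surfaces as a template type error rather than a false branch, so it is worth a quick check with an entry that has only `path`. `{{ if or (not .method) (contains "*" .method) }}` would let a missing method fall into the same path-only flag form the wildcard branch already emits. The wildcard convention (the test uses `".*"`, but any string containing `*` qualifies) is not documented anywhere; a template comment above the range such as `{{- /* a method containing "*" means all methods; path is a regex */ -}}` would save the next reader a trip to the proxy docs.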
@@ -1,5 +1,6 @@ {{ $global := . }} {{- $allHosts := list -}} +{{- $allOIDCProtectedServces := list -}} {{ range $serviceName, $serviceValues := .Values.services }} {{- $globalValuesDict := $global.Values.global | toYaml -}} {{- $values := fromYaml $globalValuesDict -}} @@ -8,9 +9,16 @@ {{- with $values -}} {{- if .ingress.oidcProtected -}} + + {{- $allOIDCProtectedServces = append + $allOIDCProtectedServces + (printf "http://%s.%s.svc.cluster.local:%d" $serviceName $global.Release.Namespace ($values.service.port | int)) + -}} + {{ range $i, $rule := .ingress.rules }} {{- $allHosts = append $allHosts $rule.host }} {{- end -}} + {{- end -}} {{- end -}} {{- end -}} @@ -59,13 +67,20 @@ spec: - --pass-authorization-header=true - --reverse-proxy - --skip-jwt-bearer-tokens + + {{- range $allOIDCProtectedServces }} + - --upstream={{ . }} + {{ end -}} + {{- range .Values.oidcProxy.skipAuth }} + # for backwards compatibility, could also just be provided using extraArgs {{ if contains "*" .method }} - --skip-auth-route={{ .path }} {{- else -}} - --skip-auth-route={{ .method }}={{ .path }} {{- end -}} {{- end -}} + {{- range $allHosts -}} {{- printf "- --whitelist-domain=%s" . | nindent 12 -}} {{- printf "- --cookie-domain=%s" . | nindent 12 -}} diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml index ecb5619..3e72f4c 100644 --- a/stack/tests/oidc_test.yaml +++ b/stack/tests/oidc_test.yaml @@ -106,7 +106,7 @@ tests: path: "/v1/api/docs2" - method: POST path: "/v1/api/docs3" - - path: "/v1/api/llm/*" + - path: "/v1/api/llm/.*" method: ".*" extraArgs: - "--skip-auth-route=/v1/api/docs" @@ -127,7 +127,7 @@ tests: - documentIndex: 0 lengthEqual: path: spec.template.spec.containers[0].args - count: 19 + count: 18 - documentIndex: 0 contains: path: spec.template.spec.containers[0].args @@ -188,6 +188,8 @@ tests: - it: oidc proxy has volumes mounted set: global: + service: + port: 2222 ingress: host: "stack.play.dev.czi.team" oidcProxy: 
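Review bot: The `# for backwards compatibility, could also just be provided using extraArgs` line added inside the `range .Values.oidcProxy.skipAuth` block is a YAML comment, not a template comment, so it is emitted into every rendered Deployment in the middle of the container args list; `{{- /* for backwards compatibility, could also just be provided using extraArgs */ -}}` keeps it in the chart only. In the same file, each `--upstream={{ . }}` is built without a path component, so every protected service claims the root route and oauth2-proxy's path-based upstream selection has nothing to tell them apart once more than one service is protected — worth addressing before this is relied on. The new variable is spelled `$allOIDCProtectedServces` everywhere; the typo is harmless but will be copied into each future edit, so `$allOIDCProtectedServices` is cheap to fix now.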
@@ -202,6 +204,11 @@ tests: name: oauth2-proxy-sign-in-template services: service1: + service: + port: 4123 + ingress: + oidcProtected: true + service2: ingress: oidcProtected: true asserts: @@ -209,6 +216,14 @@ tests: equal: path: spec.template.spec.containers[0].volumeMounts[0].mountPath value: /templates/oauth2-proxy/sign_in.html + - documentIndex: 0 + contains: + path: spec.template.spec.containers[0].args + content: --upstream=http://service1.NAMESPACE.svc.cluster.local:4123 + - documentIndex: 0 + contains: + path: spec.template.spec.containers[0].args + content: --upstream=http://service2.NAMESPACE.svc.cluster.local:2222 - documentIndex: 0 equal: path: spec.template.spec.containers[0].volumeMounts[0].name @@ -356,7 +371,7 @@ tests: - documentIndex: 0 lengthEqual: path: spec.template.spec.containers[0].args - count: 19 + count: 22 - documentIndex: 0 contains: path: spec.template.spec.containers[0].args From bdc3d7a62b2a9a1f3fa4bacb2c7aa4343c63882a Mon Sep 17 00:00:00 2001 From: Vivian Shao Date: Tue, 22 Oct 2024 14:22:36 -0700 Subject: [PATCH 04/20] feat: conditional logic to ingress --- stack/templates/_helpers.tpl | 34 +++++++++++++------------- stack/templates/oidc_proxy.yaml | 42 --------------------------------- 2 files changed, 17 insertions(+), 59 deletions(-) diff --git a/stack/templates/_helpers.tpl b/stack/templates/_helpers.tpl index 4a29460..caa8941 100644 --- a/stack/templates/_helpers.tpl +++ b/stack/templates/_helpers.tpl 
@@ -205,21 +205,21 @@ if ( ${{ $var_name }} ) { {{- end -}} {{- define "oidcProxy.nginxAuthAnnotations" -}} -nginx.ingress.kubernetes.io/auth-url: "http://{{ include "oidcProxy.name" . }}.{{ .Release.Namespace }}.svc.cluster.local:4180/oauth2/auth" -nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/sign_in?rd=https://$host$escaped_request_uri" -nginx.ingress.kubernetes.io/auth-response-headers: {{join "," (concat (list "Authorization" "X-Auth-Request-User" "X-Auth-Request-Groups" "X-Auth-Request-Email" "X-Auth-Request-Preferred-Username") .Values.oidcProxy.additionalHeaders) }} -nginx.ingress.kubernetes.io/auth-snippet: | -{{- include "oidcProxy.skipAuthConfig" . | nindent 4 }} -nginx.ingress.kubernetes.io/configuration-snippet: | - auth_request_set $email $upstream_http_x_auth_request_email; - auth_request_set $user $upstream_http_x_auth_request_user; - auth_request_set $groups $upstream_http_x_auth_request_groups; - auth_request_set $preferred_username $upstream_http_x_auth_request_preferred_username; - - proxy_set_header X-Forwarded-Email $email; - proxy_set_header X-Forwarded-User $user; - proxy_set_header X-Forwarded-Groups $groups; - proxy_set_header X-Forwarded-Preferred-Username $preferred_username; - proxy_set_header Authorization $http_authorization; - proxy_pass_header Authorization; +# nginx.ingress.kubernetes.io/auth-url: "http://{{ include "oidcProxy.name" . }}.{{ .Release.Namespace }}.svc.cluster.local:4180/oauth2/auth" +# nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/sign_in?rd=https://$host$escaped_request_uri" +# nginx.ingress.kubernetes.io/auth-response-headers: {{join "," (concat (list "Authorization" "X-Auth-Request-User" "X-Auth-Request-Groups" "X-Auth-Request-Email" "X-Auth-Request-Preferred-Username") .Values.oidcProxy.additionalHeaders) }} +# nginx.ingress.kubernetes.io/auth-snippet: | +# {{- include "oidcProxy.skipAuthConfig" . 
| nindent 4 }} +# nginx.ingress.kubernetes.io/configuration-snippet: | +# auth_request_set $email $upstream_http_x_auth_request_email; +# auth_request_set $user $upstream_http_x_auth_request_user; +# auth_request_set $groups $upstream_http_x_auth_request_groups; +# auth_request_set $preferred_username $upstream_http_x_auth_request_preferred_username; + +# proxy_set_header X-Forwarded-Email $email; +# proxy_set_header X-Forwarded-User $user; +# proxy_set_header X-Forwarded-Groups $groups; +# proxy_set_header X-Forwarded-Preferred-Username $preferred_username; +# proxy_set_header Authorization $http_authorization; +# proxy_pass_header Authorization; {{- end -}} diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml index 834ad82..3cc86a6 100644 --- a/stack/templates/oidc_proxy.yaml +++ b/stack/templates/oidc_proxy.yaml @@ -130,47 +130,5 @@ spec: {{- include "oidcProxy.selectorLabels" . | nindent 4 }} --- -{{- if .Values.ingress.enabled }} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ include "oidcProxy.name" . }} - {{- $certManagerAnnotations := (fromYaml (include "certManagerAnnotations" . )) }} - annotations: - {{- with (mergeOverwrite - (dict) - ($certManagerAnnotations) - (.Values.annotations) - (.Values.oidcProxy.annotations) - ) -}} - {{ toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: nginx - rules: - - host: {{ include "oidcProxy.authDomain" . }} - http: - paths: - - path: /oauth2 - pathType: Prefix - backend: - service: - name: {{ include "oidcProxy.name" . }} - port: - number: {{ include "oidcProxy.port" . }} - {{- $scope := . }} - {{- range $i, $host := $allHosts }} - - host: {{ $host }} - http: - paths: - - path: /oauth2 - pathType: Prefix - backend: - service: - name: {{ include "oidcProxy.name" $scope }} - port: - number: {{ include "oidcProxy.port" $scope }} - {{- end }} -{{- end -}} {{- end -}} {{- end -}} From 4353d972bc45bb3da05ad6d63c16dbfcea36b347 Mon Sep 17 00:00:00 2001 
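Review bot: Prefixing the body of `oidcProxy.nginxAuthAnnotations` with `#` does not disable the template actions on those lines — Helm still evaluates `{{ include "oidcProxy.name" . }}`, the `join` expression and `{{- include "oidcProxy.skipAuthConfig" . | nindent 4 }}` before the text is parsed as YAML, so the work is done and only the output is discarded. If the annotations are meant to go away, delete the lines or wrap the block in `{{- /* ... */ -}}`. As far as I can tell from the series, at this commit the service Ingress still calls `fromYaml (include "oidcProxy.nginxAuthAnnotations" . )`, now gets an empty map, and still points its backend at the service itself, so a chart built from this commit alone serves `oidcProtected` services without any auth gate until the follow-up change that redirects the backend lands; squashing the two would avoid an unsafe intermediate state. The second hunk of this commit is a pure deletion.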
From: Jake Heath Date: Tue, 22 Oct 2024 15:06:58 -0700 Subject: [PATCH 05/20] conditional for sending to the proxy --- stack/templates/_helpers.tpl | 40 ++-------------- stack/templates/ingress.yaml | 16 ++++--- stack/templates/oidc_proxy.yaml | 13 +++--- stack/tests/ingress_test.yaml | 59 ------------------------ stack/tests/oidc_test.yaml | 82 ++++++++------------------------- stack/values.yaml | 1 - 6 files changed, 38 insertions(+), 173 deletions(-) diff --git a/stack/templates/_helpers.tpl b/stack/templates/_helpers.tpl index caa8941..9a58eba 100644 --- a/stack/templates/_helpers.tpl +++ b/stack/templates/_helpers.tpl 
@@ -183,43 +183,9 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{- define "oidcProxy.skipAuthConfig" -}} -{{- $letsEncryptVerifySkip := (dict "path" "/.well-known/*" "method" "GET") -}} -{{- range $k, $v := append .Values.oidcProxy.skipAuth $letsEncryptVerifySkip -}} -{{- $id := printf "%s_%s" ($v.method |lower) ($v.path | replace "/" "")}} -{{- $id := regexReplaceAll "\\W+" $id "_" -}} -{{- $var_name := printf "%s_%s" "skip_auth" $id }} -set ${{ $var_name }} 1; - -if ( $request_uri !~ "{{$v.path}}" ) { - set ${{ $var_name }} 0; -} - -if ( $request_method !~ "{{$v.method}}" ) { - set ${{ $var_name }} 0; -} - -if ( ${{ $var_name }} ) { - return 200; -} -{{- end -}} + {{- end -}} {{- define "oidcProxy.nginxAuthAnnotations" -}} -# nginx.ingress.kubernetes.io/auth-url: "http://{{ include "oidcProxy.name" . }}.{{ .Release.Namespace }}.svc.cluster.local:4180/oauth2/auth" -# nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/sign_in?rd=https://$host$escaped_request_uri" -# nginx.ingress.kubernetes.io/auth-response-headers: {{join "," (concat (list "Authorization" "X-Auth-Request-User" "X-Auth-Request-Groups" "X-Auth-Request-Email" "X-Auth-Request-Preferred-Username") .Values.oidcProxy.additionalHeaders) }} -# nginx.ingress.kubernetes.io/auth-snippet: | -# {{- include "oidcProxy.skipAuthConfig" . 
| nindent 4 }} -# nginx.ingress.kubernetes.io/configuration-snippet: | -# auth_request_set $email $upstream_http_x_auth_request_email; -# auth_request_set $user $upstream_http_x_auth_request_user; -# auth_request_set $groups $upstream_http_x_auth_request_groups; -# auth_request_set $preferred_username $upstream_http_x_auth_request_preferred_username; - -# proxy_set_header X-Forwarded-Email $email; -# proxy_set_header X-Forwarded-User $user; -# proxy_set_header X-Forwarded-Groups $groups; -# proxy_set_header X-Forwarded-Preferred-Username $preferred_username; -# proxy_set_header Authorization $http_authorization; -# proxy_pass_header Authorization; -{{- end -}} + +{{- end -}} \ No newline at end of file diff --git a/stack/templates/ingress.yaml b/stack/templates/ingress.yaml index a236605..263cf0e 100644 --- a/stack/templates/ingress.yaml +++ b/stack/templates/ingress.yaml @@ -45,15 +45,19 @@ spec: {{- end }} backend: service: + {{- if $service.Values.ingress.oidcProtected }} + name: {{ include "oidcProxy.name" $service }} + {{ else -}} name: {{ $fullName }} + {{- end -}} port: number: {{ $svcPort }} {{- end }} - {{ $customHosts := list}} - {{ range $i, $rule := .Values.ingress.rules }} + {{- $customHosts := list -}} + {{- range $i, $rule := .Values.ingress.rules -}} {{- $ruleValues := mergeOverwrite (dict "host" $service.Values.ingress.host "paths" $service.Values.ingress.paths) $rule -}} {{ $customHosts = append $customHosts $ruleValues.host }} - - host: {{ $ruleValues.host | quote }} + - host: {{ $ruleValues.host }} http: paths: {{- range $ruleValues.paths }} @@ -65,9 +69,9 @@ spec: service: name: {{ $fullName }} port: - number: {{ $svcPort }} - {{- end }} - {{ end }} + number: {{ $svcPort | int}} + {{ end -}} + {{- end }} tls: - hosts: - {{ $service.Values.ingress.host }} diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml index 3cc86a6..853dc75 100644 --- a/stack/templates/oidc_proxy.yaml +++ b/stack/templates/oidc_proxy.yaml 
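Review bot: Emptying `oidcProxy.skipAuthConfig` drops the built-in `GET /.well-known/*` exemption (`$letsEncryptVerifySkip`) without an equivalent `--skip-auth-route` on the proxy side; the flag list in oidc_proxy.yaml only iterates `.Values.oidcProxy.skipAuth`. Whether that matters depends on whether any host relies on HTTP-01 challenges reaching it through the protected Ingress — a dedicated solver Ingress with a more specific path may still win — so confirm before relying on the removal. If the exemption is still wanted, `oidcProxy.skipAuth` in values.yaml could carry a documented default entry, e.g. `- method: GET` with `path: "^/\\.well-known/"`, or the template can append it the way the removed helper did. A `define` that now renders nothing but is still included elsewhere is better deleted than left as a no-op.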
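Review bot: When `oidcProtected` is set, the path backend in ingress.yaml now names the oauth2-proxy Service but keeps `number: {{ $svcPort | int}}`, the protected service's own port, so traffic is sent to the proxy Service on a port it only serves if the two happen to coincide (the chart exposes the proxy port through the `oidcProxy.port` helper); the proxy branch should use `number: {{ include "oidcProxy.port" $service }}` and the service branch keep `$svcPort`. Dropping `| quote` from `- host: {{ $ruleValues.host }}` also removes the only guard against a host value that YAML would re-type or misparse; keeping `- host: {{ $ruleValues.host | quote }}` costs nothing. The enclosing `range` over paths continues outside the hunk.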
@@ -9,11 +9,12 @@ {{- with $values -}} {{- if .ingress.oidcProtected -}} - - {{- $allOIDCProtectedServces = append - $allOIDCProtectedServces - (printf "http://%s.%s.svc.cluster.local:%d" $serviceName $global.Release.Namespace ($values.service.port | int)) - -}} + {{ range $i, $path := .ingress.paths }} + {{- $allOIDCProtectedServces = append + $allOIDCProtectedServces + (printf "http://%s.%s.svc.cluster.local:%d%s" $serviceName $global.Release.Namespace ($values.service.port | int) ($path.path)) + -}} + {{- end -}} {{ range $i, $rule := .ingress.rules }} {{- $allHosts = append $allHosts $rule.host }} @@ -70,7 +71,7 @@ spec: {{- range $allOIDCProtectedServces }} - --upstream={{ . }} - {{ end -}} + {{- end -}} {{- range .Values.oidcProxy.skipAuth }} # for backwards compatibility, could also just be provided using extraArgs diff --git a/stack/tests/ingress_test.yaml b/stack/tests/ingress_test.yaml index f4e0c91..7764249 100644 --- a/stack/tests/ingress_test.yaml +++ b/stack/tests/ingress_test.yaml @@ -17,18 +17,6 @@ tests: asserts: - isKind: of: Ingress - - documentIndex: 0 - equal: - path: metadata.annotations["nginx.ingress.kubernetes.io/auth-url"] - value: "http://release-name-stack-oidc-proxy.NAMESPACE.svc.cluster.local:4180/oauth2/auth" - - documentIndex: 0 - equal: - path: metadata.annotations["nginx.ingress.kubernetes.io/auth-signin"] - value: "https://$host/oauth2/sign_in?rd=https://$host$escaped_request_uri" - - documentIndex: 0 - equal: - path: metadata.annotations["nginx.ingress.kubernetes.io/auth-response-headers"] - value: "Authorization,X-Auth-Request-User,X-Auth-Request-Groups,X-Auth-Request-Email,X-Auth-Request-Preferred-Username" - it: adds additional nginx auth headers when using additionalHeaders set: global: 
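Review bot: Each `--upstream` is now keyed only by `$path.path`, and oauth2-proxy selects an upstream by request path rather than by host, so two `oidcProtected` services that expose the same path (commonly `/`) register two upstreams for one route and a request for host A can be served by service B's backend — to the best of my knowledge the legacy `--upstream` flag has no host matching, so please confirm against the pinned version. The tests sidestep this by giving every service a distinct path (`/test1`, `/test2`), which hides the problem. The template should refuse to render a collision instead of silently producing a proxy that cross-routes between services; the sketch below tracks seen paths and calls `fail`. The enclosing `range` over services starts before this hunk.
```yaml
{{- $upstreamPaths := dict -}}
# … unchanged: per-service values merge and `with $values` …
  {{- if .ingress.oidcProtected -}}
  {{ range $i, $path := .ingress.paths }}
  {{- if hasKey $upstreamPaths $path.path -}}
  {{- fail (printf "oidcProxy: path %q is exposed by both %s and %s; oauth2-proxy routes upstreams by path only" $path.path (get $upstreamPaths $path.path) $serviceName) -}}
  {{- end -}}
  {{- $_ := set $upstreamPaths $path.path $serviceName -}}
  {{- $allOIDCProtectedServces = append
      $allOIDCProtectedServces
      (printf "http://%s.%s.svc.cluster.local:%d%s" $serviceName $global.Release.Namespace ($values.service.port | int) ($path.path))
  -}}
  {{- end -}}
# … unchanged: host collection and the rest of the template …
```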
@@ -46,10 +34,6 @@ tests: asserts: - isKind: of: Ingress - - documentIndex: 0 - equal: - path: metadata.annotations["nginx.ingress.kubernetes.io/auth-response-headers"] - value: "Authorization,X-Auth-Request-User,X-Auth-Request-Groups,X-Auth-Request-Email,X-Auth-Request-Preferred-Username,X-Forwarded-User,blahblahblah" - it: adds auth-snippet with using skipAuth set: global: @@ -69,49 +53,6 @@ tests: asserts: - isKind: of: Ingress - - documentIndex: 0 - equal: - path: metadata.annotations["nginx.ingress.kubernetes.io/auth-snippet"] - value: | - set $skip_auth_get_healthz 1; - - if ( $request_uri !~ "/healthz" ) { - set $skip_auth_get_healthz 0; - } - - if ( $request_method !~ "GET" ) { - set $skip_auth_get_healthz 0; - } - - if ( $skip_auth_get_healthz ) { - return 200; - } - set $skip_auth___api_ 1; - - if ( $request_uri !~ "/api/*" ) { - set $skip_auth___api_ 0; - } - - if ( $request_method !~ "*" ) { - set $skip_auth___api_ 0; - } - - if ( $skip_auth___api_ ) { - return 200; - } - set $skip_auth_get__well_known_ 1; - - if ( $request_uri !~ "/.well-known/*" ) { - set $skip_auth_get__well_known_ 0; - } - - if ( $request_method !~ "GET" ) { - set $skip_auth_get__well_known_ 0; - } - - if ( $skip_auth_get__well_known_ ) { - return 200; - } - it: adds adds certManager annotations set: global: diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml index 3e72f4c..d01715e 100644 --- a/stack/tests/oidc_test.yaml +++ b/stack/tests/oidc_test.yaml @@ -18,7 +18,7 @@ tests: enabled: true asserts: - hasDocuments: - count: 3 + count: 2 - documentIndex: 0 containsDocument: kind: Deployment @@ -29,11 +29,6 @@ tests: kind: Service apiVersion: v1 name: release-name-stack-oidc-proxy - - documentIndex: 2 - containsDocument: - kind: Ingress - apiVersion: networking.k8s.io/v1 - name: release-name-stack-oidc-proxy - it: disabled by default asserts: - hasDocuments: 
@@ -169,22 +164,6 @@ tests: - equal: path: metadata.name value: "overwrittenfull-oidc-proxy" - - it: oidc proxy ingress matches the ingress host domain - set: - global: - ingress: - host: "stack.play.dev.czi.team" - oidcProxy: - enabled: true - services: - service1: - ingress: - oidcProtected: true - asserts: - - documentIndex: 2 - equal: - path: spec.rules[0].host - value: stack.play.dev.czi.team - it: oidc proxy has volumes mounted set: global: @@ -208,9 +187,15 @@ tests: port: 4123 ingress: oidcProtected: true + paths: + - path: /test1 + pathType: Prefix service2: ingress: oidcProtected: true + paths: + - path: /test2 + pathType: Prefix asserts: - documentIndex: 0 equal: @@ -219,11 +204,11 @@ tests: - documentIndex: 0 contains: path: spec.template.spec.containers[0].args - content: --upstream=http://service1.NAMESPACE.svc.cluster.local:4123 + content: --upstream=http://service1.NAMESPACE.svc.cluster.local:4123/test1 - documentIndex: 0 contains: path: spec.template.spec.containers[0].args - content: --upstream=http://service2.NAMESPACE.svc.cluster.local:2222 + content: --upstream=http://service2.NAMESPACE.svc.cluster.local:2222/test2 - documentIndex: 0 equal: path: spec.template.spec.containers[0].volumeMounts[0].name @@ -299,22 +284,6 @@ tests: equal: path: .metadata.annotations.test3 value: test3 - - documentIndex: 2 - containsDocument: - kind: Ingress - apiVersion: networking.k8s.io/v1 - name: release-name-stack-oidc-proxy - - documentIndex: 2 - equal: - path: .metadata.annotations.test1 - value: test1 - - documentIndex: 2 - notExists: - path: .metadata.annotations.test2 - - documentIndex: 2 - equal: - path: .metadata.annotations.test3 - value: test3 - it: should have multiple ingress rules for the stack hosts set: global: 
@@ -328,15 +297,24 @@ tests: service1: ingress: oidcProtected: true + paths: + - path: "/service1" + pathType: Prefix rules: - host: "service1.stack2.com" service2: ingress: oidcProtected: true + paths: + - path: "/service2" + pathType: Prefix rules: - host: "service2.stack2.com" service3: ingress: + paths: + - path: "/service3" + pathType: Prefix oidcProtected: true service4: ingress: @@ -344,30 +322,6 @@ tests: rules: - host: "service4.stack2.com" asserts: - - documentIndex: 2 - containsDocument: - kind: Ingress - apiVersion: networking.k8s.io/v1 - name: release-name-stack-oidc-proxy - - documentIndex: 2 - equal: - path: .spec.rules[0].host - value: stack.play.dev.czi.team - - documentIndex: 2 - equal: - path: .spec.rules[1].host - value: service1.stack2.com - - documentIndex: 2 - equal: - path: .spec.rules[2].host - value: service2.stack2.com - - documentIndex: 2 - equal: - path: .spec.rules[3].host - value: stack2.com - - documentIndex: 2 - notExists: - path: .spec.rules[4] - documentIndex: 0 lengthEqual: path: spec.template.spec.containers[0].args diff --git a/stack/values.yaml b/stack/values.yaml index 54161d5..b74d371 100644 --- a/stack/values.yaml +++ b/stack/values.yaml @@ -125,7 +125,6 @@ global: rules: [] oidcProtected: false annotations: - infra: "true" nginx.ingress.kubernetes.io/proxy-connect-timeout: "60" nginx.ingress.kubernetes.io/proxy-send-timeout: "60" nginx.ingress.kubernetes.io/proxy-read-timeout: "60" From 987d1baa230ac4fdca51736a837b3b440b12871e Mon Sep 17 00:00:00 2001 From: Jake Heath Date: Tue, 22 Oct 2024 15:07:46 -0700 Subject: [PATCH 06/20] remove old annotations --- stack/templates/_helpers.tpl | 8 -------- 1 file changed, 8 deletions(-) diff --git a/stack/templates/_helpers.tpl b/stack/templates/_helpers.tpl index 9a58eba..c648f35 100644 --- a/stack/templates/_helpers.tpl +++ b/stack/templates/_helpers.tpl 
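Review bot: Removing the `infra: "true"` default from `global.ingress.annotations` in values.yaml is unrelated to the proxy rewrite and is not mentioned in the commit message, yet it changes every Ingress rendered from this chart; if any controller or admission policy keys on that annotation, the effect is silent. Either state the reason in the commit message or move the change to its own commit so it can be reverted independently.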
@@ -180,12 +180,4 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- define "oidcProxy.authDomain" -}} {{ .Values.ingress.host }} -{{- end -}} - -{{- define "oidcProxy.skipAuthConfig" -}} - -{{- end -}} - -{{- define "oidcProxy.nginxAuthAnnotations" -}} - {{- end -}} \ No newline at end of file From 9e672b1acc811606466602c51c231036519e5962 Mon Sep 17 00:00:00 2001 From: Jake Heath Date: Tue, 22 Oct 2024 15:11:50 -0700 Subject: [PATCH 07/20] custom host conditional as well --- stack/templates/ingress.yaml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/stack/templates/ingress.yaml b/stack/templates/ingress.yaml index 263cf0e..068794b 100644 --- a/stack/templates/ingress.yaml +++ b/stack/templates/ingress.yaml @@ -17,15 +17,10 @@ metadata: name: {{ $fullName }} labels: {{- include "service.labels" . | nindent 4 }} - {{- $nginxAuthAnnotations := dict}} - {{- if .Values.ingress.oidcProtected }} - {{- $nginxAuthAnnotations = (fromYaml (include "oidcProxy.nginxAuthAnnotations" . )) -}} - {{- end}} {{- $certManagerAnnotations := (fromYaml (include "certManagerAnnotations" . )) }} annotations: {{- with (mergeOverwrite (dict) - ($nginxAuthAnnotations) ($certManagerAnnotations) (.Values.annotations) (.Values.ingress.annotations) @@ -51,7 +46,7 @@ spec: name: {{ $fullName }} {{- end -}} port: - number: {{ $svcPort }} + number: {{ $svcPort | int}} {{- end }} {{- $customHosts := list -}} {{- range $i, $rule := .Values.ingress.rules -}} @@ -67,7 +62,11 @@ spec: {{- end }} backend: service: + {{- if $service.Values.ingress.oidcProtected }} + name: {{ include "oidcProxy.name" $service }} + {{ else -}} name: {{ $fullName }} + {{- end -}} port: number: {{ $svcPort | int}} {{ end -}} From bfdbd346c1f0d333f2124168194cee5340599d7e Mon Sep 17 00:00:00 2001 
From: Jake Heath Date: Tue, 22 Oct 2024 15:23:07 -0700 Subject: [PATCH 08/20] spacing! --- stack/templates/_helpers.tpl | 2 +- stack/templates/ingress.yaml | 21 ++++++++++----------- stack/tests/ingress_test.yaml | 19 +++++++++++++++++++ 3 files changed, 30 insertions(+), 12 deletions(-) diff --git a/stack/templates/_helpers.tpl b/stack/templates/_helpers.tpl index c648f35..480dc8b 100644 --- a/stack/templates/_helpers.tpl +++ b/stack/templates/_helpers.tpl @@ -147,7 +147,7 @@ Container probes cannot have both httpGet and tcpSocket fields, so we use omit t {{- define "oidcProxy.name" -}} {{ include "stack.fullname" . | lower }}-oidc-proxy -{{- end }} +{{- end -}} {{- define "oidcProxy.port" -}} {{ .Values.oidcProxy.port | default 4180 | int }} diff --git a/stack/templates/ingress.yaml b/stack/templates/ingress.yaml index 068794b..e04e142 100644 --- a/stack/templates/ingress.yaml +++ b/stack/templates/ingress.yaml @@ -1,4 +1,4 @@ -{{ $global := . }} +{{- $global := . -}} {{ range $serviceName, $serviceValues := .Values.services }} {{- $globalValuesDict := $global.Values.global | toYaml -}} {{- $values := fromYaml $globalValuesDict -}} @@ -7,10 +7,10 @@ {{- $service := dict "Chart" $global.Chart "Release" $global.Release "Capabilities" $global.Capabilities "Values" $values -}} {{- with $service }} +{{- if .Values.ingress.enabled -}} --- -{{ if .Values.ingress.enabled }} -{{- $fullName := include "service.fullname" . -}} -{{- $svcPort := .Values.service.port -}} +{{ $fullName := include "service.fullname" . -}} +{{ $svcPort := .Values.service.port -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -42,9 +42,9 @@ spec: service: {{- if $service.Values.ingress.oidcProtected }} name: {{ include "oidcProxy.name" $service }} - {{ else -}} + {{- else }} name: {{ $fullName }} - {{- end -}} + {{- end }} port: number: {{ $svcPort | int}} {{- end }} 
@@ -64,9 +64,9 @@ spec: service: {{- if $service.Values.ingress.oidcProtected }} name: {{ include "oidcProxy.name" $service }} - {{ else -}} + {{- else }} name: {{ $fullName }} - {{- end -}} + {{- end }} port: number: {{ $svcPort | int}} {{ end -}} @@ -86,8 +86,7 @@ spec: {{- toYaml $customHosts | nindent 6 }} {{- $secretName := printf "%s-%s-%s" "custom-hosts" (include "stack.fullname" .) "tls-secret" }} secretName: {{ regexReplaceAll "[^a-zA-Z0-9-]" $secretName "-" }} - {{- end -}} -{{- end }} ---- + {{ end }} +{{ end }} {{- end }} {{- end }} diff --git a/stack/tests/ingress_test.yaml b/stack/tests/ingress_test.yaml index 7764249..b3f713d 100644 --- a/stack/tests/ingress_test.yaml +++ b/stack/tests/ingress_test.yaml @@ -73,6 +73,9 @@ tests: rules: - host: cellxgene.cziscience.com - host: api.cellxgene.cziscience.com + unprotected-service: + ingress: + oidcProtected: false asserts: - isKind: of: Ingress @@ -135,3 +138,19 @@ tests: lengthEqual: path: spec.tls[1].hosts count: 2 + - documentIndex: 0 + equal: + path: spec.rules[0].http.paths[0].backend.service.name + value: missing-otter-oidc-proxy + - documentIndex: 0 + equal: + path: spec.rules[1].http.paths[0].backend.service.name + value: missing-otter-oidc-proxy + - documentIndex: 0 + equal: + path: spec.rules[2].http.paths[0].backend.service.name + value: missing-otter-oidc-proxy + - documentIndex: 1 + equal: + path: spec.rules[0].http.paths[0].backend.service.name + value: missing-otter-unprotected-service From b6adef9e235c130bd809ca92685728ce631e2a2a Mon Sep 17 00:00:00 2001 From: Jake Heath Date: Tue, 22 Oct 2024 15:28:56 -0700 Subject: [PATCH 09/20] add back in the ingress --- stack/templates/oidc_proxy.yaml | 43 +++++++++++++++++++++++++++++++++ stack/tests/oidc_test.yaml | 7 +++++- 2 files changed, 49 insertions(+), 1 deletion(-) diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml index 853dc75..780b179 100644 --- a/stack/templates/oidc_proxy.yaml 
+++ b/stack/templates/oidc_proxy.yaml @@ -131,5 +131,48 @@ spec: {{- include "oidcProxy.selectorLabels" . | nindent 4 }} --- + +{{- if .Values.ingress.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "oidcProxy.name" . }} + {{- $certManagerAnnotations := (fromYaml (include "certManagerAnnotations" . )) }} + annotations: + {{- with (mergeOverwrite + (dict) + ($certManagerAnnotations) + (.Values.annotations) + (.Values.oidcProxy.annotations) + ) -}} + {{ toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: nginx + rules: + - host: {{ include "oidcProxy.authDomain" . }} + http: + paths: + - path: /oauth2 + pathType: Prefix + backend: + service: + name: {{ include "oidcProxy.name" . }} + port: + number: {{ include "oidcProxy.port" . }} + {{- $scope := . }} + {{- range $i, $host := $allHosts }} + - host: {{ $host }} + http: + paths: + - path: /oauth2 + pathType: Prefix + backend: + service: + name: {{ include "oidcProxy.name" $scope }} + port: + number: {{ include "oidcProxy.port" $scope }} + {{- end }} +{{- end -}} {{- end -}} {{- end -}} diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml index d01715e..0199893 100644 --- a/stack/tests/oidc_test.yaml +++ b/stack/tests/oidc_test.yaml @@ -18,7 +18,7 @@ tests: enabled: true asserts: - hasDocuments: - count: 2 + count: 3 - documentIndex: 0 containsDocument: kind: Deployment @@ -29,6 +29,11 @@ tests: kind: Service apiVersion: v1 name: release-name-stack-oidc-proxy + - documentIndex: 2 + containsDocument: + kind: Ingress + apiVersion: networking.k8s.io/v1 + name: release-name-stack-oidc-proxy - it: disabled by default asserts: - hasDocuments: From 0a208c8fa70e5c24b725c9c1fe5a25387b2c2e50 Mon Sep 17 00:00:00 2001 From: Jake Heath Date: Tue, 22 Oct 2024 15:31:19 -0700 Subject: [PATCH 10/20] add back ingress tests --- stack/tests/oidc_test.yaml | 56 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) 
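Review bot: The re-added `/oauth2` rule is emitted once per entry of `$allHosts`, which is built by appending every service's `ingress.rules[].host` without de-duplication, so two protected services that declare the same host produce two identical rules in one Ingress, and a service that reuses the auth domain duplicates the first rule as well. `{{- range $i, $host := ($allHosts | uniq) }}` avoids the repeats, and skipping the value of `oidcProxy.authDomain` inside the loop covers the second case. The same list also feeds the `--whitelist-domain` and `--cookie-domain` flags earlier in the template, which would benefit from the same de-duplication.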
diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml index 0199893..93d9b5e 100644 --- a/stack/tests/oidc_test.yaml +++ b/stack/tests/oidc_test.yaml @@ -169,6 +169,22 @@ tests: - equal: path: metadata.name value: "overwrittenfull-oidc-proxy" + - it: oidc proxy ingress matches the ingress host domain + set: + global: + ingress: + host: "stack.play.dev.czi.team" + oidcProxy: + enabled: true + services: + service1: + ingress: + oidcProtected: true + asserts: + - documentIndex: 2 + equal: + path: spec.rules[0].host + value: stack.play.dev.czi.team - it: oidc proxy has volumes mounted set: global: @@ -289,6 +305,22 @@ tests: equal: path: .metadata.annotations.test3 value: test3 + - documentIndex: 2 + containsDocument: + kind: Ingress + apiVersion: networking.k8s.io/v1 + name: release-name-stack-oidc-proxy + - documentIndex: 2 + equal: + path: .metadata.annotations.test1 + value: test1 + - documentIndex: 2 + notExists: + path: .metadata.annotations.test2 + - documentIndex: 2 + equal: + path: .metadata.annotations.test3 + value: test3 - it: should have multiple ingress rules for the stack hosts set: global: @@ -327,6 +359,30 @@ tests: rules: - host: "service4.stack2.com" asserts: + - documentIndex: 2 + containsDocument: + kind: Ingress + apiVersion: networking.k8s.io/v1 + name: release-name-stack-oidc-proxy + - documentIndex: 2 + equal: + path: .spec.rules[0].host + value: stack.play.dev.czi.team + - documentIndex: 2 + equal: + path: .spec.rules[1].host + value: service1.stack2.com + - documentIndex: 2 + equal: + path: .spec.rules[2].host + value: service2.stack2.com + - documentIndex: 2 + equal: + path: .spec.rules[3].host + value: stack2.com + - documentIndex: 2 + notExists: + path: .spec.rules[4] - documentIndex: 0 lengthEqual: path: spec.template.spec.containers[0].args From 579d8974197b93e9199604780186ca8b896d856f Mon Sep 17 00:00:00 2001 
From: Jake Heath
Date: Wed, 23 Oct 2024 13:20:11 -0700
Subject: [PATCH 11/20] fix the port to oidc proxy
---
 stack/templates/ingress.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/stack/templates/ingress.yaml b/stack/templates/ingress.yaml
index e04e142..bb1314e 100644
--- a/stack/templates/ingress.yaml
+++ b/stack/templates/ingress.yaml
@@ -42,11 +42,13 @@ spec:
 service:
 {{- if $service.Values.ingress.oidcProtected }}
 name: {{ include "oidcProxy.name" $service }}
+ port:
+ number: {{ include "oidcProxy.port" . }}
 {{- else }}
 name: {{ $fullName }}
- {{- end }}
 port:
 number: {{ $svcPort | int}}
+ {{- end }}
 {{- end }}
 {{- $customHosts := list -}}
 {{- range $i, $rule := .Values.ingress.rules -}}
@@ -64,11 +66,13 @@ spec:
 service:
 {{- if $service.Values.ingress.oidcProtected }}
 name: {{ include "oidcProxy.name" $service }}
+ port:
+ number: {{ include "oidcProxy.port" . }}
 {{- else }}
 name: {{ $fullName }}
- {{- end }}
 port:
 number: {{ $svcPort | int}}
+ {{- end }}
 {{ end -}}
 {{- end }}
 tls:
From d72af026c878e043493aa01d51b0187b1b82b761 Mon Sep 17 00:00:00 2001
From: Jake Heath
Date: Wed, 23 Oct 2024 13:21:24 -0700
Subject: [PATCH 12/20] service not dot
---
 stack/templates/ingress.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stack/templates/ingress.yaml b/stack/templates/ingress.yaml
index bb1314e..3036189 100644
--- a/stack/templates/ingress.yaml
+++ b/stack/templates/ingress.yaml
@@ -67,7 +67,7 @@ spec:
 {{- if $service.Values.ingress.oidcProtected }}
 name: {{ include "oidcProxy.name" $service }}
 port:
- number: {{ include "oidcProxy.port" . }}
+ number: {{ include "oidcProxy.port" $service }}
 {{- else }}
 name: {{ $fullName }}
 port:
From 106c4afcc8e732b01b22fcba0b41fde8693636d1 Mon Sep 17 00:00:00 2001
From: Jake Heath
Date: Wed, 23 Oct 2024 13:30:47 -0700
Subject: [PATCH 13/20] service not dot
---
 stack/templates/ingress.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stack/templates/ingress.yaml b/stack/templates/ingress.yaml
index 3036189..3ed850a 100644
--- a/stack/templates/ingress.yaml
+++ b/stack/templates/ingress.yaml
@@ -43,7 +43,7 @@ spec:
 {{- if $service.Values.ingress.oidcProtected }}
 name: {{ include "oidcProxy.name" $service }}
 port:
- number: {{ include "oidcProxy.port" . }}
+ number: {{ include "oidcProxy.port" $service }}
 {{- else }}
 name: {{ $fullName }}
 port:
From 9e283b3d5bb710c47635d427a532ed2ebf358f21 Mon Sep 17 00:00:00 2001
From: Jake Heath
Date: Wed, 23 Oct 2024 13:43:52 -0700
Subject: [PATCH 14/20] real subdomain
---
 stack/templates/oidc_proxy.yaml | 3 ++-
 stack/tests/oidc_test.yaml | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml
index 780b179..58e91d3 100644
--- a/stack/templates/oidc_proxy.yaml
+++ b/stack/templates/oidc_proxy.yaml
@@ -8,11 +8,12 @@
 {{- $values := mergeOverwrite $values $serviceValues -}}
 {{- with $values -}}
+ {{ $serviceScope := dict "Chart" $global.Chart "Release" $global.Release "Capabilities" $global.Capabilities "Values" .}}
 {{- if .ingress.oidcProtected -}}
 {{ range $i, $path := .ingress.paths }}
 {{- $allOIDCProtectedServces = append $allOIDCProtectedServces
- (printf "http://%s.%s.svc.cluster.local:%d%s" $serviceName $global.Release.Namespace ($values.service.port | int) ($path.path))
+ (printf "http://%s.%s.svc.cluster.local:%d%s" (include "service.fullname" $serviceScope) $global.Release.Namespace ($values.service.port | int) ($path.path))
 -}}
 {{- end -}}
diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml
index 93d9b5e..cbb1eb7 100644
--- a/stack/tests/oidc_test.yaml
+++ b/stack/tests/oidc_test.yaml
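Review bot: `{{ $serviceScope := dict ... "Values" .}}` is the only action in this hunk written without trim markers, so its surrounding newline and indentation are emitted into the rendered output; in this variable-collection preamble that is probably harmless, but it should match its neighbours: `{{- $serviceScope := dict "Chart" $global.Chart "Release" $global.Release "Capabilities" $global.Capabilities "Values" . -}}`. The synthetic scope carries only `Chart`, `Release`, `Capabilities` and `Values`, so `service.fullname` must not read anything else (for example `.Template` or `.Files`) from its argument; a one-line comment above the `dict` stating that contract would stop a later change to the helper from breaking upstream resolution silently. The upstream URL is still plain `http://` inside the cluster, which is the usual oauth2-proxy layout but means the identity headers the proxy adds travel unencrypted pod-to-pod unless a mesh or network policy covers it; worth a comment recording that assumption. The enclosing `{{- with $values -}}` block starts and ends outside the hunk.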
@@ -225,11 +225,11 @@ tests:
 - documentIndex: 0
 contains:
 path: spec.template.spec.containers[0].args
- content: --upstream=http://service1.NAMESPACE.svc.cluster.local:4123/test1
+ content: --upstream=http://release-name-stack-service1.NAMESPACE.svc.cluster.local:4123/test1
 - documentIndex: 0
 contains:
 path: spec.template.spec.containers[0].args
- content: --upstream=http://service2.NAMESPACE.svc.cluster.local:2222/test2
+ content: --upstream=http://release-name-stack-service2.NAMESPACE.svc.cluster.local:2222/test2
 - documentIndex: 0
 equal:
 path: spec.template.spec.containers[0].volumeMounts[0].name
From 201776fa4eedbdd791707d8bcfe9344d9f5bea99 Mon Sep 17 00:00:00 2001
From: Jake Heath
Date: Wed, 23 Oct 2024 13:59:14 -0700
Subject: [PATCH 15/20] remove the browser authorization header
---
 stack/templates/oidc_proxy.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml
index 58e91d3..f02e67c 100644
--- a/stack/templates/oidc_proxy.yaml
+++ b/stack/templates/oidc_proxy.yaml
@@ -61,7 +61,6 @@ spec:
 - --provider=oidc
 - --email-domain=*
 - --cookie-secure=true
- - --set-authorization-header
 - --set-xauthrequest
 - --cookie-domain={{- include "baseDomain" . }}
 - --whitelist-domain=.{{- include "baseDomain" . }}
From 1de980be21b375b5f5519b6a506fee508336f855 Mon Sep 17 00:00:00 2001
From: Jake Heath
Date: Wed, 23 Oct 2024 14:15:16 -0700
Subject: [PATCH 16/20] fix tests
---
 stack/tests/oidc_test.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml
index cbb1eb7..a339a24 100644
--- a/stack/tests/oidc_test.yaml
+++ b/stack/tests/oidc_test.yaml
@@ -127,7 +127,7 @@ tests:
 - documentIndex: 0
 lengthEqual:
 path: spec.template.spec.containers[0].args
- count: 18
+ count: 17
 - documentIndex: 0
 contains:
 path: spec.template.spec.containers[0].args
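Review bot: Dropping `- --set-authorization-header` is a sound hardening step (the ID token is no longer placed in a response header the browser can see), but nothing in the template records why, and a later contributor who sees `--set-xauthrequest` sitting next to a `--pass-authorization-header` flag, if one is still set earlier in this list, may well add it back. Suggest a comment where the line used to be: `# deliberately no --set-authorization-header: the ID token must not be returned to the browser; upstreams receive identity via the X-Auth-Request-* headers`. The context line `- --email-domain=*` delegates all authorization to the identity provider, which is fine when the IdP itself restricts who may sign in, but that assumption also deserves a one-line comment. The args list continues outside the hunk.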
@@ -386,7 +386,7 @@ tests:
 - documentIndex: 0
 lengthEqual:
 path: spec.template.spec.containers[0].args
- count: 22
+ count: 21
 - documentIndex: 0
 contains:
 path: spec.template.spec.containers[0].args
From f65726427474d21bbf96215db30e9902c76067fd Mon Sep 17 00:00:00 2001
From: Jake Heath
Date: Thu, 24 Oct 2024 10:14:14 -0700
Subject: [PATCH 17/20] DRY
---
 stack/templates/_helpers.tpl | 17 +++++++++++++++--
 stack/templates/ingress.yaml | 24 +++--------------------
 2 files changed, 18 insertions(+), 23 deletions(-)
diff --git a/stack/templates/_helpers.tpl b/stack/templates/_helpers.tpl
index 480dc8b..f990b1f 100644
--- a/stack/templates/_helpers.tpl
+++ b/stack/templates/_helpers.tpl
@@ -3,11 +3,24 @@ Expand the name of the chart.
 */}}
 {{- define "stack.name" -}}
 {{- default .Chart.Name .nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
+{{- end -}}
 {{- define "service.name" -}}
 {{- .Values.name | trunc 63 | trimSuffix "-" }}
-{{- end }}
+{{- end -}}
+
+{{- define "service.backend" -}}
+{{- if .Values.ingress.oidcProtected -}}
+name: {{ include "oidcProxy.name" . }}
+port:
+ number: {{ include "oidcProxy.port" .}}
+{{- else }}
+name: {{ include "service.fullname" . }}
+port:
+ number: {{ .Values.service.port | int}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create a default fully qualified app name.
diff --git a/stack/templates/ingress.yaml b/stack/templates/ingress.yaml
index 3ed850a..d96ec01 100644
--- a/stack/templates/ingress.yaml
+++ b/stack/templates/ingress.yaml
@@ -9,12 +9,10 @@
 {{- if .Values.ingress.enabled -}}
 ---
-{{ $fullName := include "service.fullname" . -}}
-{{ $svcPort := .Values.service.port -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- name: {{ $fullName }}
+ name: {{ include "service.fullname" . }}
 labels:
 {{- include "service.labels" . | nindent 4 }}
 {{- $certManagerAnnotations := (fromYaml (include "certManagerAnnotations" . )) }}
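Review bot: In the new `service.backend` helper the two branches emit differently shaped text: `{{- if .Values.ingress.oidcProtected -}}` trims on both sides so the protected branch starts directly with `name:`, whereas `{{- else }}` keeps its trailing newline, so the unprotected branch starts with a line break that `nindent 16` at the call sites turns into a whitespace-only line under `service:`. Still valid YAML, but asymmetric and surprising; `{{- else -}}` makes both branches identical in shape. Minor style: `{{ include "oidcProxy.port" .}}` and `{{ .Values.service.port | int}}` lack the space before `}}` that every other action in the file has. A leading `{{/* … */}}` comment describing the helper's contract (called with a service scope, renders the `name` and `port` of an Ingress backend, routing to the oidc proxy when `ingress.oidcProtected` is set) would match the style of the other defines in this file.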
@@ -40,15 +38,7 @@ spec:
 {{- end }}
 backend:
 service:
- {{- if $service.Values.ingress.oidcProtected }}
- name: {{ include "oidcProxy.name" $service }}
- port:
- number: {{ include "oidcProxy.port" $service }}
- {{- else }}
- name: {{ $fullName }}
- port:
- number: {{ $svcPort | int}}
- {{- end }}
+ {{- include "service.backend" $service | nindent 16}}
 {{- end }}
 {{- $customHosts := list -}}
 {{- range $i, $rule := .Values.ingress.rules -}}
@@ -64,15 +54,7 @@ spec:
 {{- end }}
 backend:
 service:
- {{- if $service.Values.ingress.oidcProtected }}
- name: {{ include "oidcProxy.name" $service }}
- port:
- number: {{ include "oidcProxy.port" $service }}
- {{- else }}
- name: {{ $fullName }}
- port:
- number: {{ $svcPort | int}}
- {{- end }}
+ {{- (include "service.backend" $service) | nindent 16 -}}
 {{ end -}}
 {{- end }}
 tls:
From f76768f95f63158e4bd6b41b562d67420f7af765 Mon Sep 17 00:00:00 2001
From: Jake Heath
Date: Thu, 24 Oct 2024 13:23:08 -0700
Subject: [PATCH 18/20] add testing for cookie domain overwrite
---
 stack/templates/oidc_proxy.yaml | 14 ++++++++-
 stack/tests/oidc_test.yaml | 51 +++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml
index f02e67c..af1d8f2 100644
--- a/stack/templates/oidc_proxy.yaml
+++ b/stack/templates/oidc_proxy.yaml
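Review bot: The two call sites of the new helper are written differently — `{{- include "service.backend" $service | nindent 16}}` in the first hunk and `{{- (include "service.backend" $service) | nindent 16 -}}` in the second — although they replace identical blocks. The parentheses are redundant, and the trailing `-}}` on the second appears to be there only because that loop closes with `{{ end -}}` (no left trim) while the first closes with `{{- end }}`; unifying the closers to `{{- end }}` would let both call sites use the same `{{- include "service.backend" $service | nindent 16 }}` form. Each enclosing `range` starts outside the hunk.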
@@ -74,17 +74,29 @@ spec:
 {{- end -}}
 {{- range .Values.oidcProxy.skipAuth }}
- # for backwards compatibility, could also just be provided using extraArgs
 {{ if contains "*" .method }}
+ # for backwards compatibility, could also just be provided using extraArgs
 - --skip-auth-route={{ .path }}
 {{- else -}}
 - --skip-auth-route={{ .method }}={{ .path }}
 {{- end -}}
 {{- end -}}
+ {{ $cookiePrefix := list }}
+ {{ range .Values.oidcProxy.extraArgs }}
+ {{ if (contains "--cookie-domain" . ) }}
+ {{ $cookiePrefix = append $cookiePrefix . }}
+ {{ end }}
+ {{ end }}
 {{- range $allHosts -}}
 {{- printf "- --whitelist-domain=%s" . | nindent 12 -}}
+
+ {{ if eq (len $cookiePrefix) 0 }}
+ # if a user provides a cookie-domain flag, we want to use that instead of the
+ # default cookie
 {{- printf "- --cookie-domain=%s" . | nindent 12 -}}
+ {{ end }}
+
 {{- end -}}
 {{- if gt (len .Values.oidcProxy.extraArgs) 0 }}
 {{- toYaml .Values.oidcProxy.extraArgs | nindent 12}}
diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml
index a339a24..3ff94a7 100644
--- a/stack/tests/oidc_test.yaml
+++ b/stack/tests/oidc_test.yaml
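Review bot: The six new actions from `{{ $cookiePrefix := list }}` through the closing `{{ end }}`, and the `{{ if eq (len $cookiePrefix) 0 }}` / `{{ end }}` pair inside the `range $allHosts` loop, carry no trim markers unlike every neighbouring action, so each leaves an indented whitespace-only line in the rendered container `args` list; harmless to YAML but noisy in `helm template` output and fixed by writing them as `{{- … -}}`. The two `# if a user provides …` comment lines sit inside the per-host loop, so they are rendered once per host into the manifest; placing them above `{{- range $allHosts -}}` keeps them in the template source where they help and out of the output. `$cookiePrefix` is also a misleading name for a list of `--cookie-domain` arguments that is only ever tested for emptiness, and a short comment should record the trade-off the override makes: a parent-domain cookie is sent to every host under that parent, so all of those hosts have to be trusted with the session. The `{{- range .Values.oidcProxy.skipAuth }}` block starts outside the hunk.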
@@ -411,3 +411,54 @@ tests:
 contains:
 path: spec.template.spec.containers[0].args
 content: --cookie-domain=stack2.com
+ - it: should allow for overwriting the cookie-domain flag
+ set:
+ global:
+ ingress:
+ host: "stack.play.dev.czi.team"
+ oidcProxy:
+ enabled: true
+ extraArgs:
+ - "--cookie-domain=someparent.domain"
+ services:
+ service1:
+ ingress:
+ oidcProtected: true
+ paths:
+ - path: "/service1"
+ pathType: Prefix
+ rules:
+ - host: "app1.someparent.domain"
+ service2:
+ ingress:
+ oidcProtected: true
+ paths:
+ - path: "/service2"
+ pathType: Prefix
+ rules:
+ - host: "app2.someparent.domain"
+ asserts:
+ - documentIndex: 0
+ contains:
+ path: spec.template.spec.containers[0].args
+ content: --whitelist-domain=app1.someparent.domain
+ - documentIndex: 0
+ contains:
+ path: spec.template.spec.containers[0].args
+ content: --whitelist-domain=app2.someparent.domain
+ - documentIndex: 0
+ contains:
+ path: spec.template.spec.containers[0].args
+ content: --whitelist-domain=.czi.team
+ - documentIndex: 0
+ notContains:
+ path: spec.template.spec.containers[0].args
+ content: --cookie-domain=app1.someparent.domain
+ - documentIndex: 0
+ notContains:
+ path: spec.template.spec.containers[0].args
+ content: --cookie-domain=app2.someparent.domain
+ - documentIndex: 0
+ contains:
+ path: spec.template.spec.containers[0].args
+ content: --cookie-domain=someparent.domain
From 7a3176cefbe84536de94585be17546f4b119f0b3 Mon Sep 17 00:00:00 2001
From: Jake Heath
Date: Thu, 24 Oct 2024 15:23:53 -0700
Subject: [PATCH 19/20] hasPrefix
---
 stack/templates/oidc_proxy.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml
index af1d8f2..5b4b8e6 100644
--- a/stack/templates/oidc_proxy.yaml
+++ b/stack/templates/oidc_proxy.yaml
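Review bot: The new `should allow for overwriting the cookie-domain flag` case checks that the per-host `--cookie-domain=app1…`/`app2…` values are gone and the override is present, but says nothing about the base-domain value: the template still emits `- --cookie-domain={{- include "baseDomain" . }}` unconditionally (visible as context in an earlier hunk of this series), and this test itself expects `--whitelist-domain=.czi.team`, so a `--cookie-domain=czi.team` argument is presumably rendered alongside `--cookie-domain=someparent.domain`. Add an explicit `contains` or `notContains` assert for `--cookie-domain=czi.team` so the intended semantics of the override (replace every cookie domain, or only the per-host ones) are pinned rather than left for the reader to infer. A `lengthEqual` on `spec.template.spec.containers[0].args`, as the neighbouring cases use, would catch the same drift.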
@@ -84,7 +84,7 @@ spec:
 {{ $cookiePrefix := list }}
 {{ range .Values.oidcProxy.extraArgs }}
- {{ if (contains "--cookie-domain" . ) }}
+ {{ if (hasPrefix "--cookie-domain" . ) }}
 {{ $cookiePrefix = append $cookiePrefix . }}
 {{ end }}
 {{ end }}
From 6ae09d0abefd4270fdf3729dc7454a820fe9aec6 Mon Sep 17 00:00:00 2001
From: Jake Heath
Date: Thu, 24 Oct 2024 15:24:49 -0700
Subject: [PATCH 20/20] typo
---
 stack/templates/oidc_proxy.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml
index 5b4b8e6..e7ba65b 100644
--- a/stack/templates/oidc_proxy.yaml
+++ b/stack/templates/oidc_proxy.yaml
@@ -93,7 +93,7 @@ spec:
 {{ if eq (len $cookiePrefix) 0 }}
 # if a user provides a cookie-domain flag, we want to use that instead of the
- # default cookie
+ # default cookie-domain
 {{- printf "- --cookie-domain=%s" . | nindent 12 -}}
 {{ end }}