feat: allow for overwritting the cookie-domain flag on the oidc proxy

stack/templates/oidc_proxy.yaml

@@ -74,17 +74,29 @@ spec:
             {{- end -}}
 
             {{- range .Values.oidcProxy.skipAuth }}
-            # for backwards compatibility, could also just be provided using extraArgs
             {{ if contains "*" .method }}
+            # for backwards compatibility, could also just be provided using extraArgs
             - --skip-auth-route={{ .path }}
             {{- else -}}
             - --skip-auth-route={{ .method }}={{ .path }}
             {{- end -}}
             {{- end -}}
 
+            {{ $cookiePrefix := list }}
+            {{ range .Values.oidcProxy.extraArgs }}
+            {{ if (hasPrefix "--cookie-domain" . ) }}
+              {{ $cookiePrefix = append $cookiePrefix . }}
+            {{ end }}
+            {{ end }} 
             {{- range $allHosts -}}
             {{- printf "- --whitelist-domain=%s" . | nindent 12 -}}
+
+            {{ if eq (len $cookiePrefix) 0 }}
+            # if a user provides a cookie-domain flag, we want to use that instead of the 
+            # default cookie-domain
             {{- printf "- --cookie-domain=%s" . | nindent 12 -}}
+            {{ end }}
+
             {{- end -}}
             {{- if gt (len .Values.oidcProxy.extraArgs) 0 }}
             {{- toYaml .Values.oidcProxy.extraArgs | nindent 12}}

stack/tests/oidc_test.yaml

@@ -411,3 +411,54 @@ tests:
         contains:
           path: spec.template.spec.containers[0].args
           content: --cookie-domain=stack2.com
+  - it: should allow for overwriting the cookie-domain flag
+    set:
+      global:
+        ingress:
+          host: "stack.play.dev.czi.team"
+        oidcProxy:
+          enabled: true
+          extraArgs:
+            - "--cookie-domain=someparent.domain"
+      services:
+        service1:
+          ingress:
+            oidcProtected: true
+            paths:
+              - path: "/service1"
+                pathType: Prefix
+            rules:
+              - host: "app1.someparent.domain"
+        service2:
+          ingress:
+            oidcProtected: true
+            paths:
+              - path: "/service2"
+                pathType: Prefix
+            rules:
+              - host: "app2.someparent.domain"
+    asserts:
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].args
+          content: --whitelist-domain=app1.someparent.domain
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].args
+          content: --whitelist-domain=app2.someparent.domain
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].args
+          content: --whitelist-domain=.czi.team
+      - documentIndex: 0
+        notContains:
+          path: spec.template.spec.containers[0].args
+          content: --cookie-domain=app1.someparent.domain
+      - documentIndex: 0
+        notContains:
+          path: spec.template.spec.containers[0].args
+          content: --cookie-domain=app2.someparent.domain
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].args
+          content: --cookie-domain=someparent.domain