From 0846d4aa99c27de954748f05739020b272130474 Mon Sep 17 00:00:00 2001 From: Klaus Thorn Date: Tue, 16 Jul 2024 10:04:22 +0200 Subject: [PATCH] update default OAuth2 clients (#55) default OAuth2 client changed from web-client to fylr-web-frontend; adding optional clients to values.yaml --- charts/fylr/Chart.yaml | 2 +- charts/fylr/README.md | 21 ++++++++++++------- charts/fylr/templates/_helpers.tpl | 4 ---- charts/fylr/templates/configmap.yaml | 6 +++--- charts/fylr/templates/deployment.yaml | 10 --------- charts/fylr/templates/secrets.yaml | 19 ----------------- charts/fylr/values.yaml | 30 ++++++++++++++++++++++++++- 7 files changed, 47 insertions(+), 45 deletions(-) diff --git a/charts/fylr/Chart.yaml b/charts/fylr/Chart.yaml index b506b20..bc8c148 100644 --- a/charts/fylr/Chart.yaml +++ b/charts/fylr/Chart.yaml @@ -7,7 +7,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.93 +version: 0.1.94 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/fylr/README.md b/charts/fylr/README.md index 732c426..5ed0cee 100644 --- a/charts/fylr/README.md +++ b/charts/fylr/README.md @@ -118,23 +118,30 @@ Depending on your configuration, you can deploy fylr with a persistent volume. I ### Secrets -- `-fylr-oauth2` -- `-fylr-utils` +- `fylr*utils` -These two secrets are used by the fylr installation to sign, encrypt, and configure the OAuth2 client and server. The values are generated during installation and are not updated during upgrades or deleted during uninstallation. If you want to change the values, you must adjust them manually. +This secret is used by the fylr installation for the OAuth2 server. The value is generated during installation and not updated during upgrades or deleted during uninstallation. If you want to change the values, you must adjust them manually. -So if you want to know the secret to connect as "web-client", the default OAuth2 clientID: +How to read out a secret: -Get the secret name: +Get secret names: ```bash kubectl -n ${NAMESPACE} get secrets ``` -Choose the secret name ending in `-fylr-oauth2`. For this example, we assume the name is `example-fylr-oauth2`. +Choose the secret name with `fylr*utils`. For this example, we assume the name is `fylr-helm-test-utils`. + +view the structure: + +```bash +kubectl -n ${NAMESPACE} get secrets fylr-helm-test-utils -o json +``` + +output one string of the secret: ```bash -kubectl -n ${NAMESPACE} get secrets example-fylr-oauth2 -o go-template={{.data.oauth2WebappClientSecret}} | base64 -d;echo +kubectl -n ${NAMESPACE} get secrets fylr-helm-test-utils -o go-template={{.data.encryptionKey}} | base64 -d;echo ``` ## Configuration diff --git a/charts/fylr/templates/_helpers.tpl b/charts/fylr/templates/_helpers.tpl index 2235a99..551c2c1 100644 --- a/charts/fylr/templates/_helpers.tpl +++ b/charts/fylr/templates/_helpers.tpl @@ -111,10 +111,6 @@ Secret names {{- printf "%s-%s" (include "fylr.fullname" .) "init" | trunc 63 | trimSuffix "-" }} {{- end }} -{{- define "fylr.secret.oauth2.name" -}} -{{- printf "%s-%s" (include "fylr.fullname" .) "oauth2" | trunc 63 | trimSuffix "-" }} -{{- end }} - {{- define "fylr.secret.utils" -}} {{- printf "%s-%s" (include "fylr.fullname" .) "utils" | trunc 63 | trimSuffix "-" }} {{- end }} diff --git a/charts/fylr/templates/configmap.yaml b/charts/fylr/templates/configmap.yaml index 230ec90..5b45132 100644 --- a/charts/fylr/templates/configmap.yaml +++ b/charts/fylr/templates/configmap.yaml @@ -84,7 +84,7 @@ data: webapp: addr: :8080 oauth2: - clientID: "web-client" + clientID: "fylr-web-frontend" internalURL: "http://{{ include "fylr.service-api-name" . }}.{{ .Release.Namespace }}.svc:{{ .Values.services.api.port }}" reverseProxy: api: "http://{{ include "fylr.service-api-name" . }}.{{ .Release.Namespace }}.svc:{{ .Values.services.api.port }}" @@ -98,7 +98,7 @@ data: addr: :8081 oauth2Server: clients: - web-client: + fylr-web-frontend: redirectURIs: - {{ .Values.fylr.externalURL }}/oauth2/callback scopes: @@ -108,7 +108,7 @@ data: public: true # add custom clients {{- if .Values.fylr.services.api.oauth2Server.clients }} - {{- toYaml .Values.fylr.services.api.oauth2Server.clients | nindent 12 }} + {{- toYaml .Values.fylr.services.api.oauth2Server.clients | nindent 14 }} {{- end }} backend: addr: :8082 diff --git a/charts/fylr/templates/deployment.yaml b/charts/fylr/templates/deployment.yaml index d658dd3..0774870 100644 --- a/charts/fylr/templates/deployment.yaml +++ b/charts/fylr/templates/deployment.yaml @@ -147,16 +147,6 @@ spec: secretKeyRef: name: {{ include "fylr.secret.elastic.name" . }} key: "hosts" - - name: CFG_FYLR_SERVICES_API_OAUTH2SERVER_CLIENTS_web-client_SECRET - valueFrom: - secretKeyRef: - name: {{ include "fylr.secret.oauth2.name" . }} - key: "oauth2ServerClientSecret" - - name: CFG_FYLR_SERVICES_WEBAPP_OAUTH2_CLIENTSECRET - valueFrom: - secretKeyRef: - name: {{ include "fylr.secret.oauth2.name" . }} - key: "oauth2WebappClientSecret" - name: CFG_FYLR_ENCRYPTIONKEY valueFrom: secretKeyRef: diff --git a/charts/fylr/templates/secrets.yaml b/charts/fylr/templates/secrets.yaml index 268f46c..73790da 100644 --- a/charts/fylr/templates/secrets.yaml +++ b/charts/fylr/templates/secrets.yaml @@ -42,25 +42,6 @@ stringData: --- apiVersion: v1 kind: Secret -metadata: - name: {{ include "fylr.secret.oauth2.name" . }} - labels: - {{- include "fylr.labels" . | nindent 4 }} - annotations: - helm.sh/hook: pre-install - helm.sh/hook-weight: "1" - helm.sh/resource-policy: keep -type: Opaque -stringData: - {{ $placeholderuser := "placeholder" }} - {{ $plaintextpassword := (randAlphaNum 32) }} - {{/* generate the bcrypt hash and remove the username: prefix from the string */}} - {{ $oauth2_webapp_client_secret := trimPrefix (printf "%s:" $placeholderuser) (htpasswd $placeholderuser $plaintextpassword) }} - oauth2ServerClientSecret: {{ $oauth2_webapp_client_secret | quote }} - oauth2WebappClientSecret: {{ $plaintextpassword | quote }} ---- -apiVersion: v1 -kind: Secret metadata: name: {{ include "fylr.secret.utils" . }} labels: diff --git a/charts/fylr/values.yaml b/charts/fylr/values.yaml index fd41e36..8ed77e4 100644 --- a/charts/fylr/values.yaml +++ b/charts/fylr/values.yaml @@ -456,7 +456,35 @@ fylr: oauth2Server: # -- (object) additional oauth2 clients to be added to the oauth2 server. # For the web application, we automatically generate a key pair and assign it to the oauth2 client. - clients: {} + clients: + fylr-mobile-app: + public: true + redirectURIs: + - "fylr.app.scheme:///" + scopes: + - "read" + - "write" + - "offline" + ci-hub: + public: true + redirectURIs: + - "https://ci-hub.azurewebsites.net/api/v1/auth/login/fylr" + - "https://ci-hub-beta.azurewebsites.net/api/v1/auth/login/fylr" + - "https://ci-hub-test.azurewebsites.net/api/v1/auth/login/fylr" + - "http://localhost:8080/api/v1/auth/login/fylr" + scopes: + - "read" + - "write" + - "offline" + santa-cruz: + public: true + redirectURIs: + - "https://fylr.linkrui.com/oauth" + - "https://stage-fylr.linkrui.com/oauth" + scopes: + - "read" + - "write" + - "offline" # my-client-id: # # secret must be given as bcrypt hash # secret: $2y$04$81xGNnm8PS1uiIzjbos6Le3NzFaNB0goNqnBpOx7S/EyrayzJCNAq # foo