fix secrets draft

packages/system/keycloak-configure/templates/configure-kk.yaml

@@ -1,9 +1,67 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $host := index $cozyConfig.data "root-host" }}
-{{- $k8sClient := randAlphaNum 32 -}}
-{{- $kubeappsClient := randAlphaNum 32 -}}
 {{- $rootSaConfigMap := lookup "v1" "ConfigMap" "kube-system" "kube-root-ca.crt" }}
-{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc  }}
+{{- $k8sCa := index $rootSaConfigMap.data "ca.crt" | b64enc }}
+
+{{- $existingK8sSecret := lookup "v1" "Secret" .Release.Namespace "k8s-client" }}
+{{- $existingKubeappsSecret := lookup "v1" "Secret" .Release.Namespace "kubeapps-client" }}
+{{- $existingAuthConfig := lookup "v1" "Secret" "cozy-dashboard" "kubeapps-auth-config" }}
+
+{{ $k8sClient := "" }}
+{{- if $existingK8sSecret }}
+  {{- $k8sClient := index $existingK8sSecret.data "client-secret-key" | b64dec }}
+{{- else }}
+  {{- $k8sClient := randAlphaNum 32 }}
+{{- end }}
+
+{{ $kubeappsClient := "" }}
+{{- if $existingKubeappsSecret }}
+  {{- $kubeappsClient := index $existingKubeappsSecret.data "client-secret-key" | b64dec }}
+{{- else }}
+  {{- $kubeappsClient := randAlphaNum 32 }}
+{{- end }}
+
+{{ $cookieSecret := "" }}
+{{- if $existingAuthConfig }}
+  {{- $cookieSecret := index $existingAuthConfig.data "cookieSecret" | b64dec }}
+{{- else }}
+  {{- $cookieSecret := randAlphaNum 16 }}
+{{- end }}
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: k8s-client
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  client-secret-key: {{ $k8sClient | b64enc }}
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubeapps-client
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  client-secret-key: {{ $kubeappsClient | b64enc }}
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kubeapps-auth-config
+  namespace: cozy-dashboard
+type: Opaque
+data:
+  cookieSecret: {{ $cookieSecret | b64enc }}
+
+---
 
 apiVersion: v1.edp.epam.com/v1alpha1
 kind: ClusterKeycloak
@@ -54,81 +112,6 @@ spec:
 
 ---
 
-apiVersion: v1
-kind: Secret
-metadata:
-  name: k8s-client
-type: Opaque
-stringData:
-  client-secret-key: {{ $k8sClient }}
-
----
-
-apiVersion: v1.edp.epam.com/v1
-kind: KeycloakClient
-metadata:
-  name: keycloakclient
-spec:
-  serviceAccount:
-    enabled: true
-  realmRef:
-    name: keycloakrealm-cozy
-    kind: ClusterKeycloakRealm
-  secret: $k8s-client:client-secret-key
-  advancedProtocolMappers: true
-  authorizationServicesEnabled: true
-  name: kubernetes
-  clientId: kubernetes
-  directAccess: true
-  public: false
-  webUrl: https://localhost:8000/oauth2/callback
-  webOrigins:
-    - /*
-  defaultClientScopes:
-    - groups
-  redirectUris:
-    - http://localhost:18000
-    - http://localhost:8000
-
----
-
-apiVersion: v1.edp.epam.com/v1
-kind: KeycloakClientScope
-metadata:
-  name: kubernetes-client
-spec:
-  name: kubernetes-client
-  realmRef:
-    name: keycloakrealm-cozy
-    kind: ClusterKeycloakRealm
-  description: "kubernetes-client"
-  protocol: openid-connect
-  default: true
-  attributes:
-    "include.in.token.scope": "true"
-  protocolMappers:
-    - name: audience
-      protocol: openid-connect
-      protocolMapper: "oidc-audience-mapper"
-      config:
-        "included.client.audience": "kubernetes"
-        "id.token.claim": "true"
-        "access.token.claim": "true"
-        "lightweight.claim": "false"
-        "introspection.token.claim": "true"
-
----
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: kubeapps-client
-type: Opaque
-stringData:
-  client-secret-key: {{ $kubeappsClient }}
-
----
-
 apiVersion: v1.edp.epam.com/v1
 kind: KeycloakClient
 metadata:
@@ -168,7 +151,7 @@ data:
         provider: "oidc"
         clientID: "kubeapps"
         clientSecret: {{ $kubeappsClient }}
-        cookieSecret: {{ randAlphaNum 16 | b64enc | quote }}
+        cookieSecret: {{ $cookieSecret }}
         extraFlags:
           - --ssl-insecure-skip-verify
           - --cookie-secure=false