Make OIDC clientSecret optional

gardener · Apr 22, 2024 · 5927f5d · 5927f5d
1 parent df00b67
commit 5927f5d
Show file tree

Hide file tree

Showing 9 changed files with 162 additions and 35 deletions.
diff --git a/backend/__fixtures__/config.js b/backend/__fixtures__/config.js
@@ -38,7 +38,6 @@ const defaultConfig = {
     rejectUnauthorized: true,
     ca,
     client_id: 'dashboard',
-    client_secret: toHex('dashboard-secret'),
     redirect_uris: [
       'http://localhost:8080/auth/callback'
     ],

diff --git a/backend/lib/config/gardener.js b/backend/lib/config/gardener.js
@@ -111,7 +111,6 @@ module.exports = {
       requiredConfigurationProperties.push(
         'oidc.issuer',
         'oidc.client_id',
-        'oidc.client_secret',
         'oidc.redirect_uris'
       )
     }

diff --git a/charts/__fixtures__/gardener-dashboard.js b/charts/__fixtures__/gardener-dashboard.js
@@ -42,7 +42,6 @@ const defaults = {
       oidc: {
         issuerUrl: 'https://identity.garden.example.org',
         clientId: 'dashboard',
-        clientSecret: 'dashboardSecret',
         ca: getCertificate('...')
       },
       frontendConfig: {

diff --git a/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/deployment.spec.js.snap b/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/deployment.spec.js.snap
@@ -20,15 +20,6 @@ Array [
       },
     },
   },
-  Object {
-    "name": "OIDC_CLIENT_SECRET",
-    "valueFrom": Object {
-      "secretKeyRef": Object {
-        "key": "client_secret",
-        "name": "gardener-dashboard-oidc",
-      },
-    },
-  },
   Object {
     "name": "GITHUB_AUTHENTICATION_APP_ID",
     "valueFrom": Object {
@@ -179,6 +170,109 @@ Array [
 ]
 `;
 
+exports[`gardener-dashboard deployment should render the template w/ \`client_secret\` 1`] = `
+Array [
+  Object {
+    "name": "SESSION_SECRET",
+    "valueFrom": Object {
+      "secretKeyRef": Object {
+        "key": "keyValue",
+        "name": "gardener-dashboard-sessionsecret",
+      },
+    },
+  },
+  Object {
+    "name": "OIDC_CLIENT_ID",
+    "valueFrom": Object {
+      "secretKeyRef": Object {
+        "key": "client_id",
+        "name": "gardener-dashboard-oidc",
+      },
+    },
+  },
+  Object {
+    "name": "OIDC_CLIENT_SECRET",
+    "valueFrom": Object {
+      "secretKeyRef": Object {
+        "key": "client_secret",
+        "name": "gardener-dashboard-oidc",
+      },
+    },
+  },
+  Object {
+    "name": "GARDENER_CONFIG",
+    "value": "/etc/gardener-dashboard/config.yaml",
+  },
+  Object {
+    "name": "METRICS_PORT",
+    "value": "9050",
+  },
+  Object {
+    "name": "POD_NAME",
+    "valueFrom": Object {
+      "fieldRef": Object {
+        "fieldPath": "metadata.name",
+      },
+    },
+  },
+  Object {
+    "name": "POD_NAMESPACE",
+    "valueFrom": Object {
+      "fieldRef": Object {
+        "fieldPath": "metadata.namespace",
+      },
+    },
+  },
+]
+`;
+
+exports[`gardener-dashboard deployment should render the template w/o \`client_secret\` 1`] = `
+Array [
+  Object {
+    "name": "SESSION_SECRET",
+    "valueFrom": Object {
+      "secretKeyRef": Object {
+        "key": "keyValue",
+        "name": "gardener-dashboard-sessionsecret",
+      },
+    },
+  },
+  Object {
+    "name": "OIDC_CLIENT_ID",
+    "valueFrom": Object {
+      "secretKeyRef": Object {
+        "key": "client_id",
+        "name": "gardener-dashboard-oidc",
+      },
+    },
+  },
+  Object {
+    "name": "GARDENER_CONFIG",
+    "value": "/etc/gardener-dashboard/config.yaml",
+  },
+  Object {
+    "name": "METRICS_PORT",
+    "value": "9050",
+  },
+  Object {
+    "name": "POD_NAME",
+    "valueFrom": Object {
+      "fieldRef": Object {
+        "fieldPath": "metadata.name",
+      },
+    },
+  },
+  Object {
+    "name": "POD_NAMESPACE",
+    "valueFrom": Object {
+      "fieldRef": Object {
+        "fieldPath": "metadata.namespace",
+      },
+    },
+  },
+]
+`;
+
 exports[`gardener-dashboard deployment should render the template with default values 1`] = `
 Object {
   "apiVersion": "apps/v1",
@@ -247,15 +341,6 @@ Object {
                   },
                 },
               },
-              Object {
-                "name": "OIDC_CLIENT_SECRET",
-                "valueFrom": Object {
-                  "secretKeyRef": Object {
-                    "key": "client_secret",
-                    "name": "gardener-dashboard-oidc",
-                  },
-                },
-              },
               Object {
                 "name": "GARDENER_CONFIG",
                 "value": "/etc/gardener-dashboard/config.yaml",
@@ -420,15 +505,6 @@ Array [
       },
     },
   },
-  Object {
-    "name": "OIDC_CLIENT_SECRET",
-    "valueFrom": Object {
-      "secretKeyRef": Object {
-        "key": "client_secret",
-        "name": "gardener-dashboard-oidc",
-      },
-    },
-  },
   Object {
     "name": "GITHUB_AUTHENTICATION_TOKEN",
     "valueFrom": Object {

diff --git a/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/secrets.spec.js.snap b/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/secrets.spec.js.snap
@@ -61,7 +61,6 @@ Object {
   "apiVersion": "v1",
   "data": Object {
     "client_id": "ZGFzaGJvYXJk",
-    "client_secret": "ZGFzaGJvYXJkU2VjcmV0",
   },
   "kind": "Secret",
   "metadata": Object {
@@ -79,6 +78,13 @@ Object {
 }
 `;
 
+exports[`gardener-dashboard secret-oidc should render the template w/ \`client_secret\` 1`] = `
+Object {
+  "client_id": "ZGFzaGJvYXJk",
+  "client_secret": "ZGFzaGJvYXJkU2VjcmV0",
+}
+`;
+
 exports[`gardener-dashboard secret-sessionSecret should render the template with default values 1`] = `
 Object {
   "apiVersion": "v1",

diff --git a/charts/__tests__/gardener-dashboard/runtime/dashboard/deployment.spec.js b/charts/__tests__/gardener-dashboard/runtime/dashboard/deployment.spec.js
@@ -40,6 +40,34 @@ describe('gardener-dashboard', function () {
       })
     })
 
+    it('should render the template w/ `client_secret`', async function () {
+      const values = {
+        global: {
+          dashboard: {
+            oidc: {
+              clientSecret: 'client-secret'
+            }
+          }
+        }
+      }
+      const documents = await renderTemplates(templates, values)
+      expect(documents).toHaveLength(1)
+      const [deployment] = documents
+      const dashboardContainer = deployment.spec.template.spec.containers[0]
+      expect(dashboardContainer.name).toEqual('gardener-dashboard')
+      expect(dashboardContainer.env).toMatchSnapshot()
+    })
+
+    it('should render the template w/o `client_secret`', async function () {
+      const values = {}
+      const documents = await renderTemplates(templates, values)
+      expect(documents).toHaveLength(1)
+      const [deployment] = documents
+      const dashboardContainer = deployment.spec.template.spec.containers[0]
+      expect(dashboardContainer.name).toEqual('gardener-dashboard')
+      expect(dashboardContainer.env).toMatchSnapshot()
+    })
+
     it('should render the template with a sha256 tag', async function () {
       const tag = 'sha256:4d529c1'
       const values = {
@@ -184,8 +212,8 @@ describe('gardener-dashboard', function () {
         expect(container.volumeMounts).toHaveLength(4)
         const [, , , kubeconfigVolumeMount] = container.volumeMounts
         expect(kubeconfigVolumeMount).toMatchSnapshot()
-        expect(container.env).toHaveLength(8)
-        const [, , , , kubeconfigEnv] = container.env
+        expect(container.env).toHaveLength(7)
+        const [, , , kubeconfigEnv] = container.env
         expect(kubeconfigEnv).toMatchSnapshot()
       })
     })
@@ -292,8 +320,8 @@ describe('gardener-dashboard', function () {
         expect(container.volumeMounts).toHaveLength(4)
         const [, , , kubeconfigVolumeMount] = container.volumeMounts
         expect(kubeconfigVolumeMount).toMatchSnapshot()
-        expect(container.env).toHaveLength(8)
-        const [, , , , kubeconfigEnv] = container.env
+        expect(container.env).toHaveLength(7)
+        const [, , , kubeconfigEnv] = container.env
         expect(kubeconfigEnv).toMatchSnapshot()
       })
     })

diff --git a/charts/__tests__/gardener-dashboard/runtime/dashboard/secrets.spec.js b/charts/__tests__/gardener-dashboard/runtime/dashboard/secrets.spec.js
@@ -122,6 +122,22 @@ describe('gardener-dashboard', function () {
       const [oidcSecret] = documents
       expect(oidcSecret).toMatchSnapshot()
     })
+
+    it('should render the template w/ `client_secret`', async function () {
+      const values = {
+        global: {
+          dashboard: {
+            oidc: {
+              clientSecret: 'dashboardSecret'
+            }
+          }
+        }
+      }
+      const documents = await renderTemplates(templates, values)
+      expect(documents).toHaveLength(1)
+      const [oidcSecret] = documents
+      expect(oidcSecret.data).toMatchSnapshot()
+    })
   })
 
   describe('secret-sessionSecret', function () {

diff --git a/charts/gardener-dashboard/charts/runtime/templates/dashboard/deployment.yaml b/charts/gardener-dashboard/charts/runtime/templates/dashboard/deployment.yaml
@@ -170,11 +170,13 @@ spec:
               secretKeyRef:
                 name: gardener-dashboard-oidc
                 key: client_id
+          {{- if .Values.global.dashboard.oidc.clientSecret }}
           - name: OIDC_CLIENT_SECRET
             valueFrom:
               secretKeyRef:
                 name: gardener-dashboard-oidc
                 key: client_secret
+          {{- end }}
           {{- if .Values.global.dashboard.oidc.caSecretKeyRef }}
           - name: OIDC_CA
             valueFrom:

diff --git a/charts/gardener-dashboard/charts/runtime/templates/dashboard/secret-oidc.yaml b/charts/gardener-dashboard/charts/runtime/templates/dashboard/secret-oidc.yaml
@@ -14,6 +14,8 @@ metadata:
 type: Opaque
 data:
   client_id: {{ required ".Values.global.dashboard.oidc.clientId is required" (b64enc .Values.global.dashboard.oidc.clientId) }}
+  {{- if .Values.global.dashboard.oidc.clientSecret }}
   client_secret: {{ required ".Values.global.dashboard.oidc.clientSecret is required" (b64enc .Values.global.dashboard.oidc.clientSecret) }}
+  {{- end }}
 {{- end }}
 {{- end }}