From 5927f5deead3368851bed191d3b3faa3b66b0e8b Mon Sep 17 00:00:00 2001
From: Peter Sutter
Date: Mon, 22 Apr 2024 16:44:38 +0200
Subject: [PATCH] Make OIDC clientSecret optional

---
 backend/__fixtures__/config.js | 1 -
 backend/lib/config/gardener.js | 1 -
 charts/__fixtures__/gardener-dashboard.js | 1 -
 .../__snapshots__/deployment.spec.js.snap | 130 ++++++++++++++----
 .../__snapshots__/secrets.spec.js.snap | 8 +-
 .../runtime/dashboard/deployment.spec.js | 36 ++++-
 .../runtime/dashboard/secrets.spec.js | 16 +++
 .../templates/dashboard/deployment.yaml | 2 +
 .../templates/dashboard/secret-oidc.yaml | 2 +
 9 files changed, 162 insertions(+), 35 deletions(-)

diff --git a/backend/__fixtures__/config.js b/backend/__fixtures__/config.js
index 2a7606e604..c93f9af93e 100644
--- a/backend/__fixtures__/config.js
+++ b/backend/__fixtures__/config.js
@@ -38,7 +38,6 @@ const defaultConfig = {
 rejectUnauthorized: true,
 ca,
 client_id: 'dashboard',
- client_secret: toHex('dashboard-secret'),
 redirect_uris: [
 'http://localhost:8080/auth/callback'
 ],
diff --git a/backend/lib/config/gardener.js b/backend/lib/config/gardener.js
index f86d7ea545..806300b392 100644
--- a/backend/lib/config/gardener.js
+++ b/backend/lib/config/gardener.js
@@ -111,7 +111,6 @@ module.exports = {
 requiredConfigurationProperties.push(
 'oidc.issuer',
 'oidc.client_id',
- 'oidc.client_secret',
 'oidc.redirect_uris'
 )
 }
diff --git a/charts/__fixtures__/gardener-dashboard.js b/charts/__fixtures__/gardener-dashboard.js
index 1d2cd253e7..88a33291e0 100644
--- a/charts/__fixtures__/gardener-dashboard.js
+++ b/charts/__fixtures__/gardener-dashboard.js
@@ -42,7 +42,6 @@ const defaults = {
 oidc: {
 issuerUrl: 'https://identity.garden.example.org',
 clientId: 'dashboard',
- clientSecret: 'dashboardSecret',
 ca: getCertificate('...')
 },
 frontendConfig: {
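Review bot: Dropping `'oidc.client_secret'` from `requiredConfigurationProperties` in backend/lib/config/gardener.js lets the backend start with an OIDC client that has no credential, but nothing else in this patch touches how the OIDC client is constructed, so I cannot tell from the diff whether a missing secret is handled as a public client (token endpoint auth method `none`, with PKCE) or whether the failure merely moves from startup validation to the first token exchange. If the client code already falls back correctly, a comment next to the remaining required entries would make that explicit, e.g. `// oidc.client_secret is intentionally optional; see the OIDC client setup for the public-client fallback`, and the commit message could say the same since the subject line alone does not explain the intent. The matching fixture change in backend/__fixtures__/config.js means the backend tests now exercise only the no-secret path by default, so a test that still covers the confidential-client configuration is worth keeping. The enclosing function in gardener.js starts and ends outside the hunk.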
diff --git a/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/deployment.spec.js.snap b/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/deployment.spec.js.snap index b7f3374a6b..b7a64d4b9a 100644 --- a/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/deployment.spec.js.snap +++ b/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/deployment.spec.js.snap @@ -20,15 +20,6 @@ Array [ }, }, }, - Object { - "name": "OIDC_CLIENT_SECRET", - "valueFrom": Object { - "secretKeyRef": Object { - "key": "client_secret", - "name": "gardener-dashboard-oidc", - }, - }, - }, Object { "name": "GITHUB_AUTHENTICATION_APP_ID", "valueFrom": Object { 
@@ -179,6 +170,109 @@ Array [ ] `; +exports[`gardener-dashboard deployment should render the template w/ \`client_secret\` 1`] = ` +Array [ + Object { + "name": "SESSION_SECRET", + "valueFrom": Object { + "secretKeyRef": Object { + "key": "keyValue", + "name": "gardener-dashboard-sessionsecret", + }, + }, + }, + Object { + "name": "OIDC_CLIENT_ID", + "valueFrom": Object { + "secretKeyRef": Object { + "key": "client_id", + "name": "gardener-dashboard-oidc", + }, + }, + }, + Object { + "name": "OIDC_CLIENT_SECRET", + "valueFrom": Object { + "secretKeyRef": Object { + "key": "client_secret", + "name": "gardener-dashboard-oidc", + }, + }, + }, + Object { + "name": "GARDENER_CONFIG", + "value": "/etc/gardener-dashboard/config.yaml", + }, + Object { + "name": "METRICS_PORT", + "value": "9050", + }, + Object { + "name": "POD_NAME", + "valueFrom": Object { + "fieldRef": Object { + "fieldPath": "metadata.name", + }, + }, + }, + Object { + "name": "POD_NAMESPACE", + "valueFrom": Object { + "fieldRef": Object { + "fieldPath": "metadata.namespace", + }, + }, + }, +] +`; + +exports[`gardener-dashboard deployment should render the template w/o \`client_secret\` 1`] = ` +Array [ + Object { + "name": "SESSION_SECRET", + "valueFrom": Object { + "secretKeyRef": Object { + "key": "keyValue", + "name": "gardener-dashboard-sessionsecret", + }, + }, + }, + Object { + "name": "OIDC_CLIENT_ID", + "valueFrom": Object { + "secretKeyRef": Object { + "key": "client_id", + "name": "gardener-dashboard-oidc", + }, + }, + }, + Object { + "name": "GARDENER_CONFIG", + "value": "/etc/gardener-dashboard/config.yaml", + }, + Object { + "name": "METRICS_PORT", + "value": "9050", + }, + Object { + "name": "POD_NAME", + "valueFrom": Object { + "fieldRef": Object { + "fieldPath": "metadata.name", + }, + }, + }, + Object { + "name": "POD_NAMESPACE", + "valueFrom": Object { + "fieldRef": Object { + "fieldPath": "metadata.namespace", + }, + }, + }, +] +`; + exports[`gardener-dashboard deployment should 
render the template with default values 1`] = ` Object { "apiVersion": "apps/v1", @@ -247,15 +341,6 @@ Object { }, }, }, - Object { - "name": "OIDC_CLIENT_SECRET", - "valueFrom": Object { - "secretKeyRef": Object { - "key": "client_secret", - "name": "gardener-dashboard-oidc", - }, - }, - }, Object { "name": "GARDENER_CONFIG", "value": "/etc/gardener-dashboard/config.yaml", @@ -420,15 +505,6 @@ Array [ }, }, }, - Object { - "name": "OIDC_CLIENT_SECRET", - "valueFrom": Object { - "secretKeyRef": Object { - "key": "client_secret", - "name": "gardener-dashboard-oidc", - }, - }, - }, Object { "name": "GITHUB_AUTHENTICATION_TOKEN", "valueFrom": Object { diff --git a/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/secrets.spec.js.snap b/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/secrets.spec.js.snap index 9a5e7d9d59..1e1d0f1a10 100644 --- a/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/secrets.spec.js.snap +++ b/charts/__tests__/gardener-dashboard/runtime/dashboard/__snapshots__/secrets.spec.js.snap @@ -61,7 +61,6 @@ Object { "apiVersion": "v1", "data": Object { "client_id": "ZGFzaGJvYXJk", - "client_secret": "ZGFzaGJvYXJkU2VjcmV0", }, "kind": "Secret", "metadata": Object { @@ -79,6 +78,13 @@ Object { } `; +exports[`gardener-dashboard secret-oidc should render the template w/ \`client_secret\` 1`] = ` +Object { + "client_id": "ZGFzaGJvYXJk", + "client_secret": "ZGFzaGJvYXJkU2VjcmV0", +} +`; + exports[`gardener-dashboard secret-sessionSecret should render the template with default values 1`] = ` Object { "apiVersion": "v1", diff --git a/charts/__tests__/gardener-dashboard/runtime/dashboard/deployment.spec.js b/charts/__tests__/gardener-dashboard/runtime/dashboard/deployment.spec.js index 799048d466..f80c51a7cc 100644 --- a/charts/__tests__/gardener-dashboard/runtime/dashboard/deployment.spec.js +++ b/charts/__tests__/gardener-dashboard/runtime/dashboard/deployment.spec.js 
@@ -40,6 +40,34 @@ describe('gardener-dashboard', function () {
 })
 })
 
+ it('should render the template w/ `client_secret`', async function () {
+ const values = {
+ global: {
+ dashboard: {
+ oidc: {
+ clientSecret: 'client-secret'
+ }
+ }
+ }
+ }
+ const documents = await renderTemplates(templates, values)
+ expect(documents).toHaveLength(1)
+ const [deployment] = documents
+ const dashboardContainer = deployment.spec.template.spec.containers[0]
+ expect(dashboardContainer.name).toEqual('gardener-dashboard')
+ expect(dashboardContainer.env).toMatchSnapshot()
+ })
+
+ it('should render the template w/o `client_secret`', async function () {
+ const values = {}
+ const documents = await renderTemplates(templates, values)
+ expect(documents).toHaveLength(1)
+ const [deployment] = documents
+ const dashboardContainer = deployment.spec.template.spec.containers[0]
+ expect(dashboardContainer.name).toEqual('gardener-dashboard')
+ expect(dashboardContainer.env).toMatchSnapshot()
+ })
+
 it('should render the template with a sha256 tag', async function () {
 const tag = 'sha256:4d529c1'
 const values = {
@@ -184,8 +212,8 @@ describe('gardener-dashboard', function () {
 expect(container.volumeMounts).toHaveLength(4)
 const [, , , kubeconfigVolumeMount] = container.volumeMounts
 expect(kubeconfigVolumeMount).toMatchSnapshot()
- expect(container.env).toHaveLength(8)
- const [, , , , kubeconfigEnv] = container.env
+ expect(container.env).toHaveLength(7)
+ const [, , , kubeconfigEnv] = container.env
 expect(kubeconfigEnv).toMatchSnapshot()
 })
 })
@@ -292,8 +320,8 @@ describe('gardener-dashboard', function () {
 expect(container.volumeMounts).toHaveLength(4)
 const [, , , kubeconfigVolumeMount] = container.volumeMounts
 expect(kubeconfigVolumeMount).toMatchSnapshot()
- expect(container.env).toHaveLength(8)
- const [, , , , kubeconfigEnv] = container.env
+ expect(container.env).toHaveLength(7)
+ const [, , , kubeconfigEnv] = container.env
 expect(kubeconfigEnv).toMatchSnapshot()
 })
 })
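Review bot: Both new tests pin the rendered env list only through `toMatchSnapshot()`, so a regression that renders `OIDC_CLIENT_SECRET` unconditionally again would show up as a snapshot diff that can be accepted with a snapshot update rather than as a failure of a named expectation. I'd add one explicit assertion to each: `expect(dashboardContainer.env.map(({ name }) => name)).toContain('OIDC_CLIENT_SECRET')` in the w/ test and `expect(dashboardContainer.env.map(({ name }) => name)).not.toContain('OIDC_CLIENT_SECRET')` in the w/o test. The w/o test also relies on the default fixture no longer carrying `clientSecret`, which `const values = {}` does not make obvious to a reader; a comment such as `// defaults carry no clientSecret, see charts/__fixtures__/gardener-dashboard.js` would document that dependency.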
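Review bot: `const [, , , kubeconfigEnv] = container.env` in the hunk at -184,8 (and identically at -292,8) still picks the kubeconfig env entry by position, and this patch shows why that is brittle: making one env entry optional shifted every later index and the expected length from 8 to 7, and the deployment.yaml hunk shows `OIDC_CA` is conditional as well, so the index will move again whenever such an entry is toggled. Selecting by name, e.g. `const kubeconfigEnv = container.env.find(({ name }) => name === KUBECONFIG_ENV_NAME)` with `KUBECONFIG_ENV_NAME` replaced by the env variable name from the template, keeps these two tests independent of which optional entries precede it; the length assertion can then be dropped or kept deliberately. Both enclosing `it` blocks start outside their hunks.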
diff --git a/charts/__tests__/gardener-dashboard/runtime/dashboard/secrets.spec.js b/charts/__tests__/gardener-dashboard/runtime/dashboard/secrets.spec.js
index 53b64f21c4..25f2f777db 100644
--- a/charts/__tests__/gardener-dashboard/runtime/dashboard/secrets.spec.js
+++ b/charts/__tests__/gardener-dashboard/runtime/dashboard/secrets.spec.js
@@ -122,6 +122,22 @@ describe('gardener-dashboard', function () {
 const [oidcSecret] = documents
 expect(oidcSecret).toMatchSnapshot()
 })
+
+ it('should render the template w/ `client_secret`', async function () {
+ const values = {
+ global: {
+ dashboard: {
+ oidc: {
+ clientSecret: 'dashboardSecret'
+ }
+ }
+ }
+ }
+ const documents = await renderTemplates(templates, values)
+ expect(documents).toHaveLength(1)
+ const [oidcSecret] = documents
+ expect(oidcSecret.data).toMatchSnapshot()
+ })
 })
 
 describe('secret-sessionSecret', function () {
diff --git a/charts/gardener-dashboard/charts/runtime/templates/dashboard/deployment.yaml b/charts/gardener-dashboard/charts/runtime/templates/dashboard/deployment.yaml
index 20e0a7bfb6..51c1c45c6b 100644
--- a/charts/gardener-dashboard/charts/runtime/templates/dashboard/deployment.yaml
+++ b/charts/gardener-dashboard/charts/runtime/templates/dashboard/deployment.yaml
@@ -170,11 +170,13 @@ spec:
 secretKeyRef:
 name: gardener-dashboard-oidc
 key: client_id
+ {{- if .Values.global.dashboard.oidc.clientSecret }}
 - name: OIDC_CLIENT_SECRET
 valueFrom:
 secretKeyRef:
 name: gardener-dashboard-oidc
 key: client_secret
+ {{- end }}
 {{- if .Values.global.dashboard.oidc.caSecretKeyRef }}
 - name: OIDC_CA
 valueFrom:
diff --git a/charts/gardener-dashboard/charts/runtime/templates/dashboard/secret-oidc.yaml b/charts/gardener-dashboard/charts/runtime/templates/dashboard/secret-oidc.yaml
index f86f5e57f2..450aa3f8bf 100644
--- a/charts/gardener-dashboard/charts/runtime/templates/dashboard/secret-oidc.yaml
+++ b/charts/gardener-dashboard/charts/runtime/templates/dashboard/secret-oidc.yaml
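Review bot: The new test checks `oidcSecret.data` only via `toMatchSnapshot()`, so the property it exists to prove is not stated anywhere in the test itself; `expect(Object.keys(oidcSecret.data)).toEqual(['client_id', 'client_secret'])` would pin it directly. Unlike deployment.spec.js, no w/o `client_secret` test was added here, and the default-values `it` ending just above now covers that case only implicitly because the fixture lost `clientSecret` in this patch; an explicit `expect(oidcSecret.data).not.toHaveProperty('client_secret')` there, or a dedicated w/o test, would keep the Secret-level contract visible. The enclosing `describe` starts outside the hunk.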
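Review bot: The `{{- if .Values.global.dashboard.oidc.clientSecret }}` guard around the `OIDC_CLIENT_SECRET` env entry duplicates the condition this patch adds to secret-oidc.yaml, and the two must stay in sync: the `secretKeyRef` has no `optional: true`, so if the Secret template ever stops writing `client_secret` while this entry is still rendered, the container fails at creation time with a missing-key error. A comment above the guard naming the counterpart, e.g. `{{- /* keep in sync with secret-oidc.yaml, which only writes client_secret when clientSecret is set */ }}`, or a single named template that both files call for the condition, would make the coupling visible to the next editor. The container spec continues outside the hunk on both sides.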
@@ -14,6 +14,8 @@ metadata:
 type: Opaque
 data:
 client_id: {{ required ".Values.global.dashboard.oidc.clientId is required" (b64enc .Values.global.dashboard.oidc.clientId) }}
+ {{- if .Values.global.dashboard.oidc.clientSecret }}
 client_secret: {{ required ".Values.global.dashboard.oidc.clientSecret is required" (b64enc .Values.global.dashboard.oidc.clientSecret) }}
+ {{- end }}
 {{- end }}
 {{- end }}
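Review bot: Inside the new `{{- if .Values.global.dashboard.oidc.clientSecret }}` block the `required ".Values.global.dashboard.oidc.clientSecret is required"` wrapper can no longer fire, because the guard already skips the line whenever the value is unset or empty, so the error message now documents a constraint that this patch removes. The line can be simplified to `client_secret: {{ b64enc .Values.global.dashboard.oidc.clientSecret }}` inside the guard. Since Helm's `if` treats an empty string the same as an absent value, a one-line comment above the guard saying that an empty `clientSecret` is deliberately rendered as "no secret" would help operators reading the chart. The enclosing `{{- if` blocks closed by the two trailing `{{- end }}` lines start outside the hunk.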