chore(base-cluster/monitoring): fix oidc configuration

feat(base-cluster/oauth-proxy): roll pods on secret change fix(base-cluster/oauth-proxy): set missing default '*' for emailDomains
teutonet · Nov 23, 2023 · e0418da · e0418da
1 parent 5fac149
commit e0418da
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/_helpers.yaml
@@ -44,7 +44,7 @@ privileged: false
   {{- if not $ingress -}}
     {{- $ingress = include (printf "base-cluster.%s.ingress" .name) .context | fromYaml -}}
   {{- end -}}
-  {{- and (empty .Values.global.authentication.config.clientId) $ingress.enabled | ternary true "" -}}
+  {{- and (empty .Values.global.authentication.config.clientId) (dig "enabled" false $ingress) | ternary true "" -}}
 {{- end -}}
 
 {{- define "base-cluster.monitoring.authenticated-ingress.enabled" -}}
@@ -53,5 +53,5 @@ privileged: false
   {{- if not $ingress -}}
     {{- $ingress = include (printf "base-cluster.%s.ingress" .name) .context | fromYaml -}}
   {{- end -}}
-  {{- and .Values.global.authentication.config.clientId (dig "enabled" true $ingress) | ternary true "" -}}
+  {{- and (not (empty .Values.global.authentication.config.clientId)) (dig "enabled" true $ingress) | ternary true "" -}}
 {{- end -}}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml
@@ -11,7 +11,7 @@ metadata:
 type: Opaque
 data:
   # This might change on every `template` call, this can be ignored
-  cookie-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookie-secret" "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }}
+  cookie-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $name "key" "cookie-secret" "length" 32 "strong" true "providedValues" (list "global.authentication.oauthProxy.cookieSecret") "context" (dict "Values" .Values "Release" ((dict "IsUpgrade" false "IsInstall" true "Namespace" "monitoring") | mergeOverwrite (deepCopy .Release)))) }}
   client-id: {{ $.Values.global.authentication.config.clientId | b64enc | quote }}
   client-secret: {{ $.Values.global.authentication.config.clientSecret | b64enc | quote }}
 {{- end }}
diff --git a/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml b/charts/base-cluster/templates/monitoring/kube-prometheus-stack/oauth-proxy.yaml
@@ -55,8 +55,13 @@ spec:
         skip_provider_button = true
         {{- if $.Values.global.authentication.oauthProxy.emailDomains }}
         email_domains = [ "{{ $.Values.global.authentication.oauthProxy.emailDomains | join "\", \"" }}" ]
+        {{- else }}
+        email_domains = "*"
         {{- end }}
         upstreams = [ {{ printf "http://%s:%d" $targetServiceName $port | quote }} ]
+    podAnnotations:
+      # This might change on every `template` call, this can be ignored
+      checksum/secret: {{ include "common.utils.checksumTemplate" (dict "path" "/monitoring/kube-prometheus-stack/oauth-proxy-secret.yaml" "context" $) }}
 {{- if eq (include "common.networkPolicy.type" $) "cilium" }}
 ---
 apiVersion: cilium.io/v2