From 3b0b0964279c3d2a43d38556518b8b425ff467fd Mon Sep 17 00:00:00 2001 From: Mark McWhirter <8041254+mcmarkj@users.noreply.github.com> Date: Tue, 24 Nov 2020 14:15:11 +0000 Subject: [PATCH] [traefik-forward-auth] Add cookie secret to values (#197) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: ᗪєνιη ᗷυнʟ --- charts/traefik-forward-auth/Chart.yaml | 2 +- charts/traefik-forward-auth/README.md | 1 + charts/traefik-forward-auth/templates/deployment.yaml | 7 +++++++ charts/traefik-forward-auth/templates/secret.yaml | 9 +++++++-- charts/traefik-forward-auth/values.yaml | 2 ++ 5 files changed, 18 insertions(+), 3 deletions(-) diff --git a/charts/traefik-forward-auth/Chart.yaml b/charts/traefik-forward-auth/Chart.yaml index 7274784b..0abd3e69 100644 --- a/charts/traefik-forward-auth/Chart.yaml +++ b/charts/traefik-forward-auth/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: traefik-forward-auth description: A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer type: application -version: 1.0.2 +version: 1.0.3 appVersion: 2.2.0 keywords: - traefik diff --git a/charts/traefik-forward-auth/README.md b/charts/traefik-forward-auth/README.md index dff29181..4cf33483 100644 --- a/charts/traefik-forward-auth/README.md +++ b/charts/traefik-forward-auth/README.md 
@@ -61,6 +61,7 @@ helm install traefik-forward-auth k8s-at-home/traefik-forward-auth --values valu | cookie.domain | string | `""` | Domain(s) to set auth cookie on. (Comma delimited) | | cookie.insecure | string | `""` | Use insecure cookies | | cookie.name | string | `""` | Cookie Name (default: _forward_auth) | +| cookie.secret | string| `""` | Cookie Secret - useful when running multiple instances | | default.action | string | `""` | [auth|allow] Default action (default: auth) | | default.provider | string | `""` | [google|oidc|generic-oauth] Default provider (default: google) | | env | list | `[]` | | diff --git a/charts/traefik-forward-auth/templates/deployment.yaml b/charts/traefik-forward-auth/templates/deployment.yaml index 7a34ac98..d3cf9566 100644 --- a/charts/traefik-forward-auth/templates/deployment.yaml +++ b/charts/traefik-forward-auth/templates/deployment.yaml @@ -95,6 +95,13 @@ spec: - name: URL_PATH value: {{ .Values.urlPath | quote }} {{- end }} + {{- if .Values.cookie.secret }} + - name: COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ $fullName }} + key: cookie-secret + {{- end }} {{- if ne .Values.secret "-" }} - name: SECRET {{- if .Values.secret }} diff --git a/charts/traefik-forward-auth/templates/secret.yaml b/charts/traefik-forward-auth/templates/secret.yaml index 04f9b9bd..72e7998f 100644 --- a/charts/traefik-forward-auth/templates/secret.yaml +++ b/charts/traefik-forward-auth/templates/secret.yaml @@ -1,4 +1,4 @@ -{{- if and (ne .Values.secret "-") (not .Values.secret) }} +{{- if or (and (ne .Values.secret "-") (not .Values.secret)) .Values.cookie.secret }} apiVersion: v1 kind: Secret metadata: 
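Review bot: When `cookie.secret` is set, the container can receive both `COOKIE_SECRET` (added here) and `SECRET` (the block that follows, emitted whenever `.Values.secret` is not `-`), and nothing in the chart says which of the two the application uses to sign cookies. If I recall upstream correctly, `COOKIE_SECRET` is a legacy alias for `SECRET`; please confirm against the options of appVersion 2.2.0, because in that case the existing `secret` value already covers the multi-instance use and a generated `SECRET` could differ between instances. If both stay, state the precedence in the README row and in a template comment above the new block. The env list starts and ends outside this hunk, so I could not check whether a change to the Secret restarts the pods; a value read through `secretKeyRef` is only picked up when the container is recreated.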
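Review bot: The new guard on the first line of secret.yaml is hard to read at a glance, and it has no comment explaining when the Secret is rendered. It now renders either when `secret` has to be generated or when `cookie.secret` is supplied, which includes the `secret: "-"` case where the object was not created before. A one-line template comment above it would help, for example `{{- /* Render when a signing secret must be generated or cookie.secret is supplied */ -}}`. The body of the Secret continues outside this hunk.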
@@ -7,5 +7,10 @@ metadata: {{- include "traefik-forward-auth.labels" . | nindent 4 }} type: Opaque data: + {{- if not .Values.secret }} secret: {{ randAlphaNum 16 | b64enc | quote }} - {{- end }} \ No newline at end of file + {{- end }} + {{- if .Values.cookie.secret }} + cookie-secret: {{ .Values.cookie.secret | b64enc | quote }} + {{- end }} + {{- end }} diff --git a/charts/traefik-forward-auth/values.yaml b/charts/traefik-forward-auth/values.yaml index e8ddd5a1..157ebefb 100644 --- a/charts/traefik-forward-auth/values.yaml +++ b/charts/traefik-forward-auth/values.yaml @@ -35,6 +35,8 @@ cookie: name: "" # cookie.csrfName -- CSRF Cookie Name (default: _forward_auth_csrf) csrfName: "" + # cookie.secret -- Cookie Secret used for authentication across multiple instances / clusters (default: randomly generated) + secret: "" default: # default.action -- [auth|allow] Default action (default: auth) action: ""
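Review bot: `cookie-secret` is taken verbatim from `.Values.cookie.secret`, so the cookie signing key has to sit in a values file or a `--set` argument and is kept with the Helm release data; the chart gives no way to reference a Secret created out of band. Consider an optional value naming a pre-created Secret for the `secretKeyRef` in deployment.yaml, so the key never passes through values. Nothing checks the supplied value either, whereas the generated `secret` is always 16 characters; a guard such as `{{- if lt (len .Values.cookie.secret) 16 }}{{ fail "cookie.secret must be at least 16 characters" }}{{- end }}` would reject a trivially short key at render time (the threshold is a suggestion, pick what the application requires).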
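Review bot: The values.yaml comment on `cookie.secret` says `(default: randomly generated)`, but the templates in this patch render neither `COOKIE_SECRET` nor a `cookie-secret` key when the value is empty; the only generated key is `secret` (`randAlphaNum 16`). Unless the application itself generates one, which is not visible here, the comment should say what happens, e.g. `# cookie.secret -- Cookie signing secret shared by all instances; when empty, COOKIE_SECRET is not set`. It also differs from the README row added in the same commit ("useful when running multiple instances"), so the two descriptions should be brought into line.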