Release 1.0

Attempt at supporting new image parameters

.vscode/settings.json

@@ -0,0 +1 @@
+{}

charts/console/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 type: application
 
 # This is the chart version.
-version: 0.6.0
+version: 1.0.0
 
 # This is the version number of the application being deployed.
-appVersion: "4.11.0" # https://access.redhat.com/support/policy/updates/openshift # paragraph "OpenShift Support Matrix"
+appVersion: "4.16.0" # https://access.redhat.com/support/policy/updates/openshift # paragraph "OpenShift Support Matrix"

charts/console/templates/_helpers.tpl

@@ -50,6 +50,34 @@ app.kubernetes.io/name: {{ include "openshift-console.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{- define "openshift-console.authnKey" -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace (include "openshift-console.fullname" . ) -}}
+{{- $authnKey := default (randAlphaNum 32 | b64enc) .Values.secrets.oidcCookiesEncryption.authnKey -}}
+{{- if $existing.data -}}
+  {{- if $existing.data.authnKey -}}
+    {{ " " $existing.data.authnKey }}
+  {{- else -}}
+    {{- $authnKey | indent 1 }}
+  {{- end }}
+{{- else -}}
+  {{- $authnKey | indent 1  }}
+{{- end }}
+{{- end }}
+
+{{- define "openshift-console.encryptKey" -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace (include "openshift-console.fullname" . ) -}}
+{{- $encryptKey := default (randAlphaNum 32 | b64enc) .Values.secrets.oidcCookiesEncryption.encryptKey -}}
+{{- if $existing.data -}}
+  {{- if $existing.data.encryptKey -}}
+    {{- $existing.data.encryptKey }}
+  {{- else -}}
+    {{- $encryptKey | indent 1 }}
+  {{- end }}
+{{- else -}}
+  {{- $encryptKey | indent 1 }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}

charts/console/templates/deployment.yaml

@@ -34,6 +34,13 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          volumeMounts:
+            - name: oidc-cookie-encryption
+              mountPath: /etc/bridge/oidc-authnKey
+              subPath: authnKey
+            - name: oidc-cookie-encryption
+              mountPath: /etc/bridge/oidc-encryptKey
+              subPath: encryptKey
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}
@@ -63,12 +70,18 @@ spec:
             - name: BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef: 
-                  name: {{ .Values.secret.secretName }}
+                  name: {{ .Values.secrets.idpSecret.secretName }}
                   key: clientSecret
             - name: BRIDGE_USER_AUTH_OIDC_ISSUER_URL
               value: {{ .Values.bridgeEnvironmentVariables.BRIDGE_USER_AUTH_OIDC_ISSUER_URL }}
             - name: BRIDGE_V
               value: {{ .Values.verbosity | quote }}
+            {{- if eq .Values.bridgeEnvironmentVariables.BRIDGE_USER_AUTH "oidc" }}
+            - name: BRIDGE_COOKIE_ENCRYPTION_KEY_FILE
+              value: "/etc/bridge/oidc-encryptKey"
+            - name: BRIDGE_COOKIE_AUTHENTICATION_KEY_FILE
+              value: "/etc/bridge/oidc-authnKey"
+            {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -81,3 +94,10 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if eq .Values.bridgeEnvironmentVariables.BRIDGE_USER_AUTH "oidc" }}
+      volumes:
+        - name: oidc-cookie-encryption
+          secret:
+            secretName: {{ .Values.secrets.oidcCookiesEncryption.secretName }}
+      {{- end }}
+

charts/console/templates/idp-secret.yaml

@@ -1,10 +1,11 @@
-{{- if .Values.secret.create -}}
+{{- if .Values.secrets.idpSecret.create -}}
+
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Values.secret.secretName }}
+  name: {{ .Values.secrets.idpSecret.secretName }}
   namespace: default
 type: Opaque
 data:
-  clientSecret: {{ .Values.secret.clientSecret }}
+  clientSecret: {{ .Values.secrets.idpSecret.clientSecret }}
 {{- end }}

charts/console/templates/oidc-cookies-encryption-secret.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.secrets.oidcCookiesEncryption.create -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secrets.oidcCookiesEncryption.secretName }}
+  namespace: default
+type: Opaque
+data:
+  authnKey: {{- include "openshift-console.authnKey" . }}
+  encryptKey: {{- include "openshift-console.encryptKey" . }}
+{{- end }}

charts/console/values.yaml

@@ -8,7 +8,7 @@ image:
   repository: quay.io/openshift/origin-console
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "4.11.0" # 4.11.0 introduces 'dark mode' by default.
+  tag: ""
 
 imagePullSecrets: []
 nameOverride: ""
@@ -36,10 +36,17 @@ securityContext: {}
   # runAsNonRoot: true
   # runAsUser: 1000
 
-secret:
-  secretName: idp-secret
-  create: true
-  clientSecret: 
+secrets:
+  idpSecret:
+    secretName: idp-secret
+    create: true
+    clientSecret:
+  oidcCookiesEncryption:
+    secretName: oidc-cookies-encryption
+    create: true
+    # base64 encoded string
+    # authnKey:
+    # encryptKey:
 oidcIdentityProvider: ""
 
 # only modify the string elements, not the claim keys
@@ -59,7 +66,7 @@ bridgeEnvironmentVariables:
   BRIDGE_BASE_ADDRESS: # "https://my-console.cluster.example.com"
   BRIDGE_USER_AUTH_OIDC_CLIENT_ID: # BRIDGE_USER_AUTH_OIDC_CLIENT_ID
   BRIDGE_USER_AUTH_OIDC_ISSUER_URL: # https://my-oidc-prodiver.okta.jumpcloud.example.com
-  # BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET defaults to consuming vaule from values.secret.secretName
+  # BRIDGE_USER_AUTH_OIDC_CLIENT_SECRET defaults to consuming vaule from values.secrets.idpSecret.secretName
 
 extraEnv: ""
   # - name: BRIDGE_INACTIVITY_TIMEOUT