Merge pull request #72 from opf/feature/oidc-existing-secret

Add existing secret for OIDC
opf · Jan 10, 2024 · 55fc0c0 · 55fc0c0
2 parents 3bb8f19 + 1f2594c
commit 55fc0c0
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 3 deletions.
diff --git a/.changeset/dull-brooms-wash.md b/.changeset/dull-brooms-wash.md
@@ -0,0 +1,5 @@
+---
+"@openproject/helm-charts": minor
+---
+
+Add existingSecret for OIDC
diff --git a/charts/openproject/templates/secret_oidc.yaml b/charts/openproject/templates/secret_oidc.yaml
@@ -12,7 +12,11 @@ stringData:
   {{ $oidc_prefix }}_DISPLAY__NAME: {{ .Values.openproject.oidc.displayName | quote }}
   {{ $oidc_prefix }}_HOST: {{ .Values.openproject.oidc.host | quote }}
   {{ $oidc_prefix }}_IDENTIFIER: {{ .Values.openproject.oidc.identifier | quote }}
-  {{ $oidc_prefix }}_SECRET: {{ .Values.openproject.oidc.secret | quote }}
+  {{/* Fall back to '_' as secret name if the name is not given. This way `lookup` will return null (since secrets with this name will and cannot exist) which it doesn't with an empty string. */}}
+  {{ $secret := (lookup "v1" "Secret" .Release.Namespace (default "_" .Values.openproject.oidc.existingSecret)) | default (dict "data" dict) -}}
+  {{ $oidc_prefix }}_SECRET: {{ 
+    default .Values.openproject.oidc.secret (get $secret.data .Values.openproject.oidc.secretKeys.secret | b64dec) | quote
+  }}
   {{ $oidc_prefix }}_AUTHORIZATION__ENDPOINT: {{ .Values.openproject.oidc.authorizationEndpoint | quote }}
   {{ $oidc_prefix }}_TOKEN__ENDPOINT: {{ .Values.openproject.oidc.tokenEndpoint | quote }}
   {{ $oidc_prefix }}_USERINFO__ENDPOINT: {{ .Values.openproject.oidc.userinfoEndpoint | quote }}

diff --git a/charts/openproject/values.yaml b/charts/openproject/values.yaml
@@ -284,9 +284,20 @@ openproject:
     userinfoEndpoint: ""
     endSessionEndpoint: ""
     scope: "[openid]"
+
     # Optional attribute mappings from the id token
     attribute_map: {}
 
+
+    ## To avoid having sensitive credentials in your values.yaml, the preferred way is to
+    ## use an existing secret containing the OIDC compatible access credentials.
+    ## Specify the name of this existing secret here.
+    existingSecret:
+
+    ## In case your secret does not use the default keys in the secret, you can adjust them here.
+    secretKeys:
+      secret: "oidcSecret"
+
   ## Modify PostgreSQL statement timout.
   ## Increase in case you get errors such as "ERROR: canceling statement due to statement timeout".
   ##
@@ -349,9 +360,8 @@ s3:
     secretAccessKey:
 
     ## To avoid having sensitive credentials in your values.yaml, the preferred way is to
-    ## use an existing secret containing the PostgreSQL credentials.
+    ## use an existing secret containing the S3 compatible access credentials.
     ## Specify the name of this existing secret here.
-    #
     existingSecret:
 
     ## In case your secret does not use the default keys in the secret, you can adjust them here.