It did not make too much sense for the chart to create a random clien…

…tSecret since this should be provided by the auth server in use. so this changes make it so that when a clientSecret is not provided the chart installation will fail Signed-off-by: Alfredo Gutierrez <[email protected]>
hashgraph · Apr 3, 2024 · 7219ea2 · 7219ea2
1 parent f58e47d
commit 7219ea2
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 20 deletions.
diff --git a/charts/auth-layer-proxy/README.md b/charts/auth-layer-proxy/README.md
@@ -15,7 +15,7 @@ Is based on the project [auth-layer-proxy](link) and is a proxy that adds authen
 To install the Authentication Layer Proxy, run the following commands:
 
 ```bash
-helm install htg-auth-proxy .
+helm install htg-auth-proxy . --set configSecrets.clientSecret="<your-client-secret>"
 ```
 
 
@@ -43,13 +43,31 @@ The following table lists the configurable parameters of the chart and their def
 | `configEnv.CLIENT_ID` | OAuth Client ID, provided by the auth server | `htg-auth-layer` |
 | `configEnv.TOKEN_INTROSPECTION_URL` | OAuth Token Introspection URL, provided by the auth server | `http://host.docker.internal:8080/realms/HederaTheGraph/protocol/openid-connect/token/introspect` |
 | `configSecrets.clientSecret` | OAuth Client Secret, provided by the auth server | `` |
+| `global.auth.clientSecret` | Global OAuth Client Secret, provided by the auth server, has precedence over `configSecrets.clientSecret` | `` |
 
-Is also possible to use the global alternative to override `clientSecret` value, global has precendence over `configSecrets.clientSecret`, and if neither is provided a random 32 length value will be generated. Using the global alternative is useful when deploying multiple charts that share the same `clientSecret` value, otherwise, the `configSecrets.clientSecret` should be used.
+*It is important to note that if the downstream service that we are protecting (in this case TheGraph) will be accessed by the proxy using a FQDN, the `SERVICE_TYPE` should be set to `LOGICAL_DNS` and the `SERVICE_ADDRESS` should be set to the FQDN of the service. Otherwise, if the downstream service is accessed by the proxy using an IP address, the `SERVICE_TYPE` should be set to `STATIC` and the `SERVICE_ADDRESS` should be set to the IP address of the service.*
 
-Using the following command:
+### Client Secret Configuration
+`auth-layer-proxy` needs a valid `clientSecret` to be able to authenticate with the auth server. This can be provided as a `configSecrets.clientSecret` or as a global `global.auth.clientSecret`.
+
+`global.auth.clientSecret` has precedence over `configSecrets.clientSecret`.
+
+#### Install with Client Secret
 ```bash
-helm install <releaseName> . --set global.auth.clientSecret=your-client-secret
+helm install htg-auth-proxy . --set configSecrets.clientSecret="<your-client-secret>"
 ```
 
-
-It is important to note that if the downstream service that we are protecting (in this case TheGraph) will be accessed by the proxy using a FQDN, the `SERVICE_TYPE` should be set to `LOGICAL_DNS` and the `SERVICE_ADDRESS` should be set to the FQDN of the service. Otherwise, if the downstream service is accessed by the proxy using an IP address, the `SERVICE_TYPE` should be set to `STATIC` and the `SERVICE_ADDRESS` should be set to the IP address of the service.
+#### Install with Global Client Secret
+```bash
+helm install htg-auth-proxy . --set global.auth.clientSecret="<your-client-secret>"
+```
+### None Provided
+If none is provided, the installation will fail with the following error:
+```
+A valid client secret must be provided either via .Values.global.auth.clientSecret or .Values.configSecrets.clientSecret
+```
+#### Update Client Secret
+*Once the chart is installed, the `clientSecret` can be updated using the following command:*
+```bash
+helm upgrade <releaseName> . --set configSecrets.clientSecret="<your-client-secret>"
+```
diff --git a/charts/auth-layer-proxy/templates/_helpers.tpl b/charts/auth-layer-proxy/templates/_helpers.tpl
@@ -60,16 +60,3 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
-
-{{/*
-Define a function to choose a value from .Values.global.auth.clientSecret, .Values.configSecrets.clientSecret, or generate a random string.
-*/}}
-{{- define "auth-layer-proxy.clientSecret" -}}
-{{- if .Values.global.auth.clientSecret -}}
-  {{- .Values.global.auth.clientSecret -}}
-{{- else if .Values.configSecrets.clientSecret -}}
-  {{- .Values.configSecrets.clientSecret -}}
-{{- else -}}
-  {{- randAlphaNum 32 -}}
-{{- end -}}
-{{- end -}}
diff --git a/charts/auth-layer-proxy/templates/secret.yaml b/charts/auth-layer-proxy/templates/secret.yaml
@@ -1,6 +1,8 @@
+{{- $clientSecret := .Values.global.auth.clientSecret | default .Values.configSecrets.clientSecret -}}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "auth-layer-proxy.fullname" . }}-secret
+type: Opaque
 data:
-  CLIENT_SECRET: {{ include "auth-layer-proxy.clientSecret" . | b64enc }}
+  CLIENT_SECRET: {{ $clientSecret | required "A valid client secret must be provided either via .Values.global.auth.clientSecret or .Values.configSecrets.clientSecret" | b64enc }}
diff --git a/charts/auth-layer-proxy/values.yaml b/charts/auth-layer-proxy/values.yaml
@@ -11,7 +11,9 @@ configEnv:
   SERVICE_TYPE: "LOGICAL_DNS"
   TOKEN_INTROSPECTION_URL: "http://host.docker.internal:8080/realms/HederaTheGraph/protocol/openid-connect/token/introspect"
 
+
 configSecrets:
+  # If not provided, the helm chart will fail to render the templates
   clientSecret: ""
 
 fullnameOverride: ""