Skip to content

Commit d7bc0ae

Browse files
committed
chore: Add OIDC config only when needed
1 parent 15d30fc commit d7bc0ae

1 file changed

Lines changed: 59 additions & 56 deletions

File tree

api/v1alpha1/amaltheasession_children.go

Lines changed: 59 additions & 56 deletions
Original file line numberDiff line numberDiff line change
@@ -778,66 +778,69 @@ func (as *AmaltheaSession) Secret() v1.Secret {
778778
return secret
779779
}
780780

781-
pathPrefix := as.ingressPathPrefix()
782-
sessionURL := as.GetURL()
783-
pathPrefixURL := url.URL{Host: sessionURL.Host, Path: pathPrefix, Scheme: sessionURL.Scheme}
784-
cookieSecret := make([]byte, 32)
785-
_, err := rand.Read(cookieSecret)
786-
if err != nil {
787-
// NOTE: Read cannot panic except for on legacy Linux systems
788-
// See: https://pkg.go.dev/crypto/rand#Read
789-
panic(err)
790-
}
791-
oldConfigLines := []string{
792-
"session_cookie_minimal = true",
793-
"skip_provider_button = true",
794-
fmt.Sprintf("redirect_url = \"%s\"", pathPrefixURL.JoinPath("oauth2/callback").String()),
795-
fmt.Sprintf("cookie_path = \"%s\"", pathPrefix),
796-
fmt.Sprintf("proxy_prefix = \"%soauth2\"", pathPrefix),
797-
"authenticated_emails_file = \"/authorized_emails\"",
798-
fmt.Sprintf("cookie_secret = \"%s\"", base64.URLEncoding.EncodeToString(cookieSecret)),
799-
}
800-
upstreamPort := secondProxyPort
801-
upstreamConfig := map[string]any{
802-
"upstreams": []map[string]any{
803-
{
804-
"id": "amalthea-upstream",
805-
"path": pathPrefix,
806-
"uri": fmt.Sprintf("http://127.0.0.1:%d", upstreamPort),
807-
"insecureSkipTLSVerify": true,
808-
"passHostHeader": true,
809-
"proxyWebSockets": true,
781+
// Skip the 'oidc' configuration if it is not needed
782+
if as.Spec.Authentication.Type == Oidc {
783+
pathPrefix := as.ingressPathPrefix()
784+
sessionURL := as.GetURL()
785+
pathPrefixURL := url.URL{Host: sessionURL.Host, Path: pathPrefix, Scheme: sessionURL.Scheme}
786+
cookieSecret := make([]byte, 32)
787+
_, err := rand.Read(cookieSecret)
788+
if err != nil {
789+
// NOTE: Read cannot panic except for on legacy Linux systems
790+
// See: https://pkg.go.dev/crypto/rand#Read
791+
panic(err)
792+
}
793+
oldConfigLines := []string{
794+
"session_cookie_minimal = true",
795+
"skip_provider_button = true",
796+
fmt.Sprintf("redirect_url = \"%s\"", pathPrefixURL.JoinPath("oauth2/callback").String()),
797+
fmt.Sprintf("cookie_path = \"%s\"", pathPrefix),
798+
fmt.Sprintf("proxy_prefix = \"%soauth2\"", pathPrefix),
799+
"authenticated_emails_file = \"/authorized_emails\"",
800+
fmt.Sprintf("cookie_secret = \"%s\"", base64.URLEncoding.EncodeToString(cookieSecret)),
801+
}
802+
upstreamPort := secondProxyPort
803+
upstreamConfig := map[string]any{
804+
"upstreams": []map[string]any{
805+
{
806+
"id": "amalthea-upstream",
807+
"path": pathPrefix,
808+
"uri": fmt.Sprintf("http://127.0.0.1:%d", upstreamPort),
809+
"insecureSkipTLSVerify": true,
810+
"passHostHeader": true,
811+
"proxyWebSockets": true,
812+
},
810813
},
811-
},
812-
}
813-
newConfig := map[string]any{
814-
"providers": []map[string]any{
815-
{
816-
"clientID": "${OIDC_CLIENT_ID}",
817-
"clientSecret": "${OIDC_CLIENT_SECRET}",
818-
"id": "amalthea-oidc",
819-
"provider": "oidc",
820-
"oidcConfig": map[string]any{
821-
"insecureSkipNonce": false,
822-
"issuerURL": "${OIDC_ISSUER_URL}",
823-
"insecureAllowUnverifiedEmail": "${ALLOW_UNVERIFIED_EMAILS}",
824-
"emailClaim": "email",
825-
"audienceClaims": []string{"aud"},
814+
}
815+
newConfig := map[string]any{
816+
"providers": []map[string]any{
817+
{
818+
"clientID": "${OIDC_CLIENT_ID}",
819+
"clientSecret": "${OIDC_CLIENT_SECRET}",
820+
"id": "amalthea-oidc",
821+
"provider": "oidc",
822+
"oidcConfig": map[string]any{
823+
"insecureSkipNonce": false,
824+
"issuerURL": "${OIDC_ISSUER_URL}",
825+
"insecureAllowUnverifiedEmail": "${ALLOW_UNVERIFIED_EMAILS}",
826+
"emailClaim": "email",
827+
"audienceClaims": []string{"aud"},
828+
},
826829
},
827830
},
828-
},
829-
"server": map[string]string{
830-
"bindAddress": fmt.Sprintf("0.0.0.0:%d", authenticatedPort),
831-
},
832-
"upstreamConfig": upstreamConfig,
833-
}
834-
newConfigStr, err := yaml.Marshal(newConfig)
835-
if err != nil {
836-
panic(err)
837-
}
831+
"server": map[string]string{
832+
"bindAddress": fmt.Sprintf("0.0.0.0:%d", authenticatedPort),
833+
},
834+
"upstreamConfig": upstreamConfig,
835+
}
836+
newConfigStr, err := yaml.Marshal(newConfig)
837+
if err != nil {
838+
panic(err)
839+
}
838840

839-
secret.StringData["oauth2-proxy-alpha-config.yaml"] = string(newConfigStr)
840-
secret.StringData["oauth2-proxy-config.yaml"] = strings.Join(oldConfigLines, "\n")
841+
secret.StringData["oauth2-proxy-alpha-config.yaml"] = string(newConfigStr)
842+
secret.StringData["oauth2-proxy-config.yaml"] = strings.Join(oldConfigLines, "\n")
843+
}
841844

842845
if tunnelSecret != "" {
843846
secret.StringData["WSTUNNEL_SECRET"] = tunnelSecret

0 commit comments

Comments
 (0)