chore: add new node envs and secrets

hacks/values/kratos-selfservice-ui-node.yaml

@@ -20,3 +20,6 @@ test:
   busybox:
     repository: docker.io/library/busybox
     tag: 1.36
+
+config:
+  csrfCookieName: "some-random-cookie-name"

helm/charts/kratos-selfservice-ui-node/templates/_helpers.tpl

@@ -43,3 +43,14 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
+
+{{/*
+Create a secret name which can be overridden.
+*/}}
+{{- define "kratos-selfservice-ui-node.secretname" -}}
+{{- if .Values.secret.nameOverride -}}
+{{- .Values.secret.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{ include "kratos-selfservice-ui-node.fullname" . }}
+{{- end -}}
+{{- end -}}

helm/charts/kratos-selfservice-ui-node/templates/deployment.yaml

@@ -6,7 +6,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   {{- end }}
   labels:
-{{ include "kratos-selfservice-ui-node.labels" . | indent 4 }}
+    {{- include "kratos-selfservice-ui-node.labels" . | nindent 4 }}
     {{- with .Values.deployment.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
@@ -24,7 +24,7 @@ spec:
   template:
     metadata:
       labels:
-{{ include "kratos-selfservice-ui-node.labels" . | indent 8 }}
+        {{- include "kratos-selfservice-ui-node.labels" . | nindent 8 }}
         {{- with .Values.deployment.labels }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -40,7 +40,7 @@ spec:
       automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
       {{- with .Values.deployment.extraVolumes }}
       volumes:
-{{ toYaml . | indent 6}}
+        {{- toYaml . | nindent 6 }}
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}
@@ -61,8 +61,20 @@ spec:
             value: {{ .Values.kratosAdminUrl | quote }}
           - name: SECURITY_MODE
             value: {{ .Values.securityMode | quote }}
+          - name: COOKIE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "kratos-selfservice-ui-node.secretname" . }}
+                key: secretsCookie
+          - name: CSRF_COOKIE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "kratos-selfservice-ui-node.secretname" . }}
+                key: secretsCSRFCookie
+          - name: CSRF_COOKIE_NAME
+            value: {{ .Values.config.csrfCookieName | quote }}
           {{- if .Values.deployment.extraEnv }}
-{{ toYaml .Values.deployment.extraEnv | indent 10 }}
+            {{- toYaml .Values.deployment.extraEnv | nindent 10 }}
           {{- end }}
           {{- with .Values.deployment.extraVolumeMounts }}
           volumeMounts:

helm/charts/kratos-selfservice-ui-node/templates/secret.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.secret.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "kratos-selfservice-ui-node.secretname" . }}
+  {{- if .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}
+  {{- end }}
+  labels:
+    {{- include "kratos-selfservice-ui-node.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.secret.secretAnnotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+type: Opaque
+data:
+  # Generate a random secret if the user doesn't give one. User given secret has priority
+  secretsCookie: {{ ( .Values.config.secrets.cookie | default ( randAlphaNum 32 )) | required "Value config.secrets.cookie can not be empty!" | b64enc | quote }}
+  secretsCSRFCookie: {{ ( .Values.config.secrets.csrfCookie | default ( randAlphaNum 32 )) | required "Value config.secrets.csrfCookie can not be empty!" | b64enc | quote }}
+{{- end }}

helm/charts/kratos-selfservice-ui-node/values.yaml

@@ -18,6 +18,11 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+# -- Application config
+config:
+  csrfCookieName: ""
+  secrets: {}
+
 # -- Service configuration
 service:
   type: ClusterIP
@@ -27,6 +32,23 @@ service:
   # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
   name: http
 
+secret:
+  # -- switch to false to prevent creating the secret
+  enabled: true
+  # -- Provide custom name of existing secret, or custom name of secret to be created
+  nameOverride: ""
+  # nameOverride: "myCustomSecret"
+  # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
+  secretAnnotations:
+    # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
+    # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
+    helm.sh/hook-weight: "0"
+    helm.sh/hook: "pre-install, pre-upgrade"
+    helm.sh/hook-delete-policy: "before-hook-creation"
+    helm.sh/resource-policy: "keep"
+  # -- switch to false to prevent checksum annotations being maintained and propogated to the pods
+  hashSumEnabled: true
+
 # -- Ingress configration
 ingress:
   enabled: false