Remove of-client-secret as env var from edge-auth

Edge-auth now only uses the mounted secret to read the of-client-secret
for Oauth2. This is to reduce complexity in the chart and deployments.

Signed-off-by: Alistair Hey <[email protected]>

Author: Waterdrips

chart/README.md

@@ -7,7 +7,6 @@ to install OpenFaaS Cloud clusters.
 
 This is mainly for configuration documentation for developers wishing to use this chart in `ofc-bootstrap`.
 
-
 ## Configuration
 
 | Parameter | Description | Default|
@@ -20,10 +19,9 @@ This is mainly for configuration documentation for developers wishing to use thi
 | `edgeAuth.replicas` | `Number of replicas of edge-auth to run` | `1` |
 | `edgeAuth.enableOauth2` | `If OAuth2 is enabled in the installation` | `true` |
 | `edgeAuth.oauthProvider` | `The OAuth provider, github or gitlab` | `github` |
-| `edgeAuth.oauthProviderBaseURL` | `The OAuth2 base URL, required if using gitlab as OAuth2 provider` | `` |
+| `edgeAuth.oauthProviderBaseURL` | `The OAuth2 base URL, required if using gitlab as OAuth2 provider` | `""` |
 | `edgeAuth.clientId` | `The client ID provided by your OAuth provider` | `""` |
 | `edgeAuth.writeDebug` | `If Debug logging is enabled in edge-auth` | `false` |
-| `edgeAuth.clientSecret` | `The client secret provided by your OAuth2 provider` | `""` |
 | `edgeRouter.image` | `The container image for the OpenFaaS Cloud edge-router` | `openfaas/edge-router:0.7.4` |
 | `tls.enabled` | `If we are using TLS, certificated provided by LEtsEncrypt` | `true` |
 | `tls.email` | `The email for the LetsEncrypt TLS certificates. Required if TLS is enabled` | `[email protected]` |
@@ -36,7 +34,6 @@ This is mainly for configuration documentation for developers wishing to use thi
 | `tls.clouddns.projectID` | `If using Clouddns set this to your project ID` | `` |
 | `ingress.class` | `The ingress class used for ingress. Set to traefik if using traefik for ingress for example` | `nginx` |
 | `ingress.maxConnections` | `The max connections allowed for OpenFaaS Cloud Functions` | `` |
-| `ingress.requestsPerMinute` | `The max number of connections for ingress when using nginx for ingress class` | `20` |
 | `ingesss.requestsPerMinute` | `The max requests per minute when using nginx for the inress class` | `600` |
 | `customers.url` | `The public URL to a customers file, it should be unformatted with 1 username per line` | `""` |
 | `customers.customersSecret` | `If set to ture we use a secret for our customers list rather than a public URL` | `false` |

chart/openfaas-cloud/templates/ofc-core/edge-auth-dep.yaml

@@ -70,8 +70,6 @@ spec:
             - name: customers_path
               value: "/var/secrets/of-customers/of-customers"
             {{- end }}
-            - name: client_secret
-              value: {{ required "A valid .Values.edgeAuth.clientSecret entry required!" .Values.edgeAuth.clientSecret | quote }}
             - name: client_id
               value: {{ required "A valid .Values.edgeAuth.clientId entry required!" .Values.edgeAuth.clientId | quote }}
             - name: oauth_provider_base_url

chart/openfaas-cloud/values.yaml

@@ -20,8 +20,6 @@ edgeAuth:
   ## clientId is generated by your Oauth App, and needs to be set to connect correctly
   clientId: ""
   writeDebug: false
-  ## clientSecret is the value from your OAuth application
-  clientSecret: ""
 
 edgeRouter:
   image: openfaas/edge-router:0.7.4

chart/test/core_edge_auth_dep_test.go

@@ -143,7 +143,6 @@ func makeContainerEnv(customersSecret, secureCookie bool) []Environment {
 	if customersSecret {
 		environ = append(environ, Environment{Name: "customers_path", Value: "/var/secrets/of-customers/of-customers"})
 	}
-	environ = append(environ, Environment{Name: "client_secret", Value: "client-secret"})
 	environ = append(environ, Environment{Name: "client_id", Value: "client-id"})
 	environ = append(environ, Environment{Name: "oauth_provider_base_url", Value: ""})
 	environ = append(environ, Environment{Name: "oauth_provider", Value: "github"})

edge-auth/handlers/config.go

@@ -8,8 +8,7 @@ type Config struct {
 	OAuthProvider          string
 	OAuthProviderBaseURL   string
 	ClientID               string
-	ClientSecret           string
-	OAuthClientSecretPath  string // OAuthClientSecretPath when given overrides the ClientSecret env-var
+	OAuthClientSecretPath  string
 	ExternalRedirectDomain string
 	Scope                  string
 	CookieRootDomain       string

edge-auth/handlers/oauth2.go

@@ -33,14 +33,16 @@ func MakeOAuth2Handler(config *Config) func(http.ResponseWriter, *http.Request)
 		log.Fatalf("unable to parse private key: %s", keyErr.Error())
 	}
 
-	clientSecret := config.ClientSecret
+	var clientSecret string
 
 	if len(config.OAuthClientSecretPath) > 0 {
 		clientSecretBytes, err := ioutil.ReadFile(config.OAuthClientSecretPath)
 		if err != nil {
 			log.Fatalf("OAuthClientSecretPath, unable to read path: %s, error: %s", config.OAuthClientSecretPath, err.Error())
 		}
 		clientSecret = strings.TrimSpace(string(clientSecretBytes))
+	} else {
+		log.Fatalf("OauthClientSecretPath should be set to load the secret")
 	}
 
 	return func(w http.ResponseWriter, r *http.Request) {

edge-auth/main.go

@@ -52,10 +52,6 @@ func main() {
 		clientID = val
 	}
 
-	if val, exists := os.LookupEnv("client_secret"); exists {
-		clientSecret = val
-	}
-
 	if val, exists := os.LookupEnv("external_redirect_domain"); exists {
 		externalRedirectDomain = val
 	}

yaml/core/edge-auth-dep.yml

@@ -53,8 +53,6 @@ spec:
           - name: customers_path
             value: "/var/secrets/of-customers/of-customers"
 # Update for your configuration:
-          - name: client_secret # this can also be provided via a secret named of-client-secret
-            value: ""
           - name: client_id
             value: ""
           - name: oauth_provider_base_url