changed the CLIENT_SECRET from the configEnv values property to a new…

… secretsEnv values, and included it on a secret.yaml template, that can come from global.auth.clientSecret or from secretsEnv.clientSecret, also added a fallback that generates a random secret in case none is provided.

Signed-off-by: Alfredo Gutierrez <[email protected]>

charts/auth-layer-proxy/README.md

@@ -41,7 +41,15 @@ The following table lists the configurable parameters of the chart and their def
 | `configEnv.ENVOY_ADMIN_PORT` | EnvoyProxy Configuration admin port | `15000` |
 | `configEnv.PROXY_PORT` | EnvoyProxy Configuration proxy port | `10000` |
 | `configEnv.CLIENT_ID` | OAuth Client ID, provided by the auth server | `htg-auth-layer` |
-| `configEnv.CLIENT_SECRET` | OAuth Client Secret, provided by the auth server | `` |
 | `configEnv.TOKEN_INTROSPECTION_URL` | OAuth Token Introspection URL, provided by the auth server | `http://host.docker.internal:8080/realms/HederaTheGraph/protocol/openid-connect/token/introspect` |
+| `configSecrets.clientSecret` | OAuth Client Secret, provided by the auth server | `` |
+
+Is also possible to use the global alternative to override `clientSecret` value, global has precendence over `configSecrets.clientSecret`, and if neither is provided a random 32 length value will be generated. Using the global alternative is useful when deploying multiple charts that share the same `clientSecret` value, otherwise, the `configSecrets.clientSecret` should be used.
+
+Using the following command:
+```bash
+helm install <releaseName> . --set global.auth.clientSecret=your-client-secret
+```
+
 
 It is important to note that if the downstream service that we are protecting (in this case TheGraph) will be accessed by the proxy using a FQDN, the `SERVICE_TYPE` should be set to `LOGICAL_DNS` and the `SERVICE_ADDRESS` should be set to the FQDN of the service. Otherwise, if the downstream service is accessed by the proxy using an IP address, the `SERVICE_TYPE` should be set to `STATIC` and the `SERVICE_ADDRESS` should be set to the IP address of the service.

charts/auth-layer-proxy/templates/_helpers.tpl

@@ -60,3 +60,16 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Define a function to choose a value from .Values.global.auth.clientSecret, .Values.configSecrets.clientSecret, or generate a random string.
+*/}}
+{{- define "auth-layer-proxy.clientSecret" -}}
+{{- if .Values.global.auth.clientSecret -}}
+  {{- .Values.global.auth.clientSecret -}}
+{{- else if .Values.configSecrets.clientSecret -}}
+  {{- .Values.configSecrets.clientSecret -}}
+{{- else -}}
+  {{- randAlphaNum 32 -}}
+{{- end -}}
+{{- end -}}

charts/auth-layer-proxy/templates/deployment.yaml

@@ -25,6 +25,8 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ include "auth-layer-proxy.fullname" . }}-env
+            - secretRef:
+                name: {{ include "auth-layer-proxy.fullname" . }}-secret
           image: "{{ .Values.image.repository }}:{{ .Values.image.tagPrefix }}{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           livenessProbe:

charts/auth-layer-proxy/templates/secret.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "auth-layer-proxy.fullname" . }}-secret
+data:
+  CLIENT_SECRET: {{ include "auth-layer-proxy.clientSecret" . | b64enc }}

charts/auth-layer-proxy/values.yaml

@@ -4,16 +4,22 @@ command: ["/etc/envoy/start-envoy.sh"]
 
 configEnv:
   CLIENT_ID: "htg-auth-layer"
-  CLIENT_SECRET: "2IfFX7eqQvg2wY2hh1qjtS8RrUY9YqEg"
   ENVOY_ADMIN_PORT: "15000"
   PROXY_PORT: "10000"
   SERVICE_ADDRESS: "host.docker.internal"
   SERVICE_PORT: "8020"
   SERVICE_TYPE: "LOGICAL_DNS"
   TOKEN_INTROSPECTION_URL: "http://host.docker.internal:8080/realms/HederaTheGraph/protocol/openid-connect/token/introspect"
 
+configSecrets:
+  clientSecret: ""
+
 fullnameOverride: ""
 
+global:
+  auth:
+    clientSecret: ""
+
 image:
   pullPolicy: IfNotPresent
   repository: ghcr.io/hashgraph/hedera-the-graph