From e9433c3a1bb5a7081dc886368dd364722b669661 Mon Sep 17 00:00:00 2001
From: Travis Groth
Date: Fri, 28 Jan 2022 10:11:23 -0500
Subject: [PATCH] [pomerium] clean up `pomerium-cache` and shared secret location (#254)

---
 charts/pomerium-console/Chart.yaml | 2 +-
 charts/pomerium-console/README.md | 4 +-
 charts/pomerium-console/values.yaml | 2 +-
 charts/pomerium/Chart.yaml | 2 +-
 charts/pomerium/README.md | 16 +++++++
 charts/pomerium/templates/_helpers.tpl | 21 ---------
 charts/pomerium/templates/cache-service.yaml | 45 -------------------
 charts/pomerium/templates/servicemonitor.yaml | 6 ---
 charts/pomerium/templates/tls-secrets.yaml | 2 +-
 charts/pomerium/values.yaml | 4 --
 10 files changed, 22 insertions(+), 82 deletions(-)
 delete mode 100644 charts/pomerium/templates/cache-service.yaml

diff --git a/charts/pomerium-console/Chart.yaml b/charts/pomerium-console/Chart.yaml
index fd137bb7..3b904992 100644
--- a/charts/pomerium-console/Chart.yaml
+++ b/charts/pomerium-console/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 7.0.1
+version: 7.0.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/pomerium-console/README.md b/charts/pomerium-console/README.md
index 08c7aee6..729f0749 100644
--- a/charts/pomerium-console/README.md
+++ b/charts/pomerium-console/README.md
@@ -1,6 +1,6 @@
 # pomerium-console
 
-![Version: 7.0.0](https://img.shields.io/badge/Version-7.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+![Version: 7.0.2](https://img.shields.io/badge/Version-7.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.15.3](https://img.shields.io/badge/AppVersion-0.15.3-informational?style=flat-square)
 
 Pomerium Enterprise Console
 
@@ -43,7 +43,7 @@ helm install pomerium-enterprise/pomerium-console \
 | config.audience | string | `""` | **Required** console's external URL. This should match the `from` in Pomerium Core's config. |
 | config.customerId | string | `""` | Override default customerId |
 | config.databaseEncryptionKey | string | `""` | **Required** encryption key for protecting sensitive data in the database |
-| config.databrokerServiceUrl | string | `https://pomerium-databroker.[release namespace].svc.cluster.local` | Override the URL default to the Pomerium Cache service |
+| config.databrokerServiceUrl | string | `https://pomerium-databroker.[release namespace].svc.cluster.local` | Override the URL default to the Pomerium Databroker service |
 | config.prometheusUrl | string | `""` | Set URL for external prometheus server. An embedded server is used if left unset. |
 | config.sharedSecret | string | `""` | **Required** Secures communication with the databroker. Must match Pomerium `shared_secret` parameter. |
 | config.signingKey | string | `""` | **Required** Set the public key for verifying the Pomerium attestation JWT header |
diff --git a/charts/pomerium-console/values.yaml b/charts/pomerium-console/values.yaml
index b2c36d6d..7bcec8a0 100644
--- a/charts/pomerium-console/values.yaml
+++ b/charts/pomerium-console/values.yaml
@@ -177,7 +177,7 @@ config:
 administrators: ""
 # config.customerId -- Override default customerId
 customerId: ""
- # config.databrokerServiceUrl -- Override the URL default to the Pomerium Cache service
+ # config.databrokerServiceUrl -- Override the URL default to the Pomerium Databroker service
 # @default -- `https://pomerium-databroker.[release namespace].svc.cluster.local`
 databrokerServiceUrl: ""
 # config.sharedSecret -- **Required** Secures communication with the databroker. Must match Pomerium `shared_secret` parameter.
diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
index aee7e982..cae38d9a 100644
--- a/charts/pomerium/Chart.yaml
+++ b/charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pomerium
-version: 27.0.2
+version: 28.0.0
 appVersion: 0.16.1
 home: http://www.pomerium.com/
 icon: https://www.pomerium.com/img/icon.svg
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
index 125daed3..93640b0c 100644
--- a/charts/pomerium/README.md
+++ b/charts/pomerium/README.md
@@ -20,6 +20,7 @@
 - [Redis Subchart](#redis-subchart)
 - [Configuration](#configuration)
 - [Changelog](#changelog)
+ - [28.0.0](#2800)
 - [27.0.0](#2700)
 - [26.0.0](#2600)
 - [25.0.1](#2501)
@@ -56,6 +57,7 @@
 - [3.0.0](#300)
 - [2.0.0](#200)
 - [Upgrading](#upgrading)
+ - [28.0.0](#2800-1)
 - [27.0.0](#2700-1)
 - [25.0.0](#2500-1)
 - [23.0.0](#2300-1)
@@ -440,6 +442,11 @@ A full listing of Pomerium's configuration variables can be found on the [config
 ## Changelog +### 28.0.0 + - A previous breaking change from 25.0.0 was fully completed. - The deprecated `cache` service has been completely removed. ### 27.0.0 - Add better support for terminating TLS at the edge of a service mesh via `config.insecureProxy` and additional logic when `config.insecure` is set.
@@ -594,6 +601,15 @@ A full listing of Pomerium's configuration variables can be found on the [config
 ## Upgrading +### 28.0.0 + - Users should ensure they no longer depend on the `pomerium-cache` service name for telemetry or other operations. Migrate any configuration referencing the `pomerium-cache` service to consume the `pomerium-databroker` service. `pomerium-cache` has been deprecated since (#2000-1) - Ensure the upgrade steps for (#2500-1) were fully completed. This chart version includes breaking changes that were unintentionally omitted from 25.0.0. + Specifically: + Users of `config.existingSecret` should move `cookie_secret` and `shared_secret` to be explicitly set in your helm values OR put into a secondary secret as `COOKIE_SECRET` and `SHARED_SECRET` and referenced by `config.existingSharedSecret`. As a third option, you may remove the values from your current secret and let new ones be generated and persisted for you. + ### 27.0.0 - Users of `config.insecure=true` in a service mesh:
diff --git a/charts/pomerium/templates/_helpers.tpl b/charts/pomerium/templates/_helpers.tpl
index 8799a87d..fd2ea893 100644
--- a/charts/pomerium/templates/_helpers.tpl
+++ b/charts/pomerium/templates/_helpers.tpl
@@ -25,11 +25,6 @@
 {{- default (printf "%s-databroker" .Chart.Name) .Values.databroker.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
-{{/*DEPRECATED Expand the name of the cache-service.*/}}
-{{- define "pomerium.cache.name" -}}
-{{- default (printf "%s-cache" .Chart.Name) .Values.cache.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
 {{/*Expand the name of the ingressController .*/}}
 {{- define "pomerium.ingressController.name" -}}
 {{- default (printf "%s-ingress-controller" .Chart.Name) .Values.ingressController.nameOverride | trunc 63 | trimSuffix "-" -}}
@@ -100,20 +95,6 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}
 
-{{/* DEPRECATED cache services fully qualified name. Truncated at 63 chars. */}}
-{{- define "pomerium.cache.fullname" -}}
-{{- if .Values.cache.fullnameOverride -}}
-{{- .Values.cache.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- printf "%s-cache" .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s-cache" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
 {{/* authenticate services fully qualified name. Truncated at 63 chars. */}}
 {{- define "pomerium.authenticate.fullname" -}}
 {{- if .Values.authenticate.fullnameOverride -}}
@@ -487,8 +468,6 @@ forward_auth_url: {{ printf "%s://%s" ( include "pomerium.httpTrafficPort.name"
 {{- else if .Values.forwardAuth.enabled }}
 forward_auth_url: {{ printf "https://%s" ( include "pomerium.forwardAuth.name" . ) }}
 {{- end }}
-cookie_secret: {{ default (randAscii 32 | b64enc) .Values.config.cookieSecret }}
-shared_secret: {{ default (randAscii 32 | b64enc) .Values.config.sharedSecret }}
 idp_client_id: {{ .Values.authenticate.idp.clientID }}
 idp_client_secret: {{ .Values.authenticate.idp.clientSecret }}
 {{- if or .Values.authenticate.idp.serviceAccount .Values.authenticate.idp.serviceAccountYAML }}
diff --git a/charts/pomerium/templates/cache-service.yaml b/charts/pomerium/templates/cache-service.yaml
deleted file mode 100644
index 05539b84..00000000
--- a/charts/pomerium/templates/cache-service.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "pomerium.cache.fullname" . }}
- labels:
- app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
- helm.sh/chart: {{ template "pomerium.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/component: cache
-{{- if .Values.service.labels }}
-{{ toYaml .Values.service.labels | indent 4 }}
-{{- end }}
-{{- if or .Values.databroker.service.annotations .Values.service.annotations }}
- annotations:
- {{- if .Values.databroker.service.annotations }}
- {{- range $key, $value := .Values.databroker.service.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- else if .Values.service.annotations }}
- {{- range $key, $value := .Values.service.annotations }}
- {{ $key }}: {{ $value | quote }}
- {{- end }}
- {{- end }}
-{{- end }}
-spec:
-{{- if .Values.databroker.service.clusterIP }}
- clusterIP: {{ .Values.databroker.service.clusterIP }}
-{{- end }}
- type: {{ .Values.databroker.service.type }}
- ports:
- - port: {{ template "pomerium.service.externalPort" . }}
- targetPort: {{ template "pomerium.grpcTrafficPort.name" . }}
- protocol: TCP
- name: {{ template "pomerium.grpcTrafficPort.name" . }}
- - name: metrics
- port: {{ .Values.metrics.port }}
- protocol: TCP
- targetPort: metrics
-{{- if hasKey .Values.service "nodePort" }}
- nodePort: {{ .Values.service.nodePort }}
-{{- end }}
- selector:
- app.kubernetes.io/name: {{ template "pomerium.databroker.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/pomerium/templates/servicemonitor.yaml b/charts/pomerium/templates/servicemonitor.yaml
index 331ba238..3db25446 100644
--- a/charts/pomerium/templates/servicemonitor.yaml
+++ b/charts/pomerium/templates/servicemonitor.yaml
@@ -16,12 +16,6 @@ metadata:
 {{- end }}
 spec:
 selector:
- # TODO remove when pomerium-cache service is removed
- matchExpressions:
- - key: app.kubernetes.io/name
- operator: NotIn
- values:
- - pomerium-cache
 matchLabels:
 helm.sh/chart: {{ template "pomerium.chart" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/pomerium/templates/tls-secrets.yaml b/charts/pomerium/templates/tls-secrets.yaml
index 509828e1..1ba8d62d 100644
--- a/charts/pomerium/templates/tls-secrets.yaml
+++ b/charts/pomerium/templates/tls-secrets.yaml
@@ -152,7 +152,7 @@ data:
 {{- $ca := genCA "default-ca" 3650 }}
 {{- $authenticateSN:= list (printf "authenticate.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.authenticate.fullname" .) .Release.Namespace )}}
 {{- $authorizeSN:= list (printf "authorize.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.authorize.fullname" .) .Release.Namespace )}}
-{{- $databrokerSN:= list (printf "databroker.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.databroker.fullname" .) .Release.Namespace ) (printf "cache.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.cache.fullname" .) .Release.Namespace )}}
+{{- $databrokerSN:= list (printf "databroker.%s" .Values.config.rootDomain) (printf "%s.%s.svc.cluster.local" (include "pomerium.databroker.fullname" .) .Release.Namespace ) }}
 {{- $proxySN:= list (printf "authenticate.%s" .Values.config.rootDomain) }}
 {{- $cn := default "example.com" .Values.config.rootDomain }}
diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
index 1e5b0bed..af45a583 100644
--- a/charts/pomerium/values.yaml
+++ b/charts/pomerium/values.yaml
@@ -114,10 +114,6 @@ authorize:
 annotations: {}
 nameOverride: ""
 
-cache:
- fullnameOverride: ""
- nameOverride: ""
-
 databroker:
 fullnameOverride: ""
 nameOverride: ""
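Review bot: The rewritten `$databrokerSN` line in tls-secrets.yaml drops both legacy SANs (`cache.<rootDomain>` and the `pomerium.cache.fullname` cluster-local name) from the self-generated databroker certificate, so a client still dialing the databroker under either old name will now fail certificate verification rather than be routed; the README's 28.0.0 upgrade note covers the service name but not that the generated certificate no longer carries the old names, and a comment on this line such as `{{/* databroker SANs: legacy cache.* names removed in 28.0.0, see README Upgrading */}}` would record that as intentional. A minor style point is that the new line closes with `.Release.Namespace ) }}` while the adjacent `$authenticateSN` and `$authorizeSN` lines close with `)}}`; matching them keeps the block uniform. Whether this certificate path is reached depends on the condition enclosing the `data:` block, which starts outside the hunk.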