Basic auth now matches justice-gov-uk

ministryofjustice · Jul 12, 2024 · 724baa2 · 724baa2
1 parent 9824773
commit 724baa2
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 7 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -51,10 +51,26 @@ jobs:
           export AWS_CLOUDFRONT_PUBLIC_KEY_BASE64=$(echo -n "$AWS_CLOUDFRONT_PUBLIC_KEY" | base64 -w 0)
           export AWS_CLOUDFRONT_PRIVATE_KEY_BASE64=$(echo -n "$AWS_CLOUDFRONT_PRIVATE_KEY" | base64 -w 0)
           # export AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING_BASE64=$(echo -n "$AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING" | base64 -w 0)
-          export BASIC_AUTH_BASE64=$(htpasswd -nbm "$BASIC_AUTH_USER" "$BASIC_AUTH_PASS" | base64)
+          
+          BASIC_AUTH_BASE64=""
+          
+          ## Prevent errors when basic auth isn't used
+          ## Nb.the BASIC_AUTH_USER secret in GH production environment should
+          ## be set to `no-basic-auth` if not being used
+          
+          if [ "$BASIC_AUTH_USER" != "no-basic-auth" ]; then
+            BASIC_AUTH_BASE64=$(htpasswd -nbm "$BASIC_AUTH_USER" "$BASIC_AUTH_PASS" | base64 -w 0)
+          fi
+          
+          export BASIC_AUTH_BASE64
 
-          cat $TPL_PATH/secret.tpl | envsubst > $TPL_PATH/secret.yaml
-          cat $TPL_PATH/deployment.tpl | envsubst > $TPL_PATH/deployment.yaml
+          ## Perform find/replace
+          < "$TPL_PATH"/secret.tpl.yml envsubst > "$TPL_PATH"/secret.yaml
+          < "$TPL_PATH"/deployment.tpl.yml envsubst > "$TPL_PATH"/deployment.yaml
+          
+          ## Remove template files before apply
+          rm "$TPL_PATH"/secret.tpl.yml
+          rm "$TPL_PATH"/deployment.tpl.yml
 
       - name: "Authenticate to the cluster"
         env:

diff --git a/deploy/demo/deployment.tpl → deploy/demo/deployment.tpl.yml b/deploy/demo/deployment.tpl → deploy/demo/deployment.tpl.yml
@@ -91,7 +91,7 @@ spec:
             - name: BASIC_AUTH
               valueFrom:
                 secretKeyRef:
-                  name: intranet-basic-auth
+                  name: basic-auth-secret
                   key: auth          
           envFrom:
             - configMapRef:

diff --git a/deploy/demo/ingress.yml b/deploy/demo/ingress.yml
@@ -7,7 +7,7 @@ metadata:
     external-dns.alpha.kubernetes.io/set-identifier: intranet-demo-ingress-intranet-demo-green
     external-dns.alpha.kubernetes.io/aws-weight: "100"
     nginx.ingress.kubernetes.io/auth-type: basic
-    nginx.ingress.kubernetes.io/auth-secret: intranet-basic-auth
+    nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
     nginx.ingress.kubernetes.io/auth-realm: 'Demo User | Authentication Required'
     nginx.ingress.kubernetes.io/server-snippet: |
       location = /health {

diff --git a/deploy/demo/secret.tpl → deploy/demo/secret.tpl.yml b/deploy/demo/secret.tpl → deploy/demo/secret.tpl.yml
@@ -36,3 +36,11 @@ type: Opaque
 data:
   AWS_CLOUDFRONT_PUBLIC_KEY: "${AWS_CLOUDFRONT_PUBLIC_KEY_BASE64}"
   # AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING: "${AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING_BASE64}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth-secret
+type: Opaque
+data:
+  auth: "${BASIC_AUTH_BASE64}"
diff --git a/deploy/development/deployment.tpl → deploy/development/deployment.tpl.yml b/deploy/development/deployment.tpl → deploy/development/deployment.tpl.yml
@@ -91,7 +91,7 @@ spec:
             - name: BASIC_AUTH
               valueFrom:
                 secretKeyRef:
-                  name: intranet-basic-auth
+                  name: basic-auth-secret
                   key: auth          
           envFrom:
             - configMapRef:

diff --git a/deploy/development/ingress.yml b/deploy/development/ingress.yml
@@ -7,7 +7,7 @@ metadata:
     external-dns.alpha.kubernetes.io/set-identifier: intranet-dev-ingress-intranet-dev-green
     external-dns.alpha.kubernetes.io/aws-weight: "100"
     nginx.ingress.kubernetes.io/auth-type: basic
-    nginx.ingress.kubernetes.io/auth-secret: intranet-basic-auth
+    nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
     nginx.ingress.kubernetes.io/auth-realm: 'Development Access | Authentication Required'
     nginx.ingress.kubernetes.io/server-snippet: |
       if ($host = 'dev-intranet.apps.live.cloud-platform.service.justice.gov.uk') {

diff --git a/deploy/development/secret.tpl → deploy/development/secret.tpl.yml b/deploy/development/secret.tpl → deploy/development/secret.tpl.yml
@@ -36,3 +36,11 @@ type: Opaque
 data:
   AWS_CLOUDFRONT_PUBLIC_KEY: "${AWS_CLOUDFRONT_PUBLIC_KEY_BASE64}"
   # AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING: "${AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING_BASE64}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: basic-auth-secret
+type: Opaque
+data:
+  auth: "${BASIC_AUTH_BASE64}"