From 724baa2890c076e52d25f620a4667b139a6aa5a9 Mon Sep 17 00:00:00 2001
From: EarthlingDavey <15802017+EarthlingDavey@users.noreply.github.com>
Date: Fri, 12 Jul 2024 15:40:38 +0100
Subject: [PATCH] Basic auth now matches justice-gov-uk
---
.github/workflows/deploy.yml | 22 ++++++++++++++++---
.../{deployment.tpl => deployment.tpl.yml} | 2 +-
deploy/demo/ingress.yml | 2 +-
deploy/demo/{secret.tpl => secret.tpl.yml} | 8 +++++++
.../{deployment.tpl => deployment.tpl.yml} | 2 +-
deploy/development/ingress.yml | 2 +-
.../{secret.tpl => secret.tpl.yml} | 8 +++++++
7 files changed, 39 insertions(+), 7 deletions(-)
rename deploy/demo/{deployment.tpl => deployment.tpl.yml} (98%)
rename deploy/demo/{secret.tpl => secret.tpl.yml} (89%)
rename deploy/development/{deployment.tpl => deployment.tpl.yml} (98%)
rename deploy/development/{secret.tpl => secret.tpl.yml} (89%)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c7eb2aebd..0caff11b0 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -51,10 +51,26 @@ jobs: export AWS_CLOUDFRONT_PUBLIC_KEY_BASE64=$(echo -n "$AWS_CLOUDFRONT_PUBLIC_KEY" | base64 -w 0) export AWS_CLOUDFRONT_PRIVATE_KEY_BASE64=$(echo -n "$AWS_CLOUDFRONT_PRIVATE_KEY" | base64 -w 0) # export AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING_BASE64=$(echo -n "$AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING" | base64 -w 0) - export BASIC_AUTH_BASE64=$(htpasswd -nbm "$BASIC_AUTH_USER" "$BASIC_AUTH_PASS" | base64) + + BASIC_AUTH_BASE64="" + + ## Prevent errors when basic auth isn't used + ## Nb.the BASIC_AUTH_USER secret in GH production environment should + ## be set to `no-basic-auth` if not being used + + if [ "$BASIC_AUTH_USER" != "no-basic-auth" ]; then + BASIC_AUTH_BASE64=$(htpasswd -nbm "$BASIC_AUTH_USER" "$BASIC_AUTH_PASS" | base64 -w 0) + fi + + export BASIC_AUTH_BASE64 - cat $TPL_PATH/secret.tpl | envsubst > $TPL_PATH/secret.yaml - cat $TPL_PATH/deployment.tpl | envsubst > $TPL_PATH/deployment.yaml + ## Perform find/replace + < "$TPL_PATH"/secret.tpl.yml envsubst > "$TPL_PATH"/secret.yaml + < "$TPL_PATH"/deployment.tpl.yml envsubst > "$TPL_PATH"/deployment.yaml + + ## Remove template files before apply + rm "$TPL_PATH"/secret.tpl.yml + rm "$TPL_PATH"/deployment.tpl.yml - name: "Authenticate to the cluster" env: diff --git a/deploy/demo/deployment.tpl b/deploy/demo/deployment.tpl.yml similarity index 98% rename from deploy/demo/deployment.tpl rename to deploy/demo/deployment.tpl.yml index 14ce56f69..e5d99ce0b 100644 --- a/deploy/demo/deployment.tpl +++ b/deploy/demo/deployment.tpl.yml @@ -91,7 +91,7 @@ spec: - name: BASIC_AUTH valueFrom: secretKeyRef: - name: intranet-basic-auth + name: basic-auth-secret key: auth envFrom: - configMapRef: diff --git a/deploy/demo/ingress.yml b/deploy/demo/ingress.yml index 6392000b2..dd1280082 100644 --- a/deploy/demo/ingress.yml +++ b/deploy/demo/ingress.yml 
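Review bot: The new `if [ "$BASIC_AUTH_USER" != "no-basic-auth" ]` test in the deploy.yml hunk treats an unset or empty `BASIC_AUTH_USER` like a real username, and the `htpasswd -nbm … | base64 -w 0` pipeline reports only base64's exit status, so a failed htpasswd call leaves `BASIC_AUTH_BASE64` empty and the job carries on unless the step already runs with pipefail (the `run:` block starts outside the hunk, so that is not visible). I would add `set -o pipefail` ahead of the branch and `: "${BASIC_AUTH_USER:?}" "${BASIC_AUTH_PASS:?}"` as the first line inside it, so a missing secret stops the deploy instead of rendering `auth: ""` into `basic-auth-secret`. The sentinel path renders that same empty value on purpose while the demo and development ingresses in this patch still set `auth-type: basic`; it is worth confirming how the ingress controller handles an empty auth file, and that the production ingress, which is not part of this diff, does not reference the secret.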
@@ -7,7 +7,7 @@ metadata: external-dns.alpha.kubernetes.io/set-identifier: intranet-demo-ingress-intranet-demo-green external-dns.alpha.kubernetes.io/aws-weight: "100" nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: intranet-basic-auth + nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret nginx.ingress.kubernetes.io/auth-realm: 'Demo User | Authentication Required' nginx.ingress.kubernetes.io/server-snippet: | location = /health { diff --git a/deploy/demo/secret.tpl b/deploy/demo/secret.tpl.yml similarity index 89% rename from deploy/demo/secret.tpl rename to deploy/demo/secret.tpl.yml index 1337679df..d112c57e3 100644 --- a/deploy/demo/secret.tpl +++ b/deploy/demo/secret.tpl.yml @@ -36,3 +36,11 @@ type: Opaque data: AWS_CLOUDFRONT_PUBLIC_KEY: "${AWS_CLOUDFRONT_PUBLIC_KEY_BASE64}" # AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING: "${AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING_BASE64}" +--- +apiVersion: v1 +kind: Secret +metadata: + name: basic-auth-secret +type: Opaque +data: + auth: "${BASIC_AUTH_BASE64}" \ No newline at end of file diff --git a/deploy/development/deployment.tpl b/deploy/development/deployment.tpl.yml similarity index 98% rename from deploy/development/deployment.tpl rename to deploy/development/deployment.tpl.yml index cd3c5d600..ac4de15db 100644 --- a/deploy/development/deployment.tpl +++ b/deploy/development/deployment.tpl.yml @@ -91,7 +91,7 @@ spec: - name: BASIC_AUTH valueFrom: secretKeyRef: - name: intranet-basic-auth + name: basic-auth-secret key: auth envFrom: - configMapRef: diff --git a/deploy/development/ingress.yml b/deploy/development/ingress.yml index 8dbd2c4e0..5d6511de5 100644 --- a/deploy/development/ingress.yml +++ b/deploy/development/ingress.yml 
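Review bot: The new `basic-auth-secret` Secret appended in deploy/demo/secret.tpl.yml (and the identical one in deploy/development/secret.tpl.yml) replaces `intranet-basic-auth` as the name the ingress and deployment reference, but nothing in this patch removes the old Secret. Only the tail of each template is visible, so whether `intranet-basic-auth` is still defined higher up cannot be seen from here; if it is, or if it already exists in the namespace, it keeps holding the htpasswd hash after nothing uses it. I would add a comment above the new block such as `# replaces intranet-basic-auth; delete the old Secret from the namespace after rollout` and drop any remaining definition of the old name.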
@@ -7,7 +7,7 @@ metadata: external-dns.alpha.kubernetes.io/set-identifier: intranet-dev-ingress-intranet-dev-green external-dns.alpha.kubernetes.io/aws-weight: "100" nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: intranet-basic-auth + nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret nginx.ingress.kubernetes.io/auth-realm: 'Development Access | Authentication Required' nginx.ingress.kubernetes.io/server-snippet: | if ($host = 'dev-intranet.apps.live.cloud-platform.service.justice.gov.uk') { diff --git a/deploy/development/secret.tpl b/deploy/development/secret.tpl.yml similarity index 89% rename from deploy/development/secret.tpl rename to deploy/development/secret.tpl.yml index a12938ac0..783e499d5 100644 --- a/deploy/development/secret.tpl +++ b/deploy/development/secret.tpl.yml @@ -36,3 +36,11 @@ type: Opaque data: AWS_CLOUDFRONT_PUBLIC_KEY: "${AWS_CLOUDFRONT_PUBLIC_KEY_BASE64}" # AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING: "${AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING_BASE64}" +--- +apiVersion: v1 +kind: Secret +metadata: + name: basic-auth-secret +type: Opaque +data: + auth: "${BASIC_AUTH_BASE64}" \ No newline at end of file