[installer] Remove OIDC secret from public-api

Author: easyCZ

components/public-api/go/config/config.go

@@ -20,9 +20,6 @@ type Configuration struct {
 	// StripeWebhookSigningSecretPath is a filepath to a secret used to validate incoming webhooks from Stripe
 	StripeWebhookSigningSecretPath string `json:"stripeWebhookSigningSecretPath"`
 
-	// OIDCClientJWTSigningSecretPath is a filepath to a secret used to sign and validate JWTs used for OIDC flows
-	OIDCClientJWTSigningSecretPath string `json:"oidcClientJWTSigningSecretPath"`
-
 	// Path to file which contains personal access token singing key
 	PersonalAccessTokenSigningKeyPath string `json:"personalAccessTokenSigningKeyPath"`
 

install/installer/pkg/components/public-api-server/configmap.go

@@ -28,15 +28,9 @@ const (
 )
 
 func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
-	var oidcClientJWTSigningSecretPath string
 	var stripeSecretPath string
 	var personalAccessTokenSigningKeyPath string
 
-	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
-		_, _, oidcClientJWTSigningSecretPath, _ = getOIDCClientJWTSecretConfig(cfg)
-		return nil
-	})
-
 	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
 		_, _, stripeSecretPath, _ = getStripeConfig(cfg)
 		return nil
@@ -54,7 +48,6 @@ func configmap(ctx *common.RenderContext) ([]runtime.Object, error) {
 	cfg := config.Configuration{
 		PublicURL:                         fmt.Sprintf("https://api.%s", ctx.Config.Domain),
 		GitpodServiceURL:                  common.ClusterURL("ws", server.Component, ctx.Namespace, server.ContainerPort),
-		OIDCClientJWTSigningSecretPath:    oidcClientJWTSigningSecretPath,
 		StripeWebhookSigningSecretPath:    stripeSecretPath,
 		PersonalAccessTokenSigningKeyPath: personalAccessTokenSigningKeyPath,
 		BillingServiceAddress:             common.ClusterAddress(usage.Component, ctx.Namespace, usage.GRPCServicePort),
@@ -137,38 +130,6 @@ func getStripeConfig(cfg *experimental.Config) (corev1.Volume, corev1.VolumeMoun
 	return volume, mount, path, true
 }
 
-func getOIDCClientJWTSecretConfig(cfg *experimental.Config) (corev1.Volume, corev1.VolumeMount, string, bool) {
-	var volume corev1.Volume
-	var mount corev1.VolumeMount
-	var path string
-
-	if cfg == nil || cfg.WebApp == nil || cfg.WebApp.PublicAPI == nil || cfg.WebApp.PublicAPI.OIDCClientJWTSigningKeySecretName == "" {
-		return volume, mount, path, false
-	}
-
-	oidcClientJWTSigningKeySecretName := cfg.WebApp.PublicAPI.OIDCClientJWTSigningKeySecretName
-	path = oidcClientJWTSigningKeyMountPath
-
-	volume = corev1.Volume{
-		Name: "oidc-client-jwt-signing-key",
-		VolumeSource: corev1.VolumeSource{
-			Secret: &corev1.SecretVolumeSource{
-				SecretName: oidcClientJWTSigningKeySecretName,
-				Optional:   pointer.Bool(true),
-			},
-		},
-	}
-
-	mount = corev1.VolumeMount{
-		Name:      "oidc-client-jwt-signing-key",
-		MountPath: oidcClientJWTSigningKeyMountPath,
-		SubPath:   "oidc-client-jwt-signing-key",
-		ReadOnly:  true,
-	}
-
-	return volume, mount, path, true
-}
-
 func getPersonalAccessTokenSigningKey(cfg *experimental.Config) (corev1.Volume, corev1.VolumeMount, string, bool) {
 	var volume corev1.Volume
 	var mount corev1.VolumeMount

install/installer/pkg/components/public-api-server/configmap_test.go

@@ -33,12 +33,6 @@ func TestConfigMap(t *testing.T) {
 		return nil
 	})
 
-	var oidcClientJWTSigningSecretPath string
-	_ = ctx.WithExperimental(func(ucfg *experimental.Config) error {
-		_, _, oidcClientJWTSigningSecretPath, _ = getOIDCClientJWTSecretConfig(ucfg)
-		return nil
-	})
-
 	var personalAccessTokenSigningKeyPath string
 	_ = ctx.WithExperimental(func(ucfg *experimental.Config) error {
 		_, _, personalAccessTokenSigningKeyPath, _ = getPersonalAccessTokenSigningKey(ucfg)
@@ -50,7 +44,6 @@ func TestConfigMap(t *testing.T) {
 		GitpodServiceURL:                  fmt.Sprintf("ws://server.%s.svc.cluster.local:3000", ctx.Namespace),
 		BillingServiceAddress:             fmt.Sprintf("usage.%s.svc.cluster.local:9001", ctx.Namespace),
 		SessionServiceAddress:             fmt.Sprintf("server.%s.svc.cluster.local:9876", ctx.Namespace),
-		OIDCClientJWTSigningSecretPath:    oidcClientJWTSigningSecretPath,
 		StripeWebhookSigningSecretPath:    stripeSecretPath,
 		PersonalAccessTokenSigningKeyPath: personalAccessTokenSigningKeyPath,
 		DatabaseConfigPath:                "/secrets/database-config",

install/installer/pkg/components/public-api-server/deployment.go

@@ -59,17 +59,6 @@ func deployment(ctx *common.RenderContext) ([]runtime.Object, error) {
 		databaseSecretMount,
 	}
 
-	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
-		volume, mount, _, ok := getOIDCClientJWTSecretConfig(cfg)
-		if !ok {
-			return nil
-		}
-
-		volumes = append(volumes, volume)
-		volumeMounts = append(volumeMounts, mount)
-		return nil
-	})
-
 	_ = ctx.WithExperimental(func(cfg *experimental.Config) error {
 		volume, mount, _, ok := getStripeConfig(cfg)
 		if !ok {

install/installer/pkg/components/public-api-server/objects_test.go

@@ -30,7 +30,6 @@ func renderContextWithPublicAPI(t *testing.T) *common.RenderContext {
 			WebApp: &experimental.WebAppConfig{
 				PublicAPI: &experimental.PublicAPIConfig{
 					StripeSecretName:                        "stripe-webhook-secret",
-					OIDCClientJWTSigningKeySecretName:       "oidc-client-jwt-signing-key",
 					PersonalAccessTokenSigningKeySecretName: "personal-access-token-signing-key",
 				},
 			},

install/installer/pkg/config/v1/experimental/experimental.go

@@ -301,9 +301,6 @@ type PublicAPIConfig struct {
 	// Name of the kubernetes secret to use for Stripe secrets
 	StripeSecretName string `json:"stripeSecretName"`
 
-	// Name of the kubernetes secret to use for signing JWTs
-	OIDCClientJWTSigningKeySecretName string `json:"oidcClientJWTSigningKeySecretName"`
-
 	// Name of the kubernetes secret to use for signature of Personal Access Tokens
 	PersonalAccessTokenSigningKeySecretName string `json:"personalAccessTokenSigningKeySecretName"`
 }