rename oauth2 to xoauth2, and use enable option in manager-role, manager-binding

okapusty-virtru · okapusty-virtru · commit aa11eb029aaf · 2025-03-19T10:58:06.000+02:00
diff --git a/gateway/templates/configmap-base.yaml b/gateway/templates/configmap-base.yaml
@@ -57,9 +57,9 @@ data:
   {{- if eq .Values.additionalConfig.dkimSigning.enabled true }}
   GATEWAY_DKIM_DOMAINS: {{ .Values.additionalConfig.dkimSigning.selector }}._domainkey.{{ .Values.standardConfig.primaryMailingDomain }}
   {{- end }}
-  {{- if .Values.additionalConfig.oauth2.enabled }}
+  {{- if .Values.additionalConfig.xoauth2.enabled }}
   GATEWAY_SMTP_SASL_ENABLED_XOAUTH2: "1"
-  GATEWAY_OAUTH2_CLIENT_ID: {{ .Values.additionalConfig.oauth2.clientId }}
+  GATEWAY_XOAUTH2_CLIENT_ID: {{ .Values.additionalConfig.xoauth2.clientId }}
   {{- end }}
 
 
diff --git a/gateway/templates/oauth2-secret.yaml b/gateway/templates/oauth2-secret.yaml
diff --git a/gateway/templates/xoauth2-secret-manager-binding.yaml b/gateway/templates/xoauth2-secret-manager-binding.yaml
@@ -1,7 +1,8 @@
+{{- if .Values.additionalConfig.xoauth2.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ .Release.Name }}-oauth-secret-manager-binding
+  name: {{ .Release.Name }}-xoauth2-secret-manager-binding
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -13,4 +14,5 @@ subjects:
 roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
-    name: {{ .Release.Name }}-oauth-secret-manager-role
+    name: {{ .Release.Name }}-xoauth2-secret-manager-role
+{{- end }}
diff --git a/gateway/templates/xoauth2-secret-manager-role.yaml b/gateway/templates/xoauth2-secret-manager-role.yaml
@@ -1,7 +1,8 @@
+{{- if .Values.additionalConfig.xoauth2.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ .Release.Name }}-oauth-secret-manager-role
+  name: {{ .Release.Name }}-xoauth2-secret-manager-role
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
@@ -10,3 +11,4 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "update", "patch"]
+{{- end }}
diff --git a/gateway/templates/xoauth2-secret.yaml b/gateway/templates/xoauth2-secret.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.additionalConfig.xoauth2.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-xoauth2-secret
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/component: gateway
+type: Opaque
+data:
+  xoauth2-refresh-token: {{ .Values.appSecrets.xoauth2.refreshToken | b64enc | quote }}
+  xoauth2-client-secret: {{ .Values.appSecrets.xoauth2.clientSecret | b64enc | quote }}
+  xoauth2-access-token: {{ .Values.appSecrets.xoauth2.accessToken | b64enc | quote }}
+{{- end }}
diff --git a/gateway/templates/xoauth2-token-refresher.yaml b/gateway/templates/xoauth2-token-refresher.yaml
@@ -1,8 +1,8 @@
-{{- if .Values.additionalConfig.oauth2.enabled }}
+{{- if .Values.additionalConfig.xoauth2.enabled }}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
-  name: {{ .Release.Name }}-oauth2-token-refresher
+  name: {{ .Release.Name }}-xoauth2-token-refresher
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}
     app.kubernetes.io/component: gateway
@@ -14,17 +14,17 @@ spec:
         spec:
           serviceAccountName: {{ include "gateway.serviceAccountName" . }}
           containers:
-            - name: oauth2-token-refresher
+            - name: xoauth2-token-refresher
               image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
               command:
                 - "/bin/sh"
                 - "-c"
                 - |
                   echo "Starting Token Refresher"
-                  java -cp "/usr/local/smtp-proxy/smtp-proxy/target/lib/smtp-proxy-{{ .Values.appVersion }}.jar:/usr/local/smtp-proxy/smtp-proxy/target/lib/*" com.virtru.gateway.smtpproxy.oauth2.TokenRefresher
+                  java -cp "/usr/local/smtp-proxy/smtp-proxy/target/lib/smtp-proxy-{{ .Values.appVersion }}.jar:/usr/local/smtp-proxy/smtp-proxy/target/lib/*" com.virtru.gateway.smtpproxy.xoauth2.TokenRefresher
                   echo "Token Refresher Finished"
               volumeMounts:
-                - mountPath: "/etc/oauth2"
+                - mountPath: "/etc/xoauth2"
                   readOnly: true
                   name: oauth2-secret-volume
               env:
@@ -33,12 +33,12 @@ spec:
                     fieldRef:
                       fieldPath: metadata.namespace
                 - name: KUBE_SECRET_NAME
-                  value: "{{ .Release.Name }}-oauth2-secret"
-                - name: GATEWAY_OAUTH2_CLIENT_ID
-                  value: "{{ .Values.additionalConfig.oauth2.clientId }}"
+                  value: "{{ .Release.Name }}-xoauth2-secret"
+                - name: GATEWAY_XOAUTH2_CLIENT_ID
+                  value: "{{ .Values.additionalConfig.xoauth2.clientId }}"
           volumes:
-            - name: oauth2-secret-volume
+            - name: xoauth2-secret-volume
               secret:
-                secretName: {{ .Release.Name }}-oauth2-secret
+                secretName: {{ .Release.Name }}-xoauth2-secret
           restartPolicy: OnFailure
 {{- end }}
diff --git a/gateway/values.yaml b/gateway/values.yaml
@@ -135,10 +135,10 @@ appSecrets:
       <dkim-private-key>
   abac:
     oidcClientSecret: <oidc-client-secret> # The client secret used when authenticating against platform services.
-  oauth2:
-    clientSecret: <oauth2-client-secret>
-    refreshToken: <oauth2-refresh-token>
-    accessToken: <oauth2-access-token
+  xoauth2:
+    clientSecret: <xoauth2-client-secret>
+    refreshToken: <xoauth2-refresh-token>
+    accessToken: <xoauth2-access-token
 
 additionalConfig:
   saslAuth:
@@ -180,9 +180,9 @@ additionalConfig:
   dkimSigning:
     enabled: false
     selector: gw
-  oauth2:
+  xoauth2:
     enabled: false
-    clientId: <oauth2-client-id>
+    clientId: <xoauth2-client-id>
 
 istioIngress:
   enabled: false
