PUC-752: reading OIDCCryptoPassphrase from a secret

Author: haseebsyed12

Diff for: components/keystone/aio-values.yaml

@@ -228,10 +228,18 @@ pod:
           - name: keystone-sso
             mountPath: /etc/keystone-sso
             readOnly: true
+          - name: oidc-secret
+            mountPath: /etc/oidc-secret
+            readOnly: true
         volumes:
           - name: keystone-sso
             secret:
               secretName: keystone-sso
+          - name: oidc-secret
+            secret:
+              secretName: sso-passphrase
+  replicas:
+    api: 1
   lifecycle:
     disruption_budget:
       api:
@@ -287,7 +295,7 @@ conf:
         OIDCProviderMetadataURL http://dex.dex.svc:5556/.well-known/openid-configuration
         OIDCClientID keystone
         OIDCClientSecret "exec:/bin/cat /etc/keystone-sso/client-secret"
-        OIDCCryptoPassphrase "exec:/bin/cat /etc/keystone-sso/oidc-crypto-passphrase"
+        OIDCCryptoPassphrase "exec:/bin/cat /etc/oidc-secret/password"
         OIDCClaimDelimiter ;
 
         # avoid redirect issues per the following

Diff for: scripts/gitops-secrets-gen.sh

@@ -218,14 +218,12 @@ mkdir -p "${DEST_DIR}/dex/"
 for client in nautobot argo argocd keystone grafana; do
     if [ ! -f "${DEST_DIR}/dex/secret-${client}-sso-dex.yaml" ]; then
         SSO_SECRET=$("${SCRIPTS_DIR}/pwgen.sh")
-        SSO_CRYPTO_PASSPHRASE=$("${SCRIPTS_DIR}/pwgen.sh")
         kubectl --namespace dex \
             create secret generic "${client}-sso" \
             --dry-run=client \
             -o yaml \
             --type Opaque \
             --from-literal=client-secret="$SSO_SECRET" \
-            --from-literal=oidc-crypto-passphrase="$SSO_CRYPTO_PASSPHRASE" \
             --from-literal=client-id="${client}" \
             --from-literal=issuer="https://dex.${DNS_ZONE}" \
             | secret-seal-stdin "${DEST_DIR}/dex/secret-${client}-sso-dex.yaml"
@@ -263,10 +261,20 @@ convert_to_var_name() {
 convert_to_secret_name() {
     echo "$1" | tr '[:upper:]' '[:lower:]' | tr '_' '-'
 }
+# Default password generator using pwgen.sh
+default_pwgen() {
+    "${SCRIPTS_DIR}/pwgen.sh" 2>/dev/null
+}
+
+# Custom password generator with only alphabets
+alpha_only_pwgen() {
+    head /dev/urandom | tr -dc A-Za-z | head -c 32
+}
 
 load_or_gen_os_secret() {
     local data_var=$1
     local secret_var=$2
+    local gen_func=${3:-default_pwgen}
 
     if kubectl -n openstack get secret "${secret_var}" &>/dev/null; then
         data="$(kubectl -n openstack get secret "${secret_var}" -o jsonpath='{.data.password}' | base64 -d)"
@@ -276,7 +284,7 @@ load_or_gen_os_secret() {
         return 1
     else
         echo "Generating ${secret_var}"
-        data="$("${SCRIPTS_DIR}/pwgen.sh" 2>/dev/null)"
+        data="$(${gen_func})"
         # good ol' bash 3 compat for macOS
         eval "${data_var}=\"${data}\""
         # return 0 because we need to write this out
@@ -369,4 +377,18 @@ find "${DEST_DIR}" -maxdepth 1 -mindepth 1 -type d | while read -r component; do
     fi
 done
 
+echo "Checking keystone oidc passphrase Sealed Secret"
+mkdir -p "${DEST_DIR}/keystone"
+
+# Generate or retrieve passphrase
+VARNAME_PASSPHRASE="OS_SSO_PASSPHRASE"
+SECRET_PASSPHRASE="sso-passphrase"
+
+load_or_gen_os_secret "${VARNAME_PASSPHRASE}" "${SECRET_PASSPHRASE}" alpha_only_pwgen && \
+    create_os_secret "PASSPHRASE" "keystone" "passphrase"
+
+# Export for Helm templating if needed
+export OS_SSO_PASSPHRASE
+
+
 exit 0