FIX login loop FIX singelogout not working

Login loop fix required setting the secure cookie flag, which requires the addition of the SIMPLESAMLPHP_BASEURLPATH env var. This env var tells SimpleSAMLphp that it's operating under https even though it's serving http requests due to ingress. Logout wasn't working since Shib requires singlelogout requests to be signed, and the wiki wasn't able to sign them due to not having the sp certs. I switched to mounting the sp certs into /var/www/simplesamlphp-base/cert so that they'll get copied into the shared nfs mount that the wiki pod does have access to. This didn't work initially because mounting as a dir (not using subpath) resulted in the files being symlinks. And the symlinks are, of course, invalid in the wiki pod. Mounting them as individual files using subpath created actual files, which does allow them to be copied into the nfs shared volume. Instead of making the SP entity ID depend on the baseurlpath, I've realize that it's probably better to make it its own config, since the SP entity ID can remain stable even if the base url changes. So now there's a new simplesamlphp.sp.entityId values config.
ubc · Jul 22, 2024 · c7a4f1e · c7a4f1e
1 parent 7f008fa
commit c7a4f1e
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 6 deletions.
diff --git a/mediawiki/templates/_helpers.tpl b/mediawiki/templates/_helpers.tpl
@@ -59,7 +59,10 @@ build_id: "{{ .Values.CI_BUILD_ID }}"
 {{- index .Values.ingress.hosts 0 | default .Values.CI_ENVIRONMENT_HOSTNAME | default "localhost" -}}
 {{- end -}}
 {{- define "simplesamlphp.baseurl" -}}
-https://{{ template "simplesamlphp.domain" . }}/_saml2/
+https://{{ template "simplesamlphp.domain" . }}
+{{- end -}}
+{{- define "simplesamlphp.baseurlpath" -}}
+{{ template "simplesamlphp.baseurl" . }}/_saml2/
 {{- end -}}
 
 {{- define "simplesamlphp.app.spec.env" }}
@@ -75,8 +78,10 @@ https://{{ template "simplesamlphp.domain" . }}/_saml2/
   value: {{ template "simplesamlphp.domain" . }}
 - name: SIMPLESAMLPHP_BASEURL
   value: {{ template "simplesamlphp.baseurl" . }}
+- name: SIMPLESAMLPHP_BASEURLPATH
+  value: {{ template "simplesamlphp.baseurlpath" . }}
 - name: SIMPLESAMLPHP_SP_ENTITY_ID
-  value: {{  template "simplesamlphp.baseurl" . }}
+  value: {{ .Values.simplesamlphp.sp.entityId | quote }}
 - name: SIMPLESAMLPHP_IDP_ENTITY_ID
   value: {{ .Values.simplesamlphp.idp.entityId | quote }}
 - name: SIMPLESAMLPHP_IDP_METADATA_URL

diff --git a/mediawiki/templates/deployment-simplesamlphp.yaml b/mediawiki/templates/deployment-simplesamlphp.yaml
@@ -48,13 +48,15 @@ spec:
         volumeMounts:
           - name: simplesamlphp-code
             mountPath: /var/www/simplesamlphp
+          # we're mounting the certs as a subpath cause that give us actual
+          # files, mounting as a dir results in the files being symlinks. The
+          # symlinks doesn't work when copied over to the nfs mount shared with
+          # the wiki pod
           - name: simplesamlphp-crt
-            mountPath: /var/www/simplesamlphp/cert/wiki-sp.crt
-            # subPath cause we're mounting into a pvc, and that didn't work as
-            # a dir but worked as a single file
+            mountPath: /var/www/simplesamlphp-base/cert/wiki-sp.crt
             subPath: wiki-sp.crt
           - name: simplesamlphp-pem
-            mountPath: /var/www/simplesamlphp/cert/wiki-sp.pem
+            mountPath: /var/www/simplesamlphp-base/cert/wiki-sp.pem
             subPath: wiki-sp.pem
       volumes:
         - name: simplesamlphp-code

diff --git a/mediawiki/values.yaml b/mediawiki/values.yaml
@@ -310,6 +310,7 @@ simplesamlphp:
         server: some-nfs-server
         path: "/wikistg-simplesamlphp"
     sp:
+      entityId: ''
       certs:
         crt: |
           -----BEGIN CERTIFICATE-----