App ID instance name change

- renamed the instance of App ID to `sfsappid`
- updated the annotation for the ingress plugin to latest

Author: dprosper

app/generate_yaml.sh

@@ -26,10 +26,13 @@ if [[ -z "$TARGET_NAMESPACE" ]]; then
   export TARGET_NAMESPACE=default
 fi
 
+if [[ -z "$APPID_INSTANCE" ]]; then
+  export APPID_INSTANCE=sfsappid
+fi
 
 if [[ -z "$PUBLIC_CERT_ID" ]] && [[ -z "$SECRETS_MANAGER_API_URL" ]] && [[ -z "$MYDOMAIN" ]]; then
   cat secure-file-storage.template.yaml | \
-    envsubst '$IMAGE_NAME $INGRESS_SECRET $INGRESS_SUBDOMAIN $IMAGE_PULL_SECRET $IMAGE_REPOSITORY $TARGET_NAMESPACE $BASENAME' > secure-file-storage.yaml
+    envsubst '$APPID_INSTANCE $IMAGE_NAME $INGRESS_SECRET $INGRESS_SUBDOMAIN $IMAGE_PULL_SECRET $IMAGE_REPOSITORY $TARGET_NAMESPACE $BASENAME' > secure-file-storage.yaml
   exit
 fi
 
@@ -50,4 +53,4 @@ fi
 
 cat secure-file-storage.template.yaml | \
   sed -e 's/^# //' |
-  envsubst '$PUBLIC_CERT_ID $SECRETS_MANAGER_API_URL $MYDOMAIN $IMAGE_NAME $INGRESS_SECRET $INGRESS_SUBDOMAIN $IMAGE_PULL_SECRET $IMAGE_REPOSITORY $TARGET_NAMESPACE $BASENAME' > secure-file-storage.yaml
+  envsubst '$APPID_INSTANCE $PUBLIC_CERT_ID $SECRETS_MANAGER_API_URL $MYDOMAIN $IMAGE_NAME $INGRESS_SECRET $INGRESS_SUBDOMAIN $IMAGE_PULL_SECRET $IMAGE_REPOSITORY $TARGET_NAMESPACE $BASENAME' > secure-file-storage.yaml

app/secure-file-storage.template.yaml

@@ -27,7 +27,7 @@ spec:
       labels:
         app: secure-file-storage
     spec:
-## Uncomment only if you are not deploying to the default namespace, remove ##
+## Uncomment only if you aren't deploying to the default namespace, remove ##
 ## In this case, make sure to create a Docker registry secret
 ##      imagePullSecrets:
 ##        - name: $IMAGE_PULL_SECRET
@@ -44,26 +44,30 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: ingress-for-secure-file-storage
+  name: ingress-for-sfs
   namespace: $TARGET_NAMESPACE
   annotations:
     kubernetes.io/ingress.class: "public-iks-k8s-nginx"
-    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2-$BASENAME-appid/auth
-    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-$BASENAME-appid/start?rd=$escaped_request_uri
+    nginx.ingress.kubernetes.io/auth-url: https://oauth2-$APPID_INSTANCE.default.svc.cluster.local/oauth2-$APPID_INSTANCE/auth
+    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2-$APPID_INSTANCE/start?rd=$escaped_request_uri
     nginx.ingress.kubernetes.io/configuration-snippet: |
+      auth_request_set $_oauth2_${APPID_INSTANCE}_upstream_1 $upstream_cookie__oauth2_${APPID_INSTANCE}_1;
       auth_request_set $access_token $upstream_http_x_auth_request_access_token;
       auth_request_set $id_token $upstream_http_authorization;
       access_by_lua_block {
+        if ngx.var._oauth2_${APPID_INSTANCE}_upstream_1 ~= "" then
+          ngx.header["Set-Cookie"] = "_oauth2_${APPID_INSTANCE}_1=" .. ngx.var._oauth2_${APPID_INSTANCE}_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
+        end
         if ngx.var.id_token ~= "" and ngx.var.access_token ~= "" then
           ngx.req.set_header("Authorization", "Bearer " .. ngx.var.access_token .. " " .. ngx.var.id_token:match("%s*Bearer%s*(.*)"))
         end
-      }
+      }      
 spec:
   tls:
   - hosts:
     - secure-file-storage.$INGRESS_SUBDOMAIN
     secretName: $INGRESS_SECRET
-## Uncomment below if you are using a custom domain.  Remove '# '
+## Uncomment below if you are using a custom domain. Remove '# '
 #   - hosts:
 #     - secure-file-storage.$MYDOMAIN
 #     secretName: secure-file-storage-certificate

terraform/main.tf

@@ -27,7 +27,7 @@ resource "ibm_iam_service_policy" "registry-policy" {
 }
 
 resource "ibm_resource_instance" "app_id" {
-  name              = "${var.basename}-appid"
+  name              = "sfsappid"
   service           = "appid"
   plan              = var.appid_plan
   location          = var.region