From 168687532113f328438c5b3288dbe5c15aab2853 Mon Sep 17 00:00:00 2001 From: David Luong <32136994+rh-dluong@users.noreply.github.com> Date: Wed, 13 Apr 2022 19:42:07 -0400 Subject: [PATCH] Customize CSRF options (#825) --- README.md | 32 +++++++++++++++++++ config/crd/bases/awx.ansible.com_awxs.yaml | 6 ++++ .../awx-operator.clusterserviceversion.yaml | 10 ++++++ roles/installer/defaults/main.yml | 4 +++ roles/installer/templates/config.yaml.j2 | 4 +-- 5 files changed, 54 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index aa6cf9eb..233c356c 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,8 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w * [Default execution environments from private registries](#default-execution-environments-from-private-registries) * [Control plane ee from private registry](#control-plane-ee-from-private-registry) * [Exporting Environment Variables to Containers](#exporting-environment-variables-to-containers) + * [CSRF Cookie Secure](#csrf-cookie-secure-setting) + * [Session Cookie Secure](#session-cookie-secure-setting) * [Extra Settings](#extra-settings) * [Service Account](#service-account) * [Uninstall](#uninstall) 
@@ -836,6 +838,36 @@ Example configuration of environment variables value: foo ``` +#### CSRF Cookie Secure Setting + +With `csrf_cookie_secure`, you can pass the value for `CSRF_COOKIE_SECURE` to `/etc/tower/settings.py` + +| Name | Description | Default | +| ------------------ | ------------------ | ------- | +| csrf_cookie_secure | CSRF Cookie Secure | '' | + +Example configuration of the `csrf_cookie_secure` setting: + +```yaml + spec: + csrf_cookie_secure: 'False' +``` + +#### Session Cookie Secure Setting + +With `session_cookie_secure`, you can pass the value for `SESSION_COOKIE_SECURE` to `/etc/tower/settings.py` + +| Name | Description | Default | +| --------------------- | --------------------- | ------- | +| session_cookie_secure | Session Cookie Secure | '' | + +Example configuration of the `session_cookie_secure` setting: + +```yaml + spec: + session_cookie_secure: 'False' +``` + #### Extra Settings With`extra_settings`, you can pass multiple custom settings via the `awx-operator`. The parameter `extra_settings` will be appended to the `/etc/tower/settings.py` and can be an alternative to the `extra_volumes` parameter. diff --git a/config/crd/bases/awx.ansible.com_awxs.yaml b/config/crd/bases/awx.ansible.com_awxs.yaml index fe93f647..9e2b5579 100644 --- a/config/crd/bases/awx.ansible.com_awxs.yaml +++ b/config/crd/bases/awx.ansible.com_awxs.yaml @@ -432,6 +432,12 @@ spec: description: AccessMode for the /var/lib/projects PersistentVolumeClaim default: ReadWriteMany type: string + csrf_cookie_secure: + description: Set csrf cookie secure mode for web + type: string + session_cookie_secure: + description: Set session cookie secure mode for web + type: string extra_settings: description: Extra settings to specify for the API items: diff --git a/config/manifests/bases/awx-operator.clusterserviceversion.yaml b/config/manifests/bases/awx-operator.clusterserviceversion.yaml index 9ffbbb2d..41d0bfd3 100644 
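Review bot: In the `config/crd/bases/awx.ansible.com_awxs.yaml` hunk, `csrf_cookie_secure` and `session_cookie_secure` are declared as `type: string` with no `enum` or `pattern`, so the API server admits any text for what are boolean cookie-security settings. Declaring them `type: boolean` would reject a typo or stray value at admission. If the quoted form shown in the README has to keep working, keep the string type and add `enum: ['True', 'False']` instead. The `description` could also say which values are accepted, for example `description: Set the Secure flag on the CSRF cookie (True or False)`. The enclosing `properties` block starts and ends outside the hunk.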
--- a/config/manifests/bases/awx-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/awx-operator.clusterserviceversion.yaml @@ -554,6 +554,16 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:advanced - urn:alm:descriptor:com.tectonic.ui:hidden + - displayName: CSRF cookie secure setting + path: csrf_cookie_secure + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden + - displayName: Session cookie secure setting + path: session_cookie_secure + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:advanced + - urn:alm:descriptor:com.tectonic.ui:hidden - displayName: API Extra Settings path: extra_settings x-descriptors: diff --git a/roles/installer/defaults/main.yml b/roles/installer/defaults/main.yml index 7dbc2bbf..6e1537b3 100644 --- a/roles/installer/defaults/main.yml +++ b/roles/installer/defaults/main.yml @@ -182,6 +182,10 @@ ee_resource_requirements: cpu: 500m memory: 1Gi +# Customize CSRF options +csrf_cookie_secure: False +session_cookie_secure: False + # Add extra environment variables to the AWX task/web containers. Specify as # literal block. E.g.: # task_extra_env: | diff --git a/roles/installer/templates/config.yaml.j2 b/roles/installer/templates/config.yaml.j2 index 10944be9..6fb5b42d 100644 --- a/roles/installer/templates/config.yaml.j2 +++ b/roles/installer/templates/config.yaml.j2 @@ -60,8 +60,8 @@ data: CLUSTER_HOST_ID = socket.gethostname() SYSTEM_UUID = os.environ.get('MY_POD_UID', '00000000-0000-0000-0000-000000000000') - CSRF_COOKIE_SECURE = False - SESSION_COOKIE_SECURE = False + CSRF_COOKIE_SECURE = '{{ csrf_cookie_secure }}' + SESSION_COOKIE_SECURE = '{{ session_cookie_secure }}' SERVER_EMAIL = 'root@localhost' DEFAULT_FROM_EMAIL = 'webmaster@localhost'
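Review bot: In the `roles/installer/templates/config.yaml.j2` hunk, both new lines wrap the rendered value in quotes, so the settings file receives the string `'False'` rather than a boolean, and any non-empty string is truthy in Python. As far as I can tell Django only checks these settings for truthiness when it writes the cookie, so with the `False` default from `roles/installer/defaults/main.yml` the Secure flag would be turned on. That is the opposite of the configured value and of the previously hard-coded `False`. Rendering a real boolean avoids this: `CSRF_COOKIE_SECURE = {{ csrf_cookie_secure | bool }}` and `SESSION_COOKIE_SECURE = {{ session_cookie_secure | bool }}`. It also stops a spec value containing a quote character from closing the literal and altering the rest of the settings file; the ConfigMap `data` block starts and ends outside the hunk.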