Improvement on secret management

2025-10-29 09:22:22 +00:00 · 2025-02-06 16:05:34 +01:00
parent fb1b8455df
commit 7a30170f58
7 changed files with 112 additions and 53 deletions
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 appVersion: "1.0.0"
 description: A CGW Helm chart for Kubernetes
 name: cgw
-version: 0.1.0
+version: 0.2.0
--- a/helm/README.md
+++ b/helm/README.md
@@ -70,8 +70,11 @@ The following table lists the configurable parameters of the chart and their def
 | persistence.size | string | Defines PV size | `'10Gi'` |
 | public\_env\_variables | hash | Defines list of environment variables to be passed to the Gateway via ConfigMaps | |
 | secret\_env\_variables | hash | Defines list of secret environment variables to be passed to the Gateway via secrets | |
-| existingCertsSecret | string | Existing Kubernetes secret containing all required certificates and private keys for microservice operation. If set, certificates from `certs` key are ignored | `""` |
-| certs | hash | Defines files (keys and certificates) that should be passed to the Gateway (PEM format is adviced to be used) (see `volumes.cgw` on where it is mounted). If `existingCertsSecret` is set, certificates passed this way will not be used. |  |
+| existingEnvSecret | hash | Defines list of secret environment variables to be passed to the Gateway via secrets | |
+| cgw\_certs | hash | Defines files (keys and certificates) that should be passed to the Gateway (PEM format is adviced to be used) (see `volumes.cgw` on where it is mounted). If `existingCgwCertsSecret` is set, certificates passed this way will not be used. |  |
+| existingCgwCertsSecret | string | Existing Kubernetes secret containing all environment variables to the Gateway. If set, environment variables from `secret_env_variables` key are ignored | `""` |
+| db\_cert | hash | Defines root certificate which should be passed to Gateway to postgres via SSL `(see volumes.cgw` on where it is mounted). If `existingDBCertsSecret` is set, certificates passed this way will not be used. Required if `CGW_DB_TLS = "yes"` or `CGW_REDIS_TLS: "yes"` |  |
+| existingDBCertsSecret | string | Existing Kubernetes secret containing root certificate required for microservice to connect to postgres database. If set, certificates from `db_cert` key are ignored. Required if `CGW_DB_TLS = "yes"` or `CGW_REDIS_TLS: "yes"` | `""` |
 | certsCAs | hash | Defines files with CAs that should be passed to the Gateway (see `volumes.cgw` on where it is mounted) |  |


--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -51,14 +51,9 @@ spec:
            - name: {{ $key }}
              value: {{ $value | quote }}
          {{- end }}
-          {{- range $key, $value := .Values.secret_env_variables }}
-            - name: {{ $key }}
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "cgw.fullname" $root }}-env
-                  key: {{ $key }}
-          {{- end }}
-
+          envFrom:
+            - secretRef:
+                name: {{ .Values.existingEnvSecret | default (printf "%s-env" (include "cgw.fullname" .)) }}
          ports:
          {{- range $port, $portValue := .Values.services.cgw.ports }}
            - name: {{ $port }}
--- a/helm/templates/secret-certs.yaml
+++ b/helm/templates/secret-certs.yaml
@@ -1,4 +1,8 @@
---
+{{- if not (or .Values.cgw_certs .Values.existingCgwCertsSecret) }}
+{{- fail "Either cgw_certs or existingCgwCertsSecret must be set." }}
+{{- end }}
+
+{{- if not (.Values.existingCgwCertsSecret) }}
 apiVersion: v1
 metadata:
  labels:
@@ -10,6 +14,7 @@ metadata:
 kind: Secret
 type: Opaque
 data:
-  {{- range $key, $value := .Values.certs }}
+  {{- range $key, $value := .Values.cgw_certs }}
  {{ $key }}: {{ $value | b64enc | quote }}
  {{- end }}
+{{- end}}
--- a/helm/templates/secret-db-cert.yaml
+++ b/helm/templates/secret-db-cert.yaml
@@ -0,0 +1,20 @@
+{{- if and (hasKey .Values.public_env_variables "CGW_DB_TLS") (eq .Values.public_env_variables.CGW_DB_TLS "yes") }}
+  {{- if not (or .Values.db_cert .Values.existingDBCertsSecret) }}
+    {{- fail "Either db_cert or existingDBCertsSecret must be set when CGW_DB_TLS is 'yes'." }}
+  {{- end }}
+{{- end }}
+
+{{- if and (not .Values.existingDBCertsSecret) (hasKey .Values.public_env_variables "CGW_DB_TLS") (eq .Values.public_env_variables.CGW_DB_TLS "yes") }}
+apiVersion: v1
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ include "cgw.name" . }}
+    helm.sh/chart: {{ include "cgw.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "cgw.fullname" . }}-db-cert
+kind: Secret
+type: Opaque
+data:
+  cert.pem: {{ .Values.db_cert | b64enc | quote }}
+{{- end}}
--- a/helm/templates/secret-env.yaml
+++ b/helm/templates/secret-env.yaml
@@ -1,4 +1,8 @@
---
+{{- if not (or .Values.secret_env_variables .Values.existingEnvSecret) }}
+{{- fail "Either secret_env_variables or existingEnvSecret must be set." }}
+{{- end }}
+
+{{- if not (.Values.existingEnvSecret) }}
 apiVersion: v1
 metadata:
  labels:
@@ -14,4 +18,4 @@ data:
  {{- range $key, $value := .Values.secret_env_variables }}
  {{ $key }}: {{ $value | b64enc | quote }}
  {{- end }}
-
+{{- end}}
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -21,22 +21,22 @@ services:
    ports:
      # this port doesn't actually exist in cgw ... yet
      # It is needed however, as the ALB requires at least one ssl port
-      restapi:
-        servicePort: 16002
-        targetPort: 16002
-        protocol: TCP
-      websocket:
-        servicePort: 15002
-        targetPort: 15002
-        protocol: TCP
-      metrics:
-        servicePort: 15003
-        targetPort: 8080
-        protocol: TCP
-      grpc:
-        servicePort: 15051
-        targetPort: 50051
-        protocol: TCP
+      #restapi:
+      #  servicePort: 16002
+      #  targetPort: 16002
+      #  protocol: TCP
+      #websocket:
+      #  servicePort: 15002
+      #  targetPort: 15002
+      #  protocol: TCP
+      #metrics:
+      #  servicePort: 15003
+      #  targetPort: 8080
+      #  protocol: TCP
+      #grpc:
+      #  servicePort: 15051
+      #  targetPort: 50051
+      #  protocol: TCP

 checks:
  cgw:
@@ -51,13 +51,18 @@ checks:

 ingresses: {}

-volumes:
-  cgw:
-    - name: certs
-      mountPath: /etc/cgw/certs
-      volumeDefinition: |
-        secret:
-          secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "cgw.fullname" . }}-certs{{ end }}
+volumes: {}
+#  cgw:
+#    - name: db-certificate
+#      mountPath: /etc/cgw/nb_infra/certs
+#      volumeDefinition: |
+#        secret:
+#          secretName: cgw-db-cert
+#    - name: cgw-certificates
+#      mountPath: /etc/cgw/certs
+#      volumeDefinition: |
+#        secret:
+#          secretName: cgw-certs

 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
@@ -99,28 +104,55 @@ public_env_variables:
  CGW_WSS_CAS: "cas.pem"
  CGW_WSS_CERT: "websocket-cert.pem"
  CGW_WSS_KEY: "websocket-key.pem"
-  CGW_DB_HOST: "pgsql"
-  CGW_DB_PORT: "5432"
-  CGW_DB_NAME: "cgw"
-  CGW_DB_USERNAME: "cgw"
-  CGW_KAFKA_HOST: "kafka"
-  CGW_KAFKA_PORT: "9092"
-  CGW_REDIS_HOST: "redis"
-  CGW_REDIS_PORT: "6379"
  CGW_LOG_LEVEL: "info"  # or debug
  CGW_KAFKA_CONSUME_TOPIC: "CnC"
  CGW_KAFKA_PRODUCE_TOPIC: "CnC_Res"
  # set to (#cpus * 2) - 2
  DEFAULT_WSS_THREAD_NUM: "6"
+#  CGW_DB_TLS: "yes"
+#  CGW_REDIS_TLS: "yes"
+#  CGW_KAFKA_TLS: "yes"

+#Set secret_env_variables or existingEnvSecret variable
 secret_env_variables:
-  CGW_DB_PASSWORD: "123"
+#  CGW_DB_PASSWORD: "cgw123"
+#  CGW_DB_HOST: "pgsql"
+#  CGW_DB_PORT: "5432"
+#  CGW_DB_NAME: "cgw"
+#  CGW_DB_USERNAME: "cgw"
+#  CGW_KAFKA_HOST: "kafka"
+#  CGW_KAFKA_PORT: "9092"
+#  CGW_REDIS_HOST: "redis"
+#  CGW_REDIS_PORT: "6379"
+#  CGW_DB_PASSWORD: "123"
+
+existingEnvSecret:

 # NOTE: List of required certificates may be found in "certs" key. Alternative way to pass required certificates is to create external secret with all required certificates and set secret name in "existingCertsSecret" key. Details may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/cgwchart#tldr
-existingCertsSecret: ""

-certs:
-  root.pem: ""
-  websocket-cert.pem: ""
-  websocket-key.pem: ""
-  cas.pem: ""
+#if CGW_DB_TLS is enabled set db_cert or existingDBCertsSecret variable
+db_cert:
+#db_cert: |
+#  -----BEGIN CERTIFICATE-----
+#  .......
+#  -----END CERTIFICATE-----
+
+existingDBCertsSecret:
+
+
+#Set cgw_certs or existingCgwCertsSecret variable
+#cgw_certs:
+#  websocket-cert.pem: |
+#    -----BEGIN CERTIFICATE-----
+#    .......
+#    -----END CERTIFICATE-----
+#  websocket-key.pem: |
+#    -----BEGIN PRIVATE KEY-----
+#    .......
+#    -----END PRIVATE KEY-----
+#  cas.pem: |
+#    -----BEGIN CERTIFICATE-----
+#    .......
+#    -----END CERTIFICATE-----
+
+existingCgwCertsSecret: