From 7a30170f58890a95ca938982f9b7d1e2367cd2ab Mon Sep 17 00:00:00 2001
From: miha-jancar-shastacloud
Date: Thu, 6 Feb 2025 16:05:34 +0100
Subject: [PATCH] Improvement on secret management
---
 helm/Chart.yaml | 2 +-
 helm/README.md | 7 +-
 helm/templates/deployment.yaml | 11 +--
 helm/templates/secret-certs.yaml | 9 ++-
 helm/templates/secret-db-cert.yaml | 20 ++++++
 helm/templates/secret-env.yaml | 8 ++-
 helm/values.yaml | 108 +++++++++++++++++++----------
 7 files changed, 112 insertions(+), 53 deletions(-)
 create mode 100644 helm/templates/secret-db-cert.yaml
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index 706c442..8467bba 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 appVersion: "1.0.0"
 description: A CGW Helm chart for Kubernetes
 name: cgw
-version: 0.1.0
+version: 0.2.0
diff --git a/helm/README.md b/helm/README.md
index 863b68e..3770433 100644
--- a/helm/README.md
+++ b/helm/README.md
@@ -70,8 +70,11 @@ The following table lists the configurable parameters of the chart and their def | persistence.size | string | Defines PV size | `'10Gi'` | | public\_env\_variables | hash | Defines list of environment variables to be passed to the Gateway via ConfigMaps | | | secret\_env\_variables | hash | Defines list of secret environment variables to be passed to the Gateway via secrets | | -| existingCertsSecret | string | Existing Kubernetes secret containing all required certificates and private keys for microservice operation. If set, certificates from `certs` key are ignored | `""` | -| certs | hash | Defines files (keys and certificates) that should be passed to the Gateway (PEM format is adviced to be used) (see `volumes.cgw` on where it is mounted). If `existingCertsSecret` is set, certificates passed this way will not be used. | | +| existingEnvSecret | hash | Defines list of secret environment variables to be passed to the Gateway via secrets | | +| cgw\_certs | hash | Defines files (keys and certificates) that should be passed to the Gateway (PEM format is adviced to be used) (see `volumes.cgw` on where it is mounted). If `existingCgwCertsSecret` is set, certificates passed this way will not be used. | | +| existingCgwCertsSecret | string | Existing Kubernetes secret containing all environment variables to the Gateway. If set, environment variables from `secret_env_variables` key are ignored | `""` | +| db\_cert | hash | Defines root certificate which should be passed to Gateway to postgres via SSL `(see volumes.cgw` on where it is mounted). If `existingDBCertsSecret` is set, certificates passed this way will not be used. Required if `CGW_DB_TLS = "yes"` or `CGW_REDIS_TLS: "yes"` | | +| existingDBCertsSecret | string | Existing Kubernetes secret containing root certificate required for microservice to connect to postgres database. If set, certificates from `db_cert` key are ignored. 
Required if `CGW_DB_TLS = "yes"` or `CGW_REDIS_TLS: "yes"` | `""` | | certsCAs | hash | Defines files with CAs that should be passed to the Gateway (see `volumes.cgw` on where it is mounted) | |
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index f229524..a4c8ca8 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -51,14 +51,9 @@ spec:
 - name: {{ $key }}
 value: {{ $value | quote }}
 {{- end }}
- {{- range $key, $value := .Values.secret_env_variables }}
- - name: {{ $key }}
- valueFrom:
- secretKeyRef:
- name: {{ include "cgw.fullname" $root }}-env
- key: {{ $key }}
- {{- end }}
-
+ envFrom:
+ - secretRef:
+ name: {{ .Values.existingEnvSecret | default (printf "%s-env" (include "cgw.fullname" .)) }}
 ports:
 {{- range $port, $portValue := .Values.services.cgw.ports }}
 - name: {{ $port }}
diff --git a/helm/templates/secret-certs.yaml b/helm/templates/secret-certs.yaml
index 3bf34db..1b3404f 100644
--- a/helm/templates/secret-certs.yaml
+++ b/helm/templates/secret-certs.yaml
@@ -1,4 +1,8 @@
----
+{{- if not (or .Values.cgw_certs .Values.existingCgwCertsSecret) }}
+{{- fail "Either cgw_certs or existingCgwCertsSecret must be set." }}
+{{- end }}
+
+{{- if not (.Values.existingCgwCertsSecret) }}
 apiVersion: v1
 metadata:
 labels:
@@ -10,6 +14,7 @@ metadata:
 kind: Secret
 type: Opaque
 data:
- {{- range $key, $value := .Values.certs }}
+ {{- range $key, $value := .Values.cgw_certs }}
 {{ $key }}: {{ $value | b64enc | quote }}
 {{- end }}
+{{- end}}
diff --git a/helm/templates/secret-db-cert.yaml b/helm/templates/secret-db-cert.yaml
new file mode 100644
index 0000000..67eedca
--- /dev/null
+++ b/helm/templates/secret-db-cert.yaml
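Review bot: `envFrom` with `secretRef` injects every key of the referenced Secret into the container environment, whereas the removed `secretKeyRef` loop exposed only the keys listed in `secret_env_variables`; when `existingEnvSecret` points at an externally managed Secret, any extra key it holds becomes an environment variable, which is a wider exposure than before and deserves a comment above the new lines, e.g. `# every key of the Secret is exposed as an env var; keep it limited to CGW_* settings`. The README row this commit adds types `existingEnvSecret` as `hash` with the `secret_env_variables` description, while the template uses it as a Secret name; its description appears to have been swapped with the `existingCgwCertsSecret` row and should read `existingEnvSecret | string | Existing Kubernetes secret holding the Gateway environment variables. If set, secret_env_variables is ignored`. Nothing here verifies that the referenced Secret exists, so a wrong name surfaces only as a pod start failure. The container spec continues outside the hunk.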
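Review bot: The new guard only knows the renamed keys, so a values file written for chart 0.1.0 that still sets `certs` / `existingCertsSecret` has them silently ignored until the `fail` fires with a message that does not mention the rename. Add a migration check ahead of it, e.g. `{{- if or .Values.certs .Values.existingCertsSecret }}{{- fail "certs/existingCertsSecret were renamed to cgw_certs/existingCgwCertsSecret." }}{{- end }}`, so upgrades point at the fix. The rename is also not called out in the README hunk of this commit.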
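Review bot: The closing action is added as `{{- end}}`, dropping the space before `}}` that every other action in this file uses (`{{- end }}` two lines above); write `{{- end }}` for consistency with the rest of the template. The same spelling appears at the end of the new secret-db-cert.yaml and in the second hunk of secret-env.yaml.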
@@ -0,0 +1,20 @@
+{{- if and (hasKey .Values.public_env_variables "CGW_DB_TLS") (eq .Values.public_env_variables.CGW_DB_TLS "yes") }}
+ {{- if not (or .Values.db_cert .Values.existingDBCertsSecret) }}
+ {{- fail "Either db_cert or existingDBCertsSecret must be set when CGW_DB_TLS is 'yes'." }}
+ {{- end }}
+{{- end }}
+
+{{- if and (not .Values.existingDBCertsSecret) (hasKey .Values.public_env_variables "CGW_DB_TLS") (eq .Values.public_env_variables.CGW_DB_TLS "yes") }}
+apiVersion: v1
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "cgw.name" . }}
+ helm.sh/chart: {{ include "cgw.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ name: {{ include "cgw.fullname" . }}-db-cert
+kind: Secret
+type: Opaque
+data:
+ cert.pem: {{ .Values.db_cert | b64enc | quote }}
+{{- end}}
diff --git a/helm/templates/secret-env.yaml b/helm/templates/secret-env.yaml
index 21c8405..be4c83a 100644
--- a/helm/templates/secret-env.yaml
+++ b/helm/templates/secret-env.yaml
@@ -1,4 +1,8 @@
----
+{{- if not (or .Values.secret_env_variables .Values.existingEnvSecret) }}
+{{- fail "Either secret_env_variables or existingEnvSecret must be set." }}
+{{- end }}
+
+{{- if not (.Values.existingEnvSecret) }}
 apiVersion: v1
 metadata:
 labels:
@@ -14,4 +18,4 @@ data:
 {{- range $key, $value := .Values.secret_env_variables }}
 {{ $key }}: {{ $value | b64enc | quote }}
 {{- end }}
-
+{{- end}}
diff --git a/helm/values.yaml b/helm/values.yaml
index f8cb772..d55b097 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
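Review bot: Both `if` blocks gate only on `CGW_DB_TLS`, but the README row this commit adds says `db_cert` / `existingDBCertsSecret` are required when `CGW_DB_TLS` or `CGW_REDIS_TLS` is `"yes"`; with only `CGW_REDIS_TLS` enabled neither the `fail` check nor the Secret renders, so any volume that references it would presumably fail to mount. Either the README or the condition is wrong; if the README is right, compute the trigger once and reuse it, which also removes the duplicated `hasKey`/`eq` expression between the two blocks. The Secret body itself is unchanged in the rewrite below.
```yaml
{{- $dbTls := and (hasKey .Values.public_env_variables "CGW_DB_TLS") (eq .Values.public_env_variables.CGW_DB_TLS "yes") }}
{{- $redisTls := and (hasKey .Values.public_env_variables "CGW_REDIS_TLS") (eq .Values.public_env_variables.CGW_REDIS_TLS "yes") }}
{{- $needsDbCert := or $dbTls $redisTls }}
{{- if and $needsDbCert (not (or .Values.db_cert .Values.existingDBCertsSecret)) }}
{{- fail "Either db_cert or existingDBCertsSecret must be set when CGW_DB_TLS or CGW_REDIS_TLS is 'yes'." }}
{{- end }}

{{- if and $needsDbCert (not .Values.existingDBCertsSecret) }}
# … unchanged: Secret manifest (apiVersion … data.cert.pem) …
{{- end }}
```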
@@ -21,22 +21,22 @@ services: ports: # this port doesn't actually exist in cgw ... yet # It is needed however, as the ALB requires at least one ssl port - restapi: - servicePort: 16002 - targetPort: 16002 - protocol: TCP - websocket: - servicePort: 15002 - targetPort: 15002 - protocol: TCP - metrics: - servicePort: 15003 - targetPort: 8080 - protocol: TCP - grpc: - servicePort: 15051 - targetPort: 50051 - protocol: TCP + #restapi: + # servicePort: 16002 + # targetPort: 16002 + # protocol: TCP + #websocket: + # servicePort: 15002 + # targetPort: 15002 + # protocol: TCP + #metrics: + # servicePort: 15003 + # targetPort: 8080 + # protocol: TCP + #grpc: + # servicePort: 15051 + # targetPort: 50051 + # protocol: TCP checks: cgw: @@ -51,13 +51,18 @@ checks: ingresses: {} -volumes: - cgw: - - name: certs - mountPath: /etc/cgw/certs - volumeDefinition: | - secret: - secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "cgw.fullname" . }}-certs{{ end }} +volumes: {} +# cgw: +# - name: db-certificate +# mountPath: /etc/cgw/nb_infra/certs +# volumeDefinition: | +# secret: +# secretName: cgw-db-cert +# - name: cgw-certificates +# mountPath: /etc/cgw/certs +# volumeDefinition: | +# secret: +# secretName: cgw-certs resources: {} # We usually recommend not to specify default resources and to leave this as a conscious 
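Review bot: Every entry under `ports:` is commented out, which leaves the key null, while the two comment lines kept directly above it still say the ALB requires at least one ssl port; the comment is now stale, and the change is unrelated to the secret management this commit is about. If the intent is that users must supply their own ports, write `ports: {}` so the value is an explicit empty mapping rather than null, and reword the comment, e.g. `# no ports are defined by default; define at least one ssl port, which the ALB requires`. Whether a null here is tolerated by the Service template cannot be seen from this hunk.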
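Review bot: The commented replacement for the removed `volumes.cgw` entry hardcodes `secretName: cgw-certs` and `secretName: cgw-db-cert`, whereas the removed definition derived the name from `include "cgw.fullname" .` and honoured the existing-secret override; the Secret rendered by the new secret-db-cert.yaml is named `{{ include "cgw.fullname" . }}-db-cert`, so the example only matches when the fullname is exactly `cgw` and never picks up `existingDBCertsSecret` / `existingCgwCertsSecret`. Keep the templated form in the example, i.e. `secretName: {{ .Values.existingCgwCertsSecret | default (printf "%s-certs" (include "cgw.fullname" .)) }}` and `secretName: {{ .Values.existingDBCertsSecret | default (printf "%s-db-cert" (include "cgw.fullname" .)) }}`, assuming `volumeDefinition` is still passed through `tpl` as the removed line implies. With `volumes: {}` as the default the rendered Secrets are not mounted anywhere unless the user adds this stanza, which the comment should state.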
@@ -99,28 +104,55 @@ public_env_variables: CGW_WSS_CAS: "cas.pem" CGW_WSS_CERT: "websocket-cert.pem" CGW_WSS_KEY: "websocket-key.pem" - CGW_DB_HOST: "pgsql" - CGW_DB_PORT: "5432" - CGW_DB_NAME: "cgw" - CGW_DB_USERNAME: "cgw" - CGW_KAFKA_HOST: "kafka" - CGW_KAFKA_PORT: "9092" - CGW_REDIS_HOST: "redis" - CGW_REDIS_PORT: "6379" CGW_LOG_LEVEL: "info" # or debug CGW_KAFKA_CONSUME_TOPIC: "CnC" CGW_KAFKA_PRODUCE_TOPIC: "CnC_Res" # set to (#cpus * 2) - 2 DEFAULT_WSS_THREAD_NUM: "6" +# CGW_DB_TLS: "yes" +# CGW_REDIS_TLS: "yes" +# CGW_KAFKA_TLS: "yes" +#Set secret_env_variables or existingEnvSecret variable secret_env_variables: - CGW_DB_PASSWORD: "123" +# CGW_DB_PASSWORD: "cgw123" +# CGW_DB_HOST: "pgsql" +# CGW_DB_PORT: "5432" +# CGW_DB_NAME: "cgw" +# CGW_DB_USERNAME: "cgw" +# CGW_KAFKA_HOST: "kafka" +# CGW_KAFKA_PORT: "9092" +# CGW_REDIS_HOST: "redis" +# CGW_REDIS_PORT: "6379" +# CGW_DB_PASSWORD: "123" + +existingEnvSecret: # NOTE: List of required certificates may be found in "certs" key. Alternative way to pass required certificates is to create external secret with all required certificates and set secret name in "existingCertsSecret" key. Details may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/cgwchart#tldr -existingCertsSecret: "" -certs: - root.pem: "" - websocket-cert.pem: "" - websocket-key.pem: "" - cas.pem: "" +#if CGW_DB_TLS is enabled set db_cert or existingDBCertsSecret variable +db_cert: +#db_cert: | +# -----BEGIN CERTIFICATE----- +# ....... +# -----END CERTIFICATE----- + +existingDBCertsSecret: + + +#Set cgw_certs or existingCgwCertsSecret variable +#cgw_certs: +# websocket-cert.pem: | +# -----BEGIN CERTIFICATE----- +# ....... +# -----END CERTIFICATE----- +# websocket-key.pem: | +# -----BEGIN PRIVATE KEY----- +# ....... +# -----END PRIVATE KEY----- +# cas.pem: | +# -----BEGIN CERTIFICATE----- +# ....... +# -----END CERTIFICATE----- + +existingCgwCertsSecret: \ No newline at end of file
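Review bot: The `# NOTE:` comment kept as context still points the reader at the `certs` key and at `existingCertsSecret`, both of which this hunk removes in favour of `cgw_certs` / `existingCgwCertsSecret`, so it should be rewritten with the new names and mention `db_cert` / `existingDBCertsSecret` as well. The new `secret_env_variables:`, `existingEnvSecret:`, `db_cert:`, `existingDBCertsSecret:` and `existingCgwCertsSecret:` keys are left bare, which YAML reads as null; write `secret_env_variables: {}` and `existingEnvSecret: ""` (likewise for the others) so the intended type is explicit, which leaves the templates' `fail` checks unchanged since an empty map and empty string are both falsy there. The commented example under `secret_env_variables` lists `CGW_DB_PASSWORD` twice (`"cgw123"` and `"123"`), which would be a duplicate key if uncommented as is, and the file now ends without a trailing newline.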