From 38691fbaae60673d967d1cd790551f05cdc1e95c Mon Sep 17 00:00:00 2001
From: Patrick Dodgen
Date: Thu, 6 Feb 2025 20:25:43 -0700
Subject: [PATCH 1/2] allow users to provide their own hqproperties secret for improved security over sensitive information
---
 charts/intel/README.md | 2 +-
 charts/intel/templates/deployment.yaml | 8 +++++++-
 charts/intel/templates/secret-properties.yaml | 14 ++++----------
 charts/intel/values.yaml | 8 ++------
 4 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/charts/intel/README.md b/charts/intel/README.md
index bafd7a8..db1a667 100644
--- a/charts/intel/README.md
+++ b/charts/intel/README.md
@@ -31,6 +31,7 @@ The following table lists configurable parameters of the CodeTogether Intel char
 | `imageCredentials.password` | Docker registry password | `my-customer-password` |
 | `imageCredentials.email` | Docker registry email | `unused` |
 | `codetogether.url` | Full URL for the CodeTogether Intel server | `https://` |
+| `hqproperties.secretRef` | (Optional) Name of a Kubernetes secret containing the hqproperties secret. If provided, will override the other values in the hqproperties section | `kubernetes-secret-name` |
 | `hqproperties.hq.sso.client.id` | Client ID for Single Sign-On (SSO) | `CLIENTID.apps.googleusercontent.com` |
 | `hqproperties.hq.sso.client.secret` | Client Secret for Single Sign-On (SSO) | `CLIENTSECRET` |
 | `hqproperties.hq.sso.client.issuer.url` | Issuer URL for Single Sign-On (SSO) | `https://accounts.google.com` |
@@ -51,7 +52,6 @@ The following table lists configurable parameters of the CodeTogether Intel char
 | `java.customCacerts.enabled` | Enables mounting a custom Java trust store (cacerts) | `false` |
 | `java.customCacerts.cacertsSecretName` | Name of the Kubernetes secret containing the `cacerts` file | `custom-java-cacerts` |
 | `java.customCacerts.trustStorePasswordKey` | (Optional) Key inside the Kubernetes secret containing the trust store password | `trustStorePassword` |
-| `cassandra.passwordSecret` | (Optional) Name of a Kubernetes secret containing the Cassandra database password. | |
 | `ingress.enabled` | Enables ingress controller resource | `true` |
 | `ingress.annotations` | Annotations for ingress | `{}` |
 | `ingress.tls.secretName` | TLS secret name for ingress | `codetogether-intel-tls` |
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
index a15aec4..b8ef0e3 100644
--- a/charts/intel/templates/deployment.yaml
+++ b/charts/intel/templates/deployment.yaml
@@ -107,7 +107,13 @@ spec:
 volumes:
 - name: properties-volume
 secret:
- secretName: {{ if .Values.fullnameOverride }}{{ .Values.fullnameOverride }}-hqproperties{{ else }}hqproperties{{ end }}
+ secretName: {{- if .Values.hqproperties.secretRef }}
+ {{- .Values.hqproperties.secretRef }}
+ {{- else if .Values.fullnameOverride }}
+ {{- printf "%s-hqproperties" .Values.fullnameOverride }}
+ {{- else }}
+ {{- "hqproperties" }}
+ {{- end }}
 {{- if .Values.java.customCacerts.enabled }}
 - name: java-cacerts
 secret:
diff --git a/charts/intel/templates/secret-properties.yaml b/charts/intel/templates/secret-properties.yaml
index 998c94b..d735ece 100644
--- a/charts/intel/templates/secret-properties.yaml
+++ b/charts/intel/templates/secret-properties.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.hqproperties.secretRef }}
 apiVersion: v1
 kind: Secret
 metadata:
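Review bot: The `{{-` on the new `secretName: {{- if .Values.hqproperties.secretRef }}` line trims the space after the colon, so the rendered line becomes `secretName:<name>` with no separator, which YAML reads as a single plain scalar under `secret:` rather than a key/value pair; worth confirming against `helm template` output before merging. Dropping the dash from that first action only, `secretName: {{ if .Values.hqproperties.secretRef }}`, keeps the later `{{-` trims (which collapse the newlines and indentation of the branch lines) while preserving the space. The same construction is carried into the deployment.yaml hunk of the second patch (`secretName: {{- if .Values.hqpropertiessecret.enabled }}`) and needs the same one-character change. The volume list this sits in continues outside the hunk.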
@@ -5,14 +6,7 @@ metadata:
 type: Opaque
 stringData:
 cthq.properties: |-
- {{- $cassandraPassword := "" }}
- {{- if and (hasKey .Values "cassandra") (hasKey .Values.cassandra "passwordSecret") .Values.cassandra.passwordSecret (lookup "v1" "Secret" .Release.Namespace .Values.cassandra.passwordSecret) }}
- {{- $cassandraPassword := (lookup "v1" "Secret" .Release.Namespace .Values.cassandra.passwordSecret).data.cassandraPassword | b64dec }}
- {{- end }}
 {{- range $key, $value := .Values.hqproperties }}
- {{- if and (eq $key "hq.cassandra.db.password") $cassandraPassword }}
- {{ $key }}={{ $cassandraPassword }}
- {{- else }}
- {{ $key }}={{ $value }}
- {{- end }}
- {{- end }}
\ No newline at end of file
+ {{ $key }}={{ $value }}
+ {{- end }}
+{{- end }}
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
index ba8cf44..df879e7 100644
--- a/charts/intel/values.yaml
+++ b/charts/intel/values.yaml
@@ -40,6 +40,8 @@ codetogether:
 url: https://
 hqproperties:
+ # Optional property, if provided the value from the secret will be used as the hqproperties secret
+ secretRef: ""
 hq.sso.client.id: CLIENTID.apps.googleusercontent.com
 hq.sso.client.secret: CLIENTSECRET
 hq.sso.client.issuer.url: https://accounts.google.com
@@ -59,12 +61,6 @@ hqproperties:
 # default datacenter name is 'datacenter1'
 # hq.cassandra.db.localdatacenter: datacenter1
-# Optional property, if provided the value from the secret will be used as the cassandra DB password
-# This will overwrite the value in the hqproperties hq.cassandra.db.password
-# The secret must have a key named 'cassandraPassword'
-cassandra:
- passwordSecret: ""
-
 java:
 customCacerts:
 enabled: false # Set to 'true' to enable custom Java trust store (cacerts) support.
From 1fe445cbd77d49e483d824f9a7206a8107400b93 Mon Sep 17 00:00:00 2001
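Review bot: The `cassandra.passwordSecret` override is removed from this template (and from values.yaml in the same patch) with no guard, so an existing user values file that still sets it is silently ignored and `hq.cassandra.db.password` is rendered from whatever plain-text value sits in `hqproperties` instead. A one-line check at the top of the template turns that silent downgrade into an install-time error, mirroring the key test the old code used: `{{- if and (hasKey .Values "cassandra") (hasKey .Values.cassandra "passwordSecret") .Values.cassandra.passwordSecret }}{{ fail "cassandra.passwordSecret has been removed; supply the complete properties file via an external secret instead" }}{{ end }}`. Dropping the `lookup` call is a welcome side effect, since it never resolved under `helm template` or `--dry-run` and so produced different output there than on a live install.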
From: Patrick Dodgen
Date: Fri, 7 Feb 2025 16:49:39 -0700
Subject: [PATCH 2/2] PR feedback. cleaner value structure and using an explicit hqpropertiessecret.enabled value to toggle whether the secret is read
---
 charts/intel/README.md | 3 ++-
 charts/intel/templates/deployment.yaml | 4 ++--
 charts/intel/templates/secret-properties.yaml | 2 +-
 charts/intel/values.yaml | 7 +++++--
 4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/charts/intel/README.md b/charts/intel/README.md
index db1a667..a0aa20f 100644
--- a/charts/intel/README.md
+++ b/charts/intel/README.md
@@ -31,7 +31,8 @@ The following table lists configurable parameters of the CodeTogether Intel char
 | `imageCredentials.password` | Docker registry password | `my-customer-password` |
 | `imageCredentials.email` | Docker registry email | `unused` |
 | `codetogether.url` | Full URL for the CodeTogether Intel server | `https://` |
-| `hqproperties.secretRef` | (Optional) Name of a Kubernetes secret containing the hqproperties secret. If provided, will override the other values in the hqproperties section | `kubernetes-secret-name` |
+| `hqpropertiessecret.enabled` | (Optional) If true, the value in hqpropertiessecret.ref will be used in place of the hqproperties values | `false` |
+| `hqpropertiessecret.ref` | (Optional) Name of a Kubernetes secret containing the hqproperties secret. If provided, will override the other values in the hqproperties section | `kubernetes-secret-name` |
 | `hqproperties.hq.sso.client.id` | Client ID for Single Sign-On (SSO) | `CLIENTID.apps.googleusercontent.com` |
 | `hqproperties.hq.sso.client.secret` | Client Secret for Single Sign-On (SSO) | `CLIENTSECRET` |
 | `hqproperties.hq.sso.client.issuer.url` | Issuer URL for Single Sign-On (SSO) | `https://accounts.google.com` |
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
index b8ef0e3..573af19 100644
--- a/charts/intel/templates/deployment.yaml
+++ b/charts/intel/templates/deployment.yaml
@@ -107,8 +107,8 @@ spec:
 volumes:
 - name: properties-volume
 secret:
- secretName: {{- if .Values.hqproperties.secretRef }}
- {{- .Values.hqproperties.secretRef }}
+ secretName: {{- if .Values.hqpropertiessecret.enabled }}
+ {{- .Values.hqpropertiessecret.ref }}
 {{- else if .Values.fullnameOverride }}
 {{- printf "%s-hqproperties" .Values.fullnameOverride }}
 {{- else }}
diff --git a/charts/intel/templates/secret-properties.yaml b/charts/intel/templates/secret-properties.yaml
index d735ece..a1d1746 100644
--- a/charts/intel/templates/secret-properties.yaml
+++ b/charts/intel/templates/secret-properties.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.hqproperties.secretRef }}
+{{- if not .Values.hqpropertiessecret.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
index df879e7..c33abdb 100644
--- a/charts/intel/values.yaml
+++ b/charts/intel/values.yaml
@@ -40,8 +40,6 @@ codetogether:
 url: https://
 hqproperties:
- # Optional property, if provided the value from the secret will be used as the hqproperties secret
- secretRef: ""
 hq.sso.client.id: CLIENTID.apps.googleusercontent.com
 hq.sso.client.secret: CLIENTSECRET
 hq.sso.client.issuer.url: https://accounts.google.com
@@ -61,6 +59,11 @@ hqproperties:
 # default datacenter name is 'datacenter1'
 # hq.cassandra.db.localdatacenter: datacenter1
+# Optional properties, if enabled is true, the values in the secret will be used as the hqproperties secret
+hqpropertiessecret:
+ enabled: false
+ ref: "intel-test-hqproperties-arbitrary"
+
 java:
 customCacerts:
 enabled: false # Set to 'true' to enable custom Java trust store (cacerts) support.
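Review bot: Now that the switch is the separate boolean `hqpropertiessecret.enabled`, a user can set it to `true` while leaving `ref` empty, and this template renders `secretName:` with no value; the chart's own Secret is also skipped in that case, so the pod fails late at volume-mount time with no hint about which value is missing. Replacing the bare reference with `{{- required "hqpropertiessecret.ref must be set when hqpropertiessecret.enabled is true" .Values.hqpropertiessecret.ref }}` moves the failure to render time with a clear message. The trimmed `secretName: {{- if` construction raised on the first patch's deployment.yaml hunk is still present here. The volume list this belongs to continues outside the hunk.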
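Review bot: The shipped default `ref: "intel-test-hqproperties-arbitrary"` reads like a leftover test value and disagrees with the README row for this key, which gives `kubernetes-secret-name`; since `ref` is only read when `enabled` is true, `ref: ""` is the safer default and leaves nothing to clean up in user overrides. The comment above the block should also state the contract the referenced Secret must meet, which is documented nowhere in either patch: it presumably needs a data key named `cthq.properties`, matching the key the chart's own secret-properties.yaml template emits, because the deployment mounts it in place of that generated Secret. Suggested wording: `# The referenced Secret must contain a 'cthq.properties' key holding the complete properties file; the chart-generated Secret is not created when enabled is true.`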