This repository has been archived by the owner on Aug 7, 2024. It is now read-only.

Merge pull request #147 from DVPE-cloud/deployment/secrets-and-certs
Deployment/secrets and certs
herrLierb authored Jul 8, 2024
2 parents 1b4b240 + fcd322b commit 3ddcee5
Showing 8 changed files with 236 additions and 151 deletions.
9 changes: 9 additions & 0 deletions charts/dvpe-deployment-gloo/CHANGELOG.md
@@ -6,6 +6,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]

## [5.2.0]
### Added
- Support for multiple external secrets via `externalSecrets.service.keys`
- Deprecated `externalSecrets.service.key` in favor of `externalSecrets.service.keys`
- Added `externalSecrets.oauth2.refreshInterval` to control the refresh/sync interval. Default is 15 minutes.
### Changed
- Certificates now get created with non-changeable values for the subject to increase compatibility with clients.
(Before no subject was set at all, which lead to some clients to complain and not accepting the Certificate.)

## [5.1.0]
### Added
- Added `deployment.spec.labels`
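Review bot: the entry "Deprecated `externalSecrets.service.key` in favor of `externalSecrets.service.keys`" is filed under `### Added`; Keep a Changelog, which this file's header says it follows, has a dedicated `### Deprecated` section, so move it there. In the `### Changed` entry, "which lead to some clients to complain and not accepting the Certificate" should read "which led some clients to complain and reject the certificate", and the entry should name the subject values that are now fixed (organization, organizational unit, country, province, locality as set in certificate.yaml) so chart users know what identity their certificates will assert.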
2 changes: 1 addition & 1 deletion charts/dvpe-deployment-gloo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
appVersion: "1.4"
description: Deprecated by Q4/24! Helm chart for installing microservices as gloo enabled VirtualService definitions.
name: dvpe-deployment-gloo
version: 5.1.0
version: 5.2.0
home: https://github.com/dvpe-cloud/dvpe-helm
keywords:
- dvpe-helm
14 changes: 10 additions & 4 deletions charts/dvpe-deployment-gloo/README.md
@@ -1,6 +1,6 @@
# dvpe-deployment-gloo

![Version: 5.1.0](https://img.shields.io/badge/Version-5.1.0-informational?style=flat-square)
![Version: 5.2.0](https://img.shields.io/badge/Version-5.2.0-informational?style=flat-square)

Deprecated by Q4/24! Helm chart for installing microservices as gloo enabled VirtualService definitions.

@@ -186,6 +186,7 @@ The following table lists the configurable parameters of the chart and its defau
|-----|------|---------|-------------|
| additionalparameters | object | `{"configMapApplied":false,"customConfigMapReference":null,"secrets":{},"yamlConfigFileApplied":false}` | -----------------------------------# |
| additionalparameters.configMapApplied | bool | `false` | Set to `true` if you want to add a custom `ConfigMap` for your deployment. |
| additionalparameters.customConfigMapReference | string | `nil` | Set name of a custom config-map from which additional values are injected as env-variables into container / deployments. If empty, nothin will be applied. |
| additionalparameters.secrets | object | `{}` | Object in the format { <environmentVariable>: secretKeyRef: { name: "", key: "" }, <environmentVariable>: secretKeyRef: { nameRef: "", key: "" }, ...} to reference existing secrets and inject them as environment variables. The first secret name (given with "name") gets prefixed by "$Release.Name". The second secret name (given with "nameRef") will be used as is. |
| additionalparameters.yamlConfigFileApplied | bool | `false` | Set to `true` if you want to add a custom yaml configuration for your deployment. |
| autoscaling | object | `{"enabled":true,"maxReplicas":5,"metrics":{"resource":{"cpu":{"targetAverageUtilization":100},"memory":{"targetAverageUtilization":null}}},"minReplicas":1}` | ------------------------------# |
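Review bot: "nothin will be applied" in the `additionalparameters.customConfigMapReference` row should be "nothing will be applied". The version badge and table layout suggest this README is generated by helm-docs; if so, fix the comment at its source in values.yaml and regenerate, otherwise the typo comes back on the next run.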
@@ -231,15 +232,18 @@ The following table lists the configurable parameters of the chart and its defau
| deployment.spec.securityContext.groupId | string | `nil` | The Group ID number of process running inside the container. |
| deployment.spec.securityContext.userId | string | `nil` | The User ID number of process running inside the container. |
| deployment.spec.serviceAccountName | string | `nil` | The ServiceAccount this service will be associated with. If empty, `serviceAccountName` will be `<namespace>-sa` |
| externalSecrets | object | `{"oauth2":{"key":null},"service":{"key":null,"refreshInterval":"15m"}}` | -----------------------------# |
| externalSecrets.oauth2.key | string | `nil` | `Key` to AWS Secret Manager object where the client secret for OAuth2 provider should be stored. The key in the Secret Manager Object has to be named as the given `gloo.authConfig.spec.configs.oauth2.clientId`. The value has to be formatted as `clientSecret: <secret>`. **This definition is exclusive to `gloo.authConfig.spec.configs.oauth.clientSecretRef`. If defined, `gloo.authConfig.spec.configs.oauth.clientSecretRef` is ignored.** |
| externalSecrets.service.key | string | `nil` | `Key` to AWS Secret Manager object where all sensitive application data should be stored. Each key in the Secret Manager Object should be named like your needed environment variable |
| externalSecrets | object | `{"oauth2":{"key":"","refreshInterval":"15m"},"service":{"key":"","keys":[],"refreshInterval":"15m"}}` | -----------------------------# |
| externalSecrets.oauth2.key | string | `""` | `Key` to AWS Secret Manager object where the client secret for OAuth2 provider should be stored. The key in the Secret Manager Object has to be named as the given `gloo.authConfig.spec.configs.oauth2.clientId`. The value has to be formatted as `clientSecret: <secret>`. **This definition is exclusive to `gloo.authConfig.spec.configs.oauth.clientSecretRef`. If defined, `gloo.authConfig.spec.configs.oauth.clientSecretRef` is ignored.** |
| externalSecrets.oauth2.refreshInterval | string | `"15m"` | `refreshInterval` set the sync time range from AWS Secret Manager. Default is set to 15m |
| externalSecrets.service.key | string | `""` | DEPRECATED, Use Keys instead. Name of AWS Secret Manager object where all sensitive application data should be stored. Each key in the Secret Manager Object should be named like your needed environment variables. |
| externalSecrets.service.keys | list | `[]` | List of AWS Secret Manager Secret Names to fetch sensitive data from. Note: all data inside the secret will be fetched. Each key in the referenced Secret Manager Objects should be named like your needed environment variables. |
| externalSecrets.service.refreshInterval | string | `"15m"` | `refreshInterval` set the sync time range from AWS Secret Manager. Default is set to 15m |
| gloo | object | `{"authConfig":{"name":"auth-plugin","namespace":null,"spec":{"configs":{"additionalPlugins":null,"authExtensionPlugin":{"config":{"enableAccessTokenForwarding":false,"enableJwtContentForwarding":false,"enableQAccountMatching":false,"enableSubjectForwarding":false,"enableUserInfoForwarding":false,"grpcAddress":"auth-passthrough-extension.gloo-system.svc.cluster.local:9001","oidcUrl":null},"enabled":false},"authInterceptorPlugin":{"config":{"grpcAddress":"auth-passthrough-oauth-session-interceptor.gloo-system.svc.cluster.local:9001","oidcUrl":null},"enabled":false},"clientCredentialsPlugin":{"config":{"allowedClientIds":[],"grpcAddress":"auth-passthrough-client-credentials.gloo-system.svc.cluster.local:9001","oidcUrl":null},"enabled":false},"oauth":{"cache":{"cookieName":"auth0-session","enabled":true,"host":"redis.gloo-system.svc.cluster.local:6379"},"clientId":null,"clientSecretRef":{"name":"webeam-oidc","namespace":null},"cookieDomain":null,"enabled":false,"issuerUrl":null,"maxAge":0,"sameSite":0,"scopes":[],"strongAuthenticationLevel":null},"tokenValidationPlugin":{"config":{"allowedClientIds":null,"grpcAddress":"auth-passthrough-token-validation.gloo-system.svc.cluster.local:9001","oidcUrl":null,"strongAuthenticationLevel":null},"enabled":false}}}},"enabled":true,"ingress":{"scope":null},"upstream":{"fds":false},"virtualservice":{"spec":{"sslConfig":{"minimumProtocolVersion":"TLSv1_2","secretRef":{"name":null,"namespace":null}},"virtualHost":{"cors":{"allowCredentials":false,"allowHeaders":["origin"],"allowMethods":["GET","POST","PUT","DELETE"],"allowOrigin":[],"allowSubdomain":[],"exposeHeaders":["origin"],"maxAge":"1d"},"domains":[],"enableCsrf":false,"responseHeadersToAdd":[{"name":"X-Content-Type-Options","value":"nosniff"},{"name":"Strict-Transport-Security","value":"max-age=31536000; includeSubDomains"},{"name":"Content-Security-Policy","value":"frame-ancestors 'self' *.bmwgroup.net 
*.bmw.com;"}],"routes":{"additionalRoutes":[],"appPath":"/api","appPathRewrite":null,"appPathTimeout":null,"appPathWithAuthConfig":true,"callbackUrlPath":null,"rootPath":{"authConfigName":null,"timeout":null,"upstream":null,"withAuthConfig":false},"swagger":{"alternativePath":"/docs","enabled":false,"path":"/swagger-ui.html"}}}}}}` | -----------------------------------# |
| gloo.authConfig | object | `{"name":"auth-plugin","namespace":null,"spec":{"configs":{"additionalPlugins":null,"authExtensionPlugin":{"config":{"enableAccessTokenForwarding":false,"enableJwtContentForwarding":false,"enableQAccountMatching":false,"enableSubjectForwarding":false,"enableUserInfoForwarding":false,"grpcAddress":"auth-passthrough-extension.gloo-system.svc.cluster.local:9001","oidcUrl":null},"enabled":false},"authInterceptorPlugin":{"config":{"grpcAddress":"auth-passthrough-oauth-session-interceptor.gloo-system.svc.cluster.local:9001","oidcUrl":null},"enabled":false},"clientCredentialsPlugin":{"config":{"allowedClientIds":[],"grpcAddress":"auth-passthrough-client-credentials.gloo-system.svc.cluster.local:9001","oidcUrl":null},"enabled":false},"oauth":{"cache":{"cookieName":"auth0-session","enabled":true,"host":"redis.gloo-system.svc.cluster.local:6379"},"clientId":null,"clientSecretRef":{"name":"webeam-oidc","namespace":null},"cookieDomain":null,"enabled":false,"issuerUrl":null,"maxAge":0,"sameSite":0,"scopes":[],"strongAuthenticationLevel":null},"tokenValidationPlugin":{"config":{"allowedClientIds":null,"grpcAddress":"auth-passthrough-token-validation.gloo-system.svc.cluster.local:9001","oidcUrl":null,"strongAuthenticationLevel":null},"enabled":false}}}}` | -----------------------------------# |
| gloo.authConfig.name | string | `"auth-plugin"` | Prefix of the `Auth Config Plugin`. Final name will be <prefix>-<service-name> |
| gloo.authConfig.namespace | string | `nil` | Namespace where the `Auth Config Plugin` is located. If empty, release namespace is used. |
| gloo.authConfig.spec.configs.additionalPlugins | string | `nil` | List of plugins which should be added to the plugin chain. Expected format is a valid yaml with the `pluginAuth`. See [gloo Plugin Auth](https://docs.solo.io/gloo/latest/guides/security/auth/extauth/plugin_auth/#create-an-authconfig-resource) for details |
| gloo.authConfig.spec.configs.authExtensionPlugin.config | object | `{"enableAccessTokenForwarding":false,"enableJwtContentForwarding":false,"enableQAccountMatching":false,"enableSubjectForwarding":false,"enableUserInfoForwarding":false,"grpcAddress":"auth-passthrough-extension.gloo-system.svc.cluster.local:9001","oidcUrl":null}` | `Name` of the auth code flow extension plugin |
| gloo.authConfig.spec.configs.authExtensionPlugin.config.enableAccessTokenForwarding | bool | `false` | `enableAccessTokenForwarding` is a flag which tells whether the access_token should be forwarded or not |
| gloo.authConfig.spec.configs.authExtensionPlugin.config.enableJwtContentForwarding | bool | `false` | `enableJwtContentForwarding` is a flag which tells whether the user roles should be forwarded or not |
| gloo.authConfig.spec.configs.authExtensionPlugin.config.enableQAccountMatching | bool | `false` | `enableQAccountMatching` is a flag which forwards the user id (q-number) to the upstream. Only relevant if the user is using a different user id (e.g. c-number) for logging |
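Review bot: the `externalSecrets.oauth2.key` description says the Secrets Manager key must be named after `gloo.authConfig.spec.configs.oauth2.clientId`, but secret.yaml reads `gloo.authConfig.spec.configs.oauth.clientId`; fix the path so users name the key correctly. The `externalSecrets.service.keys` row already warns that all data inside each secret is fetched; it should also state what happens when two listed secrets, or the deprecated `key` and an entry in `keys`, contain the same key name, since they all land in one Kubernetes Secret and one value must win, and advise keeping each Secrets Manager object scoped to a single service rather than sharing one broad secret across services. Minor: "Use Keys instead" should say `keys`, and "set the sync time range from AWS Secret Manager" in both refreshInterval rows would be clearer as "how often the ExternalSecret is re-synced from AWS Secrets Manager".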
@@ -266,6 +270,7 @@ The following table lists the configurable parameters of the chart and its defau
| gloo.authConfig.spec.configs.oauth.sameSite | int | `0` | The `sameSite` cookie property for restricting the site context. The default is set to 0 and will be ignored. Users of this property can overwrite this setting with numeric values according to https://docs.solo.io/gloo-network/latest/reference/api/auth_config/#usersession-cookieoptions-samesite. |
| gloo.authConfig.spec.configs.oauth.scopes | list | `[]` | List of OIDC scopes. `openid` is set per default by Gloo and must not be added here |
| gloo.authConfig.spec.configs.oauth.strongAuthenticationLevel | string | `nil` | The strong authentication level. Possible values are: 4000, 7000. If not set, there is no strong authentication. |
| gloo.authConfig.spec.configs.tokenValidationPlugin.config | object | `{"allowedClientIds":null,"grpcAddress":"auth-passthrough-token-validation.gloo-system.svc.cluster.local:9001","oidcUrl":null,"strongAuthenticationLevel":null}` | `Name` of the auth token validation plugin |
| gloo.authConfig.spec.configs.tokenValidationPlugin.config.allowedClientIds | string | `nil` | `allowedClientIds` **list (NOT string!)** of ids that are allowed by the plugin. If not given at all, all clients are allowed. If [], then no client is allowed. If [a, b], then a, b are allowed |
| gloo.authConfig.spec.configs.tokenValidationPlugin.config.oidcUrl | string | `nil` | `oidcUrl` where the access token can be verified at the IDP |
| gloo.authConfig.spec.configs.tokenValidationPlugin.config.strongAuthenticationLevel | string | `nil` | The strong authentication level. Possible values are: 4000, 7000. If not set, there is no strong authentication. |
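Review bot: the `tokenValidationPlugin.config.allowedClientIds` row gives the type as `string` while its own description insists it is a list (and the same mismatch exists for `authConfig.spec.configs.additionalPlugins`). The type is being inferred from the `nil` default; annotate it explicitly in the values comment (helm-docs accepts `# -- (list) ...`) so the table stops contradicting itself, and keep the `nil` default since the description gives `nil`, `[]` and `[a, b]` three different meanings.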
@@ -291,6 +296,7 @@ The following table lists the configurable parameters of the chart and its defau
| gloo.virtualservice.spec.virtualHost.routes.additionalRoutes | list | `[]` | List of route configurations for this `VirtualService`. See [gloo VirtualService Specification](https://docs.solo.io/gloo-edge/latest/introduction/architecture/concepts/#virtual-services) for details |
| gloo.virtualservice.spec.virtualHost.routes.appPath | string | `"/api"` | Path to `appUrl` where the service can be accessed. Pre-defined route in `VirtualService`. |
| gloo.virtualservice.spec.virtualHost.routes.appPathRewrite | string | `nil` | `prefixRewrite` of the appPath. If empty no rewrite is set. |
| gloo.virtualservice.spec.virtualHost.routes.appPathTimeout | string | `nil` | Custom timeout for requests to appPath. For example `60s`. |
| gloo.virtualservice.spec.virtualHost.routes.appPathWithAuthConfig | bool | `true` | If set to `true` the app path is secured with the default authConfig. |
| gloo.virtualservice.spec.virtualHost.routes.callbackUrlPath | string | `nil` | Path to `callbackUrl` which needs to be registered at the Identity Provider. Pre-defined route in `VirtualService`. |
| gloo.virtualservice.spec.virtualHost.routes.rootPath.authConfigName | string | `nil` | Name of the `auth config` for the secured root path. If not set, default auth config will be used. |
11 changes: 11 additions & 0 deletions charts/dvpe-deployment-gloo/templates/certificate.yaml
@@ -48,6 +48,17 @@ spec:
dnsNames:
{{- $domains }}
secretName: {{ $serviceName }}-crt
subject:
organizations:
- Bayerische Motoren Werke AG
organizationalUnits:
- PKI Services
countries:
- DE
provinces:
- Bavaria
localities:
- Munich
secretTemplate:
annotations:
{{- with .cardsParameters }}
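Review bot: the subject is hard-coded to Bayerische Motoren Werke AG / PKI Services / DE / Bavaria / Munich with no values override, so every certificate this chart requests asserts that identity no matter who installs the chart or which issuer signs the request. Either expose these as `certificate.subject.*` values with the current strings as defaults, or, if they are intentionally fixed as the changelog says, document that in the README and confirm with the issuer's policy that the requested subject is honored (or deliberately overridden) rather than causing the CertificateRequest to be rejected; cert-manager only places the subject in the CSR, and what ends up in the issued certificate is the issuer's decision.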
2 changes: 1 addition & 1 deletion charts/dvpe-deployment-gloo/templates/deployment.yaml
@@ -69,7 +69,7 @@ spec:
imagePullPolicy: {{ .image.pullPolicy }}
image: {{ $imageUrl }}
envFrom:
{{- if $.Values.externalSecrets.service.key }}
{{- if or $.Values.externalSecrets.service.key $.Values.externalSecrets.service.keys }}
- secretRef:
name: "{{ $serviceName }}-service-secrets"
{{- end }}
42 changes: 25 additions & 17 deletions charts/dvpe-deployment-gloo/templates/secret.yaml
@@ -1,35 +1,42 @@
{{- $serviceName := include "service.name" . -}}
{{- with .Values.externalSecrets }}

{{- if .Values.externalSecrets.service.key }}
{{- if or .service.key .service.keys }}
---
apiVersion: 'external-secrets.io/v1beta1'
kind: ExternalSecret
metadata:
name: {{ $serviceName }}-service-secrets
namespace: {{ .Release.Namespace }}
namespace: {{ $.Release.Namespace }}
spec:
secretStoreRef:
kind: SecretStore
name: secret-store-{{ .Release.Namespace }}
name: secret-store-{{ $.Release.Namespace }}
target:
name: {{ $serviceName }}-service-secrets
dataFrom:
{{- if .service.key }}
- extract:
key: {{ .Values.externalSecrets.service.key }}
refreshInterval: {{ .Values.externalSecrets.service.refreshInterval }}
key: {{ .service.key }}
{{- end }}
{{- range .service.keys }}
- extract:
key: {{ . }}
{{- end }}
refreshInterval: {{ .service.refreshInterval }}
{{- end }}

{{- if and .Values.externalSecrets.oauth2.key .Values.gloo.authConfig.spec.configs.oauth.clientId }}
{{- if and .oauth2.key $.Values.gloo.authConfig.spec.configs.oauth.clientId }}
---
apiVersion: 'external-secrets.io/v1beta1'
kind: ExternalSecret
metadata:
name: {{ $serviceName }}-oidc-secrets
namespace: {{ .Release.Namespace }}
namespace: {{ $.Release.Namespace }}
spec:
secretStoreRef:
kind: SecretStore
name: secret-store-{{ .Release.Namespace }}
name: secret-store-{{ $.Release.Namespace }}
target:
name: {{ $serviceName }}-oidc-secrets
template:
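Review bot: when both the deprecated `.service.key` and `.service.keys` are set, the deprecated key is extracted first and the list afterwards into the same target Secret, so a key name that appears in more than one Secrets Manager object is resolved silently in favor of whichever `dataFrom` entry the operator applies last; document that precedence in the README, or emit a template warning (or `fail`) when both are set, since the changelog only marks `key` as deprecated. Also quote the secret names: `key: {{ .service.key }}` and `key: {{ . }}` are emitted as plain YAML scalars, and AWS Secrets Manager names may start with `@` or contain `=` and `/`, so `{{ . | quote }}` avoids an invalid manifest. The indentation of the trailing `refreshInterval: {{ .service.refreshInterval }}` relative to the `dataFrom` list is not visible in this rendering; confirm it sits directly under `spec` and not under the last `extract` item.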
@@ -39,28 +46,29 @@ spec:
data:
- secretKey: oauth
remoteRef:
key: {{ .Values.externalSecrets.oauth2.key }}
property: {{ .Values.gloo.authConfig.spec.configs.oauth.clientId | quote }}
refreshInterval: {{ .Values.externalSecrets.service.refreshInterval }}
key: {{ .oauth2.key }}
property: {{ $.Values.gloo.authConfig.spec.configs.oauth.clientId | quote }}
refreshInterval: {{ .oauth2.refreshInterval }}
{{- end }}

{{- if and .Values.externalSecrets.oauth2.key .Values.gloo.authConfig.spec.configs.clientCredentialsPlugin.config.clientId }}
{{- if and .oauth2.key $.Values.gloo.authConfig.spec.configs.clientCredentialsPlugin.config.clientId }}
---
apiVersion: 'external-secrets.io/v1beta1'
kind: ExternalSecret
metadata:
name: {{ $serviceName }}-oauth2-client-credentials-secrets
namespace: {{ .Release.Namespace }}
namespace: {{ $.Release.Namespace }}
spec:
secretStoreRef:
kind: SecretStore
name: secret-store-{{ .Release.Namespace }}
name: secret-store-{{ $.Release.Namespace }}
target:
name: {{ $serviceName }}-oauth2-client-credentials-secrets
data:
- secretKey: ClientCredentialsFlow
remoteRef:
key: {{ .Values.externalSecrets.oauth2.key }}
property: {{ .Values.gloo.authConfig.spec.configs.clientCredentialsPlugin.config.clientId | quote }}
refreshInterval: {{ .Values.externalSecrets.service.refreshInterval }}
key: {{ .oauth2.key }}
property: {{ $.Values.gloo.authConfig.spec.configs.clientCredentialsPlugin.config.clientId | quote }}
refreshInterval: {{ .oauth2.refreshInterval }}
{{- end }}
{{- end }}
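Review bot: the oidc and client-credentials ExternalSecrets now read `.oauth2.refreshInterval` instead of `.service.refreshInterval`; anyone who had tuned `externalSecrets.service.refreshInterval` expecting it to govern the OAuth client secrets as well will silently fall back to the 15m default, so this is a behaviour change that belongs under `### Changed` in the CHANGELOG, not only as an added option. `key: {{ .oauth2.key }}` has the same unquoted-scalar issue as the service secret above; apply `| quote` as is already done for `property:`.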
47 changes: 46 additions & 1 deletion charts/dvpe-deployment-gloo/values.schema.json
@@ -7,6 +7,50 @@
"gloo"
],
"properties": {
"externalSecrets": {
"type": "object",
"required": [],
"properties": {
"service": {
"type": "object",
"required": [],
"properties": {
"key": {
"type": [
"string",
"null"
],
"deprecated": true,
"deprecationMessage": "Please use 'keys' instead."
},
"keys": {
"type": "array",
"items": {
"type": "string"
}
},
"refreshInterval": {
"type": "string"
}
}
},
"oauth2": {
"type": "object",
"required": [],
"properties": {
"key": {
"type": [
"string",
"null"
]
},
"refreshInterval": {
"type": "string"
}
}
}
}
},
"gloo": {
"type": "object",
"required": [
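Review bot: `externalSecrets`, `service` and `oauth2` declare `properties` without `additionalProperties: false`, so a misspelled `Keys` or `refreshinterval` passes validation, the `or .service.key .service.keys` check in secret.yaml evaluates false, and the workload is installed without its secrets and without any error from Helm; add `additionalProperties: false` to each of the three objects. The empty `"required": []` arrays are no-ops and can be dropped. `deprecated` and `deprecationMessage` are not enforced by Helm's schema validation and serve as documentation only, which is fine as long as nobody expects a warning from them. If `keys` entries must be non-empty and `refreshInterval` must be a duration, add `"minLength": 1` to the items and a pattern such as `"^[0-9]+(ms|s|m|h)$"` to both `refreshInterval` properties.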
@@ -82,7 +126,8 @@
"issuerRef": {
"type": "object",
"required": [
"name", "kind"
"name",
"kind"
],
"properties": {
"name": {