[POLICY] add env passwords to api/pap/xacml/dist 59/109659/2
authorjhh <jorge.hernandez-herrero@att.com>
Mon, 29 Jun 2020 17:31:25 +0000 (12:31 -0500)
committerJorge Hernandez <jorge.hernandez-herrero@att.com>
Thu, 2 Jul 2020 18:41:57 +0000 (18:41 +0000)
keystore and truststore passwords are now stored as
secrets to be accessed by environment variables.

Issue-ID: POLICY-2575
Signed-off-by: jhh <jorge.hernandez-herrero@att.com>
Change-Id: I5831f5c7bc040d036c38c321b5cc87848e80ca48

kubernetes/policy/charts/pap/templates/deployment.yaml
kubernetes/policy/charts/pap/values.yaml
kubernetes/policy/charts/policy-api/templates/deployment.yaml
kubernetes/policy/charts/policy-api/values.yaml
kubernetes/policy/charts/policy-distribution/templates/deployment.yaml
kubernetes/policy/charts/policy-distribution/values.yaml
kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
kubernetes/policy/charts/policy-xacml-pdp/values.yaml

index 39ac8a8..6925d77 100644 (file)
@@ -68,6 +68,11 @@ spec:
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           command: ["/opt/app/policy/pap/bin/policy-pap.sh"]
           args: ["/opt/app/policy/pap/etc/mounted/config.json"]
+          env:
+          - name: KEYSTORE_PASSWD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }}
+          - name: TRUSTSTORE_PASSWD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }}
           ports:
           - containerPort: {{ .Values.service.internalPort }}
           # disable liveness probe when breakpoints set in debugger
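Review bot: The new `env:` entries for `KEYSTORE_PASSWD` and `TRUSTSTORE_PASSWD` have no comment saying what reads them, and the container is still started from the mounted `config.json`, so nothing visible in this commit shows the variables being consumed. I would add a line above `env:` such as `# store passwords from the keystore-password / truststore-password secrets; read at startup (confirm consumer)`, and check that a missing or misspelled variable fails the start rather than falling back to a built-in password. Because the values now live in the process environment, child processes inherit them and they appear in environment dumps, so diagnostic output from this container should be checked for them. The same applies to the matching hunks in the policy-api, policy-distribution and policy-xacml-pdp deployment.yaml files; the container spec continues outside each hunk.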
index dc7a58d..47597f0 100644 (file)
@@ -54,6 +54,17 @@ secrets:
     login: '{{ .Values.healthCheckRestClient.distribution.user }}'
     password: '{{ .Values.healthCheckRestClient.distribution.password }}'
     passwordPolicy: required
+  - uid: keystore-password
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}'
+    password: '{{ .Values.certStores.keyStorePassword }}'
+    passwordPolicy: required
+  - uid: truststore-password
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}'
+    password: '{{ .Values.certStores.trustStorePassword }}'
+    passwordPolicy: required
+
 
 #################################################################
 # Application configuration defaults.
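Review bot: The two new `secrets` entries read `.Values.certStores.keyStorePasswordExternalSecret` and `.Values.certStores.trustStorePasswordExternalSecret`, but neither key is declared or documented in the values.yaml lines shown here. An operator therefore cannot discover the override that keeps the password out of the chart values. Commented placeholders under `certStores`, e.g. `# keyStorePasswordExternalSecret: <existing-secret-name>` and `# trustStorePasswordExternalSecret: <existing-secret-name>`, would document it. This hunk also adds a second blank line before the banner comment, which can be dropped. The documentation point holds for the `secrets` hunks in the policy-api, policy-distribution and policy-xacml-pdp values.yaml too; the `secrets:` list starts outside the hunk.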
@@ -81,6 +92,9 @@ healthCheckRestClient:
   distribution:
     user: healthcheck
     password: zb!XztG34
+certStores:
+  keyStorePassword: Pol1cy_0nap
+  trustStorePassword: Pol1cy_0nap
 
 # default number of instances
 replicaCount: 1
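Review bot: `certStores.keyStorePassword` and `certStores.trustStorePassword` get the same literal default, committed in plain text. The `passwordPolicy: required` on the new secrets is then presumably always satisfied, and every installation that does not override the values shares one publicly known store password. If the default has to match stores baked into the image (an assumption, not visible here), say so in a comment, e.g. `# matches the default stores shipped in the image; override together with custom stores`. Otherwise leave the values unset so that a missing password is caught at install time. The identical defaults are added in the policy-api, policy-distribution and policy-xacml-pdp values.yaml hunks as well.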
index e1f699e..53f232a 100644 (file)
@@ -61,6 +61,11 @@ spec:
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           command: ["/opt/app/policy/api/bin/policy-api.sh"]
           args: ["/opt/app/policy/api/etc/mounted/config.json"]
+          env:
+          - name: KEYSTORE_PASSWD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }}
+          - name: TRUSTSTORE_PASSWD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }}
           ports:
           - containerPort: {{ .Values.service.internalPort }}
           # disable liveness probe when breakpoints set in debugger
index ba12db2..0067539 100644 (file)
@@ -40,6 +40,16 @@ secrets:
     login: '{{ .Values.restServer.user }}'
     password: '{{ .Values.restServer.password }}'
     passwordPolicy: required
+  - uid: keystore-password
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}'
+    password: '{{ .Values.certStores.keyStorePassword }}'
+    passwordPolicy: required
+  - uid: truststore-password
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}'
+    password: '{{ .Values.certStores.trustStorePassword }}'
+    passwordPolicy: required
 
 #################################################################
 # Application configuration defaults.
@@ -59,6 +69,9 @@ db:
 restServer:
   user: healthcheck
   password: zb!XztG34
+certStores:
+  keyStorePassword: Pol1cy_0nap
+  trustStorePassword: Pol1cy_0nap
 
 # default number of instances
 replicaCount: 1
index b3b017a..b0dbac9 100644 (file)
@@ -53,6 +53,11 @@ spec:
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           command: ["/opt/app/policy/distribution/bin/policy-dist.sh"]
           args: ["/opt/app/policy/distribution/etc/mounted/config.json"]
+          env:
+          - name: KEYSTORE_PASSWD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }}
+          - name: TRUSTSTORE_PASSWD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }}
           ports:
           - containerPort: {{ .Values.service.internalPort }}
           # disable liveness probe when breakpoints set in debugger
index 73c9e99..dfed764 100644 (file)
@@ -45,6 +45,16 @@ secrets:
     login: '{{ .Values.sdcBe.user }}'
     password: '{{ .Values.sdcBe.password }}'
     passwordPolicy: required
+  - uid: keystore-password
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}'
+    password: '{{ .Values.certStores.keyStorePassword }}'
+    passwordPolicy: required
+  - uid: truststore-password
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}'
+    password: '{{ .Values.certStores.trustStorePassword }}'
+    passwordPolicy: required
 
 #################################################################
 # Global configuration defaults.
@@ -78,6 +88,9 @@ papParameters:
 sdcBe:
   user: policy
   password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
+certStores:
+  keyStorePassword: Pol1cy_0nap
+  trustStorePassword: Pol1cy_0nap
 
 # default number of instances
 replicaCount: 1
index bd126b8..eb2c776 100644 (file)
@@ -63,6 +63,11 @@ spec:
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"]
           args: ["/opt/app/policy/pdpx/etc/mounted/config.json"]
+          env:
+          - name: KEYSTORE_PASSWD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }}
+          - name: TRUSTSTORE_PASSWD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }}
           ports:
           - containerPort: {{ .Values.service.internalPort }}
           # disable liveness probe when breakpoints set in debugger
index c9ced1f..e3feeab 100644 (file)
@@ -45,6 +45,16 @@ secrets:
     login: '{{ .Values.apiServer.user }}'
     password: '{{ .Values.apiServer.password }}'
     passwordPolicy: required
+  - uid: keystore-password
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}'
+    password: '{{ .Values.certStores.keyStorePassword }}'
+    passwordPolicy: required
+  - uid: truststore-password
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}'
+    password: '{{ .Values.certStores.trustStorePassword }}'
+    passwordPolicy: required
 
 #################################################################
 # Application configuration defaults.
@@ -68,6 +78,9 @@ restServer:
 apiServer:
   user: healthcheck
   password: zb!XztG34
+certStores:
+  keyStorePassword: Pol1cy_0nap
+  trustStorePassword: Pol1cy_0nap
 
 # default number of instances
 replicaCount: 1