fix(secret): database secret should be immutable (#152)

* doc(values): add more descriptions for database secret option * fix(secret): database secret should be immutable * chore(secret): shorten storage secret name
cryostatio · Jun 13, 2024 · 89fb49e · 89fb49e
1 parent 28805a5
commit 89fb49e
Show file tree

Hide file tree

Showing 9 changed files with 50 additions and 63 deletions.
diff --git a/charts/cryostat/Chart.yaml b/charts/cryostat/Chart.yaml
@@ -6,7 +6,7 @@ type: application
 
 version: "0.5.0-dev"
 
-kubeVersion: ">= 1.19.0-0"
+kubeVersion: ">= 1.21.0-0"
 
 appVersion: "4.0.0-dev"
 

diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl
@@ -62,10 +62,10 @@ Create the name of the service account to use
 {{- end }}
 
 {{/*
-Get or generate a default connection key for credentials database
+Get or generate a default connection key for database
 */}}
 {{- define "cryostat.databaseConnectionKey" -}}
-{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-connection-key" .Release.Name)) -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db" .Release.Name)) -}}
 {{- if $secret -}}
 {{/*
    Use current key. Do not regenerate
@@ -80,10 +80,10 @@ Get or generate a default connection key for credentials database
 {{- end -}}
 
 {{/*
-Get or generate a default encryption key for credentials database
+Get or generate a default encryption key for database
 */}}
 {{- define "cryostat.databaseEncryptionKey" -}}
-{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db-encryption-key" .Release.Name)) -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-db" .Release.Name)) -}}
 {{- if $secret -}}
 {{/*
    Use current key. Do not regenerate
@@ -101,7 +101,7 @@ Get or generate a default encryption key for credentials database
 Get or generate a default secret key for object storage
 */}}
 {{- define "cryostat.objectStorageSecretKey" -}}
-{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage-secret-key" .Release.Name)) -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (printf "%s-storage" .Release.Name)) -}}
 {{- if $secret -}}
 {{/*
    Use current secret. Do not regenerate

diff --git a/charts/cryostat/templates/db_connection_key_secret.yaml b/charts/cryostat/templates/db_connection_key_secret.yaml
diff --git a/...t/templates/db_encryption_key_secret.yaml → charts/cryostat/templates/db_secret.yaml b/...t/templates/db_encryption_key_secret.yaml → charts/cryostat/templates/db_secret.yaml
@@ -2,8 +2,10 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-db-encryption-key
+  name: {{ .Release.Name }}-db
 type: Opaque
+immutable: true
 data:
   ENCRYPTION_KEY: {{ include "cryostat.databaseEncryptionKey" . }}
+  CONNECTION_KEY: {{ include "cryostat.databaseConnectionKey" . }}
 {{- end -}}
diff --git a/charts/cryostat/templates/deployment.yaml b/charts/cryostat/templates/deployment.yaml
@@ -60,7 +60,7 @@ spec:
           - name: QUARKUS_DATASOURCE_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ printf "%s-db-connection-key" .Release.Name }}
+                name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }}
                 key: CONNECTION_KEY
                 optional: false
           - name: QUARKUS_DATASOURCE_JDBC_URL
@@ -82,7 +82,7 @@ spec:
           - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY
             valueFrom:
               secretKeyRef:
-                name: {{ printf "%s-storage-secret-key" .Release.Name }}
+                name: {{ printf "%s-storage" .Release.Name }}
                 key: SECRET_KEY
                 optional: false
           - name: AWS_SECRET_ACCESS_KEY
@@ -130,15 +130,15 @@ spec:
           - name: POSTGRESQL_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ printf "%s-db-connection-key" .Release.Name }}
+                name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }}
                 key: CONNECTION_KEY
                 optional: false
           - name: POSTGRESQL_DATABASE
             value: cryostat3
           - name: PG_ENCRYPT_KEY
             valueFrom:
               secretKeyRef:
-                name: {{ default (printf "%s-db-encryption-key" .Release.Name) .Values.core.databaseSecretName }}
+                name: {{ default (printf "%s-db" .Release.Name) .Values.core.databaseSecretName }}
                 key: ENCRYPTION_KEY
                 optional: false
           ports:
@@ -169,7 +169,7 @@ spec:
           - name: CRYOSTAT_SECRET_KEY
             valueFrom:
               secretKeyRef:
-                name: {{ printf "%s-storage-secret-key" .Release.Name }}
+                name: {{ printf "%s-storage" .Release.Name }}
                 key: SECRET_KEY
                 optional: false
           - name: DATA_DIR

diff --git a/.../templates/storage_access_key_secret.yaml → ...stat/templates/storage_access_secret.yaml b/.../templates/storage_access_key_secret.yaml → ...stat/templates/storage_access_secret.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ .Release.Name }}-storage-secret-key
+  name: {{ .Release.Name }}-storage
 type: Opaque
 data:
   SECRET_KEY: {{ include "cryostat.objectStorageSecretKey" . }}
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
@@ -178,7 +178,7 @@
                 },
                 "databaseSecretName": {
                     "type": "string",
-                    "description": "Name of the secret to extract password for credentials database.",
+                    "description": "Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable",
                     "default": ""
                 },
                 "discovery": {

diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
@@ -58,7 +58,7 @@ core:
     capabilities:
       drop:
         - ALL
-  ## @param core.databaseSecretName Name of the secret to extract password for credentials database.
+  ## @param core.databaseSecretName Name of the secret containing database keys. This secret must contain a CONNECTION_KEY secret which is the database connection password, and an ENCRYPTION_KEY secret which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the secret should be marked as immutable to avoid accidental changes to secret's data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable
   databaseSecretName: ""
   ## @extra core.discovery Configuration options to the Cryostat application's target discovery mechanisms
   discovery: