feat: add encryption configuration for dial-core and support it's aut…

…ogeneration (#9)
epam · Dec 21, 2023 · c956854 · c956854
1 parent b1a2e72
commit c956854
Show file tree

Hide file tree

Showing 8 changed files with 144 additions and 6 deletions.
diff --git a/charts/dial-core/Chart.yaml b/charts/dial-core/Chart.yaml
@@ -21,4 +21,4 @@ maintainers:
 name: dial-core
 sources:
   - https://github.com/epam/ai-dial-helm/tree/main/charts/dial-core
-version: 1.0.1
+version: 1.1.1
diff --git a/charts/dial-core/README.md b/charts/dial-core/README.md
@@ -1,6 +1,6 @@
 # dial-core
 
-![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) ![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square)
+![Version: 1.1.1](https://img.shields.io/badge/Version-1.1.1-informational?style=flat-square) ![AppVersion: 1.0](https://img.shields.io/badge/AppVersion-1.0-informational?style=flat-square)
 
 Helm chart for dial core
 
@@ -81,6 +81,9 @@ helm install my-release dial/dial-core -f values.yaml
 | command | list | `[]` | Override default dial-core command (useful when using custom images) |
 | commonAnnotations | object | `{}` | Annotations to add to all deployed objects |
 | commonLabels | object | `{}` | Labels to add to all deployed objects |
+| configuration.encryption.existingSecret | string | `""` | The name of the Kubernetes secret containing the encryption password and salt. WARNING: Changing this value in the middle of environment lifecycle WILL cause access loss to already encrypted data. |
+| configuration.encryption.password | string | `""` | Random string used to encrypt sensitive data e.g. `pwgen -s 32 1` WARNING: Autogenerated if not set during first installation. Changing this value after first installation takes no effect without existing secret removal. Changing this value in the middle of environment lifecycle WILL cause access loss to already encrypted data. |
+| configuration.encryption.salt | string | `""` | Random string used to encrypt sensitive data e.g. `pwgen -s 32 1` WARNING: Autogenerated if not set during first installation. WARNING: Changing this value after first installation takes no effect without existing secret removal. Changing this value in the middle of environment lifecycle WILL cause access loss to already encrypted data. |
 | containerPorts.http | int | `8080` | dial-core HTTP container port |
 | containerPorts.metrics | int | `9464` | dial-core HTTP container port for metrics |
 | containerSecurityContext.enabled | bool | `true` | Enabled dial-core container's Security Context |

diff --git a/charts/dial-core/templates/NOTES.txt b/charts/dial-core/templates/NOTES.txt
@@ -16,4 +16,9 @@ Access the pod you want to debug by executing
   kubectl exec --namespace {{ include "common.names.namespace" . | quote }} -ti <NAME OF THE POD> -- bash
 {{- end }}
 
+{{- if not .Values.configuration.encryption.existingSecret -}}
+  {{- $passwordValidationErrors := include "dialCore.values.requirePasswords" (dict "secret" (include "dialCore.encryptionSecretName" .) "context" $) -}}
+  {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $passwordValidationErrors) "context" $) -}}
+{{- end }}
+
 {{- include "dialCore.validateValues" . }}
diff --git a/charts/dial-core/templates/_helpers.tpl b/charts/dial-core/templates/_helpers.tpl
@@ -43,7 +43,7 @@ Compile all warnings into a single message.
 {{- $message := join "\n" $messages -}}
 
 {{- if $message -}}
-{{-   printf "\nVALUES VALIDATION:\n%s" $message -}}
+{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
 {{- end -}}
 {{- end -}}
 
@@ -53,3 +53,84 @@ Return name for logger resources
 {{- define "dialCoreLogger.names.fullname" -}}
 {{- template "common.names.fullname" . -}}-logger
 {{- end -}}
+
+
+{{/*
+Return name for encryption secret
+*/}}
+{{- define "dialCore.encryptionSecretName" -}}
+{{- template "dialCore.names.fullname" . -}}-encryption
+{{- end -}}
+
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Validate dial-core required passwords are not empty.
+
+Usage:
+{{ include "dialCore.values.requirePasswords" (dict "secret" "secretName" "subchart" false "context" $) }}
+Params:
+  - secret - String - Required. Name of the secret where dial-core values are stored, e.g: "core-encryption"
+  - subchart - Boolean - Optional. Whether dial-core is used as subchart or not. Default: false
+*/}}
+{{- define "dialCore.values.requirePasswords" -}}
+  {{- $existingSecret := include "dialCore.values.existingSecret" . -}}
+  {{- $enabled := include "dialCore.values.enabled" . -}}
+  {{- $authPrefix := include "dialCore.values.key.encryption" . -}}
+  {{- $valueKeyPassword := printf "%s.password" $authPrefix -}}
+  {{- $valueKeySalt := printf "%s.salt" $authPrefix -}}
+
+  {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}}
+    {{- $requiredPasswords := list -}}
+      {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "aidial.encryption.password" -}}
+      {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}}
+      {{- $requiredSalt := dict "valueKey" $valueKeySalt "secret" .secret "field" "aidial.encryption.salt" -}}
+      {{- $requiredPasswords = append $requiredPasswords $requiredSalt -}}
+    {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for existingSecret.
+
+Usage:
+{{ include "dialCore.values.existingSecret" (dict "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether dial-core is used as subchart or not. Default: false
+*/}}
+{{- define "dialCore.values.existingSecret" -}}
+  {{- if .subchart -}}
+    {{- .context.Values.core.configuration.encryption.existingSecret | quote -}}
+  {{- else -}}
+    {{- .context.Values.configuration.encryption.existingSecret | quote -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for enabled dial-core.
+
+Usage:
+{{ include "dialCore.values.enabled" (dict "context" $) }}
+*/}}
+{{- define "dialCore.values.enabled" -}}
+  {{- if .subchart -}}
+    {{- printf "%v" .context.Values.core.enabled -}}
+  {{- else -}}
+    {{- printf "%v" (not .context.Values.enabled) -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Auxiliary function to get the right value for the key auth
+
+Usage:
+{{ include "dialCore.values.key.encryption" (dict "subchart" "true" "context" $) }}
+Params:
+  - subchart - Boolean - Optional. Whether dial-core is used as subchart or not. Default: false
+*/}}
+{{- define "dialCore.values.key.encryption" -}}
+  {{- if .subchart -}}
+    core.configuration.encryption
+  {{- else -}}
+    configuration.encryption
+  {{- end -}}
+{{- end -}}
diff --git a/charts/dial-core/templates/deployment.yaml b/charts/dial-core/templates/deployment.yaml
@@ -97,17 +97,22 @@ spec:
               value: {{ tpl $value $ | quote }}
             {{- end }}
           {{- end }}
-          {{- if or .Values.secrets .Values.extraEnvVarsSecret }}
           envFrom:
             {{- if .Values.secrets }}
             - secretRef:
                 name: {{ template "dialCore.names.fullname" . }}
             {{- end }}
+            {{- if .Values.configuration.encryption.existingSecret }}
+            - secretRef:
+                name: {{ .Values.configuration.encryption.existingSecret }}
+            {{- else }}
+            - secretRef:
+                name: {{ template "dialCore.encryptionSecretName" . }}
+            {{- end }}
             {{- if .Values.extraEnvVarsSecret }}
             - secretRef:
                 name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
             {{- end }}
-          {{- end }}
           {{- if .Values.resources }}
           resources: {{- toYaml .Values.resources | nindent 12 }}
           {{- end }}

diff --git a/charts/dial-core/templates/secret-encryption.yaml b/charts/dial-core/templates/secret-encryption.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "dialCore.encryptionSecretName" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "dialCore.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.labels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.labels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if or .Values.annotations .Values.commonAnnotations }}
+  annotations:
+    {{- if .Values.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.annotations "context" $ ) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+type: Opaque
+data:
+  aidial.encryption.password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "dialCore.encryptionSecretName" .) "key" "aidial.encryption.password" "providedValues" (list "configuration.encryption.password") "length" 32 "strong" false "context" $) }}
+  aidial.encryption.salt: {{ include "common.secrets.passwords.manage" (dict "secret" (include "dialCore.encryptionSecretName" .) "key" "aidial.encryption.salt" "providedValues" (list "configuration.encryption.salt") "length" 32 "strong" false "context" $) }}
diff --git a/charts/dial-core/templates/secret.yaml b/charts/dial-core/templates/secret.yaml
@@ -25,4 +25,4 @@ data:
   {{- range $key, $value := .Values.secrets }}
   {{ $key }}: {{ tpl $value $ | b64enc | quote }}
   {{- end }}
-{{- end }}
+{{- end }}
diff --git a/charts/dial-core/values.yaml b/charts/dial-core/values.yaml
@@ -150,6 +150,25 @@ schedulerName: ""
 terminationGracePeriodSeconds: ""
 # -- for the dial-core container(s) to automate configuration before or after startup
 lifecycleHooks: {}
+# Application-specific configuration values
+configuration:
+  # Encryption configuration used in dial-core, e.g. for blob storage
+  encryption:
+    # -- Random string used to encrypt sensitive data
+    # e.g. `pwgen -s 32 1`
+    # WARNING: Autogenerated if not set during first installation.
+    # Changing this value after first installation takes no effect without existing secret removal.
+    # Changing this value in the middle of environment lifecycle WILL cause access loss to already encrypted data.
+    password: ""
+    # -- Random string used to encrypt sensitive data
+    # e.g. `pwgen -s 32 1`
+    # WARNING: Autogenerated if not set during first installation.
+    # WARNING: Changing this value after first installation takes no effect without existing secret removal.
+    # Changing this value in the middle of environment lifecycle WILL cause access loss to already encrypted data.
+    salt: ""
+    # -- The name of the Kubernetes secret containing the encryption password and salt.
+    # WARNING: Changing this value in the middle of environment lifecycle WILL cause access loss to already encrypted data.
+    existingSecret: ""
 # -- Key-value pairs extra environment variables to add to dial-core
 env:
   {}