feat(cloud-native): secure mounted configuration schema

charts/janssen-all-in-one/README.md

@@ -134,6 +134,8 @@ Kubernetes: `>=v1.22.0-0`
 | cnConfiguratorCustomSchema | object | `{"secretName":""}` | Use custom configuration schema in existing secrets. Note, the secrets has to contain the key configuration.json or any basename as specified in cnConfiguratorConfigurationFile. |
 | cnConfiguratorCustomSchema.secretName | string | `""` | The name of the secrets used for storing custom configuration schema. |
 | cnConfiguratorDumpFile | string | `"/etc/jans/conf/configuration.out.json"` | Path to dumped configuration schema file |
+| cnConfiguratorKey | string | `""` | Key to encrypt/decrypt configuration schema file using AES-256 CBC mode. Set the value to empty string to disable encryption/decryption, or 32 alphanumeric characters to enable it. |
+| cnConfiguratorKeyFile | string | `"/etc/jans/conf/configuration.key"` | Path to file contains key to encrypt/decrypt configuration schema file. |
 | cnDocumentStoreType | string | `"DB"` | Document store type to use for shibboleth files DB. |
 | cnGoogleApplicationCredentials | string | `"/etc/jans/conf/google-credentials.json"` | Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. Leave as this is a sensible default. |
 | cnPersistenceType | string | `"sql"` | Persistence backend to run Janssen with hybrid|sql. |

charts/janssen-all-in-one/templates/_helpers.tpl

@@ -73,10 +73,10 @@ Create optional scopes list
 {{- define "janssen-all-in-one.optionalScopes"}}
 {{ $newList := list }}
 {{- if eq .Values.configmap.cnCacheType "REDIS" }}
-{{ $newList = append $newList ("redis" | quote )  }}
+{{ $newList = append $newList "redis" }}
 {{- end}}
 {{ if eq .Values.cnPersistenceType "sql" }}
-{{ $newList = append $newList ("sql" | quote) }}
+{{ $newList = append $newList "sql" }}
 {{- end }}
 {{ toJson $newList }}
 {{- end }}
@@ -178,12 +178,78 @@ Create configuration schema-related objects.
 {{- define "janssen-all-in-one.config.schema" -}}
 {{- $commonName := (printf "%s-configuration-file" .Release.Name) -}}
 {{- $secretName := .Values.cnConfiguratorCustomSchema.secretName | default $commonName -}}
+{{- $keyName := (printf "%s-configuration-key-file" .Release.Name) -}}
 volumes:
   - name: {{ $commonName }}
     secret:
       secretName: {{ $secretName }}
+{{- if .Values.cnConfiguratorKey }}
+  - name: {{ $keyName }}
+    secret:
+      secretName: {{ $keyName }}
+{{- end }}
 volumeMounts:
   - name: {{ $commonName }}
     mountPath: {{ .Values.cnConfiguratorConfigurationFile }}
     subPath: {{ .Values.cnConfiguratorConfigurationFile | base }}
-{{- end -}}
+{{- if .Values.cnConfiguratorKey }}
+  - name: {{ $keyName }}
+    mountPath: {{ .Values.cnConfiguratorKeyFile }}
+    subPath: {{ .Values.cnConfiguratorKeyFile | base }}
+{{- end }}
+{{- end }}
+
+{{/*
+Obfuscate configuration schema (only if configuration key is available)
+*/}}
+{{- define "janssen-all-in-one.config.prepareSchema" }}
+
+{{- $configmapSchema := dict }}
+{{- $_ := set $configmapSchema "hostname" .Values.fqdn }}
+{{- $_ := set $configmapSchema "country_code" .Values.countryCode }}
+{{- $_ := set $configmapSchema "state" .Values.state }}
+{{- $_ := set $configmapSchema "city" .Values.city }}
+{{- $_ := set $configmapSchema "admin_email" .Values.email }}
+{{- $_ := set $configmapSchema "orgName" .Values.orgName }}
+{{- $_ := set $configmapSchema "auth_sig_keys" (index .Values "auth-server" "authSigKeys") }}
+{{- $_ := set $configmapSchema "auth_enc_keys" (index .Values "auth-server" "authEncKeys") }}
+{{- $_ := set $configmapSchema "optional_scopes" (include "janssen-all-in-one.optionalScopes" . | trim) }}
+{{- if .Values.saml.enabled }}
+{{- $_ := set $configmapSchema "kc_admin_username" .Values.configmap.kcAdminUsername }}
+{{- end }}
+{{- $_ := set $configmapSchema "init_keys_exp" (index .Values "auth-server-key-rotation" "initKeysLife") }}
+
+{{- $secretSchema := dict }}
+{{- $_ := set $secretSchema "admin_password" .Values.adminPassword }}
+{{- $_ := set $secretSchema "redis_password" .Values.redisPassword }}
+{{- if or ( eq .Values.cnPersistenceType "sql" ) ( eq .Values.cnPersistenceType "hybrid" ) }}
+{{- $_ := set $secretSchema "sql_password" .Values.configmap.cnSqldbUserPassword }}
+{{- end }}
+{{- if eq .Values.configSecretAdapter "vault" }}
+{{- $_ := set $secretSchema "vault_role_id" .Values.configmap.cnVaultRoleId }}
+{{- $_ := set $secretSchema "vault_secret_id" .Values.configmap.cnVaultSecretId }}
+{{- end }}
+{{- if or (eq .Values.configSecretAdapter "google") (eq .Values.configAdapterName "google") }}
+{{- $_ := set $secretSchema "google_credentials" .Values.configmap.cnGoogleSecretManagerServiceAccount }}
+{{- end }}
+{{- if or (eq .Values.configAdapterName "aws") (eq .Values.configSecretAdapter "aws") }}
+{{- $_ := set $secretSchema "aws_credentials" (include "config.aws-shared-credentials" . | b64enc) }}
+{{- $_ := set $secretSchema "aws_config" (include "config.aws-config" . | b64enc) }}
+{{- $_ := set $secretSchema "aws_replica_regions" (toJson .Values.configmap.cnAwsSecretsReplicaRegions | b64enc) }}
+{{- end }}
+{{- if .Values.saml.enabled }}
+{{- $_ := set $secretSchema "kc_db_password" .Values.configmap.kcDbPassword }}
+{{- $_ := set $secretSchema "kc_admin_password" .Values.configmap.kcAdminPassword }}
+{{- end }}
+{{- $_ := set $secretSchema "encoded_salt" .Values.salt }}
+
+{{- $schema := dict "_configmap" $configmapSchema "_secret" $secretSchema }}
+
+{{- if .Values.cnConfiguratorKey }}
+{{- printf "%s" (encryptAES .Values.cnConfiguratorKey (toPrettyJson $schema)) }}
+{{- else -}}
+{{- toPrettyJson $schema }}
+{{- end }}
+
+{{/* end of helpers */}}
+{{- end }}

charts/janssen-all-in-one/templates/secret.yaml

@@ -22,45 +22,33 @@ metadata:
 type: Opaque
 stringData:
   {{ .Values.cnConfiguratorConfigurationFile | base }}: |-
-    {
-      "_configmap": {
-        "hostname": {{ .Values.fqdn | quote }},
-        "country_code": {{ .Values.countryCode | quote }},
-        "state": {{ .Values.state | quote }},
-        "city": {{ .Values.city | quote }},
-        "admin_email": {{ .Values.email | quote }},
-        "orgName": {{ .Values.orgName | quote }},
-        "auth_sig_keys": {{ index .Values "auth-server" "authSigKeys" | quote }},
-        "auth_enc_keys": {{ index .Values "auth-server" "authEncKeys" | quote }},
-        "optional_scopes": {{ list (include "janssen-all-in-one.optionalScopes" . | fromJsonArray | join ",") | quote }},
-        {{- if .Values.saml.enabled }}
-        "kc_admin_username": {{ .Values.configmap.kcAdminUsername | quote }},
-        {{- end }}
-        "init_keys_exp": {{ index .Values "auth-server-key-rotation" "initKeysLife" }}
-      },
-      "_secret": {
-        "admin_password": {{ .Values.adminPassword | quote }},
-        "redis_password": {{ .Values.redisPassword | quote }},
-        {{ if or ( eq .Values.cnPersistenceType "sql" ) ( eq .Values.cnPersistenceType "hybrid" ) }}
-        "sql_password": {{ .Values.configmap.cnSqldbUserPassword | quote }},
-        {{- end }}
-        {{ if eq .Values.configSecretAdapter "vault" }}
-        "vault_role_id": {{ .Values.configmap.cnVaultRoleId | quote }},
-        "vault_secret_id": {{ .Values.configmap.cnVaultSecretId | quote }},
-        {{- end }}
-        {{ if or (eq .Values.configSecretAdapter "google") (eq .Values.configAdapterName "google") }}
-        "google_credentials": {{ .Values.configmap.cnGoogleSecretManagerServiceAccount | quote }},
-        {{- end }}
-        {{ if or (eq .Values.configAdapterName "aws") (eq .Values.configSecretAdapter "aws") }}
-        "aws_credentials": {{ include "janssen-all-in-one.aws-shared-credentials" . | b64enc | quote }},
-        "aws_config": {{ include "janssen-all-in-one.aws-config" . | b64enc | quote }},
-        "aws_replica_regions": {{ .Values.configmap.cnAwsSecretsReplicaRegions | toJson | b64enc | quote }},
-        {{- end }}
-        {{- if .Values.saml.enabled }}
-        "kc_db_password": {{ .Values.configmap.kcDbPassword | quote }},
-        "kc_admin_password": {{ .Values.configmap.kcAdminPassword | quote }},
-        {{- end }}
-        "encoded_salt": {{ .Values.salt | quote }}
-      }
-    }
+{{ include "janssen-all-in-one.config.prepareSchema" . | indent 4  }}
+{{- end }}
+
+---
+
+{{- if .Values.cnConfiguratorKey -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-configuration-key-file
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Release.Name }}-{{ include "janssen-all-in-one.name" . }}-aio
+{{ include "janssen-all-in-one.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if or (.Values.additionalAnnotations) (.Values.customAnnotations.secret) }}
+  annotations:
+{{- if .Values.additionalAnnotations }}
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+{{- if .Values.customAnnotations.secret }}
+{{ toYaml .Values.customAnnotations.secret | indent 4 }}
+{{- end }}
+{{- end }}
+type: Opaque
+data:
+  {{ .Values.cnConfiguratorKeyFile | base }}: {{ .Values.cnConfiguratorKey | b64enc }}
 {{- end }}

charts/janssen-all-in-one/values.yaml

@@ -573,6 +573,10 @@ cnConfiguratorDumpFile: /etc/jans/conf/configuration.out.json
 cnConfiguratorCustomSchema:
   # -- The name of the secrets used for storing custom configuration schema.
   secretName: ""
+# -- Key to encrypt/decrypt configuration schema file using AES-256 CBC mode. Set the value to empty string to disable encryption/decryption, or 32 alphanumeric characters to enable it.
+cnConfiguratorKey: ""
+# -- Path to file contains key to encrypt/decrypt configuration schema file.
+cnConfiguratorKeyFile: /etc/jans/conf/configuration.key
 
 # ingress properties
 istio: