[TT-9735] Allow confidential fields to be set via k8s secrets (#103)

* Add an option to specify remoteControlPlane configurations via k8s secret

Signed-off-by: Burak Sekili <[email protected]>

* remove duplicated comment

Signed-off-by: Burak Sekili <[email protected]>

* Add an option to specify enterprise portal configurations via k8s secret

Signed-off-by: Burak Sekili <[email protected]>

* Add an option to specify admin user configurations via k8s secret

Signed-off-by: Burak Sekili <[email protected]>

* Move the secret fields for admin user credentials to the new section

Signed-off-by: Burak Sekili <[email protected]>

* Add a documentation about secret usage in oss

Signed-off-by: Burak Sekili <[email protected]>

* Add a documentation about secret usage in mdcb-data-plane

Signed-off-by: Burak Sekili <[email protected]>

* Add a documentation about secret usage in single-dc

Signed-off-by: Burak Sekili <[email protected]>

* Add adminUser info

Signed-off-by: Burak Sekili <[email protected]>

* Refactor namings

Signed-off-by: Burak Sekili <[email protected]>

* Update tyk-oss/README.md

Co-authored-by: Komal Sukhani <[email protected]>

* Create dashboard secret if adminUser.useSecret is not in use

Signed-off-by: Burak Sekili <[email protected]>

* Update statefulset-enterprise-portal.yaml

* Fix pre-hook

* Set latest enterprise portal tag in component chart

---------

Signed-off-by: Burak Sekili <[email protected]>
Co-authored-by: Komal Sukhani <[email protected]>

Author: buraksekili

components/tyk-bootstrap/templates/bootstrap-post-install.yaml

@@ -29,23 +29,44 @@ spec:
       serviceAccountName: k8s-bootstrap-role
       containers:
         - name: bootstrap-tyk-post-install
-          image: tykio/tyk-k8s-bootstrap-post:latest
+          image: tykio/tyk-k8s-bootstrap-post:v1.5.0
           command: [ './app/bin/bootstrap-app-post' ]
           imagePullPolicy: IfNotPresent
           env:
             - name: TYK_DB_OMITCONFIGFILE
               value: "true"
             - name: TYK_ADMIN_FIRST_NAME
+              {{ if .Values.global.adminUser.useSecretName }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.global.adminUser.useSecretName }}
+                  key: adminUserFirstName
+              {{ else }}
               value: {{ .Values.global.adminUser.firstName | quote }}
+              {{ end }}
             - name: TYK_ADMIN_LAST_NAME
+              {{ if .Values.global.adminUser.useSecretName }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.global.adminUser.useSecretName }}
+                  key: adminUserLastName
+              {{ else }}
               value: {{ .Values.global.adminUser.lastName | quote }}
+              {{ end }}
             - name: TYK_ADMIN_EMAIL
+              {{ if .Values.global.adminUser.useSecretName }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.global.adminUser.useSecretName }}
+                  key: adminUserEmail
+              {{ else }}
               value: {{ .Values.global.adminUser.email | quote }}
+              {{ end }}
             - name: TYK_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: tyk-dashboard-login-details
-                  key: TYK_PASS
+                  name: {{ if .Values.global.adminUser.useSecretName }} {{ .Values.global.adminUser.useSecretName }} {{ else }} tyk-dashboard-login-details {{ end }}
+                  key: adminUserPassword
             - name: TYK_POD_NAMESPACE
               valueFrom:
                 fieldRef:
@@ -62,6 +83,15 @@ spec:
               {{- end }}
             - name: TYK_DB_LISTENPORT
               value: "{{ .Values.global.servicePorts.dashboard }}"
+            - name: TYK_DB_LICENSEKEY
+              {{ if .Values.global.secrets.useSecretName }}
+              valueFrom:
+                secretKeyRef:
+                  key: DashLicense
+                  name: {{ .Values.global.secrets.useSecretName }}
+              {{ else }}
+              value: {{ .Values.global.license.dashboard | quote }}
+              {{ end }}
             - name: TYK_ADMIN_SECRET
               {{- if not .Values.global.secrets.useSecretName }}
               value: {{ .Values.global.secrets.AdminSecret | quote }}

components/tyk-bootstrap/templates/bootstrap-pre-install.yaml

@@ -33,7 +33,14 @@ spec:
           imagePullPolicy: IfNotPresent
           env:
             - name: TYK_DB_LICENSEKEY
+              {{ if .Values.global.secrets.useSecretName }}
+              valueFrom:
+                secretKeyRef:
+                  key: DashLicense
+                  name: {{ .Values.global.secrets.useSecretName }}
+              {{ else }}
               value: {{ .Values.global.license.dashboard | quote }}
+              {{ end }}
       restartPolicy: Never
       terminationGracePeriodSeconds: 0
 {{- end }}

components/tyk-bootstrap/values.yaml

@@ -6,11 +6,17 @@ global:
     # The license key needed for the Tyk Dashboard.
     dashboard: ""
   adminUser:
+    # If you don't want to store plaintext secrets for admin user in the Helm value file and would
+    # rather provide the k8s Secret externally please populate the value below
+    # You can set following fields in the secret
+    # adminUserFirstName - sets .global.adminUser.firstName
+    # adminUserLastName - sets .global.adminUser.lastName
+    # adminUserEmail - sets .global.adminUser.email
+    useSecretName: ""
+
     firstName: admin
     lastName: user
     email: [email protected]
-    # Set a password or a random one will be assigned. Admin user password must have at least 6 characters.
-    password: "123456"
 
   bootstrap:
     enterprisePortal: true
@@ -81,8 +87,6 @@ bootstrap:
   # Trigger to control if we want to create the tyk-operator secret
   operatorSecret: true
 
-
-
   fullnameOverride: ""
   nameOverride: ""
 

components/tyk-dashboard/templates/secret-dashboard.yaml

@@ -1,3 +1,4 @@
+{{ if not .Values.global.adminUser.useSecretName }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,7 +11,8 @@ metadata:
 type: Opaque
 data:
   {{ if .Values.global.adminUser.password }}
-  TYK_PASS: {{ .Values.global.adminUser.password | b64enc | quote }}
+  adminUserPassword: {{ .Values.global.adminUser.password | b64enc | quote }}
   {{ else }}
-  TYK_PASS: {{ randAlphaNum 10 | b64enc | quote }}
-  {{ end }}
+  adminUserPassword: {{ randAlphaNum 10 | b64enc | quote }}
+  {{ end }}
+{{ end }}

components/tyk-dashboard/values.yaml

@@ -6,10 +6,23 @@ fullnameOverride: ""
 
 global:
   license:
-    # The license key needed by Tyk Dashboard to work
+    # The license key needed by Tyk Dashboard to work.
+    #
+    # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
+    # that stores the dashboard license. Please see `.global.secrets.useSecretName`.
     dashboard: ""
+
   # Dashboard admin information.
   adminUser:
+    # If you don't want to store plaintext secrets for admin user in the Helm value file and would
+    # rather provide the k8s Secret externally please populate the value below
+    # You can set following fields in the secret
+    # adminUserFirstName - sets .global.adminUser.firstName
+    # adminUserLastName - sets .global.adminUser.lastName
+    # adminUserEmail - sets .global.adminUser.email
+    # adminUserPassword - sets .global.adminUser.password
+    useSecretName: ""
+
     # First name of the admin user
     firstName: admin
     # Last name of the admin user
@@ -18,6 +31,7 @@ global:
     email: [email protected]
     # Set a password or a random one will be assigned.
     password: "123456"
+
   servicePorts:
     # The port at which the dashboard service can be found
     dashboard: 3000

components/tyk-enterprise-portal/templates/secret.yaml

@@ -11,7 +11,7 @@ metadata:
 type: Opaque
 stringData:
   EnterprisePortalLicense: "{{ .Values.license }}"
-  EnterprisePortalAdminPassword: "{{ .Values.global.adminUser.password }}"
+  adminUserPassword: "{{ .Values.global.adminUser.password }}"
   EnterprisePortalStorageConnectionString: "{{ .Values.storage.database.connectionString }}"
   EnterprisePortalAwsAccessKeyId: "{{ .Values.storage.s3.awsAccessKeyid }}"
   EnterprisePortalAwsSecretAccessKey: "{{ .Values.storage.s3.awsSecretAccessKey }}"

components/tyk-enterprise-portal/templates/statefulset-enterprise-portal.yaml

@@ -66,16 +66,23 @@ spec:
           - name: PORTAL_HOST_PORT
             value: "{{ .Values.containerPort }}"
           - name: ADMIN_EMAIL
+            {{ if .Values.global.adminUser.useSecretName }}
+            valueFrom:
+              secretKeyRef:
+                key: adminUserEmail
+                name: {{ .Values.global.adminUser.useSecretName }}
+            {{ else }}
             value: "{{ .Values.global.adminUser.email }}"
+            {{ end }}
           - name: ADMIN_PASSWORD
             valueFrom:
               secretKeyRef:
-                {{ if .Values.global.secrets.useSecretName }}
-                name: {{ .Values.global.secrets.useSecretName }}
+                {{ if .Values.global.adminUser.useSecretName }}
+                name: {{ .Values.global.adminUser.useSecretName }}
                 {{ else }}
                 name: secrets-{{ include "tyk-enterprise-portal.fullname" . }}
                 {{ end }}
-                key: EnterprisePortalAdminPassword
+                key: adminUserPassword
           - name: PORTAL_STORAGE
             value: "{{ .Values.storage.type }}"
           - name: PORTAL_DATABASE_DIALECT
@@ -145,20 +152,12 @@ spec:
           - name: TYK_AUTH
             valueFrom:
               secretKeyRef:
-                {{ if .Values.global.secrets.useSecretName }}
-                name: {{ .Values.global.secrets.useSecretName }}
-                {{ else }}
                 name: {{ .Values.global.secrets.enterprisePortal}}
-                {{ end }}
                 key: TYK_AUTH
           - name: TYK_ORG
             valueFrom:
               secretKeyRef:
-                {{ if .Values.global.secrets.useSecretName }}
-                name: {{ .Values.global.secrets.useSecretName }}
-                {{ else }}
                 name: {{ .Values.global.secrets.enterprisePortal}}
-                {{ end }}
                 key: TYK_ORG
         {{- if .Values.extraEnvs }}
         {{- range $env := .Values.extraEnvs }}
@@ -271,4 +270,4 @@ spec:
         {{ $key }}: {{ $value | quote }}
       {{- end }}
       {{- end }}
-  {{- end }}
+  {{- end }}

components/tyk-enterprise-portal/values.yaml

@@ -8,7 +8,16 @@
 
 global:
   adminUser:
+    # If you don't want to store plaintext secrets for admin user in the Helm value file and would
+    # rather provide the k8s Secret externally please populate the value below
+    # You can set following fields in the secret:
+    # - adminUserEmail sets .global.adminUser.email
+    # - adminUserPassword sets .global.adminUser.password
+    useSecretName: ""
+
+    # email of Enterprise Portal admin
     email: [email protected]
+    # password of Enterprise Portal admin
     password: 123456
   tls:
     dashboard: false
@@ -17,20 +26,29 @@ global:
     dashboard: 3000
   bootstrap:
     enterprisePortal: false
+
   secrets:
+    # enterprisePortal secret stands for secret including Tyk Dashboard credentials.
+    # It should include the followings:
+    # - TYK_ORG: Tyk Dashboard Organisation ID
+    # - TYK_AUTH: Tyk Dashboard API Access Credentials
     enterprisePortal: tyk-enterprise-portal-conf
 
-    # If you don't want to store plaintext secrets in the Helm value file and would
-    # rather provide the k8s Secret externally please populate the value below
+    # useSecretName can be used if you don't want to store plaintext values for Enterprise Portal license in
+    # the Helm value file and would rather provide the k8s Secret externally.
+    # You should set following fields in the secret
+    # - EnterprisePortalLicense - Sets LicenseKey for Enterprise Portal
+    # - EnterprisePortalStorageConnectionString - Sets Database.ConnectionString for Enterprise Portal
     useSecretName: ""
 
 # The hostname to bind the Enterprise Portal to.
 hostName: tyk-enterprise-portal.local
+
 # Enterprise Portal license.
 license: ""
 
-#In case you want to deploy enterprise portal as a standalone app, you can configure a different dashboard URL using
-#the parameter bellow
+# In case you want to deploy enterprise portal as a standalone app, you can configure a different dashboard URL using
+# the parameter bellow.
 overrideTykDashUrl: ""
 # Enterprise portal can be deployed as StatefulSet or as Deployment
 kind: StatefulSet
@@ -73,22 +91,27 @@ storage:
     annotations: {}
     labels: {}
     selector: {}
+
 replicaCount: 1
 containerPort: 3001
+
 image:
   repository: tykio/portal
   # Enterprise portal < v1.2 is not supported
-  tag: v1.5.0
+  tag: v1.6.0
   pullPolicy: Always
+
 # image pull secrets to use when pulling images from repository
 imagePullSecrets: []
+
 service:
   type: NodePort
   port: 3001
   externalTrafficPolicy: Local
   annotations: {}
 # Creates an ingress object in k8s. Will require an ingress-controller and
 # annotation to that ingress controller.
+
 ingress:
   enabled: false
   # specify your ingress controller class name below
@@ -105,6 +128,7 @@ ingress:
 #  - secretName: chart-example-tls
 #    hosts:
 #      - chart-example.local
+
 resources: {}
   # We usually recommend not to specify default resources and to leave this
   # as a conscious choice for the user. This also increases chances charts
@@ -117,6 +141,7 @@ resources: {}
   # requests:
   #  cpu: 100m
 #  memory: 128Mi
+
 securityContext:
   runAsUser: 1000
   fsGroup: 2000
@@ -132,13 +157,15 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
 extraEnvs: []
+
 ## extraVolumes A list of volumes to be added to the pod
 ## extraVolumes:
 ##   - name: ca-certs
 ##     secret:
 ##       defaultMode: 420
 ##       secretName: ca-certs
 extraVolumes: []
+
 ## extraVolumeMounts A list of volume mounts to be added to the pod
 ## extraVolumeMounts:
 ##   - name: ca-certs

components/tyk-gateway/templates/deployment-gw-repset.yaml

@@ -165,11 +165,32 @@ spec:
           - name: TYK_GW_AUTHOVERRIDE_AUTHPROVIDER_STORAGEENGINE
             value: "rpc"
           - name: TYK_GW_SLAVEOPTIONS_RPCKEY
+            {{ if .Values.global.remoteControlPlane.useSecretName }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.global.remoteControlPlane.useSecretName }}
+                key: orgId
+            {{ else }}
             value: "{{ .Values.global.remoteControlPlane.orgId }}"
+            {{ end }}
           - name: TYK_GW_SLAVEOPTIONS_APIKEY
+            {{ if .Values.global.remoteControlPlane.useSecretName }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.global.remoteControlPlane.useSecretName }}
+                key: userApiKey
+            {{ else }}
             value: "{{  .Values.global.remoteControlPlane.userApiKey }}"
+            {{ end }}
           - name: TYK_GW_SLAVEOPTIONS_GROUPID
+            {{ if .Values.global.remoteControlPlane.useSecretName }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.global.remoteControlPlane.useSecretName }}
+                key: groupID
+            {{ else }}
             value: "{{ .Values.global.remoteControlPlane.groupID}}"
+            {{ end }}
           - name: TYK_GW_SLAVEOPTIONS_CONNECTIONSTRING
             value: "{{ .Values.global.remoteControlPlane.connectionString }}"
           - name: TYK_GW_SLAVEOPTIONS_USESSL

components/tyk-gateway/values.yaml

@@ -91,6 +91,14 @@ global:
       database: 0
 
   remoteControlPlane:
+    # useSecretName can be used if you don't want to store plaintext values for remote control plane configurations in
+    # the Helm value file and would rather provide the k8s Secret externally.
+    # You should set following fields in the secret
+    # - orgId - Sets slave_options.rpc_key of Tyk Gateway
+    # - userApiKey - Sets slave_options.api_key of Tyk Gateway
+    # - groupID - Sets slave_options.group_id of Tyk Gateway
+    useSecretName: ""
+
     enabled: false
     # connection string used to connect to an MDCB deployment. For Tyk Cloud users, you can get it from Tyk Cloud Console and retrieve the MDCB connection string.
     connectionString: ""

components/tyk-pump/values.yaml

@@ -98,6 +98,14 @@ global:
     #   keyName: ""
 
   remoteControlPlane:
+    # useSecretName can be used if you don't want to store plaintext values for remote control plane configurations in
+    # the Helm value file and would rather provide the k8s Secret externally.
+    # You should set following fields in the secret
+    # - orgId - Sets slave_options.rpc_key of Tyk Gateway
+    # - userApiKey - Sets slave_options.api_key of Tyk Gateway
+    # - groupID - Sets slave_options.group_id of Tyk Gateway
+    useSecretName: ""
+
     # connection string used to connect to an MDCB deployment. For Tyk Cloud users, you can get it from Tyk Cloud Console and retrieve the MDCB connection string.
     connectionString: ""
     # orgID of your dashboard user