diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml
index bf71f2e..6703c59 100644
--- a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml
@@ -13,6 +13,17 @@ metadata:
data:
ENVOY_CONFIG_FILE: |-
static_resources:
+ secrets:
- name: server_cert
+ tls_certificate:
+ certificate_chain:
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.appServerCertMountPath $.Values.appServerCertMountPath) (default $.Values.instantiationDefaults.appServerCertFileName $.Values.appServerCertFileName) | quote }}
+ private_key:
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.appServerCertMountPath $.Values.appServerCertMountPath) (default $.Values.instantiationDefaults.appServerKeyFileName $.Values.appServerKeyFileName) | quote }}
- name: validation_context
+ validation_context:
+ trusted_ca:
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.platformCaCertMountPath $.Values.platformCaCertMountPath) (default $.Values.instantiationDefaults.platformCaCertFileName $.Values.platformCaCertFileName) | quote }}
listeners:
# TLS listener for mTLS endpoint
- name: listener_https
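Review bot: The new static `secrets` entries read `tls-srv.crt`, `tls-srv.key` and the platform CA from the mounted files once at Envoy start-up, so when the Kubernetes secret behind `appServerCertMountPath` is rotated the files under the mount change but this listener keeps presenting the old certificate until the pod restarts; the removed inline `tls_certificates` had the same limitation, so this is a pre-existing gap rather than a regression, but the move to named secrets is the natural place to close it. If rotation without restart is expected, add `watched_directory: { path: <the mount path> }` to the `tls_certificate` and `validation_context` secrets (if static secrets do not honour the watch in the Envoy version in use, serve them through file-based SDS instead), and record the expectation with a comment such as `# Static secrets are read at start-up; a rotated secret is not picked up until the pod restarts`. Separately, `validation_context` carries only `trusted_ca`, so any client certificate chaining to the platform CA passes the `require_client_certificate` check on the listener below; if only specific callers should reach this endpoint, a `match_typed_subject_alt_names` entry here (or an RBAC filter keyed on the peer SAN) is where that restriction belongs.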
@@ -49,14 +60,10 @@ data:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
require_client_certificate: true
common_tls_context:
- tls_certificates:
- - certificate_chain:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.appCertFileName $.Values.appCertFileName) | quote }}
- private_key:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.appKeyFileName $.Values.appKeyFileName) | quote }}
- validation_context:
- trusted_ca:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyCaCertMountPath $.Values.proxyCaCertMountPath) (default $.Values.instantiationDefaults.platformCaCertFileName $.Values.platformCaCertFileName) | quote }}
+ tls_certificate_sds_secret_configs:
- name: server_cert
+ validation_context_sds_secret_config:
name: validation_context
clusters:
- name: eric-oss-hello-world-python-app-cluster
type: STATIC
diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
index 70350b7..1c174a7 100644
--- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
@@ -70,17 +70,13 @@ spec:
secret:
secretName: {{ index .Values "appSecretName" | quote }}
defaultMode: 420
- - name: client-creds
+ - name: app-server-certs
secret:
- secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
- defaultMode: 420
- - name: proxy-platform-cacerts
- secret:
- secretName: {{ index .Values "platformCaCertSecretName" | quote }}
+ secretName: {{ index .Values "appServerSecretName" | quote }}
defaultMode: 420
- - name: proxy-app-certs
+ - name: client-creds
secret:
- secretName: {{ index .Values "appSecretName" | quote }}
+ secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
defaultMode: 420
containers:
- name: eric-oss-hello-world-python-app
@@ -252,11 +248,11 @@ spec:
- name: envoy-config
mountPath: /etc/envoy
readOnly: true
- - name: proxy-platform-cacerts
- mountPath: {{ index .Values "proxyCaCertMountPath" | default .Values.instantiationDefaults.proxyCaCertMountPath | quote }}
+ - name: platform-cacerts
+ mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}
readOnly: true
- - name: proxy-app-certs
- mountPath: {{ index .Values "proxyAppCertMountPath" | default .Values.instantiationDefaults.proxyAppCertMountPath | quote }}
+ - name: app-server-certs
+ mountPath: {{ index .Values "appServerCertMountPath" | default .Values.instantiationDefaults.appServerCertMountPath | quote }}
readOnly: true
{{- if include "eric-oss-hello-world-python-app.pullSecrets" . }}
imagePullSecrets:
diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml
index 54191ed..73fcaaf 100644
--- a/charts/eric-oss-hello-world-python-app/values.yaml
+++ b/charts/eric-oss-hello-world-python-app/values.yaml
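Review bot: The new `app-server-certs` volume resolves its secret with `index .Values "appServerSecretName" | quote` and no fallback, even though this commit also introduces `instantiationDefaults.appServerSecretName` in values.yaml and every other new path in this file falls back with `| default .Values.instantiationDefaults.…`; if the instantiating side does not supply `appServerSecretName`, the template renders `secretName: ""` and the pod never starts. Make the volume consistent with the mount-path lines: `secretName: {{ index .Values "appServerSecretName" | default .Values.instantiationDefaults.appServerSecretName | quote }}`. The surrounding `volumes:` list starts before this hunk, so the same pattern may apply to entries not shown here.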
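Review bot: The Envoy container now mounts a volume named `platform-cacerts`, but the first hunk of this file removes `proxy-platform-cacerts` and adds no `platform-cacerts` entry to `volumes:`; unless such a volume is already declared elsewhere in the pod spec (outside the hunk, which seems plausible given `platformCaCertMountPath` pre-dates this change), the Deployment will be rejected with an unknown-volume error. Please confirm that a `platform-cacerts` volume backed by `platformCaCertSecretName` exists, and if not add `- name: platform-cacerts` / `secret: { secretName: {{ index .Values "platformCaCertSecretName" | quote }} }` to the volumes list. A short comment on this mount, e.g. `# platform CA used by Envoy to validate client certificates on listener_https`, would also make the pairing with the configmap's `validation_context` secret obvious. The `volumeMounts` list continues past the end of this hunk.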
@@ -123,11 +123,16 @@ podPriority:
# Defaults if these values are not provided at instantiation
instantiationDefaults:
+ appSecretName: "rapp-mtls-secret"
+ appCertMountPath: "/etc/tls/"
+ appKeyFileName: "tls.key"
+ appCertFileName: "tls.crt"
+ appServerSecretName: "rapp-mtls-srv-secret"
+ appServerCertMountPath: "/etc/tls-srv/"
+ appServerKeyFileName: "tls-srv.key"
+ appServerCertFileName: "tls-srv.crt"
platformCaCertMountPath: "/etc/tls-ca/platform/"
- appCertMountPath: "/etc/tls/log/"
clientCredsMountPath: "/etc/client-creds/"
- proxyCaCertMountPath: "/etc/certs/ca"
- proxyAppCertMountPath: "/etc/certs/app"
# Below variables values are populated by App Manager automatically