From 2d15ac904dc3e54a40f220af9572bf5551e8ec44 Mon Sep 17 00:00:00 2001
From: Kara
Date: Mon, 19 Jan 2026 11:23:10 +0000
Subject: [PATCH 1/3] Split certificates for client/server usage
---
 .../templates/configmap/envoy-configmap.yaml | 6 +++---
 .../templates/deployment/deployment.yaml | 20 ++++++++-----------
 .../values.yaml | 5 ++---
 3 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml
index bf71f2e..dfdbf23 100644
--- a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml
@@ -51,12 +51,12 @@ data:
 common_tls_context:
 tls_certificates:
 - certificate_chain:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.appCertFileName $.Values.appCertFileName) | quote }}
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.appServerCertMountPath $.Values.appServerCertMountPath) (default $.Values.instantiationDefaults.appServerCertFileName $.Values.appServerCertFileName) | quote }}
 private_key:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyAppCertMountPath $.Values.proxyAppCertMountPath) (default $.Values.instantiationDefaults.appKeyFileName $.Values.appKeyFileName) | quote }}
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.appServerCertMountPath $.Values.appServerCertMountPath) (default $.Values.instantiationDefaults.appServerKeyFileName $.Values.appServerKeyFileName) | quote }}
 validation_context:
 trusted_ca:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.proxyCaCertMountPath $.Values.proxyCaCertMountPath) (default $.Values.instantiationDefaults.platformCaCertFileName $.Values.platformCaCertFileName) | quote }}
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.platformCaCertMountPath $.Values.platformCaCertMountPath) (default $.Values.instantiationDefaults.platformCaCertFileName $.Values.platformCaCertFileName) | quote }}
 clusters:
 - name: eric-oss-hello-world-python-app-cluster
 type: STATIC
diff --git a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
index 70350b7..1c174a7 100644
--- a/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
+++ b/charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml
@@ -70,17 +70,13 @@ spec:
 secret:
 secretName: {{ index .Values "appSecretName" | quote }}
 defaultMode: 420
- - name: client-creds
+ - name: app-server-certs
 secret:
- secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
- defaultMode: 420
- - name: proxy-platform-cacerts
- secret:
- secretName: {{ index .Values "platformCaCertSecretName" | quote }}
+ secretName: {{ index .Values "appServerSecretName" | quote }}
 defaultMode: 420
- - name: proxy-app-certs
+ - name: client-creds
 secret:
- secretName: {{ index .Values "appSecretName" | quote }}
+ secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
 defaultMode: 420
 containers:
 - name: eric-oss-hello-world-python-app
@@ -252,11 +248,11 @@ spec:
 - name: envoy-config
 mountPath: /etc/envoy
 readOnly: true
- - name: proxy-platform-cacerts
- mountPath: {{ index .Values "proxyCaCertMountPath" | default .Values.instantiationDefaults.proxyCaCertMountPath | quote }}
+ - name: platform-cacerts
+ mountPath: {{ index .Values "platformCaCertMountPath" | default .Values.instantiationDefaults.platformCaCertMountPath | quote }}
 readOnly: true
- - name: proxy-app-certs
- mountPath: {{ index .Values "proxyAppCertMountPath" | default .Values.instantiationDefaults.proxyAppCertMountPath | quote }}
+ - name: app-server-certs
+ mountPath: {{ index .Values "appServerCertMountPath" | default .Values.instantiationDefaults.appServerCertMountPath | quote }}
 readOnly: true
 {{- if include "eric-oss-hello-world-python-app.pullSecrets" . }}
 imagePullSecrets:
diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml
index 54191ed..c389c19 100644
--- a/charts/eric-oss-hello-world-python-app/values.yaml
+++ b/charts/eric-oss-hello-world-python-app/values.yaml
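Review bot: The new `app-server-certs` volume keeps `defaultMode: 420` (octal 0644), so the server private key it carries (`tls-srv.key` under the defaults added in patch 3) is readable by every uid inside the Envoy container, not only the one Envoy runs as. Key material is normally mounted group- or owner-readable only, e.g. `defaultMode: 288` (0440) relying on the pod's `fsGroup`, or 0400 when the volume owner matches Envoy's `runAsUser`; the `client-creds` volume this hunk merely re-orders has the same 0644 mode. The pod security context is outside the hunk, so confirm which of `fsGroup`/`runAsUser` is set before narrowing. The volumes list itself starts above the hunk.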
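Review bot: The Envoy container now mounts a volume named `platform-cacerts` at `platformCaCertMountPath`, but nothing in this commit declares it: the volumes hunk above deletes `proxy-platform-cacerts` without adding a replacement, and no other `platform-cacerts` definition is visible. If the app container already declares that volume (plausible, since `platformCaCertMountPath` predates this patch), sharing the mount is fine; if not, the API server rejects the Deployment with a volumeMounts name-not-found error. A `helm template` render would settle it; otherwise re-add `- name: platform-cacerts` with `secret: secretName: {{ index .Values "platformCaCertSecretName" | quote }}` in the volumes list.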
@@ -124,10 +124,9 @@ podPriority: # Defaults if these values are not provided at instantiation instantiationDefaults: platformCaCertMountPath: "/etc/tls-ca/platform/" - appCertMountPath: "/etc/tls/log/" + appCertMountPath: "/etc/tls/" clientCredsMountPath: "/etc/client-creds/" - proxyCaCertMountPath: "/etc/certs/ca" - proxyAppCertMountPath: "/etc/certs/app" + appServerCertMountPath: "/etc/tls-srv/" # Below variables values are populated by App Manager automatically From 0a07fc2c2404dfd2384dbf5ee678cba15172d284 Mon Sep 17 00:00:00 2001 From: Kara Date: Mon, 19 Jan 2026 20:11:11 +0000 Subject: [PATCH 2/3] Added secrets to static_resources to enable key rotation --- .../templates/configmap/envoy-configmap.yaml | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml index dfdbf23..6703c59 100644 --- a/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml +++ b/charts/eric-oss-hello-world-python-app/templates/configmap/envoy-configmap.yaml 
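Review bot: `appServerCertMountPath: "/etc/tls-srv/"` ends in a slash while the configmap joins it to the file name with `printf "%s/%s"`, so the rendered Envoy paths read `/etc/tls-srv//tls-srv.crt`; Envoy and the kernel tolerate the doubled separator, so this is cosmetic, but the mixed convention (the removed `/etc/certs/ca` and `/etc/certs/app` had no trailing slash) makes rendered config harder to compare against the volume mounts. Either drop the trailing slashes on the mount-path defaults here, or normalise once in the template with `{{ printf "%s/%s" $dir $file | clean | quote }}`. The `instantiationDefaults` block continues past the hunk.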
@@ -13,6 +13,17 @@ metadata:
 data:
 ENVOY_CONFIG_FILE: |-
 static_resources:
+ secrets:
+ - name: server_cert
+ tls_certificate:
+ certificate_chain:
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.appServerCertMountPath $.Values.appServerCertMountPath) (default $.Values.instantiationDefaults.appServerCertFileName $.Values.appServerCertFileName) | quote }}
+ private_key:
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.appServerCertMountPath $.Values.appServerCertMountPath) (default $.Values.instantiationDefaults.appServerKeyFileName $.Values.appServerKeyFileName) | quote }}
+ - name: validation_context
+ validation_context:
+ trusted_ca:
+ filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.platformCaCertMountPath $.Values.platformCaCertMountPath) (default $.Values.instantiationDefaults.platformCaCertFileName $.Values.platformCaCertFileName) | quote }}
 listeners:
 # TLS listener for mTLS endpoint
 - name: listener_https
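Review bot: The `validation_context` secret trusts the platform CA and nothing more — no `match_typed_subject_alt_names`, `verify_certificate_spki` or `verify_certificate_hash` — and the listener it feeds (hunk at @@ -49) sets `require_client_certificate: true`, so any workload holding a certificate issued by that CA completes mTLS to this app. If the platform CA issues to more principals than this app's intended callers, that is authentication without authorization; adding `match_typed_subject_alt_names` under `validation_context` with the expected client SAN(s) (`san_type: URI` or `DNS`, `matcher: { exact: ... }`) restricts it, or an RBAC network filter if the allow-list belongs with the route. Which client identities are expected is not visible in the chart, so the list has to come from the rApp's caller contract.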
@@ -49,14 +60,10 @@ data:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
 require_client_certificate: true
 common_tls_context:
- tls_certificates:
- - certificate_chain:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.appServerCertMountPath $.Values.appServerCertMountPath) (default $.Values.instantiationDefaults.appServerCertFileName $.Values.appServerCertFileName) | quote }}
- private_key:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.appServerCertMountPath $.Values.appServerCertMountPath) (default $.Values.instantiationDefaults.appServerKeyFileName $.Values.appServerKeyFileName) | quote }}
- validation_context:
- trusted_ca:
- filename: {{ printf "%s/%s" (default $.Values.instantiationDefaults.platformCaCertMountPath $.Values.platformCaCertMountPath) (default $.Values.instantiationDefaults.platformCaCertFileName $.Values.platformCaCertFileName) | quote }}
+ tls_certificate_sds_secret_configs:
+ - name: server_cert
+ validation_context_sds_secret_config:
+ name: validation_context
 clusters:
 - name: eric-oss-hello-world-python-app-cluster
 type: STATIC
From 76c0da72ac49d6938c8a6f3fbc763c464eed2319 Mon Sep 17 00:00:00 2001
From: Kara
Date: Mon, 19 Jan 2026 20:17:58 +0000
Subject: [PATCH 3/3] Added missing instantiationDefaults
---
 charts/eric-oss-hello-world-python-app/values.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/charts/eric-oss-hello-world-python-app/values.yaml b/charts/eric-oss-hello-world-python-app/values.yaml
index c389c19..73fcaaf 100644
--- a/charts/eric-oss-hello-world-python-app/values.yaml
+++ b/charts/eric-oss-hello-world-python-app/values.yaml
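Review bot: The commit subject says the static secrets "enable key rotation", but `tls_certificate_sds_secret_configs: - name: server_cert` with no `sds_config` resolves against `static_resources.secrets` once at bootstrap; as far as the Envoy SDS documentation goes, `filename:` entries loaded that way are not re-read when the Kubernetes secret volume is updated, so the listener keeps serving the old key pair until the pod restarts, and the same holds for the `validation_context` reference during a CA rollover. Rotation without a restart needs the file-based SDS form: point `sds_config.path_config_source.path` at a small SDS response file and set `watched_directory` to the mount directory so the atomic `..data` symlink swap Kubernetes performs on update triggers a reload. Each SDS file holds a `resources:` list with one `type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret` carrying the same `tls_certificate` / `validation_context` body the hunk at @@ -13 puts under `static_resources.secrets`; the `envoy-config` ConfigMap is already mounted at `/etc/envoy` (patch 1's mount hunk), so they can be additional keys there, and the file names below are placeholders.

```yaml
common_tls_context:
  tls_certificate_sds_secret_configs:
    - name: server_cert
      sds_config:
        path_config_source:
          path: /etc/envoy/sds_server_cert.yaml
          watched_directory:
            path: {{ default $.Values.instantiationDefaults.appServerCertMountPath $.Values.appServerCertMountPath | quote }}
  validation_context_sds_secret_config:
    name: validation_context
    sds_config:
      path_config_source:
        path: /etc/envoy/sds_validation_context.yaml
        watched_directory:
          path: {{ default $.Values.instantiationDefaults.platformCaCertMountPath $.Values.platformCaCertMountPath | quote }}
# … unchanged: clusters …
```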
@@ -123,10 +123,16 @@ podPriority: # Defaults if these values are not provided at instantiation instantiationDefaults: - platformCaCertMountPath: "/etc/tls-ca/platform/" + appSecretName: "rapp-mtls-secret" appCertMountPath: "/etc/tls/" - clientCredsMountPath: "/etc/client-creds/" + appKeyFileName: "tls.key" + appCertFileName: "tls.crt" + appServerSecretName: "rapp-mtls-srv-secret" appServerCertMountPath: "/etc/tls-srv/" + appServerKeyFileName: "tls-srv.key" + appServerCertFileName: "tls-srv.crt" + platformCaCertMountPath: "/etc/tls-ca/platform/" + clientCredsMountPath: "/etc/client-creds/" # Below variables values are populated by App Manager automatically
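Review bot: `platformCaCertFileName` is still absent from `instantiationDefaults` after this hunk, yet the Envoy configmap renders `trusted_ca.filename` from `default $.Values.instantiationDefaults.platformCaCertFileName $.Values.platformCaCertFileName`, so an instantiation that omits the value produces a bare directory path and the mTLS listener has no loadable CA. Adding a `platformCaCertFileName` default here, set to the key under which the platform CA secret stores its certificate, would follow the pattern used for the other file names. Separately, the `appSecretName` and `appServerSecretName` defaults added here are never consulted: deployment.yaml renders `secretName: {{ index .Values "appServerSecretName" | quote }}` with no fallback (patch 1's volumes hunk), so `{{ .Values.appServerSecretName | default .Values.instantiationDefaults.appServerSecretName | quote }}` is needed there for the defaults to take effect. Both points assume nothing outside this values block supplies the keys.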