diff --git a/helm-charts/Chart.yaml b/helm-charts/Chart.yaml
index 175318dc7..90b1bb677 100644
--- a/helm-charts/Chart.yaml
+++ b/helm-charts/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: choreo-apk
 description: A Helm chart for APK components
 type: application
-version: 1.3.0-20
+version: 1.3.0-21
 appVersion: "1.3.0"
 dependencies:
 - name: postgresql
diff --git a/helm-charts/templates/data-plane/gateway-components/adapter/adapter-deployment.yaml b/helm-charts/templates/data-plane/gateway-components/adapter/adapter-deployment.yaml
index e3c100d11..a02f0816a 100644
--- a/helm-charts/templates/data-plane/gateway-components/adapter/adapter-deployment.yaml
+++ b/helm-charts/templates/data-plane/gateway-components/adapter/adapter-deployment.yaml
@@ -88,6 +88,22 @@ spec:
 - name: enforcer-jwks-tls-secret-volume
 mountPath: /home/wso2/security/truststore/enforcer.crt
 subPath: tls.crt
+ {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/adapter.key
+ subPath: apk-server.key
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/adapter.crt
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/adapter-ca.crt
+ subPath: apim-internal-intermediate-ca.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/router.crt
+ subPath: apk-server.crt
+ - name: enforcer-jwks-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/enforcer.crt
+ subPath: enforcer-jwks.crt # TODO: (thushani) should be enforcer-jwks-ca.crt check this
 {{- else }}
 - name: secret-provider-class
 mountPath: /home/wso2/security/keystore/adapter.key
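Review bot: The `truststore/enforcer.crt` mount in the new aws branch is filled from `enforcer-jwks.crt` and its inline TODO admits the trust anchor is unresolved, while the same change drops the `enforcer-jwks-ca.crt` object from the AWS SecretProviderClass, so the CA variant the TODO asks for is no longer synced anywhere. If the adapter uses this file to validate the enforcer's JWKS endpoint, pinning the leaf means a rotated JWKS certificate is rejected until the adapter pod is restarted with the new leaf in place. Either resolve the TODO before merging (restore the `enforcerJwksCaCert` object and mount `subPath: enforcer-jwks-ca.crt`) or replace it with a comment that records the decision, e.g. `# enforcer.crt is the JWKS leaf on purpose: rotate adapter and enforcer together`. Note also that `truststore/router.crt` is filled from `apk-server.crt`, the same certificate the adapter presents from its own keystore; that only works because every data-plane component now shares one key pair, which deserves a sentence in the chart documentation.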
@@ -205,7 +221,7 @@ spec:
 nodePublishSecretRef:
 name: {{ .Values.wso2.apk.secretProviderClass.nodePublishSecretRef }}
 {{- end }}
- {{- if eq .Values.wso2.apk.secretProviderClass.provider "azure" }}
+ {{- if or (eq .Values.wso2.apk.secretProviderClass.provider "azure") (eq .Values.wso2.apk.secretProviderClass.provider "aws") }}
 - name: apk-server-tls-secret-volume
 secret:
 secretName: {{ template "apk-helm.resource.prefix" . }}-apk-server-tls
diff --git a/helm-charts/templates/data-plane/gateway-components/common-controller/common-controller-deployment.yaml b/helm-charts/templates/data-plane/gateway-components/common-controller/common-controller-deployment.yaml
index f4dd4a784..9b01930fd 100644
--- a/helm-charts/templates/data-plane/gateway-components/common-controller/common-controller-deployment.yaml
+++ b/helm-charts/templates/data-plane/gateway-components/common-controller/common-controller-deployment.yaml
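Review bot: The aws branch of the mounts earlier in this file also references `enforcer-jwks-tls-secret-volume`, but this hunk only widens the gate on `apk-server-tls-secret-volume`; if the `enforcer-jwks-tls-secret-volume` definition that follows is still guarded by `provider "azure"` alone, the rendered aws Deployment references an undefined volume and the pod never schedules. That volume's condition is outside the hunk, so please confirm it was widened as well. The `or (eq … "azure") (eq … "aws")` expression is now repeated in four deployments; `{{- if has .Values.wso2.apk.secretProviderClass.provider (list "azure" "aws") }}` keeps the list of providers that consume synced Secrets in one place and is easier to extend.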
@@ -98,6 +98,25 @@ spec:
 mountPath: /home/wso2/security/truststore/ratelimiter-ca.crt
 subPath: ratelimiter-ca.crt
 {{- end }}
+ {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/commoncontroller.key
+ subPath: apk-server.key
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/commoncontroller.crt
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/adapter-ca.crt
+ subPath: apim-internal-intermediate-ca.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /tmp/k8s-webhook-server/serving-certs/tls.key
+ subPath: apk-server.key
+ - name: apk-server-tls-secret-volume
+ mountPath: /tmp/k8s-webhook-server/serving-certs/tls.crt
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /tmp/k8s-webhook-server/serving-certs/ca.crt
+ subPath: apim-internal-intermediate-ca.crt
 {{- else }}
 - name: secret-provider-class
 mountPath: /home/wso2/security/keystore/commoncontroller.key
@@ -211,7 +230,7 @@ spec:
 nodePublishSecretRef:
 name: {{ .Values.wso2.apk.secretProviderClass.nodePublishSecretRef }}
 {{- end }}
- {{- if eq .Values.wso2.apk.secretProviderClass.provider "azure" }}
+ {{- if or (eq .Values.wso2.apk.secretProviderClass.provider "azure") (eq .Values.wso2.apk.secretProviderClass.provider "aws") }}
 - name: apk-server-tls-secret-volume
 secret:
 secretName: {{ template "apk-helm.resource.prefix" . }}-apk-server-tls
diff --git a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/gateway-runtime-deployment.yaml b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/gateway-runtime-deployment.yaml
index 6987cdc8b..59160f734 100644
--- a/helm-charts/templates/data-plane/gateway-components/gateway-runtime/gateway-runtime-deployment.yaml
+++ b/helm-charts/templates/data-plane/gateway-components/gateway-runtime/gateway-runtime-deployment.yaml
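Review bot: The webhook serving certificate at `/tmp/k8s-webhook-server/serving-certs/tls.crt` is now the shared `apk-server.crt` rather than a controller-specific one, and the API server only calls the admission webhook if that certificate's SANs cover the common-controller Service DNS name and it chains to the `caBundle` registered in the webhook configuration. Neither is visible in this hunk, so please confirm the AWS-issued `apk-server.crt` carries the SANs of every component that now presents it (adapter, router, enforcer, ratelimiter and this webhook) and that the webhook `caBundle` is `apim-internal-intermediate-ca.crt`; a mismatch makes admission fail closed and stalls CR reconciliation. A comment above the serving-certs mounts, `# shared apk-server leaf: its SANs must include the common-controller webhook Service name`, would save the next person that hunt. Note also that the same private key is mounted twice in this container and is identical across all data-plane pods, so compromise of any one pod yields the key that terminates the admission webhook's TLS.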
@@ -219,6 +219,34 @@ spec:
 mountPath: /home/wso2/security/truststore/ratelimiter.crt
 subPath: tls.crt
 {{- end }}
+ {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/enforcer.key
+ subPath: apk-server.key
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/enforcer.crt
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/apk.crt
+ subPath: apim-internal-intermediate-ca.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/enforcer.crt
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/adapter.crt
+ subPath: apim-internal-intermediate-ca.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/router.crt
+ subPath: apim-internal-intermediate-ca.crt
+ - name: enforcer-jwks-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/mg.key
+ subPath: enforcer-jwks.key
+ - name: enforcer-jwks-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/mg.pem
+ subPath: enforcer-jwks.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/mg.pem
+ subPath: apim-internal-intermediate-ca.crt
 {{- else }}
 - name: secret-provider-class
 mountPath: /home/wso2/security/keystore/enforcer.key
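Review bot: The enforcer's aws truststore mixes two trust models: `truststore/enforcer.crt` is filled with the `apk-server.crt` leaf, while `truststore/adapter.crt`, `router.crt` and `apk.crt` are filled with `apim-internal-intermediate-ca.crt`, even though every one of those peers presents the same `apk-server.crt`. Leaf pinning and CA trust diverge on rotation — a CA-anchored store keeps working when `apk-server.crt` is reissued under the same intermediate, a pinned leaf does not — so pick one model and apply it to every entry, e.g. `subPath: apim-internal-intermediate-ca.crt` for `truststore/enforcer.crt` as well. Separately, `keystore/mg.pem` is the JWKS leaf but `truststore/mg.pem` is the intermediate CA; if anything in the enforcer is expected to trust `enforcer-jwks.crt` through `truststore/mg.pem`, that only holds if the JWKS certificate was issued by that intermediate, which this hunk cannot show, so a comment stating the issuer relationship would help.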
@@ -438,6 +466,24 @@ spec:
 mountPath: /home/wso2/security/truststore/ratelimiter.crt
 subPath: tls.crt
 {{- end }}
+ {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/router.key
+ subPath: apk-server.key
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/router.crt
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/adapter.crt
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/enforcer.crt
+ subPath: apk-server.crt
+ {{- if and .Values.wso2.apk.dp.enabled .Values.wso2.apk.dp.ratelimiter.enabled }}
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/ratelimiter.crt
+ subPath: apk-server.crt
+ {{- end }}
 {{- else }}
 - name: secret-provider-class
 mountPath: /home/wso2/security/keystore/router.key
diff --git a/helm-charts/templates/data-plane/ratelimiter/ratelimiter-deployment.yaml b/helm-charts/templates/data-plane/ratelimiter/ratelimiter-deployment.yaml
index ab76071f2..12ab17c9c 100644
--- a/helm-charts/templates/data-plane/ratelimiter/ratelimiter-deployment.yaml
+++ b/helm-charts/templates/data-plane/ratelimiter/ratelimiter-deployment.yaml
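Review bot: The router's aws truststore pins the `apk-server.crt` leaf for adapter, enforcer and ratelimiter, and each of those files is delivered through a `subPath` mount of a CSI-synced Secret; Kubernetes does not refresh `subPath`-mounted files when the backing Secret changes, so bumping `objectVersion` on `adapterCert` rotates the synced Secret but leaves these truststore files, and every pod's presented leaf, stale until each Deployment is restarted. With leaf pinning that turns rotation into a coordinated restart of all data-plane components, because the first pod to come up with the new leaf is rejected by the rest. Trusting `apim-internal-intermediate-ca.crt` here, as the common-controller hunk does, lets components be restarted one at a time. Whichever model is kept, a pod-template annotation derived from the `secrets.*.version` values, or a README note on the required rotation procedure, would make this operational constraint explicit.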
@@ -192,6 +192,22 @@ spec:
 - name: secret-provider-class
 mountPath: /home/wso2/security/truststore/router.pem
 subPath: router-ca.crt
+ {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/ratelimiter.key
+ subPath: apk-server.key
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/keystore/ratelimiter.crt
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/ratelimiter-ca.crt
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/adapter.pem
+ subPath: apk-server.crt
+ - name: apk-server-tls-secret-volume
+ mountPath: /home/wso2/security/truststore/router.pem
+ subPath: apk-server.crt
 {{- else }}
 - name: secret-provider-class
 mountPath: /home/wso2/security/keystore/ratelimiter.key
@@ -305,7 +321,7 @@ spec:
 nodePublishSecretRef:
 name: {{ .Values.wso2.apk.secretProviderClass.nodePublishSecretRef }}
 {{- end }}
- {{- if eq .Values.wso2.apk.secretProviderClass.provider "azure" }}
+ {{- if or (eq .Values.wso2.apk.secretProviderClass.provider "azure") (eq .Values.wso2.apk.secretProviderClass.provider "aws") }}
 - name: apk-server-tls-secret-volume
 secret:
 secretName: {{ template "apk-helm.resource.prefix" . }}-apk-server-tls
diff --git a/helm-charts/templates/secret-providers/secret-provider-aws.yaml b/helm-charts/templates/secret-providers/secret-provider-aws.yaml
index 80d18c99f..690d40ba1 100644
--- a/helm-charts/templates/secret-providers/secret-provider-aws.yaml
+++ b/helm-charts/templates/secret-providers/secret-provider-aws.yaml
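Review bot: `truststore/ratelimiter-ca.crt` in the aws branch is filled with the `apk-server.crt` leaf rather than a CA, which contradicts the file's own name and diverges from the branch shown just above it, where `router.pem` is filled from `router-ca.crt`. Whether the rate limiter accepts a non-CA leaf as a trust anchor depends on its TLS library; a verifier that tolerates the exact leaf today will still refuse the first reissued `apk-server.crt` it sees. Prefer `subPath: apim-internal-intermediate-ca.crt` for `ratelimiter-ca.crt`, `adapter.pem` and `router.pem`, and keep a leaf only where a deliberate pin is intended, with a comment saying so.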
@@ -30,20 +30,26 @@ spec:
 data:
 - objectName: ratelimiter_redis_credentials
 key: ratelimiter_redis_credentials
- - secretName: {{ template "apk-helm.resource.prefix" . }}-system-listener-tls
+ - secretName: {{ template "apk-helm.resource.prefix" . }}-apk-server-tls
 type: Opaque
 data:
+ - objectName: apk-server.key
+ key: apk-server.key
+ - objectName: apk-server.crt
+ key: apk-server.crt
+ - objectName: apim-internal-intermediate-ca.crt
+ key: apim-internal-intermediate-ca.crt
 - objectName: system-api-listener.key
- key: tls.key
+ key: system-api-listener.key
 - objectName: system-api-listener.crt
- key: tls.crt
- - secretName: {{ template "apk-helm.resource.prefix" . }}-router-tls
+ key: system-api-listener.crt
+ - secretName: {{ template "apk-helm.resource.prefix" . }}-enforcer-jwks-tls
 type: Opaque
 data:
- - objectName: router.key
- key: tls.key
- - objectName: router.crt
- key: tls.crt
+ - objectName: enforcer-jwks.key
+ key: enforcer-jwks.key
+ - objectName: enforcer-jwks.crt
+ key: enforcer-jwks.crt
 parameters:
 objects: |
 - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterRedisCredentials.secretName | quote }}
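Review bot: The synced Secret `<prefix>-system-listener-tls` is renamed to `<prefix>-apk-server-tls` with its keys changed from `tls.key`/`tls.crt` to `system-api-listener.key`/`system-api-listener.crt`, and `<prefix>-router-tls` is no longer synced at all; any consumer of those names outside this file — a Gateway/Listener `certificateRefs`, an Ingress, or a mount in a template this change does not touch — will now point at a missing Secret or a missing key, and Gateway controllers in particular expect the standard `tls.crt`/`tls.key` keys. Please grep the chart for `system-listener-tls`, `router-tls` and `tls.key` before merging, or keep the old secretObjects entries next to the new ones for one release. Separately, one Opaque Secret now bundles two unrelated private keys (`apk-server.key` and `system-api-listener.key`) plus the CA; anyone granted read on `-apk-server-tls` gets both, so keeping the system listener material in its own Secret preserves the separation the previous layout had.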
@@ -52,64 +58,16 @@ spec:
 objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterRedisCredentials.version | quote }}
 - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterKey.secretName | quote }}
 objectType: secretsmanager
- objectAlias: adapter.key
+ objectAlias: apk-server.key
 objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterKey.version | quote }}
 - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterCert.secretName | quote }}
 objectType: secretsmanager
- objectAlias: adapter.crt
+ objectAlias: apk-server.crt
 objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterCert.version | quote }}
 - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterCaCert.secretName | quote }}
 objectType: secretsmanager
- objectAlias: adapter-ca.crt
+ objectAlias: apim-internal-intermediate-ca.crt
 objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterCaCert.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerKey.secretName | quote }}
- objectType: secretsmanager
- objectAlias: enforcer.key
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerKey.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerCert.secretName | quote }}
- objectType: secretsmanager
- objectAlias: enforcer.crt
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerCert.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerCaCert.secretName | quote }}
- objectType: secretsmanager
- objectAlias: enforcer-ca.crt
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerCaCert.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.routerKey.secretName | quote }}
- objectType: secretsmanager
- objectAlias: router.key
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.routerKey.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.routerCert.secretName | quote }}
- objectType: secretsmanager
- objectAlias: router.crt
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.routerCert.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.routerCaCert.secretName | quote }}
- objectType: secretsmanager
- objectAlias: router-ca.crt
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.routerCaCert.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterKey.secretName | quote }}
- objectType: secretsmanager
- objectAlias: ratelimiter.key
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterKey.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterCert.secretName | quote }}
- objectType: secretsmanager
- objectAlias: ratelimiter.crt
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterCert.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterCaCert.secretName | quote }}
- objectType: secretsmanager
- objectAlias: ratelimiter-ca.crt
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterCaCert.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerKey.secretName | quote }}
- objectType: secretsmanager
- objectAlias: commoncontroller.key
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerKey.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerCert.secretName | quote }}
- objectType: secretsmanager
- objectAlias: commoncontroller.crt
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerCert.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerCaCert.secretName | quote }}
- objectType: secretsmanager
- objectAlias: commoncontroller-ca.crt
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerCaCert.version | quote }}
 - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.systemApiListenerKey.secretName | quote }}
 objectType: secretsmanager
 objectAlias: system-api-listener.key
@@ -126,10 +84,6 @@ spec:
 objectType: secretsmanager
 objectAlias: enforcer-jwks.crt
 objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerJwksCert.version | quote }}
- - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerJwksCaCert.secretName | quote }}
- objectType: secretsmanager
- objectAlias: enforcer-jwks-ca.crt
- objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerJwksCaCert.version | quote }}
 {{- if and .Values.wso2.apk.dp.gatewayRuntime.tracing .Values.wso2.apk.dp.gatewayRuntime.tracing.enabled .Values.wso2.apk.dp.gatewayRuntime.tracing.configProperties .Values.wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls .Values.wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.enabled }}
 - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.tracingCaCert.secretName | quote }}
 objectType: secretsmanager
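Review bot: The values keys feeding the renamed aliases are still `adapterKey`, `adapterCert` and `adapterCaCert` although the objects they now produce (`apk-server.key`, `apk-server.crt`, `apim-internal-intermediate-ca.crt`) are consumed by every data-plane component, and the twelve removed entries mean that `secrets.enforcerKey`, `routerKey`, `ratelimiterKey`, `commonControllerKey` and their cert/CA siblings in an existing values file are now silently ignored. A user upgrading from chart 1.3.0-20 gets no error, just a data plane whose every component presents whichever Secrets Manager entry `adapterKey` happens to name. Either introduce `apkServerKey`/`apkServerCert`/`internalIntermediateCaCert` values with the old names still honoured as fallbacks, or fail fast on the dead keys, e.g. `{{- if .Values.wso2.apk.secretProviderClass.secrets.routerKey }}{{ fail "secrets.routerKey is no longer used on aws; set secrets.adapterKey (shared apk-server key)" }}{{- end }}`, and describe the single-identity layout in values.yaml.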
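Review bot: Removing the `enforcerJwksCaCert` object leaves `enforcer-jwks.crt` as the only trust material for the JWKS key pair, so anything that validates the enforcer's JWKS endpoint appears to have to pin that leaf; the adapter mount earlier in this change does exactly that and carries a TODO asking for the CA variant, so the removal and the TODO contradict each other. If the intent is that `enforcer-jwks.crt` is itself issued by `apim-internal-intermediate-ca.crt`, record it on the `enforcerJwksCert` entry, `# JWKS leaf is issued by apim-internal-intermediate-ca; consumers trust the intermediate, no separate CA object`, otherwise keep this object until the TODO is resolved. The `{{- if and … tracing … }}` block that follows begins in this hunk but its end is outside it.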