Refactor secrets for aws

helm-charts/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: choreo-apk
 description: A Helm chart for APK components
 type: application
-version: 1.3.0-20
+version: 1.3.0-21
 appVersion: "1.3.0"
 dependencies:
   - name: postgresql

helm-charts/templates/data-plane/gateway-components/adapter/adapter-deployment.yaml

@@ -88,6 +88,22 @@ spec:
             - name: enforcer-jwks-tls-secret-volume
               mountPath: /home/wso2/security/truststore/enforcer.crt
               subPath: tls.crt
+            {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/adapter.key
+              subPath: apk-server.key
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/adapter.crt
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/adapter-ca.crt
+              subPath: apim-internal-intermediate-ca.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/router.crt
+              subPath: apk-server.crt
+            - name: enforcer-jwks-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/enforcer.crt
+              subPath: enforcer-jwks.crt # TODO: (thushani) should be enforcer-jwks-ca.crt check this
             {{- else }}
             - name: secret-provider-class
               mountPath: /home/wso2/security/keystore/adapter.key
@@ -205,7 +221,7 @@ spec:
             nodePublishSecretRef:
               name: {{ .Values.wso2.apk.secretProviderClass.nodePublishSecretRef }}
             {{- end }}
-        {{- if eq .Values.wso2.apk.secretProviderClass.provider "azure" }}
+        {{- if or (eq .Values.wso2.apk.secretProviderClass.provider "azure") (eq .Values.wso2.apk.secretProviderClass.provider "aws") }}
         - name: apk-server-tls-secret-volume
           secret:
             secretName: {{ template "apk-helm.resource.prefix" . }}-apk-server-tls

helm-charts/templates/data-plane/gateway-components/common-controller/common-controller-deployment.yaml

@@ -98,6 +98,25 @@ spec:
               mountPath: /home/wso2/security/truststore/ratelimiter-ca.crt
               subPath: ratelimiter-ca.crt
             {{- end }}
+            {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/commoncontroller.key
+              subPath: apk-server.key
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/commoncontroller.crt
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/adapter-ca.crt
+              subPath: apim-internal-intermediate-ca.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /tmp/k8s-webhook-server/serving-certs/tls.key
+              subPath: apk-server.key
+            - name: apk-server-tls-secret-volume
+              mountPath: /tmp/k8s-webhook-server/serving-certs/tls.crt
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /tmp/k8s-webhook-server/serving-certs/ca.crt
+              subPath: apim-internal-intermediate-ca.crt
             {{- else }}
             - name: secret-provider-class
               mountPath: /home/wso2/security/keystore/commoncontroller.key
@@ -211,7 +230,7 @@ spec:
             nodePublishSecretRef:
               name: {{ .Values.wso2.apk.secretProviderClass.nodePublishSecretRef }}
             {{- end }}
-        {{- if eq .Values.wso2.apk.secretProviderClass.provider "azure" }}
+        {{- if or (eq .Values.wso2.apk.secretProviderClass.provider "azure") (eq .Values.wso2.apk.secretProviderClass.provider "aws") }}
         - name: apk-server-tls-secret-volume
           secret:
             secretName: {{ template "apk-helm.resource.prefix" . }}-apk-server-tls

helm-charts/templates/data-plane/gateway-components/gateway-runtime/gateway-runtime-deployment.yaml

@@ -219,6 +219,34 @@ spec:
               mountPath: /home/wso2/security/truststore/ratelimiter.crt
               subPath: tls.crt
             {{- end }}
+            {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/enforcer.key
+              subPath: apk-server.key
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/enforcer.crt
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/apk.crt
+              subPath: apim-internal-intermediate-ca.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/enforcer.crt
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/adapter.crt
+              subPath: apim-internal-intermediate-ca.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/router.crt
+              subPath: apim-internal-intermediate-ca.crt
+            - name: enforcer-jwks-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/mg.key
+              subPath: enforcer-jwks.key
+            - name: enforcer-jwks-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/mg.pem
+              subPath: enforcer-jwks.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/mg.pem
+              subPath: apim-internal-intermediate-ca.crt
             {{- else }}
             - name: secret-provider-class
               mountPath: /home/wso2/security/keystore/enforcer.key
@@ -438,6 +466,24 @@ spec:
               mountPath: /home/wso2/security/truststore/ratelimiter.crt
               subPath: tls.crt
             {{- end }}
+            {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/router.key
+              subPath: apk-server.key
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/router.crt
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/adapter.crt
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/enforcer.crt
+              subPath: apk-server.crt
+            {{- if and .Values.wso2.apk.dp.enabled .Values.wso2.apk.dp.ratelimiter.enabled }}
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/ratelimiter.crt
+              subPath: apk-server.crt
+            {{- end }}
             {{- else }}
             - name: secret-provider-class
               mountPath: /home/wso2/security/keystore/router.key

helm-charts/templates/data-plane/ratelimiter/ratelimiter-deployment.yaml

@@ -192,6 +192,22 @@ spec:
             - name: secret-provider-class
               mountPath: /home/wso2/security/truststore/router.pem
               subPath: router-ca.crt
+            {{- else if eq .Values.wso2.apk.secretProviderClass.provider "aws" }}
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/ratelimiter.key
+              subPath: apk-server.key
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/keystore/ratelimiter.crt
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/ratelimiter-ca.crt
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/adapter.pem
+              subPath: apk-server.crt
+            - name: apk-server-tls-secret-volume
+              mountPath: /home/wso2/security/truststore/router.pem
+              subPath: apk-server.crt
             {{- else }}
             - name: secret-provider-class
               mountPath: /home/wso2/security/keystore/ratelimiter.key
@@ -305,7 +321,7 @@ spec:
             nodePublishSecretRef:
               name: {{ .Values.wso2.apk.secretProviderClass.nodePublishSecretRef }}
             {{- end }}
-        {{- if eq .Values.wso2.apk.secretProviderClass.provider "azure" }}
+        {{- if or (eq .Values.wso2.apk.secretProviderClass.provider "azure") (eq .Values.wso2.apk.secretProviderClass.provider "aws") }}
         - name: apk-server-tls-secret-volume
           secret:
             secretName: {{ template "apk-helm.resource.prefix" . }}-apk-server-tls

helm-charts/templates/secret-providers/secret-provider-aws.yaml

@@ -30,20 +30,26 @@ spec:
       data:
         - objectName: ratelimiter_redis_credentials
           key: ratelimiter_redis_credentials
-    - secretName: {{ template "apk-helm.resource.prefix" . }}-system-listener-tls
+    - secretName: {{ template "apk-helm.resource.prefix" . }}-apk-server-tls
       type: Opaque
       data:
+        - objectName: apk-server.key
+          key: apk-server.key
+        - objectName: apk-server.crt
+          key: apk-server.crt
+        - objectName: apim-internal-intermediate-ca.crt
+          key: apim-internal-intermediate-ca.crt
         - objectName: system-api-listener.key
-          key: tls.key
+          key: system-api-listener.key
         - objectName: system-api-listener.crt
-          key: tls.crt
-    - secretName: {{ template "apk-helm.resource.prefix" . }}-router-tls
+          key: system-api-listener.crt
+    - secretName: {{ template "apk-helm.resource.prefix" . }}-enforcer-jwks-tls
       type: Opaque
       data:
-        - objectName: router.key
-          key: tls.key
-        - objectName: router.crt
-          key: tls.crt
+        - objectName: enforcer-jwks.key
+          key: enforcer-jwks.key
+        - objectName: enforcer-jwks.crt
+          key: enforcer-jwks.crt
   parameters:
     objects:  |
       - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterRedisCredentials.secretName | quote }}
@@ -52,64 +58,16 @@ spec:
         objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterRedisCredentials.version | quote }}
       - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterKey.secretName | quote }}
         objectType: secretsmanager
-        objectAlias: adapter.key
+        objectAlias: apk-server.key
         objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterKey.version | quote }}
       - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterCert.secretName | quote }}
         objectType: secretsmanager
-        objectAlias: adapter.crt
+        objectAlias: apk-server.crt
         objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterCert.version | quote }}
       - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterCaCert.secretName | quote }}
         objectType: secretsmanager
-        objectAlias: adapter-ca.crt
+        objectAlias: apim-internal-intermediate-ca.crt
         objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.adapterCaCert.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerKey.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: enforcer.key
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerKey.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerCert.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: enforcer.crt
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerCert.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerCaCert.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: enforcer-ca.crt
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerCaCert.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.routerKey.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: router.key
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.routerKey.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.routerCert.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: router.crt
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.routerCert.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.routerCaCert.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: router-ca.crt
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.routerCaCert.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterKey.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: ratelimiter.key
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterKey.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterCert.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: ratelimiter.crt
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterCert.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterCaCert.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: ratelimiter-ca.crt
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.ratelimiterCaCert.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerKey.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: commoncontroller.key
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerKey.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerCert.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: commoncontroller.crt
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerCert.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerCaCert.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: commoncontroller-ca.crt
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.commonControllerCaCert.version | quote }}
       - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.systemApiListenerKey.secretName | quote }}
         objectType: secretsmanager
         objectAlias: system-api-listener.key
@@ -126,10 +84,6 @@ spec:
         objectType: secretsmanager
         objectAlias: enforcer-jwks.crt
         objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerJwksCert.version | quote }}
-      - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerJwksCaCert.secretName | quote }}
-        objectType: secretsmanager
-        objectAlias: enforcer-jwks-ca.crt
-        objectVersion: {{ .Values.wso2.apk.secretProviderClass.secrets.enforcerJwksCaCert.version | quote }}
     {{- if and .Values.wso2.apk.dp.gatewayRuntime.tracing .Values.wso2.apk.dp.gatewayRuntime.tracing.enabled .Values.wso2.apk.dp.gatewayRuntime.tracing.configProperties .Values.wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls .Values.wso2.apk.dp.gatewayRuntime.tracing.configProperties.tls.enabled }}
       - objectName: {{ .Values.wso2.apk.secretProviderClass.secrets.tracingCaCert.secretName | quote }}
         objectType: secretsmanager