App Suite Releases
  • Release 8.40

App Suite CacheService

SCR-1557

Summary: Added support for providing configuration data via a secret

In most cases, as with this service, the values that the Helm stack chart provides for a service are transformed into a ConfigMap properties file, which is created during the Helm stack chart install/update step of a deployment. The service container/pod then reads these config values during startup. Although this approach covers all relevant config properties for the service, an admin often wants to specify all or just some of the service config properties via a Kubernetes secret, e.g. for security reasons.

To use service config values from an existing secret, the service Helm chart provides the property .Values.existingPropertiesSecret, which takes the name of an existing secret within the deployment namespace. Service properties (key/value pairs) set within this secret always take precedence over the same properties in the ConfigMap created by the Helm chart.

Documentation for the service-specific configuration values can be found at this configuration values location.

Since authorization data is most prone to security attacks, the following example concentrates on these properties only, although all other service properties can be set via a deployed secret in the same way:

  • HTTP API BasicAuth properties (com.openexchange.cacheservice.basicAuth.user, com.openexchange.cacheservice.basicAuth.password)
  • DB authorization properties (com.openexchange.cacheservice.database.user, com.openexchange.cacheservice.database.password, com.openexchange.cacheservice.database.rootPassword)
  • S3 authorization properties (com.openexchange.cacheservice.objectstore.s3.1.accessKey, com.openexchange.cacheservice.objectstore.s3.1.secretKey)

Example steps to provide a service config properties/values secret to be used by the deployed service

Step 1

First, create a secret containing all required service config property keys and values (the filename used here is ./myCacheServiceSecret.yaml). Please note that all config values need to be set as Base64 encoded values. Encode exactly the characters of each value, without a trailing newline, which would otherwise become part of the stored value. All my* names and values need to be adjusted according to the admin's requirements.

apiVersion: v1
kind: Secret
metadata:
  name: my-cacheservice-secret
type: Opaque
data:
  com.openexchange.cacheservice.basicAuth.user: bXlCYXNpY0F1dGhVc2Vy  # Base64 encoded value of `myBasicAuthUser`
  com.openexchange.cacheservice.basicAuth.password: bXlCYXNpY0F1dGhQYXNzd29yZA==  # Base64 encoded value of `myBasicAuthPassword`
  com.openexchange.cacheservice.database.user: bXlEQlVzZXI=  # Base64 encoded value of `myDBUser`
  com.openexchange.cacheservice.database.password: bXlEQlBhc3N3b3Jk  # Base64 encoded value of `myDBPassword`
  com.openexchange.cacheservice.database.rootPassword: bXlEQlJvb3RQYXNzd29yZA==  # Base64 encoded value of `myDBRootPassword`
  com.openexchange.cacheservice.objectstore.s3.1.accessKey: bXlTM0FjY2Vzc0tleQ==  # Base64 encoded value of `myS3AccessKey`
  com.openexchange.cacheservice.objectstore.s3.1.secretKey: bXlTM1NlY3JldEtleQ==  # Base64 encoded value of `myS3SecretKey`

Step 2

After preparing all config values within the secret definition, the secret itself needs to be deployed or updated to the deployment namespace.

kubectl replace --force=true --namespace=myNamespace --filename=./myCacheServiceSecret.yaml

Step 3

After the property secret has been deployed to the cluster namespace, the admin needs to set the .Values.existingPropertiesSecret stack chart value for the service.

core-cacheservice:
  existingPropertiesSecret: my-cacheservice-secret

Step 4

The stack chart with the .Values.existingPropertiesSecret value set to the secret name needs to be installed or updated via the usual deployment mechanisms. After the deployment has finished, the service gives precedence to the key/value properties from the secret. If a secret has already been deployed and its values need to change, the secret needs to be redeployed for the changes to take effect. Afterward, the service needs to be restarted as well so that it picks up the new key/value pairs from the secret.
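
A check for the Base64 values from Step 1, as an added example that is not part of the original release notes: it decodes every entry under data and reports values that are not valid Base64, are empty, or carry stray whitespace such as the newline appended by `echo value | base64`. The function names encode_value and audit_secret and the sample document are constructed for illustration.

```python
import base64
import binascii
import json
import sys


def encode_value(value: str) -> str:
    """Base64-encode exactly the given characters, with no trailing newline."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def audit_secret(secret: dict) -> dict:
    """Return {key: problem} for each data entry that does not decode cleanly."""
    findings = {}
    for key, encoded in (secret.get("data") or {}).items():
        try:
            raw = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            findings[key] = "not valid Base64"
            continue
        if not raw:
            findings[key] = "empty value"
        elif raw != raw.strip():
            # Report the condition only; never print the decoded secret itself.
            findings[key] = "leading or trailing whitespace"
    return findings


# Constructed sample in the shape of `kubectl get secret <name> -o json`.
SAMPLE = {
    "kind": "Secret",
    "metadata": {"name": "my-cacheservice-secret"},
    "data": {
        # Encoded from the literal characters only: passes.
        "com.openexchange.cacheservice.basicAuth.user": encode_value("myBasicAuthUser"),
        # What `echo myBasicAuthPassword | base64` produces: newline included.
        "com.openexchange.cacheservice.basicAuth.password": encode_value("myBasicAuthPassword\n"),
        # Plain text pasted where Base64 was expected.
        "com.openexchange.cacheservice.database.password": "myDBPassword!",
    },
}

if __name__ == "__main__":
    # Audit the JSON file named on the command line, else the constructed sample.
    doc = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
    for key, problem in sorted(audit_secret(doc).items()):
        print(f"{key}: {problem}")
```

To audit a deployed secret, save the output of `kubectl get secret my-cacheservice-secret --namespace=myNamespace -o json` to a file and pass its path as the argument.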
