Helm Chart: Remove encryption key volume (#4355)

* Remove encryption key volume * Remove encrpytion key volume migration from config-init job
cloudfoundry · Jul 10, 2020 · 05b2b1a · 05b2b1a
1 parent 6baf89f
commit 05b2b1a
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 69 deletions.
diff --git a/deploy/containers/config-init/config-init.sh b/deploy/containers/config-init/config-init.sh
@@ -11,10 +11,6 @@ echo "RELEASE_NAME                : ${RELEASE_NAME}"
 echo "RELEASE_REVISION            : ${RELEASE_REVISION}"
 echo "IS_UPGRADE                  : ${IS_UPGRADE}"
 echo "CONSOLE_TLS_SECRET_NAME     : ${CONSOLE_TLS_SECRET_NAME}"
-echo "ENCRYPTION_KEY_VOLUME       : ${ENCRYPTION_KEY_VOLUME}"
-echo "ENCRYPTION_KEY_FILENAME     : ${ENCRYPTION_KEY_FILENAME}"
-echo "CONSOLE_PROXY_CERT_PATH     : ${CONSOLE_PROXY_CERT_PATH}"
-echo "CONSOLE_PROXY_CERT_KEY_PATH : ${CONSOLE_PROXY_CERT_KEY_PATH}"
 echo ""
 echo "============================================"
 echo ""
@@ -44,15 +40,6 @@ EOF
 }
 
 function generateCert {
-  if [ -n "${CONSOLE_PROXY_CERT_PATH}" ] && [ -n "${CONSOLE_PROXY_CERT_KEY_PATH}" ]; then
-    if [ -f "${CONSOLE_PROXY_CERT_PATH}" ] && [ -f "${CONSOLE_PROXY_CERT_KEY_PATH}" ]; then
-      echo "Found existing certificate on encryption key volume - going to use it"
-      CERT_CRT=$(cat ${CONSOLE_PROXY_CERT_PATH} | base64 -w 0)
-      CERT_KEY=$(cat ${CONSOLE_PROXY_CERT_KEY_PATH} | base64 -w 0)
-      return
-    fi
-  fi
-
   echo "Using cert generator to generate a self-signed certificate ..."
   export CERTS_PATH=./certs
   export DEV_CERTS_DOMAIN=tls
@@ -97,20 +84,9 @@ if [ $EXISTS -eq 0 ]; then
 else
   echo "Fresh installation - generating a new Encryption Key secret"
 
-  # Migrate existing key from the legacy encryption key volume if there is one
-  if [ ${ENCRYPTION_KEY_VOLUME} -a ${ENCRYPTION_KEY_FILENAME} ]; then
-    ekFile="${ENCRYPTION_KEY_VOLUME}/${ENCRYPTION_KEY_FILENAME}"
-    if [ -f "${ekFile}" ]; then
-      echo "Found encryption key file on the legacy encryption key volume"
-      KEY=$(cat ${ekFile} | base64 -w 0)
-    fi
-  fi
-
-  if [ -z $KEY ]; then
-    # Generate a random encryption key
-    echo "Generating a new Encryption Key ..."
-    KEY=$(openssl enc -aes-256-cbc -k secret -P -md sha1 | grep key | cut -d '=' -f2 | base64 -w 0)
-  fi
+  # Generate a random encryption key
+  echo "Generating a new Encryption Key ..."
+  KEY=$(openssl enc -aes-256-cbc -k secret -P -md sha1 | grep key | cut -d '=' -f2 | base64 -w 0)
 
   # We will create a new secret for the encryption key
   cat << EOF > create-key-secret.yaml

diff --git a/deploy/kubernetes/console/templates/config-init.yaml b/deploy/kubernetes/console/templates/config-init.yaml
@@ -118,26 +118,14 @@ spec:
           value: "{{ .Chart.AppVersion }}"
         - name: "HELM_CHART"
           value:  "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
-        - name: ENCRYPTION_KEY_VOLUME
-          value: "/{{ .Release.Name }}-encryption-key-volume"
-        - name: ENCRYPTION_KEY_FILENAME
-          value: key
         - name: CONSOLE_TLS_SECRET_NAME
           value: "{{ default "" .Values.console.tlsSecretName }}"
-        - name: CONSOLE_PROXY_CERT_PATH
-          value: "/{{ .Release.Name }}-encryption-key-volume/console.crt"
-        - name: CONSOLE_PROXY_CERT_KEY_PATH
-          value: "/{{ .Release.Name }}-encryption-key-volume/console.key"
         image: {{.Values.kube.registry.hostname}}/{{.Values.kube.organization}}/{{default "stratos-config-init" .Values.images.configInit}}:{{.Values.consoleVersion}}
         command: ["/config-init.sh"]
         imagePullPolicy: {{.Values.imagePullPolicy}}
         livenessProbe: ~
         name: "config-init"
         readinessProbe: ~
-        volumeMounts:
-          - mountPath: "/{{ .Release.Name }}-encryption-key-volume"
-            name: "{{ .Release.Name }}-encryption-key-volume"
-            readOnly: true
       {{- if and .Values.kube.registry.username .Values.kube.registry.password }}
       imagePullSecrets:
       - name: {{.Values.dockerRegistrySecret}}
@@ -147,10 +135,6 @@ spec:
       serviceAccountName: "config-init"
       {{- end }}
       terminationGracePeriodSeconds: 600
-      volumes:
-      - name: "{{ .Release.Name }}-encryption-key-volume"
-        persistentVolumeClaim:
-          claimName: "{{ .Release.Name }}-encryption-key-volume"
 ---
 {{- if .Values.autoCleanup }}
 # Cleanup job will delete the created secret when the release is deleted

diff --git a/deploy/kubernetes/console/templates/volumes.yaml b/deploy/kubernetes/console/templates/volumes.yaml
@@ -1,31 +1,6 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: "{{ .Release.Name }}-encryption-key-volume"
-  labels:
-    app.kubernetes.io/name: "stratos"
-    app.kubernetes.io/instance: "{{ .Release.Name }}"
-    app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
-    app.kubernetes.io/component: "console-encryption-volume"
-    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
-  annotations:
-  {{- if .Values.storageClass }}
-    volume.beta.kubernetes.io/storage-class: {{ .Values.storageClass | quote }}
-  {{- else if .Values.kube.storage_class.persistent }}
-    volume.beta.kubernetes.io/storage-class: {{ .Values.kube.storage_class.persistent | quote }}
-  {{- else }}
-    volume.alpha.kubernetes.io/storage-class: default
-  {{- end }}
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 20Mi
----
 {{- if (not .Values.mariadb.external) }}
 {{- if and .Values.mariadb.persistence.enabled (not .Values.mariadb.persistence.existingClaim) }}
+---
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata: