fix(cloud-native): fix sql-ssl secret volume permissions (#2308)

misba7 · moabu · web-flow · commit ed31eea9358b · 2025-10-03T14:18:21.000+03:00
Signed-off-by: Amro Misbah &lt;amromisba7@gmail.com&gt;
Co-authored-by: Mohammad Abudayyeh &lt;47318409+moabu@users.noreply.github.com&gt;
diff --git a/charts/gluu-all-in-one/README.md b/charts/gluu-all-in-one/README.md
@@ -238,9 +238,9 @@ Kubernetes: `>=v1.22.0-0`
 | configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. |
 | configmap.cnSqlSslCaCert | string | `""` | Base64-encoded string of CA certificate used to sign client/server certificate of MySQL/PostgreSQL server. Required if using client cert authentication. |
 | configmap.cnSqlSslClientCert | string | `""` | Base64-encoded string of client certificate signed by CA. Required if using client cert authentication. |
-| configmap.cnSqlSslClientKey | string | `""` | Base64-encoded string of client key signed by CA. Required if using client cert authentication. |
-| configmap.cnSqlSslEnabled | bool | `false` | Enforce connection to SQL database using SSL. |
-| configmap.cnSqlSslMode | string | `""` | Mode when connecting to SQL database using SSL. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`. |
+| configmap.cnSqlSslClientKey | string | `""` | Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication. We advise to not commit real private keys in values.yaml. |
+| configmap.cnSqlSslEnabled | bool | `false` | Enable SSL connection to SQL database. |
+| configmap.cnSqlSslMode | string | `""` | Mode used to connect to SQL database using SSL if cnSqlSslEnabled is set to true. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`. |
 | configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password  injected the secrets . |
 | configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. |
 | configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. |
diff --git a/charts/gluu-all-in-one/templates/deployment.yml b/charts/gluu-all-in-one/templates/deployment.yml
@@ -39,6 +39,9 @@ spec:
       {{- end }}
       {{- end }}
     spec:
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
     {{- with .Values.image.pullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -136,12 +139,15 @@ spec:
           - name: {{ .Release.Name }}-sql-ssl-ca-cert
             mountPath: /etc/certs/sql_cacert.pem
             subPath: sql_cacert.pem
+            readOnly: true
           - name: {{ .Release.Name }}-sql-ssl-client-cert
             mountPath: /etc/certs/sql_client_cert.pem
             subPath: sql_client_cert.pem
+            readOnly: true
           - name: {{ .Release.Name }}-sql-ssl-client-key
             mountPath: /etc/certs/sql_client_key.pem
             subPath: sql_client_key.pem
+            readOnly: true
         {{- end }}
         livenessProbe:
 {{- toYaml .Values.livenessProbe | nindent 10 }}
@@ -178,19 +184,22 @@ spec:
         - name: {{ .Release.Name }}-sql-ssl-ca-cert
           secret:
             secretName: {{ .Release.Name }}-sql-ssl
+            optional: true
             items:
               - key: sql_cacert.pem
                 path: sql_cacert.pem
         - name: {{ .Release.Name }}-sql-ssl-client-cert
           secret:
             secretName: {{ .Release.Name }}-sql-ssl
+            optional: true
             items:
               - key: sql_client_cert.pem
                 path: sql_client_cert.pem
         - name: {{ .Release.Name }}-sql-ssl-client-key
           secret:
             secretName: {{ .Release.Name }}-sql-ssl
-            defaultMode: 0640
+            optional: true
+            defaultMode: 0440
             items:
               - key: sql_client_key.pem
                 path: sql_client_key.pem
diff --git a/charts/gluu-all-in-one/templates/secret.yaml b/charts/gluu-all-in-one/templates/secret.yaml
@@ -73,7 +73,7 @@ metadata:
 {{- if .Values.additionalAnnotations }}
 {{ toYaml .Values.additionalAnnotations | indent 4 }}
 {{- end }}
-{{- if .Values.config.customAnnotations.secret }}
+{{- if .Values.customAnnotations.secret }}
 {{ toYaml .Values.customAnnotations.secret | indent 4 }}
 {{- end }}
 {{- end }}
diff --git a/charts/gluu-all-in-one/values.yaml b/charts/gluu-all-in-one/values.yaml
@@ -53,15 +53,15 @@ configmap:
   cnSqlDbTimezone: UTC
   # -- SQL password  injected the secrets .
   cnSqldbUserPassword: Test1234#
-  # -- Enforce connection to SQL database using SSL.
+  # -- Enable SSL connection to SQL database.
   cnSqlSslEnabled: false
-  # -- Mode when connecting to SQL database using SSL. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`.
+  # -- Mode used to connect to SQL database using SSL if cnSqlSslEnabled is set to true. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`.
   cnSqlSslMode: ""
   # -- Base64-encoded string of CA certificate used to sign client/server certificate of MySQL/PostgreSQL server. Required if using client cert authentication.
   cnSqlSslCaCert: ""
   # -- Base64-encoded string of client certificate signed by CA. Required if using client cert authentication.
   cnSqlSslClientCert: ""
-  # -- Base64-encoded string of client key signed by CA. Required if using client cert authentication.
+  # -- Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication. We advise to not commit real private keys in values.yaml.
   cnSqlSslClientKey: ""
   # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` .
   cnCacheType: NATIVE_PERSISTENCE
diff --git a/charts/gluu/README.md b/charts/gluu/README.md
diff --git a/charts/gluu/charts/config/README.md b/charts/gluu/charts/config/README.md
@@ -61,9 +61,9 @@ Kubernetes: `>=v1.21.0-0`
 | configmap.cnSqlDbUser | string | `"gluu"` | SQL database username. |
 | configmap.cnSqlSslCaCert | string | `""` | Base64-encoded string of CA certificate used to sign client/server certificate of MySQL/PostgreSQL server. Required if using client cert authentication. |
 | configmap.cnSqlSslClientCert | string | `""` | Base64-encoded string of client certificate signed by CA. Required if using client cert authentication. |
-| configmap.cnSqlSslClientKey | string | `""` | Base64-encoded string of client key signed by CA. Required if using client cert authentication. |
-| configmap.cnSqlSslEnabled | bool | `false` | Enforce connection to SQL database using SSL. |
-| configmap.cnSqlSslMode | string | `""` | Mode when connecting to SQL database using SSL. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`. |
+| configmap.cnSqlSslClientKey | string | `""` | Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication. We advise to not commit real private keys in values.yaml. |
+| configmap.cnSqlSslEnabled | bool | `false` | Enable SSL connection to SQL database. |
+| configmap.cnSqlSslMode | string | `""` | Mode used to connect to SQL database using SSL if cnSqlSslEnabled is set to true. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`. |
 | configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password  injected in the secrets. |
 | configmap.cnVaultAddr | string | `"http://localhost:8200"` | Base URL of Vault. |
 | configmap.cnVaultAppRolePath | string | `"approle"` | Path to Vault AppRole. |
diff --git a/charts/gluu/charts/config/templates/load-init-config.yml b/charts/gluu/charts/config/templates/load-init-config.yml
@@ -27,6 +27,9 @@ spec:
         APP_NAME: configurator
         app: {{ .Release.Name }}-{{ include "config.name" . }}-init-load
     spec:
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
     {{- with .Values.image.pullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -54,19 +57,22 @@ spec:
         - name: {{ .Release.Name }}-sql-ssl-ca-cert
           secret:
             secretName: {{ .Release.Name }}-sql-ssl
+            optional: true
             items:
               - key: sql_cacert.pem
                 path: sql_cacert.pem
         - name: {{ .Release.Name }}-sql-ssl-client-cert
           secret:
             secretName: {{ .Release.Name }}-sql-ssl
+            optional: true
             items:
               - key: sql_client_cert.pem
                 path: sql_client_cert.pem
         - name: {{ .Release.Name }}-sql-ssl-client-key
           secret:
             secretName: {{ .Release.Name }}-sql-ssl
-            defaultMode: 0640
+            optional: true
+            defaultMode: 0440
             items:
               - key: sql_client_key.pem
                 path: sql_client_key.pem
@@ -97,12 +103,15 @@ spec:
           - name: {{ .Release.Name }}-sql-ssl-ca-cert
             mountPath: /etc/certs/sql_cacert.pem
             subPath: sql_cacert.pem
+            readOnly: true
           - name: {{ .Release.Name }}-sql-ssl-client-cert
             mountPath: /etc/certs/sql_client_cert.pem
             subPath: sql_client_cert.pem
+            readOnly: true
           - name: {{ .Release.Name }}-sql-ssl-client-key
             mountPath: /etc/certs/sql_client_key.pem
             subPath: sql_client_key.pem
+            readOnly: true
           {{- end }}
         envFrom:
         - configMapRef:
diff --git a/charts/gluu/charts/config/values.yaml b/charts/gluu/charts/config/values.yaml
@@ -31,15 +31,15 @@ configmap:
   cnSqlDbTimezone: UTC
   # -- SQL password  injected in the secrets.
   cnSqldbUserPassword: Test1234#
-  # -- Enforce connection to SQL database using SSL.
+  # -- Enable SSL connection to SQL database.
   cnSqlSslEnabled: false
-  # -- Mode when connecting to SQL database using SSL. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`.
+  # -- Mode used to connect to SQL database using SSL if cnSqlSslEnabled is set to true. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`.
   cnSqlSslMode: ""
   # -- Base64-encoded string of CA certificate used to sign client/server certificate of MySQL/PostgreSQL server. Required if using client cert authentication.
   cnSqlSslCaCert: ""
   # -- Base64-encoded string of client certificate signed by CA. Required if using client cert authentication.
   cnSqlSslClientCert: ""
-  # -- Base64-encoded string of client key signed by CA. Required if using client cert authentication.
+  # -- Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication. We advise to not commit real private keys in values.yaml.
   cnSqlSslClientKey: ""
   # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` .
   cnCacheType: NATIVE_PERSISTENCE
diff --git a/charts/gluu/values.yaml b/charts/gluu/values.yaml
@@ -363,15 +363,15 @@ config:
     cnSqlDbTimezone: UTC
     # -- SQL password  injected the secrets .
     cnSqldbUserPassword: Test1234#
-    # -- Enforce connection to SQL database using SSL.
+    # -- Enable SSL connection to SQL database.
     cnSqlSslEnabled: false
-    # -- Mode when connecting to SQL database using SSL. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`.
+    # -- Mode used to connect to SQL database using SSL if cnSqlSslEnabled is set to true. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`.
     cnSqlSslMode: ""
     # -- Base64-encoded string of CA certificate used to sign client/server certificate of MySQL/PostgreSQL server. Required if using client cert authentication.
     cnSqlSslCaCert: ""
     # -- Base64-encoded string of client certificate signed by CA. Required if using client cert authentication.
     cnSqlSslClientCert: ""
-    # -- Base64-encoded string of client key signed by CA. Required if using client cert authentication.
+    # -- Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication. We advise to not commit real private keys in values.yaml.
     cnSqlSslClientKey: ""
     # -- Cache type. `NATIVE_PERSISTENCE`, `REDIS`. or `IN_MEMORY`. Defaults to `NATIVE_PERSISTENCE` .
     cnCacheType: NATIVE_PERSISTENCE
@@ -913,7 +913,7 @@ global:
     adminUiServiceName: admin-ui
     ingress:
       # -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice
-      adminUiEnabled: false
+      adminUiEnabled: true
       # -- Admin UI ingress resource labels. key app is taken.
       adminUiLabels: { }
       # -- Admin UI ingress resource additional annotations.
