Dev/subash/passrand (#7)

lsubash · web-flow · commit f18b95c59b8c · 2025-04-14T09:41:10.000-07:00
* [Verifier] Password randomization with charts deployment

This patch removes
- Password in values.yaml file
- Passwords are randomized using helm functionality
- K8S Secret is create for global admin credentials.
- trustagent aas json secret is created for usage in Trustagent charts
- Conditions are taken care to create password only once for user

Signed-off-by: Subash Lakkimsetti &lt;subash.lakkimsetti@intel.com&gt;

* [Trustagent] Use json secret created for trustagent with verifier deploymnet

Signed-off-by: Subash Lakkimsetti &lt;subash.lakkimsetti@intel.com&gt;

* [AM] Use global admin creds secret for generating bearer token

Signed-off-by: Subash Lakkimsetti &lt;subash.lakkimsetti@intel.com&gt;

---------

Signed-off-by: Subash Lakkimsetti &lt;subash.lakkimsetti@intel.com&gt;
diff --git a/helm/attestation-manager/templates/deployment.yaml b/helm/attestation-manager/templates/deployment.yaml
@@ -83,13 +83,13 @@ spec:
             - name: AAS_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: am-aas-credentials
-                  key: username
+                  name: global-admin-generator-credentials
+                  key: GLOBAL_ADMIN_USERNAME
             - name: AAS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: am-aas-credentials
-                  key: password
+                  name: global-admin-generator-credentials
+                  key: GLOBAL_ADMIN_PASSWORD
             - name: NODE_NAME
               valueFrom:
                 fieldRef:
diff --git a/helm/attestation-manager/templates/secrets.yaml b/helm/attestation-manager/templates/secrets.yaml
diff --git a/helm/attestation-verifier/charts/aas/templates/db-secrets.yaml b/helm/attestation-verifier/charts/aas/templates/db-secrets.yaml
@@ -8,4 +8,4 @@ metadata:
   namespace: {{ .Release.Namespace }}
 stringData:
   AAS_DB_USERNAME: {{ .Values.secret.dbUsername }}
-  AAS_DB_PASSWORD: {{ .Values.secret.dbPassword }}
+  AAS_DB_PASSWORD: {{ randAlphaNum 16  }}
diff --git a/helm/attestation-verifier/charts/aas/templates/secrets.yaml b/helm/attestation-verifier/charts/aas/templates/secrets.yaml
@@ -9,8 +9,14 @@ metadata:
 stringData:
   {{- if .Values.global }}
   AAS_ADMIN_USERNAME: {{ .Values.global.aas.secret.adminUsername }}
+  {{- if not .Values.global.aas.secret.adminPassword }}
+  {{- $password := randAlphaNum 16 }}
+  {{- $_ := set .Values.global.aas.secret "adminPassword" $password }}
   AAS_ADMIN_PASSWORD: {{ .Values.global.aas.secret.adminPassword }}
   {{- else }}
+  AAS_ADMIN_PASSWORD: {{ .Values.global.aas.secret.adminPassword }}
+  {{- end }}
+  {{- else }}
   AAS_ADMIN_USERNAME: {{ .Values.secret.adminUsername }}
-  AAS_ADMIN_PASSWORD: {{ .Values.secret.adminPassword }}
+  AAS_ADMIN_PASSWORD: {{ .Values.secret.adminPassword | default (randAlphaNum 16) }}
   {{- end}}
diff --git a/helm/attestation-verifier/charts/global-admin-generator/aas-manager.json b/helm/attestation-verifier/charts/global-admin-generator/aas-manager.json
@@ -6,15 +6,15 @@
   {{- end }}
   {{- if .Values.global }}
   "aas_admin_username": "{{ required "A valid admin username is required!" .Values.global.aas.secret.adminUsername }}",
-  "aas_admin_password": "{{ required "A valid admin password is required!" .Values.global.aas.secret.adminPassword }}",
+  "aas_admin_password": "{{- if .Values.global.aas.secret.adminPassword -}}{{ .Values.global.aas.secret.adminPassword }}{{- else -}}{{ $aas_admin_password := randAlphaNum 16 }}{{ $aas_admin_password }}{{- $_ := set .Values.global.aas.secret "adminPassword" $aas_admin_password }}{{- end -}}",
   {{- else }}
   "aas_admin_username": "{{ required "A valid admin username is required!" .Values.aas.secret.adminUsername }}",
-  "aas_admin_password": "{{ required "A valid admin password is required!" .Values.aas.secret.adminPassword }}",
+  "aas_admin_password": "{{- if .Values.aas.secret.adminPassword -}}{{ .Values.aas.secret.adminPassword }}{{- else -}}{{ $aas_admin_password := randAlphaNum 16 }}{{ $aas_admin_password }}{{- $_ := set .Values.aas.secret "adminPassword" $aas_admin_password }}{{- end -}}",
   {{- end }}
    "users_and_roles":[
       {
          "username": "{{ .Values.secret.globalAdminUsername }}",
-         "password": "{{ .Values.secret.globalAdminPassword }}",
+         "password": "{{- if .Values.secret.globalAdminPassword -}}{{ .Values.secret.globalAdminPassword }}{{- else -}}{{ $password := randAlphaNum 16 }}{{ $password }}{{- $_ := set .Values.aas.secret "globalAdminPassword" $password}}{{- end -}}",
          "print_bearer_token": true,
          "roles": [
           {{- $size := len .Values.services_list }}
diff --git a/helm/attestation-verifier/charts/global-admin-generator/templates/secrets.yaml b/helm/attestation-verifier/charts/global-admin-generator/templates/secrets.yaml
@@ -0,0 +1,18 @@
+{{- include "factory.headers" . }}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "factory.name" . }}-credentials
+  namespace: {{ .Release.Namespace }}
+stringData:
+  GLOBAL_ADMIN_USERNAME: {{ .Values.secret.globalAdminUsername }}
+  {{- if not .Values.secret.globalAdminPassword }}
+  {{- $password := randAlphaNum 16 }}
+  {{- $_ := set .Values.secret "globalAdminPassword" $password }}
+  GLOBAL_ADMIN_PASSWORD: {{ .Values.secret.globalAdminPassword }}
+  {{- else }}
+  GLOBAL_ADMIN_PASSWORD: {{ .Values.secret.globalAdminPassword }}
+  {{- end }}
+
diff --git a/helm/attestation-verifier/charts/hvs/aas-manager.json b/helm/attestation-verifier/charts/hvs/aas-manager.json
@@ -6,15 +6,15 @@
   {{- end }}
   {{- if .Values.global }}
   "aas_admin_username": "{{ required "A valid admin username is required!" .Values.global.aas.secret.adminUsername }}",
-  "aas_admin_password": "{{ required "A valid admin password is required!" .Values.global.aas.secret.adminPassword }}",
+  "aas_admin_password": "{{- if .Values.global.aas.secret.adminPassword -}}{{ .Values.global.aas.secret.adminPassword }}{{- else -}}{{ $aas_admin_password := randAlphaNum 16 }}{{ $aas_admin_password }}{{- $_ := set .Values.global.aas.secret "adminPassword" $aas_admin_password }}{{- end -}}",
   {{- else }}
   "aas_admin_username": "{{ required "A valid admin username is required!" .Values.aas.secret.adminUsername }}",
-  "aas_admin_password": "{{ required "A valid admin password is required!" .Values.aas.secret.adminPassword }}",
+  "aas_admin_password": "{{- if .Values.aas.secret.adminPassword -}}{{ .Values.aas.secret.adminPassword }}{{- else -}}{{ $aas_admin_password := randAlphaNum 16 }}{{ $aas_admin_password }}{{- $_ := set .Values.aas.secret "adminPassword" $aas_admin_password }}{{- end -}}",
   {{- end }}
    "users_and_roles":[
       {
          "username": "{{ .Values.secret.installAdminUsername }}",
-         "password": "{{ .Values.secret.installAdminPassword }}",
+         "password": "{{ randAlphaNum 16 }}",
          "print_bearer_token":true,
          "roles":[
             {
@@ -45,20 +45,6 @@
                ]
             }
          ]
-      },
-      {
-         "username": "{{ .Values.secret.serviceUsername }}",
-         "password": "{{ .Values.secret.servicePassword }}",
-         "print_bearer_token": false,
-         "roles": [
-          {
-             "service": "TA",
-             "name": "Administrator",
-             "permissions": [
-             "*:*:*"
-             ]
-          }
-	 ]
-     }
+      }
    ]
 }
diff --git a/helm/attestation-verifier/charts/hvs/templates/db-secrets.yaml b/helm/attestation-verifier/charts/hvs/templates/db-secrets.yaml
@@ -8,4 +8,4 @@ metadata:
   namespace: {{ .Release.Namespace }}
 stringData:
   HVS_DB_USERNAME: {{ .Values.secret.dbUsername }}
-  HVS_DB_PASSWORD: {{ .Values.secret.dbPassword }}
+  HVS_DB_PASSWORD: {{ randAlphaNum 16 }}
diff --git a/helm/attestation-verifier/charts/hvs/templates/secrets.yaml b/helm/attestation-verifier/charts/hvs/templates/secrets.yaml
@@ -8,4 +8,4 @@ metadata:
   namespace: {{ .Release.Namespace }}
 stringData:
   HVS_SERVICE_USERNAME: {{ .Values.secret.serviceUsername }}
-  HVS_SERVICE_PASSWORD: {{ .Values.secret.servicePassword }}
+  HVS_SERVICE_PASSWORD: {{ randAlphaNum 16 }}
diff --git a/helm/attestation-verifier/charts/hvs/values.yaml b/helm/attestation-verifier/charts/hvs/values.yaml
@@ -55,12 +55,12 @@ image:
     pullPolicy: Always # The pull policy for pulling from container registry for PostgreSQL image
     dbVersionUpgradeImage: # The image name of PostgresDB version upgrade
   svc:
-    name: registry-rs.edgeorchestration.intel.com/edge-orch/trusted-compute/attestation-verifier/hvs # The image name with which HVS image is pushed to registry<br> (**REQUIRED**)
+    name:  # The image name with which HVS image is pushed to registry<br> (**REQUIRED**)
     pullPolicy: Always # The pull policy for pulling from container registry for HVS<br> (Allowed values: `Always`/`IfNotPresent`)
     imagePullSecret: # The image pull secret for authenticating with image registry, can be left empty if image registry does not require authentication
-    initName: registry-rs.edgeorchestration.intel.com/edge-orch/trusted-compute/attestation-verifier/init-wait
+    initName:
   aasManager:
-    name: registry-rs.edgeorchestration.intel.com/edge-orch/trusted-compute/attestation-verifier/aas-manager # The image registry where AAS Manager image is pushed<br> (**REQUIRED**)
+    name:  # The image registry where AAS Manager image is pushed<br> (**REQUIRED**)
     pullPolicy: Always # The pull policy for pulling from container registry for AAS Manager <br> (Allowed values: `Always`/`IfNotPresent`)
     imagePullSecret: # The image pull secret for authenticating with image registry, can be left empty if image registry does not require authentication
 
diff --git a/helm/attestation-verifier/charts/nats-init/aas-manager.json b/helm/attestation-verifier/charts/nats-init/aas-manager.json
@@ -6,15 +6,15 @@
   {{- end }}
   {{- if .Values.global }}
   "aas_admin_username": "{{ required "A valid admin username is required!" .Values.global.aas.secret.adminUsername }}",
-  "aas_admin_password": "{{ required "A valid admin password is required!" .Values.global.aas.secret.adminPassword }}",
+  "aas_admin_password": "{{- if .Values.global.aas.secret.adminPassword -}}{{ .Values.global.aas.secret.adminPassword }}{{- else -}}{{ $aas_admin_password := randAlphaNum 16 }}{{ $aas_admin_password }}{{- $_ := set .Values.global.aas.secret "adminPassword" $aas_admin_password }}{{- end -}}",
   {{- else }}
   "aas_admin_username": "{{ required "A valid admin username is required!" .Values.aas.secret.adminUsername }}",
-  "aas_admin_password": "{{ required "A valid admin password is required!" .Values.aas.secret.adminPassword }}",
+  "aas_admin_password": "{{- if .Values.aas.secret.adminPassword -}}{{ .Values.aas.secret.adminPassword }}{{- else -}}{{ $aas_admin_password := randAlphaNum 16 }}{{ $aas_admin_password }}{{- $_ := set .Values.aas.secret "adminPassword" $aas_admin_password }}{{- end -}}",
   {{- end }}
    "users_and_roles":[
       {
          "username": "{{ .Values.secret.installAdminUsername }}",
-         "password": "{{ .Values.secret.installAdminPassword }}",
+         "password": "{{ randAlphaNum 16 }}",
          "print_bearer_token":true,
          "roles":[
             {
diff --git a/helm/attestation-verifier/charts/trustagent-aas-manager/Chart.lock b/helm/attestation-verifier/charts/trustagent-aas-manager/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: factory
+  repository: file://../../lib/factory/
+  version: 5.1.0
+digest: sha256:3b4bd625d523e35f813165a8a0f2edf12e51140d125a5eaae44b7305625203db
+generated: "2022-12-23T03:50:40.49815356-08:00"
diff --git a/helm/attestation-verifier/charts/trustagent-aas-manager/Chart.yaml b/helm/attestation-verifier/charts/trustagent-aas-manager/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 0.0.9-dev
+dependencies:
+- name: factory
+  repository: file://../../charts/factory/
+  version: 0.0.9-dev
+description: A Helm chart for creating Trust agent service account
+name: trustagent-aas-manager
+type: application
+version: 0.0.9-dev
diff --git a/helm/attestation-verifier/charts/trustagent-aas-manager/README.md b/helm/attestation-verifier/charts/trustagent-aas-manager/README.md
@@ -0,0 +1,31 @@
+
+trust agent aas manager
+===========
+
+A Helm chart for creating service account for trust agent aas manager
+
+
+## Configuration
+
+The following table lists the configurable parameters of the trust agent aas manager chart and their default values.
+
+| Parameter                | Description             | Default        |
+| ------------------------ | ----------------------- | -------------- |
+| `nameOverride` | The name for AAS-MANAGER chart (Default: .Chart.Name) | `""` |
+| `controlPlaneHostname` | K8s control plane IP/Hostname | `"<user input>"` |
+| `dependentServices.cms` |  | `"cms"` |
+| `dependentServices.aas` |  | `"aas"` |
+| `image.name` | The image name with which aas manager image is pushed to registry | `"<user input>"` |
+| `image.pullPolicy` | The pull policy for pulling from container registry (Allowed values: Always/IfNotPresent) | `"Always"` |
+| `image.initName` | The image name of init container | `"<user input>"` |
+| `image.imagePullSecret` | The image pull secret for authenticating with image registry, can be left empty if image registry does not require authentication | `"<user input>"` |
+| `service.cms.containerPort` | The containerPort on which CMS can listen | `8445` |
+| `service.aas.containerPort` | The containerPort on which AAS can listen | `8444` |
+| `service.aas.port` | The externally exposed NodePort on which AAS can listen to external traffic | `30444` |
+| `factory.nameOverride` |  | `""` |
+
+
+
+---
+_Documentation generated by [Frigate](https://frigate.readthedocs.io)._
+
diff --git a/helm/attestation-verifier/charts/trustagent-aas-manager/aas-manager.json b/helm/attestation-verifier/charts/trustagent-aas-manager/aas-manager.json
@@ -0,0 +1,49 @@
+{
+  {{- if .Values.aas.url }}
+  "aas_api_url": "{{ .Values.aas.url }}",
+  {{- else }}
+  "aas_api_url": "https://{{ .Values.dependentServices.aas }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.aas.containerPort }}/aas/v1",
+  {{- end }}
+  {{- if .Values.global }}
+  "aas_admin_username": "{{ required "A valid admin username is required!" .Values.global.aas.secret.adminUsername }}",
+  "aas_admin_password": "{{- if .Values.global.aas.secret.adminPassword -}}{{ .Values.global.aas.secret.adminPassword }}{{- else -}}{{ $aas_admin_password := randAlphaNum 16 }}{{ $aas_admin_password }}{{- $_ := set .Values.global.aas.secret "adminPassword" $aas_admin_password }}{{- end -}}",
+  {{- else }}
+  "aas_admin_username": "{{ required "A valid admin username is required!" .Values.aas.secret.adminUsername }}",
+  "aas_admin_password": "{{- if .Values.aas.secret.adminPassword -}}{{ .Values.aas.secret.adminPassword }}{{- else -}}{{ $aas_admin_password := randAlphaNum 16 }}{{ $aas_admin_password }}{{- $_ := set .Values.aas.secret "adminPassword" $aas_admin_password }}{{- end -}}",
+  {{- end }}
+   "users_and_roles":[
+      {
+            "username": "{{ .Values.secret.serviceUsername }}",
+            "password": "{{ randAlphaNum 16 }}",
+            "print_bearer_token": true,
+            "roles":[
+                {
+                   "service": "CMS",
+                   "name": "CertApprover",
+                   "context":"CN=Trust Agent TLS Certificate;SAN=*;certType=TLS"
+                },
+                {
+                   "service":"AAS",
+                   "name":"CredentialCreator",
+                   "context":"type=TA",
+                   "permissions":[
+                      "credential:create:*",
+                      "custom_claims:create:*"
+                   ]
+                },
+                {
+                    "service": "HVS",
+                    "name": "AttestationRegister",
+                    "permissions": [
+                        "hosts:store:*",
+                        "hosts:search:*",
+                        "host_unique_flavors:create:*",
+                        "flavors:search:*",
+                        "host_aiks:certify:*"
+                    ]
+                }
+            ]
+       }
+
+   ]
+}
diff --git a/helm/attestation-verifier/charts/trustagent-aas-manager/templates/NOTES.txt b/helm/attestation-verifier/charts/trustagent-aas-manager/templates/NOTES.txt
@@ -0,0 +1,23 @@
+Thank you for installing {{ .Chart.Name }} Job of Intel® SecL-DC
+
+In the meantime the release gets up & running in the next few minutes, following information would be helpful
+
+  Release Name={{ .Release.Name }}
+  Release Namespace={{ .Release.Namespace }}
+
+To learn more about the chart, values, README, try:
+Note: If using a seprarate .kubeconfig file, ensure to provide the path using --kubeconfig
+
+  $ helm show chart {{ .Chart.Name }}
+  $ helm show values {{ .Chart.Name }}
+  $ helm show readme {{ .Chart.Name }}
+  
+To learn more about the released charts, try:
+Note: If using a seprarate .kubeconfig file, ensure to provide the path using --kubeconfig
+
+  $ helm get values {{ .Release.Name }} --namespace {{ .Release.Namespace }}
+  $ helm get manifest {{ .Release.Name }} --namespace {{ .Release.Namespace }}
+  $ helm list --namespace {{ .Release.Namespace }}
+  
+To check the status of the different k8s objects deployed, try:
+  $ kubectl get all --namespace {{ .Release.Namespace }}
diff --git a/helm/attestation-verifier/charts/trustagent-aas-manager/templates/_helpers.tpl b/helm/attestation-verifier/charts/trustagent-aas-manager/templates/_helpers.tpl
@@ -0,0 +1,29 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "trustagent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "trustagent.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "trustagent.labels" -}}
+helm.sh/chart: {{ include "nats.chart" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/name: {{ include "trustagent.name" . }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "trustagent.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "trustagent.name" . }}
+{{- end }}
diff --git a/helm/attestation-verifier/charts/trustagent-aas-manager/templates/aas-mgr-secrets.yaml b/helm/attestation-verifier/charts/trustagent-aas-manager/templates/aas-mgr-secrets.yaml
@@ -0,0 +1,4 @@
+{{- include "factory.headers" . }}
+---
+{{- include "factory.createAASRolesAndPermissionSecret" . }}
+
diff --git a/helm/attestation-verifier/charts/trustagent-aas-manager/templates/rbac.yaml b/helm/attestation-verifier/charts/trustagent-aas-manager/templates/rbac.yaml
@@ -0,0 +1 @@
+{{- include "factory.getRBACRolesAndPermissions" . }}
diff --git a/helm/attestation-verifier/charts/trustagent-aas-manager/values.yaml b/helm/attestation-verifier/charts/trustagent-aas-manager/values.yaml
@@ -0,0 +1,48 @@
+# Default values for Trust agent aas manager.
+
+nameOverride: "" # The name for TAGENT AAS MANAGER chart (Default: .Chart.Name)
+controlPlaneHostname: <user input> # K8s control plane IP/Hostname
+
+# Warning: Ensure that the naming is applied consistently for all dependent services when modifying nameOverride
+dependentServices: # The dependent Service Name for deploying Trust agent chart, default is the chart name and override is from nameOverride value.
+  cms: cms
+  aas: aas
+
+secret:
+  serviceUsername: # Service Username for Trust agent
+  servicePassword: # Service Password for Trust agent
+
+image:
+  svc:
+    pullPolicy: Always # The pull policy for pulling from container registry for tagent aas manager <br> (Allowed values: `Always`/`IfNotPresent`)
+    imagePullSecret: # The image pull secret for authenticating with image registry, can be left empty if image registry does not require authentication
+    initName: <user input>
+  aasManager:
+    name: <user input> # The image registry where AAS Manager image is pushed<br> (**REQUIRED**)
+    pullPolicy: Always # The pull policy for pulling from container registry for AAS Manager<br> (Allowed values: `Always`/`IfNotPresent`)
+    imagePullSecret:  # The image pull secret for authenticating with image registry, can be left empty if image registry does not require authentication
+
+securityContext:
+  aasManager: # The security content for AAS-MANAGER Pod
+    runAsUser: 1001
+    runAsGroup: 1001
+    capabilities:
+      drop:
+        - all
+    allowPrivilegeEscalation: false
+  aasManagerInit: # The fsGroup id for init containers for AAS DB
+    fsGroup: 1001
+
+aas:
+  # Please update the url section if aas is exposed via ingress
+  url:
+  secret:
+    adminUsername: # Admin Username for AAS
+    adminPassword: # Admin Password for AAS
+
+service:
+  cms:
+    containerPort: 8445 # The containerPort on which CMS can listen
+  aas:
+    containerPort: 8444 # The containerPort on which AAS can listen
+    port: 30444 # The externally exposed NodePort on which AAS can listen to external traffic
diff --git a/helm/attestation-verifier/values.yaml b/helm/attestation-verifier/values.yaml
diff --git a/helm/trustagent/aas-manager.json b/helm/trustagent/aas-manager.json
diff --git a/helm/trustagent/charts/factory/templates/_job.tpl b/helm/trustagent/charts/factory/templates/_job.tpl
diff --git a/helm/trustagent/templates/aas-mgr-secrets.yaml b/helm/trustagent/templates/aas-mgr-secrets.yaml
