Removed need to create secrets for internal encryption

Author: Vadym Mudryi

charts/opencrvs-services/TODO.md

@@ -61,7 +61,9 @@ Automatically issue SSL secret for traefix, check possibility to issue valid SSL
 
 ...
 
-# Check
+# Data persistence
+
+Kubernetes helm chart doesn't have data persistence in case of uninstall
 
 - https://kubernetes.io/docs/concepts/storage/volumes/#image
 
@@ -75,4 +77,10 @@ Some services like login and client require extra attention at this point since
 
 Some services just need proper configuration
 
-# Add minio-mc container
+# Add minio-mc container
+
+TODO: Check if container is needed
+
+# Add common secret
+
+On github environment we have all secrets stored per environment, We could also store all secrets together in common secret, that will simplify configuration.

charts/opencrvs-services/templates/auth-deployment.yaml

@@ -103,8 +103,8 @@ spec:
             items:
               - key: public-key.pem
                 path: public-key.pem
-            name: public-key
+            name: {{ .Release.Name }}-cert-tls
           name: public-key
         - secret:
-            secretName: private-key
+            secretName: {{ .Release.Name }}-key-tls
           name: private-key

charts/opencrvs-services/templates/config-deployment.yaml

@@ -32,10 +32,7 @@ spec:
       port: 2021
     middlewares:
       - name: sts-and-basic-response-headers
-{{- $http := "http" }}
-{{- if .Values.ingress.ssl_enabled }}
-{{- $http = "https" }}
-{{- end }}
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -62,7 +59,7 @@ spec:
             - name: FHIR_URL
               value: {{ .Values.fhir_url | quote }}
             - name: CLIENT_APP_URL
-              value: "{{ $http }}://register.{{ .Values.hostname }}"
+              value: {{ include "render-external-url" (dict "service_name" "register" "Values" .Values) }}
             - name: HOST
               value: 0.0.0.0
             - name: PORT
@@ -99,5 +96,5 @@ spec:
             items:
               - key: public-key.pem
                 path: public-key.pem
-            name: public-key
+            name: {{ .Release.Name }}-cert-tls
           name: public-key

charts/opencrvs-services/templates/countryconfig-deployment.yaml

@@ -120,5 +120,5 @@ spec:
             items:
               - key: public-key.pem
                 path: public-key.pem
-            name: public-key
+            name: {{ .Release.Name }}-cert-tls
           name: public-key

charts/opencrvs-services/templates/dashboards-deployment.yaml

@@ -53,7 +53,7 @@ spec:
           image: "ghcr.io/opencrvs/ocrvs-dashboards:{{ .Values.image.tag }}"
           env:
             - name: OPENCRVS_METABASE_SITE_URL
-              value: "http://metabase.{{ .Values.hostname }}"
+              value: {{ include "render-external-url" (dict "service_name" "metabase" "Values" .Values) }}
             - name: OPENCRVS_METABASE_MAP_URL
               value: "http://countryconfig.{{ .Release.Namespace }}.svc.cluster.local:3040/content/map.geojson"
             - name: OPENCRVS_METABASE_DB_HOST

charts/opencrvs-services/templates/documents-deployment.yaml

@@ -41,7 +41,7 @@ spec:
               value: {{ .Values.minio.host | quote }}
             - name: MINIO_PORT
               value: {{ .Values.minio.port | quote }}
-            # TODO: MINIO
+            # TODO: MINIO: Check if we need http/https prefix here
             - name: MINIO_URL
               value: minio.{{ .Values.hostname }}
           {{- include "render-env-vars" (dict "service_name" "documents" "Values" .Values) }}
@@ -59,5 +59,5 @@ spec:
             items:
               - key: public-key.pem
                 path: public-key.pem
-            name: public-key
+            name: {{ .Release.Name }}-cert-tls
           name: public-key

charts/opencrvs-services/templates/gateway-deployment.yaml

@@ -72,15 +72,15 @@ spec:
             - name: AUTH_URL
               value: http://auth.{{ .Release.Namespace }}.svc.cluster.local:4040
             - name: DOCUMENTS_URL
-              value: "http://documents.{{ .Release.Namespace }}.svc.cluster.local:9050" # FIXME: harcoded
+              value: "http://documents.{{ .Release.Namespace }}.svc.cluster.local:9050"
             - name: METRICS_URL
-              value: "http://metrics.{{ .Release.Namespace }}.svc.cluster.local:1050" # FIXME: harcoded
+              value: "http://metrics.{{ .Release.Namespace }}.svc.cluster.local:1050"
             - name: NOTIFICATION_URL
               value: "http://notification.{{ .Release.Namespace }}.svc.cluster.local:2020/"
             - name: SEARCH_URL
-              value: "http://search.{{ .Release.Namespace }}.svc.cluster.local:9090/" # FIXME: harcoded
+              value: "http://search.{{ .Release.Namespace }}.svc.cluster.local:9090/"
             - name: USER_MANAGEMENT_URL
-              value: "http://user-mgnt.{{ .Release.Namespace }}.svc.cluster.local:3030/" # FIXME: hardcoded
+              value: "http://user-mgnt.{{ .Release.Namespace }}.svc.cluster.local:3030/"
             - name: WEBHOOKS_URL
               value: "http://webhooks.{{ .Release.Namespace }}.svc.cluster.local:2525/"
             - name: WORKFLOW_URL
@@ -103,5 +103,5 @@ spec:
             items:
               - key: public-key.pem
                 path: public-key.pem
-            name: public-key
+            name: {{ .Release.Name }}-cert-tls
           name: public-key

charts/opencrvs-services/templates/metrics-deployment.yaml

@@ -74,5 +74,5 @@ spec:
             items:
               - key: public-key.pem
                 path: public-key.pem
-            name: public-key
+            name: {{ .Release.Name }}-cert-tls
           name: public-key

charts/opencrvs-services/templates/notification-deployment.yaml

@@ -58,5 +58,5 @@ spec:
             items:
               - key: public-key.pem
                 path: public-key.pem
-            name: public-key
+            name: {{ .Release.Name }}-cert-tls
           name: public-key

charts/opencrvs-services/templates/opencrvs-token-ssl.yaml

@@ -0,0 +1,17 @@
+{{- $ca := genCA "opensearchca" 4096 }}
+{{- $cn := printf "auth.%s.svc.cluster.local" .Release.Namespace }}
+{{- $cert := genSignedCert $cn nil (list $cn) 4096 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-key-tls
+type: Opaque
+data:
+  "private-key.pem": {{ $cert.Key | b64enc | toYaml | indent 4}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-cert-tls
+data:
+  "public-key.pem": {{ $cert.Cert | toYaml | indent 4}}