fixes the secret handling (#58)

* fixes the secret handling

you either have to configure a dockerjsonconfig or a global.imagepullsecrets

but when you configure both, both are added to the imagepullsecrets in the deployments and stateful-sets

* refactors the secret handling to streamline it with the mini-identity-provider

* adds the DNS Port to the networkPolicy of the updater

* adjust config

* also update the mini-identity-provider dependency

.gitignore

@@ -8,4 +8,5 @@
 *.tgz
 .fleet/
 .output/
-Chart.lock
+Chart.lock
+tmp/

README.md

@@ -9,14 +9,21 @@ Vaas helm is a chart for deploying Verdict-as-a-Service on-premise.
 
 * Create a minimal values.yaml file. 
 
-  To access the VaaS docker containers, the imagePullSecret has to be set in the `global.secret.dockerconfigjson` variable.
+To access the VaaS docker containers, you have to provide at least one imagePullSecret.
+
+To set the image pull secret, you need to create a custom values.yaml file that includes the necessary configurations for image pull secrets. Here's how you can do it:
+
+  1. **Direct Image Pull Secrets**: If you have a direct image pull secret (a base64 encoded JSON containing Docker auth config), you can set it directly in the values.yaml file under either of these keys
+    * `global.secret.dockerconfigjson`
+    * `global.secret.imagePullSecret`
+    * `global.imagePullSecret`
 
 ```yaml
 global:
-  imagePullSecrets:
-    - registry
   secret:
     dockerconfigjson: "BASE64_ENCODED_JSON_CONTAINING_DOCKER_AUTH_CONFIG"
+    imagePullSecret: "BASE64_ENCODED_JSON_CONTAINING_DOCKER_AUTH_CONFIG"
+imagePullSecret: "BASE64_ENCODED_JSON_CONTAINING_DOCKER_AUTH_CONFIG"
 ```
 
 You can generate this value with a bash command like this
@@ -32,6 +39,15 @@ echo '{
 
 You need to substitute the username and password with the credentials we provided to you.
 
+  2. **Global Image Pull Secrets**: You can specify a list of predeployed image pull secrets under the global.imagePullSecrets key. These are the names of Kubernetes secrets that contain the registry credentials.
+
+```yaml
+global:
+  imagePullSecrets:
+    - my-image-pull-secret
+```
+
+
 * Install Verdict-as-a-Service:
 
 ```bash

charts/vaas/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: vaas
-version: 1.8.1
+version: 1.9.0
 description: Deployment of a Verdict-as-a-Service on-premise instance
 maintainers:
   - name: G DATA CyberDefense AG
@@ -12,6 +12,6 @@ dependencies:
     condition: redis.enabled
     repository: oci://registry-1.docker.io/bitnamicharts
   - name: mini-identity-provider
-    version: 0.4.0
+    version: 0.5.0
     condition: mini-identity-provider.enabled
     repository: oci://ghcr.io/gdatasoftwareag

charts/vaas/templates/gateway/_helpers.tpl

@@ -24,14 +24,25 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 
 {{- define "gateway.imagePullSecrets" -}}
+{{- if or (gt (len .Values.global.imagePullSecrets) 0) (.Values.imagePullSecret) (((.Values.global).secret).imagePullSecret) (((.Values.global).secret).dockerconfigjson) }}
 imagePullSecrets:
   {{- range .Values.global.imagePullSecrets }}
   - name: {{ . }}
   {{- end }}
   {{- if .Values.imagePullSecret }}
-  - name: {{ .Release.Name }}-registry-secret
+  - name: {{ include "gateway.fullname" . }}-image-pull-secret
   {{- end }}
+  {{- if ((.Values.global).secret).imagePullSecret }}
+  - name: {{ include "gateway.fullname" . }}-global-image-pull-secret
+  {{- end }}
+  {{- if ((.Values.global).secret).dockerconfigjson }}
+  - name: {{ include "gateway.fullname" . }}-global-dockerconfigjson
+  {{- end }}
+{{- else -}}
+{{- fail "You have to set at least one imagePullSecret" }}
 {{- end -}}
+{{ end -}}
+
 
 {{/*
 Create chart name and version as used by the chart label.

charts/vaas/templates/gateway/secrets.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.imagePullSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gateway.fullname" . }}-image-pull-secret
+  namespace: {{ .Release.Namespace }}
+data:
+  .dockerconfigjson: {{ .Values.imagePullSecret }}
+type: kubernetes.io/dockerconfigjson
+{{- end }}
+{{- if ((.Values.global).secret).imagePullSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gateway.fullname" . }}-global-image-pull-secret
+  namespace: {{ .Release.Namespace }}
+data:
+  .dockerconfigjson: {{ .Values.global.secret.imagePullSecret }}
+type: kubernetes.io/dockerconfigjson
+{{- end }}
+{{- if ((.Values.global).secret).dockerconfigjson }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gateway.fullname" . }}-global-dockerconfigjson
+  namespace: {{ .Release.Namespace }}
+data:
+  .dockerconfigjson: {{ .Values.global.secret.dockerconfigjson }}
+type: kubernetes.io/dockerconfigjson
+{{- end }}

charts/vaas/templates/gdscan/_helpers.tpl

@@ -43,15 +43,24 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
 {{- define "gdscan.imagePullSecrets" -}}
-
-{{- $imagePullSecrets := concat (((.Values.global | default dict).imagePullSecrets)| default list) (.Values.gdscan.imagePullSecrets | default list) -}}
-{{- if gt (len $imagePullSecrets) 0 -}}
+{{- if or (gt (len .Values.global.imagePullSecrets) 0) (.Values.imagePullSecret) (((.Values.global).secret).imagePullSecret) (((.Values.global).secret).dockerconfigjson) }}
 imagePullSecrets:
-  {{- range $imagePullSecrets }}
+  {{- range .Values.global.imagePullSecrets }}
   - name: {{ . }}
   {{- end }}
-{{- end }}
-{{- end }}
+  {{- if .Values.imagePullSecret }}
+  - name: {{ include "gdscan.fullname" . }}-image-pull-secret
+  {{- end }}
+  {{- if ((.Values.global).secret).imagePullSecret }}
+  - name: {{ include "gdscan.fullname" . }}-global-image-pull-secret
+  {{- end }}
+  {{- if ((.Values.global).secret).dockerconfigjson }}
+  - name: {{ include "gdscan.fullname" . }}-global-dockerconfigjson
+  {{- end }}
+{{- else -}}
+{{- fail "You have to set at least one imagePullSecret" }}
+{{- end -}}
+{{ end -}}
 
 {{/*
 Selector labels

charts/vaas/templates/gdscan/secrets.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.imagePullSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gdscan.fullname" . }}-image-pull-secret
+  namespace: {{ .Release.Namespace }}
+data:
+  .dockerconfigjson: {{ .Values.imagePullSecret }}
+type: kubernetes.io/dockerconfigjson
+{{- end }}
+{{- if ((.Values.global).secret).imagePullSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gdscan.fullname" . }}-global-image-pull-secret
+  namespace: {{ .Release.Namespace }}
+data:
+  .dockerconfigjson: {{ .Values.global.secret.imagePullSecret }}
+type: kubernetes.io/dockerconfigjson
+{{- end }}
+{{- if ((.Values.global).secret).dockerconfigjson }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "gdscan.fullname" . }}-global-dockerconfigjson
+  namespace: {{ .Release.Namespace }}
+data:
+  .dockerconfigjson: {{ .Values.global.secret.dockerconfigjson }}
+type: kubernetes.io/dockerconfigjson
+{{- end }}

charts/vaas/templates/gdscan/update.yaml

@@ -115,6 +115,7 @@ spec:
     - ports:
         - port: {{ .Values.gdscan.autoUpdate.networkPolicy.k8sApiPort }}
         - port: 443
-        - port: 53 # DNS
+        - port: 53
+          protocol: UDP
 {{- end }}
 {{- end}}

charts/vaas/values.yaml

@@ -1,6 +1,11 @@
 global:
-  imagePullSecrets: []
+  imagePullSecrets:
+    - imagePullSecrets
+  secret:
+    dockerconfigjson: "e30K"
+    imagePullSecret: "e30K"
 
+imagePullSecret: "e30K"
 mini-identity-provider:
   issuer: "http://vaas/auth"
   enabled: true
@@ -147,6 +152,7 @@ gateway:
   gdscanUrl: "http://gdscan:8080/scan/body"
 
 gdscan:
+  imagePullSecrets: []
   replicaCount: 1
   deploymentStrategy: "RollingUpdate"
   client: