[TT-12407] MDCB improvements (#302)
* Set security secret from k8s secret

* Remove comment

* Update values file

* Watch for secret in MDCB deployment

* Change default value

* Rename a key

* Move httpPort out of probes

* Update tyk-control-plane/values.yaml

Co-authored-by: Burak Sekili <[email protected]>

---------

Co-authored-by: Burak Sekili <[email protected]>
komalsukhani and buraksekili authored Jul 1, 2024
1 parent ed1e1fc commit 6135f4e
Showing 6 changed files with 33 additions and 21 deletions.
2 changes: 1 addition & 1 deletion components/tyk-mdcb/templates/_helpers.tpl
Expand Up @@ -170,6 +170,6 @@ HealthCheckPort will take precedence to avoid breaking change
{{- if .Values.mdcb.probes.healthCheckPort -}}
{{ .Values.mdcb.probes.healthCheckPort }}
{{- else -}}
{{ .Values.mdcb.probes.httpPort }}
{{ .Values.mdcb.httpPort }}
{{- end }}
{{- end -}}
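Review bot: An override of `mdcb.probes.httpPort` in an existing release is no longer read by the fallback branch, so after upgrade the port silently reverts to the chart default in `mdcb.httpPort`. If the old key should be honoured for one more release, the fallback could be `{{ .Values.mdcb.probes.httpPort | default .Values.mdcb.httpPort }}`; otherwise a `fail` when `mdcb.probes.httpPort` is still set would make the move visible at render time. The helper's `define` starts above this hunk, so its other callers are not visible here.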
8 changes: 6 additions & 2 deletions components/tyk-mdcb/templates/deployment-mdcb.yaml
Expand Up @@ -17,10 +17,11 @@ spec:
{{- include "tyk-mdcb.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.mdcb.podAnnotations }}
annotations:
{{- with .Values.mdcb.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
checksum/secrets: {{ include (print $.Template.BasePath "/secret-mdcb.yaml") . | sha256sum }}
labels:
{{- include "tyk-mdcb.labels" . | nindent 8 }}
{{- with .Values.mdcb.podLabels }}
Expand Down Expand Up @@ -102,7 +103,10 @@ spec:
- name: TYK_MDCB_HASHKEYS
value: "{{ .Values.global.hashKeys }}"
- name: TYK_MDCB_SECURITY_SECRET
value: "{{ .Values.mdcb.security.secret}}"
valueFrom:
secretKeyRef:
name: {{ if .Values.mdcb.useSecretName }}{{ .Values.mdcb.useSecretName }} {{ else }} secrets-{{ include "tyk-mdcb.fullname" . }} {{ end }}
key: securitySecret
- name: TYK_MDCB_SECURITY_ENABLEHTTPSECUREENDPOINTS
value: "{{ .Values.mdcb.security.enableHttpSecureEndpoints}}"
# Redis TLS configurations
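Review bot: With `mdcb.useSecretName` set, the new `secretKeyRef` requires the externally managed Secret to carry a `securitySecret` key, while the earlier values comment documented only `MDCBLicense`, so the container will fail to start after upgrade until the key is added. Failing closed is the safer outcome for an authorization key, but it deserves an upgrade note, together with the fact that `mdcb.security.secret` from the values file is ignored in this mode. The `checksum/secrets` annotation added in the first hunk hashes only the chart-rendered `secret-mdcb.yaml`, so rotating an external Secret does not roll the pods; I would add a comment above it such as `# Covers chart-managed secrets only; restart the Deployment after rotating an external Secret.` The `name:` expression would also read better with the stray spaces inside the `if`/`else` removed and the result quoted.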
1 change: 1 addition & 0 deletions components/tyk-mdcb/templates/secret-mdcb.yaml
Expand Up @@ -8,6 +8,7 @@ type: Opaque
stringData:
{{- if not .Values.mdcb.useSecretName }}
MDCBLicense: "{{ .Values.mdcb.license }}"
securitySecret: "{{ .Values.mdcb.security.secret }}"
{{- end -}}

{{- if not ((.Values.global.redis.passSecret).name) }}
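Review bot: The added `securitySecret` line renders whatever `mdcb.security.secret` holds, including the shipped placeholder `CHANGEME`, and nothing stops `enableHttpSecureEndpoints: true` from being deployed with that placeholder as the `X-Tyk-Authorization` key. A render-time guard inside the `if not .Values.mdcb.useSecretName` branch would close this, along the lines of `{{- if and .Values.mdcb.security.enableHttpSecureEndpoints (eq (toString .Values.mdcb.security.secret) "CHANGEME") }}{{ fail "set mdcb.security.secret or mdcb.useSecretName" }}{{ end }}`. Separately, wrapping the value in literal double quotes breaks on a secret containing `"` or `\`; `securitySecret: {{ .Values.mdcb.security.secret | toString | quote }}` escapes them. The `stringData` block starts above this hunk.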
4 changes: 2 additions & 2 deletions components/tyk-mdcb/templates/service-mdcb.yaml
Expand Up @@ -13,8 +13,8 @@ spec:
targetPort: {{ .Values.mdcb.listenPort }}
protocol: TCP
name: serviceport
- port: {{ if .Values.mdcb.probes.httpPort }}{{ .Values.mdcb.probes.httpPort }}{{ else }}{{ .Values.mdcb.probes.healthCheckPort }}{{ end }}
targetPort: {{ if .Values.mdcb.probes.httpPort }}{{ .Values.mdcb.probes.httpPort }}{{ else }}{{ .Values.mdcb.probes.healthCheckPort }}{{ end }}
- port: {{ include "mdcb.healthCheckPort" . }}
targetPort: {{ include "mdcb.healthCheckPort" . }}
protocol: TCP
name: healthport
selector:
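Review bot: The `healthport` entry publishes the MDCB HTTP port on the Service, and going by the values comments that port appears to also carry the secure endpoints once `enableHttpSecureEndpoints` is on, so the Service's reach decides who can present the `X-Tyk-Authorization` secret to them. I would add a comment above the entry such as `# Also serves the secure HTTP endpoints when enabled; keep this port off public load balancers.` The Service type is set outside this hunk, so whether the port is externally reachable by default cannot be told from here. Port selection now follows the helper, where `probes.healthCheckPort` wins, whereas the replaced lines preferred `probes.httpPort`; that ordering change is worth a line in the upgrade notes.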
17 changes: 10 additions & 7 deletions components/tyk-mdcb/values.yaml
Expand Up @@ -143,10 +143,11 @@ mdcb:
# fullnameOverride overrides App name. It is truncated to 63 characters.
fullnameOverride: ""

# useSecretName can be used if you don't want to store plaintext values for MDCB license in
# the Helm value file and would rather provide the k8s Secret externally.
# useSecretName can be used if you don't want to store plaintext values for MDCB license and security secret in
# the Helm values file and would rather provide the k8s Secret externally.
# You should set following fields in the secret
# - MDCBLicense - Sets MDCB license key
# - securitySecret - Sets secret required for accessing secure HTTP endpoints
useSecretName: ""

# Tyk MDCB license
Expand Down Expand Up @@ -189,7 +190,8 @@ mdcb:
security:
# Secret is the key required for accessing secure HTTP endpoints and must be included as the `X-Tyk-Authorization` header.
# Ensure confidentiality of the key and avoid exposing management endpoints publicly.
secret: 1234567890
# This field can be set using k8s secret. Please refer `mdcb.useSecretName` field.
secret: CHANGEME
# EnableHTTPSecureEndpoints enables HTTP endpoints for monitoring and debugging MDCB.
# Secure endpoints providing critical system information are disabled by default for security enhancement.
# Authentication via the `Secret` is required for access, e.g., /dataplanes for dataplane details.
Expand All @@ -204,16 +206,17 @@ mdcb:

# For TLS 1.0 use 769, for TLS 1.1 use 770, for TLS 1.2 use 771, for TLS 1.3 use 772
# minVersion: 771

# This is the preferred port setting for MDCB >= v2.6.0.
# Users should use httpPort instead of probes.healthCheckPort for newer versions.
httpPort: 8181

probes:
# This port lets MDCB allow standard health checks.
# It also defines the path for liveness and readiness probes.
# It is used to set TYK_MDCB_HEALTHCHECKPORT and TYK_MDCB_HTTPPORT when mdcb >= v2.6.0
# This field will be deprecated in upcoming release. Use `httpPort` instead.
# healthCheckPort: 8181

# This is the preferred port setting for MDCB >= v2.6.0.
# Users should use httpPort instead of healthCheckPort for newer versions.
httpPort: 8181

# liveness includes details about liveness probe used in MDCB Deployment.
liveness:
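Review bot: The new comment on `security.secret` does not say that the value is ignored once `mdcb.useSecretName` is set, nor that it must be a quoted string; Helm can render a long unquoted number (the previous default `1234567890` was one) in scientific notation, which would silently change the key. Suggested wording: `# Ignored when mdcb.useSecretName is set. Always quote the value, e.g. secret: "<random string>", and replace CHANGEME before enabling the secure endpoints.` The `useSecretName` comment in the first hunk could likewise state that both `MDCBLicense` and `securitySecret` are now required in the external Secret. The same applies to the matching hunks in `tyk-control-plane/values.yaml`.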
22 changes: 13 additions & 9 deletions tyk-control-plane/values.yaml
Expand Up @@ -1158,10 +1158,11 @@ tyk-mdcb:
# fullnameOverride overrides App name. It is truncated to 63 characters.
fullnameOverride: ""

# useSecretName can be used if you don't want to store plaintext values for MDCB license in
# the Helm value file and would rather provide the k8s Secret externally.
# You should set following fields in the secret
# - MDCBLicense - Sets MDCB license key
# useSecretName can be used if you don't want to store plaintext values for MDCB license and security secret in
# the Helm values file and would rather provide the k8s Secret externally.
# You should set following fields in the secret
# - MDCBLicense - Sets MDCB license key
# - securitySecret - Sets secret required for accessing secure HTTP endpoints
useSecretName: ""

# Tyk MDCB license
Expand Down Expand Up @@ -1212,22 +1213,25 @@ tyk-mdcb:
security:
# Secret is the key required for accessing secure HTTP endpoints and must be included as the `X-Tyk-Authorization` header.
# Ensure confidentiality of the key and avoid exposing management endpoints publicly.
secret: 1234567890
# This field can be set using k8s secret. Please refer `mdcb.useSecretName` field.
secret: CHANGEME
# EnableHTTPSecureEndpoints enables HTTP endpoints for monitoring and debugging MDCB.
# Secure endpoints providing critical system information are disabled by default for security enhancement.
# Authentication via the `Secret` is required for access, e.g., /dataplanes for dataplane details.
enableHttpSecureEndpoints: false

# This is the preferred port setting for MDCB >= v2.6.0.
# Users should use httpPort instead of probes.healthCheckPort for newer versions.
# This value is used to set TYK_MDCB_HTTPPORT when MDCB is >= 2.6.0.
httpPort: 8181

probes:
# This port lets MDCB allow standard health checks.
# It also defines the path for liveness and readiness probes.
# It is used to set TYK_MDCB_HEALTHCHECKPORT and TYK_MDCB_HTTPPORT when mdcb >= v2.6.0
# This field will be deprecated in upcoming release. Use `httpPort` instead.
# healthCheckPort: 8181

# This is the preferred port setting for MDCB >= v2.6.0.
# Users should use httpPort instead of healthCheckPort for newer versions.
# This value is used to set TYK_MDCB_HTTPPORT when MDCB is >= 2.6.0.
httpPort: 8181
# liveness includes details about liveness probe used in MDCB Deployment.
liveness:
# path represents the http path to be used in liveness probe in MDBC deployment.