From 6135f4ea8adebc73f0193c79682948abc85ae63d Mon Sep 17 00:00:00 2001
From: Komal Sukhani
Date: Mon, 1 Jul 2024 15:58:47 +0530
Subject: [PATCH] [TT-12407] MDCB improvements (#302)
* Set security secret from k8s secret
* Remove comment
* Update values file
* Watch for secret in MDCB deployment
* Change default value
* Rename a key
* Move httpPort out of probes
* Update tyk-control-plane/values.yaml
Co-authored-by: Burak Sekili
---------
Co-authored-by: Burak Sekili
---
 components/tyk-mdcb/templates/_helpers.tpl | 2 +-
 .../tyk-mdcb/templates/deployment-mdcb.yaml | 8 +++++--
 .../tyk-mdcb/templates/secret-mdcb.yaml | 1 +
 .../tyk-mdcb/templates/service-mdcb.yaml | 4 ++--
 components/tyk-mdcb/values.yaml | 17 ++++++++------
 tyk-control-plane/values.yaml | 22 +++++++++++--------
 6 files changed, 33 insertions(+), 21 deletions(-)
diff --git a/components/tyk-mdcb/templates/_helpers.tpl b/components/tyk-mdcb/templates/_helpers.tpl
index 0f70c138..d4edb30b 100644
--- a/components/tyk-mdcb/templates/_helpers.tpl
+++ b/components/tyk-mdcb/templates/_helpers.tpl
@@ -170,6 +170,6 @@ HealthCheckPort will take precedence to avoid breaking change
 {{- if .Values.mdcb.probes.healthCheckPort -}}
 {{ .Values.mdcb.probes.healthCheckPort }}
 {{- else -}}
-{{ .Values.mdcb.probes.httpPort }}
+{{ .Values.mdcb.httpPort }}
 {{- end }}
 {{- end -}}
diff --git a/components/tyk-mdcb/templates/deployment-mdcb.yaml b/components/tyk-mdcb/templates/deployment-mdcb.yaml
index ababba22..0c2edcf2 100644
--- a/components/tyk-mdcb/templates/deployment-mdcb.yaml
+++ b/components/tyk-mdcb/templates/deployment-mdcb.yaml
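Review bot: The fallback branch now reads only `.Values.mdcb.httpPort`, so an existing user override of `mdcb.probes.httpPort` (the key this commit removes from both values files) is silently ignored and the health port reverts to the chart default instead of failing loudly. If the rename is meant to be breaking, make it visible at render time, e.g. add before the `if`: `{{- if .Values.mdcb.probes.httpPort }}{{ fail "mdcb.probes.httpPort has moved to mdcb.httpPort" }}{{ end }}`, and say so in the `httpPort` comment of the values.yaml hunks. The `define` enclosing this `if` starts outside the hunk.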
@@ -17,10 +17,11 @@ spec:
 {{- include "tyk-mdcb.selectorLabels" . | nindent 6 }}
 template:
 metadata:
- {{- with .Values.mdcb.podAnnotations }}
 annotations:
+ {{- with .Values.mdcb.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ checksum/secrets: {{ include (print $.Template.BasePath "/secret-mdcb.yaml") . | sha256sum }}
 labels:
 {{- include "tyk-mdcb.labels" . | nindent 8 }}
 {{- with .Values.mdcb.podLabels }}
@@ -102,7 +103,10 @@ spec:
 - name: TYK_MDCB_HASHKEYS
 value: "{{ .Values.global.hashKeys }}"
 - name: TYK_MDCB_SECURITY_SECRET
- value: "{{ .Values.mdcb.security.secret}}"
+ valueFrom:
+ secretKeyRef:
+ name: {{ if .Values.mdcb.useSecretName }}{{ .Values.mdcb.useSecretName }} {{ else }} secrets-{{ include "tyk-mdcb.fullname" . }} {{ end }}
+ key: securitySecret
 - name: TYK_MDCB_SECURITY_ENABLEHTTPSECUREENDPOINTS
 value: "{{ .Values.mdcb.security.enableHttpSecureEndpoints}}"
 # Redis TLS configurations
diff --git a/components/tyk-mdcb/templates/secret-mdcb.yaml b/components/tyk-mdcb/templates/secret-mdcb.yaml
index e8a46ce7..dd56d5fd 100644
--- a/components/tyk-mdcb/templates/secret-mdcb.yaml
+++ b/components/tyk-mdcb/templates/secret-mdcb.yaml
@@ -8,6 +8,7 @@ type: Opaque
 stringData:
 {{- if not .Values.mdcb.useSecretName }}
 MDCBLicense: "{{ .Values.mdcb.license }}"
+ securitySecret: "{{ .Values.mdcb.security.secret }}"
 {{- end -}}
 
 {{- if not ((.Values.global.redis.passSecret).name) }}
diff --git a/components/tyk-mdcb/templates/service-mdcb.yaml b/components/tyk-mdcb/templates/service-mdcb.yaml
index 2c59bbb6..b6ebfe7f 100644
--- a/components/tyk-mdcb/templates/service-mdcb.yaml
+++ b/components/tyk-mdcb/templates/service-mdcb.yaml
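Review bot: The `name:` expression in the added `secretKeyRef` emits literal spaces around both branches (`}} {{ else }} secrets-… {{ end }}`); a plain YAML scalar trims them so the manifest renders, but the line relies on that trimming and reads as if the padding were intended. A single expression avoids it: `name: {{ .Values.mdcb.useSecretName | default (printf "secrets-%s" (include "tyk-mdcb.fullname" .)) }}`. The env entry also deserves a comment that an externally supplied Secret must carry a `securitySecret` key, because no `optional: true` is set and a missing key prevents the container from being created. The container spec enclosing this env list starts outside the hunk.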
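Review bot: The added `securitySecret` line copies `mdcb.security.secret` into the Secret unchecked, and the chart default for that value becomes the placeholder `CHANGEME` (the `secret: CHANGEME` lines in the two values.yaml hunks on this page), so a release installed without an override guards the secure endpoints with a value anyone can read in the chart. Consider an empty default plus a render-time check, e.g. `securitySecret: "{{ required "mdcb.security.secret must be set" .Values.mdcb.security.secret }}"`, or a `fail` when `mdcb.security.enableHttpSecureEndpoints` is true and the value still equals the placeholder. The `stringData` block continues past the hunk.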
@@ -13,8 +13,8 @@ spec:
 targetPort: {{ .Values.mdcb.listenPort }}
 protocol: TCP
 name: serviceport
- - port: {{ if .Values.mdcb.probes.httpPort }}{{ .Values.mdcb.probes.httpPort }}{{ else }}{{ .Values.mdcb.probes.healthCheckPort }}{{ end }}
- targetPort: {{ if .Values.mdcb.probes.httpPort }}{{ .Values.mdcb.probes.httpPort }}{{ else }}{{ .Values.mdcb.probes.healthCheckPort }}{{ end }}
+ - port: {{ include "mdcb.healthCheckPort" . }}
+ targetPort: {{ include "mdcb.healthCheckPort" . }}
 protocol: TCP
 name: healthport
 selector:
diff --git a/components/tyk-mdcb/values.yaml b/components/tyk-mdcb/values.yaml
index 71ff93ce..ce0fb32f 100644
--- a/components/tyk-mdcb/values.yaml
+++ b/components/tyk-mdcb/values.yaml
@@ -143,10 +143,11 @@ mdcb:
 # fullnameOverride overrides App name. It is truncated to 63 characters.
 fullnameOverride: ""
 
- # useSecretName can be used if you don't want to store plaintext values for MDCB license in
- # the Helm value file and would rather provide the k8s Secret externally.
+ # useSecretName can be used if you don't want to store plaintext values for MDCB license and security secret in
+ # the Helm values file and would rather provide the k8s Secret externally.
 # You should set following fields in the secret
 # - MDCBLicense - Sets MDCB license key
+ # - securitySecret - Sets secret required for accessing secure HTTP endpoints
 useSecretName: ""
 
 # Tyk MDCB license
@@ -189,7 +190,8 @@ mdcb:
 security:
 # Secret is the key required for accessing secure HTTP endpoints and must be included as the `X-Tyk-Authorization` header.
 # Ensure confidentiality of the key and avoid exposing management endpoints publicly.
- secret: 1234567890
+ # This field can be set using k8s secret. Please refer `mdcb.useSecretName` field.
+ secret: CHANGEME
 # EnableHTTPSecureEndpoints enables HTTP endpoints for monitoring and debugging MDCB.
 # Secure endpoints providing critical system information are disabled by default for security enhancement.
 # Authentication via the `Secret` is required for access, e.g., /dataplanes for dataplane details.
@@ -204,16 +206,17 @@ mdcb:
 # For TLS 1.0 use 769, for TLS 1.1 use 770, for TLS 1.2 use 771, for TLS 1.3 use 772
 # minVersion: 771
 
+
+ # This is the preferred port setting for MDCB >= v2.6.0.
+ # Users should use httpPort instead of probes.healthCheckPort for newer versions.
+ httpPort: 8181
+
 probes:
 # This port lets MDCB allow standard health checks.
 # It also defines the path for liveness and readiness probes.
 # It is used to set TYK_MDCB_HEALTHCHECKPORT and TYK_MDCB_HTTPPORT when mdcb >= v2.6.0
 # This field will be deprecated in upcoming release. Use `httpPort` instead.
 # healthCheckPort: 8181
-
- # This is the preferred port setting for MDCB >= v2.6.0.
- # Users should use httpPort instead of healthCheckPort for newer versions.
- httpPort: 8181
 
 # liveness includes details about liveness probe used in MDCB Deployment.
 liveness:
diff --git a/tyk-control-plane/values.yaml b/tyk-control-plane/values.yaml
index 0dc25d42..d7ee65ed 100644
--- a/tyk-control-plane/values.yaml
+++ b/tyk-control-plane/values.yaml
@@ -1158,10 +1158,11 @@ tyk-mdcb:
 # fullnameOverride overrides App name. It is truncated to 63 characters.
 fullnameOverride: ""
 
- # useSecretName can be used if you don't want to store plaintext values for MDCB license in
- # the Helm value file and would rather provide the k8s Secret externally.
- # You should set following fields in the secret
- # - MDCBLicense - Sets MDCB license key
+ # useSecretName can be used if you don't want to store plaintext values for MDCB license and security secret in
+ # the Helm values file and would rather provide the k8s Secret externally.
+ # You should set following fields in the secret
+ # - MDCBLicense - Sets MDCB license key
+ # - securitySecret - Sets secret required for accessing secure HTTP endpoints
 useSecretName: ""
 
 # Tyk MDCB license
@@ -1212,11 +1213,18 @@ tyk-mdcb:
 security:
 # Secret is the key required for accessing secure HTTP endpoints and must be included as the `X-Tyk-Authorization` header.
 # Ensure confidentiality of the key and avoid exposing management endpoints publicly.
- secret: 1234567890
+ # This field can be set using k8s secret. Please refer `mdcb.useSecretName` field.
+ secret: CHANGEME
 # EnableHTTPSecureEndpoints enables HTTP endpoints for monitoring and debugging MDCB.
 # Secure endpoints providing critical system information are disabled by default for security enhancement.
 # Authentication via the `Secret` is required for access, e.g., /dataplanes for dataplane details.
 enableHttpSecureEndpoints: false
+
+ # This is the preferred port setting for MDCB >= v2.6.0.
+ # Users should use httpPort instead of probes.healthCheckPort for newer versions.
+ # This value is used to set TYK_MDCB_HTTPPORT when MDCB is >= 2.6.0.
+ httpPort: 8181
+
 probes:
 # This port lets MDCB allow standard health checks.
 # It also defines the path for liveness and readiness probes.
@@ -1224,10 +1232,6 @@ tyk-mdcb:
 # This field will be deprecated in upcoming release. Use `httpPort` instead.
 # healthCheckPort: 8181
 
- # This is the preferred port setting for MDCB >= v2.6.0.
- # Users should use httpPort instead of healthCheckPort for newer versions.
- # This value is used to set TYK_MDCB_HTTPPORT when MDCB is >= 2.6.0.
- httpPort: 8181
 # liveness includes details about liveness probe used in MDCB Deployment.
 liveness:
 # path represents the http path to be used in liveness probe in MDBC deployment.