From 59137640fcb41f858c20f19d6a25a0ba35383b7c Mon Sep 17 00:00:00 2001
From: Dominik Pinsel
Date: Thu, 10 Aug 2023 17:25:36 +0200
Subject: [PATCH] feat(helm): encryption key is now always stored in secret

Signed-off-by: Dominik Pinsel
---
 .../templates/deployment.yaml | 5 +++-
 .../templates/secret.yaml | 18 +++++++++++++
 charts/managed-identity-wallet/values.yaml | 26 ++++++++++++-------
 3 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/charts/managed-identity-wallet/templates/deployment.yaml b/charts/managed-identity-wallet/templates/deployment.yaml
index f1f066df8..11ba11636 100644
--- a/charts/managed-identity-wallet/templates/deployment.yaml
+++ b/charts/managed-identity-wallet/templates/deployment.yaml
@@ -56,7 +56,10 @@ spec:
 - name: MIW_HOST_NAME
 value: {{ tpl .Values.miw.host . }}
 - name: ENCRYPTION_KEY
- value: {{ default .Values.miw.database.encryptionKey (randAlphaNum 32)}}
+ valueFrom:
+ secretKeyRef:
+ name: {{ default .Values.miw.database.encryptionKey.secret (printf "%s-encryption-key" ( include "managed-identity-wallet.fullname" . )) }}
+ key: {{ default .Values.miw.database.encryptionKey.secretKey "encryption-key" }}
 - name: AUTHORITY_WALLET_BPN
 value: {{ tpl .Values.miw.authorityWallet.bpn . }}
 - name: AUTHORITY_WALLET_DID
diff --git a/charts/managed-identity-wallet/templates/secret.yaml b/charts/managed-identity-wallet/templates/secret.yaml
index 2f7268f10..53b4b7b28 100644
--- a/charts/managed-identity-wallet/templates/secret.yaml
+++ b/charts/managed-identity-wallet/templates/secret.yaml
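Review bot: The secret name and key defaults in the new `secretKeyRef` are spelled out inline here and again in secret.yaml, and the two templates already compute the name in two different ways (`printf "%s-encryption-key" ( include "managed-identity-wallet.fullname" . )` here versus `{{ include "managed-identity-wallet.fullname" . }}-encryption-key` there), so the env reference and the generated Secret can silently drift apart on the next edit. Moving both defaults into named templates next to `managed-identity-wallet.fullname` and including them from both files keeps them in lockstep, e.g. `name: {{ include "managed-identity-wallet.encryptionKeySecretName" . }}` and `key: {{ include "managed-identity-wallet.encryptionKeySecretKey" . }}` (helper names constructed as an example). Note also that when `encryptionKey.secret` points at a pre-existing Secret but `secretKey` is left empty, the container references key `encryption-key` in that Secret and stays in CreateContainerConfigError if the key is absent; a short comment on these lines, `# secretKey falls back to "encryption-key" — the referenced Secret must contain that key`, would make the failure mode visible to whoever reads the rendered manifest. The env list continues outside the hunk.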
@@ -29,4 +29,22 @@ data:
 {{- range $key, $val := .Values.secrets }}
 {{ $key }}: {{ $val | b64enc }}
 {{- end}}
+{{- end }}
+
+---
+{{- if not .Values.miw.database.encryptionKey.secret }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "managed-identity-wallet.fullname" . }}-encryption-key
+ labels:
+ {{- include "managed-identity-wallet.labels" . | nindent 4 }}
+type: Opaque
+data:
+ {{- if .Values.miw.database.encryptionKey.value }}
+ {{ default .Values.miw.database.encryptionKey.secretKey "encryption-key" }}: {{ .Values.miw.database.encryptionKey.value | b64enc }}
+ {{- else }}
+ {{ default .Values.miw.database.encryptionKey.secretKey "encryption-key" }}: {{ randAlphaNum 32 | b64enc }}
+ {{- end }}
+ {{- end }}
\ No newline at end of file
diff --git a/charts/managed-identity-wallet/values.yaml b/charts/managed-identity-wallet/values.yaml
index 0b9b2265d..1e5da9f46 100644
--- a/charts/managed-identity-wallet/values.yaml
+++ b/charts/managed-identity-wallet/values.yaml
@@ -77,15 +77,21 @@ miw:
 secretPasswordKey: "password"
 # -- Database name. Default: miw_app
 name: "miw_app"
- # -- Database encryption key for confidential data. If empty it is set to 32 random alphanumeric chars
- encryptionKey: ""
+ # -- Database encryption key for confidential data. If empty a secret with 32 random alphanumeric chars is generated
+ encryptionKey:
+ # -- Encryption key value. Ignored if `secret` is set
+ value: ""
+ # -- Existing secret for database encryption key
+ secret: ""
+ # -- Existing secret key for database encryption key
+ secretKey: ""
 keycloak:
 # -- Keycloak realm
 realm: "miw_test"
 # -- Keycloak client id
 clientId: "miw_private_client"
- # -- Keycloak URL. Default: -keycloak:4200
- url: "http://{{ .Release.Name }}-keycloak:4200"
+ # -- Keycloak URL. Default: -keycloak
+ url: "http://{{ .Release.Name }}-keycloak"
 logging:
 # -- Log Level. Should be ether ERROR, WARN, INFO, DEBUG, or TRACE. Default: INFO
 level: "INFO"
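Review bot: The `randAlphaNum 32` fallback in the new Secret is re-evaluated on every `helm upgrade`, so a release that relies on the generated key gets a different encryption key each time the chart is upgraded, and whatever was encrypted under the previous key (presumably the confidential database fields the values comment refers to) can no longer be decrypted; because env vars from `secretKeyRef` are read at container start, running pods keep the old value until they restart, so the breakage surfaces only later. Reusing the key already stored in the cluster via `lookup` before falling back to a fresh random value makes the generated Secret stable across upgrades; `lookup` returns an empty map under `helm template` and `--dry-run`, so those paths still render a random key, which is fine for rendering but deserves the comment below. The rewritten `data:` section also hoists the `default ... "encryption-key"` expression, currently written twice, into one variable.

```yaml
data:
  {{- $secretName := printf "%s-encryption-key" (include "managed-identity-wallet.fullname" .) }}
  {{- $keyName := default .Values.miw.database.encryptionKey.secretKey "encryption-key" }}
  {{- /* Reuse the key from a Secret created by an earlier release so an upgrade does not rotate it; lookup is empty under helm template / --dry-run. */}}
  {{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
  {{- if .Values.miw.database.encryptionKey.value }}
  {{ $keyName }}: {{ .Values.miw.database.encryptionKey.value | b64enc }}
  {{- else if and $existing (hasKey (default dict $existing.data) $keyName) }}
  {{ $keyName }}: {{ index $existing.data $keyName }}
  {{- else }}
  {{ $keyName }}: {{ randAlphaNum 32 | b64enc }}
  {{- end }}
```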
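Review bot: Turning `miw.database.encryptionKey` from a string into a mapping breaks existing values files: a release that still sets `miw.database.encryptionKey: "<key>"` as a plain string will now fail to render, because the templates dereference `.Values.miw.database.encryptionKey.secret` and `.value` on it, and nothing in the new comments says how to migrate. The comments on `value`, `secret` and `secretKey` also leave the defaulting unstated: `secretKey` falls back to `encryption-key` in both templates, and a key supplied through `value` ends up base64-encoded in the generated Secret and in clear text in the stored release values and in any committed values file. Suggested wording: `# -- Encryption key value. Ignored if secret is set; kept in clear text in the release values, so prefer secret outside development. Replaces the former string-valued encryptionKey` and `# -- Key inside the secret holding the encryption key. Defaults to "encryption-key" when empty`.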
@@ -182,10 +188,10 @@ keycloak:
 # -- Keycloak authentication
 auth:
 # -- Keycloak admin user
- adminUser: ""
+ adminUser: "admin"
 # -- Keycloak admin password
- adminPassword: ""
- # -- Playground Keycloak realm configuration for the MIW
+ adminPassword: "password"
+ # -- Keycloak realm configuration
 keycloakConfigCli:
 # -- Enable to create the miw playground realm
 enabled: true
@@ -195,9 +201,9 @@ keycloak:
 backoffLimit: 5
 # -- Environment Variables for the Keycloak container
 extraEnvVars:
- # -- Keycloak hostname. Default: -keycloak:4200
+ # -- Keycloak hostname. Default: -keycloak
 - name: KEYCLOAK_HOSTNAME
- value: "{{ .Release.Name }}-keycloak:4200"
+ value: "{{ .Release.Name }}-keycloak"
 # -- Postgresql configuration
 postgresql:
@@ -209,6 +215,8 @@ postgresql:
 enablePostgresUser: false
 # -- User to create
 username: "miw"
+ # -- Password to set
+ password: "password"
 # -- Backup configuration (see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#backup-parameters)
 backup:
 # -- Enable to create a backup cronjob
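Review bot: `adminUser: "admin"` and `adminPassword: "password"` ship a well-known Keycloak admin credential as the chart default, and the same hunk drops the "Playground" wording that marked this block as non-production, while `@@ -209,6 +215,8 @@ postgresql:` adds `password: "password"` for the PostgreSQL user in the same way. Anyone who installs the chart without overriding these values gets an admin console and a database protected by a guessable password, and the chart gives no signal that they must be changed. Keeping the previous empty defaults (`adminPassword: ""` and no `password:` entry under `postgresql`), which I believe lets the Bitnami subcharts generate random credentials — confirm against the subchart values — and documenting them as required would be the safer default. If the fixed playground credentials are intentional, restore the "Playground" wording and add `# -- Development-only default, override in any shared environment` above each of the three values.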