
feat(charts): reduce mounted files for external configuration backends #9411

Merged (16 commits) on Sep 12, 2024

Conversation

iromli (Contributor) commented Sep 6, 2024

Prepare


Description

Target issue

closes #9410

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

feat(charts): remove vault-related secrets

Signed-off-by: iromli <isman.firmansyah@gmail.com>

dryrunsecurity bot commented Sep 6, 2024

DryRun Security Summary

The provided code changes focus on enhancing the security and configurability of the Janssen application, a Kubernetes-based OpenID Connect Provider and UMA Authorization Server, by centralizing configuration management, improving logging and monitoring, implementing Kubernetes security practices, and introducing more flexibility and customization options.


Summary:

The provided code changes cover various updates and improvements to the Janssen Helm chart, which is used to deploy the Janssen application, an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). The changes focus on enhancing the security and configurability of the application's deployment, with a particular emphasis on the following areas:

  1. Centralized Configuration Management: The changes move towards a more centralized approach to managing the application's configuration, utilizing Kubernetes Secrets to store sensitive data instead of relying on direct cloud provider integrations (AWS, Google, Vault). This helps reduce the attack surface and improve the overall security posture.

  2. Logging and Monitoring: The changes include updates to the logging configuration for various Janssen components, allowing for more granular control and better visibility into the application's operations, which can aid in security monitoring and incident investigation.

  3. Kubernetes Security Practices: The changes incorporate security-conscious Kubernetes configurations, such as using non-root containers, setting resource limits, and implementing liveness and readiness probes. These practices help improve the overall security and reliability of the deployed application.

  4. Flexibility and Customization: The changes introduce new configuration options, allowing administrators to customize various aspects of the deployment, such as the location of configuration files, the execution of custom scripts, and the integration with external secret management services. This flexibility can be beneficial for adapting the application to specific security requirements.

While the changes appear to be focused on improving the security and maintainability of the Janssen deployment, it is important to thoroughly review the implementation details, especially regarding the handling of sensitive data, the execution of custom scripts, and the integration with external services, to ensure that no new security vulnerabilities are introduced.

Files Changed:

  1. charts/janssen-all-in-one/README.md: Added two new configuration parameters for the Configurator component, cnConfiguratorConfigurationFile and cnConfiguratorDumpFile, to provide more flexibility in managing the configuration schema.
  2. charts/janssen-all-in-one/templates/cronjobs.yaml: Simplified the secrets management by using a single {{ .Release.Name }}-configuration-file secret, and set appropriate resource limits and restart policies for the cronjobs.
  3. charts/janssen-all-in-one/templates/_helpers.tpl: Added two new Helm template functions to generate AWS shared credentials and configuration files, which should be carefully reviewed to ensure secure handling of AWS credentials.
  4. charts/janssen-all-in-one/templates/configmap.yaml: Updated the ConfigMap to include various environment variables for integrating with AWS Secrets Manager, Google Secret Manager, HashiCorp Vault, SQL databases, Couchbase, Redis, SCIM, and FIDO2.
  5. charts/janssen-all-in-one/templates/deployment.yml: Simplified the configuration file mounting by using a single {{ .Release.Name }}-configuration-file secret, and included conditional execution of custom scripts and TLS certificate management.
  6. charts/janssen-all-in-one/values.yaml: Updated the global configuration options, including the ability to configure annotations, labels, Java options, and additional volumes and volume mounts, which can have security implications.
  7. And several other files related to the Janssen Helm chart, covering changes to the configuration, deployment, and secret management of various Janssen components.

Code Analysis

We ran 9 analyzers against 26 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

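The bot summary above flags two things a reviewer of such a chart change would want to verify: that the single `{{ .Release.Name }}-configuration-file` Secret and the AWS credentials helpers keep credentials out of ConfigMaps and literal env values, and that secret-backed volumes are mounted with restrictive file modes. The following is an added example, not code from the Janssen charts or this PR: a small Python lint over rendered manifests. It assumes the manifests arrive as parsed dicts (for instance `helm template` output parsed with PyYAML); every resource name, key and value in the sample is constructed, and the credential-name pattern is illustrative rather than exhaustive.

```python
"""Lint rendered Kubernetes manifests for credential-handling mistakes.

Added example, not code from the Janssen charts or this PR. It assumes the
manifests arrive as parsed dicts (for instance `helm template` output parsed
with PyYAML); all resource, key and value names below are constructed.
"""
import re

# Key names that look like credentials (illustrative pattern, not exhaustive).
SENSITIVE_KEY = re.compile(
    r"(access_key|secret_key|secret_access|token|password|passwd|private_key|role_id|secret_id)",
    re.IGNORECASE,
)
# Secret volumes should be readable by the owner only (0400) or owner and group (0440).
ALLOWED_SECRET_MODES = {0o400, 0o440}
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def _pod_spec(manifest):
    """Locate the PodSpec inside a workload; CronJob nests it one level deeper."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "CronJob":
        spec = (spec.get("jobTemplate") or {}).get("spec") or {}
    return (spec.get("template") or {}).get("spec") or {}


def lint_manifests(manifests):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for m in manifests:
        kind = m.get("kind", "?")
        ref = f"{kind}/{(m.get('metadata') or {}).get('name', '<unnamed>')}"
        if kind == "ConfigMap":
            # ConfigMaps are meant for non-sensitive settings; credentials belong in Secrets.
            for key, value in (m.get("data") or {}).items():
                if SENSITIVE_KEY.search(key) and str(value).strip():
                    findings.append(f"{ref}: credential-like key {key!r} stored in a ConfigMap (move to a Secret)")
            continue
        if kind not in WORKLOAD_KINDS:
            continue
        pod = _pod_spec(m)
        for vol in pod.get("volumes") or []:
            src = vol.get("secret")
            if src is None:
                continue
            mode = src.get("defaultMode")
            if mode is None:
                # Kubernetes defaults secret volume files to 0644 when defaultMode is omitted.
                findings.append(f"{ref}: secret volume {vol.get('name')!r} has no defaultMode (defaults to 0644)")
            elif mode not in ALLOWED_SECRET_MODES:
                findings.append(f"{ref}: secret volume {vol.get('name')!r} defaultMode {mode:#o} is too permissive")
        for c in pod.get("containers") or []:
            for env in c.get("env") or []:
                # A literal `value` for a credential-like name lands in the rendered manifest itself.
                if "value" in env and SENSITIVE_KEY.search(env.get("name", "")) and str(env["value"]).strip():
                    findings.append(f"{ref}/{c.get('name')}: env {env['name']} carries a literal value (use valueFrom.secretKeyRef)")
    return findings


# Constructed sample: one ConfigMap and one Deployment, shaped like chart output.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "example-config-cm"},
     "data": {"EXAMPLE_SECRETS_REGION": "us-east-1",        # a setting: fine in a ConfigMap
              "EXAMPLE_VAULT_TOKEN": "placeholder-token"}},  # a credential: flagged
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "example-auth-server"},
     "spec": {"template": {"spec": {
         "volumes": [
             {"name": "configuration-file",
              "secret": {"secretName": "example-configuration-file", "defaultMode": 0o400}},
             {"name": "legacy-creds", "secret": {"secretName": "example-legacy-creds"}},
         ],
         "containers": [{"name": "auth-server", "env": [
             {"name": "EXAMPLE_CONFIGURATION_FILE", "value": "/etc/example/configuration.json"},
             {"name": "EXAMPLE_DB_PASSWORD", "value": "placeholder"},
         ]}],
     }}}},
]

if __name__ == "__main__":
    for line in lint_manifests(SAMPLE_MANIFESTS):
        print(line)
```

Run against the sample it reports three findings: the token in the ConfigMap, the `legacy-creds` volume mounted without a `defaultMode`, and the literal database password; the single `configuration-file` Secret mounted at `0400` passes. In practice you would feed it the output of `helm template` for the chart under review rather than the constructed dicts.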

@mo-auto mo-auto added comp-charts-jans kind-feature Issue or PR is a new feature request labels Sep 6, 2024
iromli and others added 13 commits September 7, 2024 02:09
Signed-off-by: iromli <isman.firmansyah@gmail.com>
…sistence

@mo-auto mo-auto added the area-documentation Documentation needs to change as part of issue or PR label Sep 10, 2024
@iromli iromli marked this pull request as ready for review September 10, 2024 18:23
@iromli iromli requested a review from moabu as a code owner September 10, 2024 18:23
@iromli iromli requested a review from misba7 September 10, 2024 18:23
@iromli iromli self-assigned this Sep 11, 2024
@moabu moabu merged commit 97493c8 into main Sep 12, 2024
10 of 11 checks passed
@moabu moabu deleted the cn-charts-ext-configuration branch September 12, 2024 20:01
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
4 participants