From 8bc18ceff07af578718defcf44e9534f6a9bf1e2 Mon Sep 17 00:00:00 2001
From: as673366
Date: Mon, 11 Aug 2025 15:26:44 +0530
Subject: [PATCH 1/3] enabling operator to read external private key & cert for Dual GW use cases

---
 example/base/kustomization.yaml | 16 ++++++++++++++++
 example/gateway/otk/otk-dmz.yaml | 14 ++++++++++++++
 example/gateway/otk/otk-internal.yaml | 14 ++++++++++++++
 pkg/gateway/reconcile/cron.go | 10 ----------
 4 files changed, 44 insertions(+), 10 deletions(-)

diff --git a/example/base/kustomization.yaml b/example/base/kustomization.yaml
index 222e1bfd..b1c9ec50 100644
--- a/example/base/kustomization.yaml
+++ b/example/base/kustomization.yaml
@@ -68,3 +68,19 @@ secretGenerator:
 # - ./resources/secrets/tls/tls.key
 # type: "kubernetes.io/tls"
+# Create a secret for the OTK Dual Gateway Private Keys
+# Uncomment this section to create your own key & certificate for the DMZ Gateway
+# - name: otkdmztls
+# files:
+# - ./resources/secrets/tls/dmztls.crt
+# - ./resources/secrets/tls/dmztls.key
+# type: "kubernetes.io/tls"
+
+# Uncomment this section to create your own key & certificate for the Internal Gateway
+# - name: otkinternaltls
+# files:
+# - ./resources/secrets/tls/internaltls.crt
+# - ./resources/secrets/tls/internaltls.key
+# type: "kubernetes.io/tls"
+
+
diff --git a/example/gateway/otk/otk-dmz.yaml b/example/gateway/otk/otk-dmz.yaml
index 293ab6a1..2e5f9de8 100644
--- a/example/gateway/otk/otk-dmz.yaml
+++ b/example/gateway/otk/otk-dmz.yaml
@@ -102,6 +102,20 @@ spec:
 enabled: true
 type: dynamic
 encryption: {}
+ externalKeys:
+ - name: otkdmztls
+ alias: test
+ keyUsageType: SSL
+ enabled: true
+ externalCerts:
+ - name: otkinternaltls
+ enabled: true
+ trustAnchor: true
+ revocationCheckPolicyType: USE_DEFAULT
+ trustedFor:
+ - "SSL"
+ - "SIGNING_SERVER_CERTS"
+ # verifyHostname: true
 bootstrap:
 script:
 enabled: true
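Review bot: The added `externalCerts` entry makes the internal gateway's certificate a trust anchor trusted for both `SSL` and `SIGNING_SERVER_CERTS` while the only name check, `# verifyHostname: true`, is left commented out, so a deployment that copies this sample as-is will accept any server certificate chaining to that key regardless of the host it is presented from. For a point-to-point trust between two known gateways the entry can be narrowed to `trustedFor: ["SSL"]` with `verifyHostname: true` uncommented, and the `alias: test` placeholder should either be a real alias or carry a comment saying it must be changed. The entry also names `otkinternaltls`, a `kubernetes.io/tls` Secret that holds the internal gateway's private key, purely to import its certificate; if the operator only reads `tls.crt` for externalCerts that is harmless, but a cert-only object would keep the peer's key Secret out of the DMZ CR entirely, so worth confirming. The same applies to the mirrored block in otk-internal.yaml in the next hunk.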
diff --git a/example/gateway/otk/otk-internal.yaml b/example/gateway/otk/otk-internal.yaml
index a9601e45..cf7d79e6 100644
--- a/example/gateway/otk/otk-internal.yaml
+++ b/example/gateway/otk/otk-internal.yaml
@@ -138,6 +138,20 @@ spec:
 enabled: true
 type: dynamic
 encryption: {}
+ externalKeys:
+ - name: otkinternaltls
+ alias: test
+ keyUsageType: SSL
+ enabled: true
+ externalCerts:
+ - name: otkdmztls
+ enabled: true
+ trustAnchor: true
+ revocationCheckPolicyType: USE_DEFAULT
+ trustedFor:
+ - "SSL"
+ - "SIGNING_SERVER_CERTS"
+ # verifyHostname: true
 bootstrap:
 script:
 enabled: true
diff --git a/pkg/gateway/reconcile/cron.go b/pkg/gateway/reconcile/cron.go
index 979c54f7..72d27c8c 100644
--- a/pkg/gateway/reconcile/cron.go
+++ b/pkg/gateway/reconcile/cron.go
@@ -72,16 +72,6 @@ func registerJobs(ctx context.Context, params Params) {
 if err != nil {
 params.Log.V(2).Info("otk policy sync job already registered", "name", params.Instance.Name, "namespace", params.Instance.Namespace)
 }
- if params.Instance.Spec.App.Otk.Type == securityv1.OtkTypeDMZ || params.Instance.Spec.App.Otk.Type == securityv1.OtkTypeInternal {
- _, err = s.Every(otkSyncInterval).Seconds().Tag(params.Instance.Name+"-"+params.Instance.Namespace+"-sync-otk-certificates").Do(syncOtkCertificates, ctx, params)
- if err != nil {
- params.Log.V(2).Info("otk certificate sync job already registered", "name", params.Instance.Name, "namespace", params.Instance.Namespace)
- }
- _, err = s.Every(otkSyncInterval).Seconds().Tag(params.Instance.Name+"-"+params.Instance.Namespace+"-sync-otk-certificate-secret").Do(manageCertificateSecrets, ctx, params)
- if err != nil {
- params.Log.V(2).Info("otk certificate secret sync job already registered", "name", params.Instance.Name, "namespace", params.Instance.Namespace)
- }
- }
 }
 }

From bbc2a6ea1887dc238d970e88f23cc2861df5bcd8 Mon Sep 17 00:00:00 2001
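Review bot: Dropping the registration of the `syncOtkCertificates` and `manageCertificateSecrets` jobs removes periodic certificate sync for every DMZ and Internal gateway, not only for those that now supply their own keys, so an existing dual-gateway install that relied on operator-managed certificates silently stops getting rotation after this upgrade. The diffstat lists only cron.go, so both functions presumably remain defined but unreferenced in the package. If external keys are meant to replace the sync, gate the registration on them being absent, e.g. `if (…OtkTypeDMZ || …OtkTypeInternal) && len(params.Instance.Spec.App.ExternalKeys) == 0 {`, and delete the two functions once nothing calls them; otherwise the behaviour change belongs in the commit message. registerJobs starts outside the hunk.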
From: as673366
Date: Wed, 15 Oct 2025 13:54:59 +0530
Subject: [PATCH 2/3] updates to accept external key for OTK dmz & internal GWs

---
 api/v1/gateway_types.go | 2 ++
 .../security.brcmlabs.com_gateways.yaml | 33 +++++++++++++++++++
 charts/layer7-operator/crds/gateway-crd.yaml | 28 ++++++++++++++++
 .../bases/security.brcmlabs.com_gateways.yaml | 4 +++
 deploy/cw-bundle.yaml | 28 ++++++++++++++++
 pkg/gateway/reconcile/externalkeys.go | 2 +-
 6 files changed, 96 insertions(+), 1 deletion(-)

diff --git a/api/v1/gateway_types.go b/api/v1/gateway_types.go
index 8ad8787e..e0739aa0 100644
--- a/api/v1/gateway_types.go
+++ b/api/v1/gateway_types.go
@@ -845,6 +845,8 @@ type ExternalKey struct {
 // only one key usage type is allowed
 // SSL | CA | AUDIT_SIGNING | AUDIT_VIEWER
 KeyUsageType KeyUsageType `json:"keyUsageType,omitempty"`
+ // Identifies if the key usage was specific for OTK
+ Otk bool `json:"otk,omitempty"`
 }
 type KeyUsageType string
diff --git a/bundle/manifests/security.brcmlabs.com_gateways.yaml b/bundle/manifests/security.brcmlabs.com_gateways.yaml
index f3909778..7edab7dc 100644
--- a/bundle/manifests/security.brcmlabs.com_gateways.yaml
+++ b/bundle/manifests/security.brcmlabs.com_gateways.yaml
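Review bot: The new `Otk bool` on `ExternalKey` is not read anywhere in this series, and patch 3 adds a separate `Otk.ExternalKeys []ExternalKey` list, which leaves two ways to mark a key as OTK-specific with no visible rule for which one wins. Either drop the flag in favour of the list, or state the precedence on the field so users are not left guessing, e.g. `// Otk marks this key as the OTK SSL key for a DMZ/Internal gateway; ignored when spec.app.otk.externalKeys is set.` — assuming that is the intended contract. The doc comment should also open with the field name per Go convention.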
@@ -3791,6 +3791,34 @@ spec:
 type: object
 otk:
 properties:
+ externalKeys:
+ items:
+ description: |-
+ ExternalKey is a reference to an existing TLS Secret in Kubernetes
+ The Laye
+ properties:
+ otk:
+ description: Identifies if the key usage was specific for OTK
+ type: boolean
+ alias:
+ description: |-
+ Alias overrides the key name that is stored in the Gateway
+ This is useful f
+ type: string
+ enabled:
+ description: Enabled or disabled
+ type: boolean
+ keyUsageType:
+ description: |-
+ KeyUsageType allows keys to be marked as special purpose
+ only one key usage
+ type: string
+ name:
+ description: Name of the kubernetes.io/tls Secret which
+ already exists in Kubernetes
+ type: string
+ type: object
+ type: array
 database:
 description: Database configuration
 properties:
@@ -6427,6 +6455,11 @@ spec:
 items:
 type: string
 type: array
+ lastAppliedExternalOtkKeys:
+ description: LastAppliedExternalOtkKeys
+ items:
+ type: string
+ type: array
 lastAppliedExternalSecrets:
 additionalProperties:
 items:
diff --git a/charts/layer7-operator/crds/gateway-crd.yaml b/charts/layer7-operator/crds/gateway-crd.yaml
index 45d13ae7..7e4f57ff 100644
--- a/charts/layer7-operator/crds/gateway-crd.yaml
+++ b/charts/layer7-operator/crds/gateway-crd.yaml
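Review bot: This CRD hunk looks hand-edited rather than generated: `otk` is listed before `alias`, whereas controller-gen emits properties alphabetically (compare the config/crd/bases hunk in patch 3), and the second hunk adds `status.lastAppliedExternalOtkKeys`, a field with no counterpart in the Go types anywhere in this series that patch 3 removes again. As committed, the bundle schema advertises a status field the controller never writes. The bundle, chart and config/crd copies should all come from one regeneration run from the types (whatever manifests target the repo uses) so the three cannot drift.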
@@ -3790,6 +3790,34 @@ spec:
 type: object
 otk:
 properties:
+ externalKeys:
+ items:
+ description: |-
+ ExternalKey is a reference to an existing TLS Secret in Kubernetes
+ The Laye
+ properties:
+ otk:
+ description: Identifies if the key usage was specific for OTK
+ type: boolean
+ alias:
+ description: |-
+ Alias overrides the key name that is stored in the Gateway
+ This is useful f
+ type: string
+ enabled:
+ description: Enabled or disabled
+ type: boolean
+ keyUsageType:
+ description: |-
+ KeyUsageType allows keys to be marked as special purpose
+ only one key usage
+ type: string
+ name:
+ description: Name of the kubernetes.io/tls Secret which
+ already exists in Kubernetes
+ type: string
+ type: object
+ type: array
 database:
 description: Database configuration
 properties:
diff --git a/config/crd/bases/security.brcmlabs.com_gateways.yaml b/config/crd/bases/security.brcmlabs.com_gateways.yaml
index e0971f4d..d017438c 100644
--- a/config/crd/bases/security.brcmlabs.com_gateways.yaml
+++ b/config/crd/bases/security.brcmlabs.com_gateways.yaml
@@ -1588,6 +1588,10 @@ spec:
 description: Name of the kubernetes.io/tls Secret which
 already exists in Kubernetes
 type: string
+ otk:
+ description: Identifies if the key usage was specific for
+ OTK
+ type: boolean
 type: object
 type: array
 externalSecrets:
diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml
index dc9f3c92..c5da3ac0 100644
--- a/deploy/cw-bundle.yaml
+++ b/deploy/cw-bundle.yaml
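Review bot: After this patch the CRD copies disagree: the chart CRD (this hunk) gains `otk.externalKeys` but not the `otk` boolean on `app.externalKeys`, while config/crd/bases gains only the boolean and no `otk.externalKeys`, and `otk.externalKeys` has no backing Go field until patch 3. A CR setting `spec.app.otk.externalKeys` is therefore accepted by the chart-installed CRD but, with the field unknown to the Go type at this commit, presumably dropped on decode in the controller rather than applied, while the same CR is pruned or rejected under the config/crd schema. Regenerating every copy from the types in one step, in the same commit as the type change, avoids this class of mismatch.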
@@ -3798,6 +3798,34 @@ spec:
 type: object
 otk:
 properties:
+ externalKeys:
+ items:
+ description: |-
+ ExternalKey is a reference to an existing TLS Secret in Kubernetes
+ The Laye
+ properties:
+ otk:
+ description: Identifies if the key usage was specific for OTK
+ type: boolean
+ alias:
+ description: |-
+ Alias overrides the key name that is stored in the Gateway
+ This is useful f
+ type: string
+ enabled:
+ description: Enabled or disabled
+ type: boolean
+ keyUsageType:
+ description: |-
+ KeyUsageType allows keys to be marked as special purpose
+ only one key usage
+ type: string
+ name:
+ description: Name of the kubernetes.io/tls Secret which
+ already exists in Kubernetes
+ type: string
+ type: object
+ type: array
 database:
 description: Database configuration
 properties:
diff --git a/pkg/gateway/reconcile/externalkeys.go b/pkg/gateway/reconcile/externalkeys.go
index de07af50..277df0d1 100644
--- a/pkg/gateway/reconcile/externalkeys.go
+++ b/pkg/gateway/reconcile/externalkeys.go
@@ -32,7 +32,7 @@ import (
 func ExternalKeys(ctx context.Context, params Params) error {
 gateway := params.Instance
- if len(gateway.Spec.App.ExternalKeys) == 0 && len(gateway.Status.LastAppliedExternalKeys) == 0 {
+ if len(gateway.Spec.App.ExternalKeys) == 0 || len(gateway.Spec.App.Otk.ExternalKeys) == 0 && len(gateway.Status.LastAppliedExternalKeys) == 0 {
 return nil
 }

From 193dd22a69e85c88aaffa8d088908b71a05ec997 Mon Sep 17 00:00:00 2001
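Review bot: The new early-return condition is wrong on two counts: Go binds `&&` tighter than `||`, so it parses as `len(App.ExternalKeys) == 0 || (len(Otk.ExternalKeys) == 0 && len(LastAppliedExternalKeys) == 0)` and returns whenever `spec.app.externalKeys` is empty, even when `status.lastAppliedExternalKeys` still lists keys that must be removed from the gateway — so removed keys stay installed. It also references `gateway.Spec.App.Otk.ExternalKeys`, which is only added to the type in patch 3, so this commit does not build on its own (patch 3 then reverts the line). If both lists are meant to drive this reconciler the guard is `if len(gateway.Spec.App.ExternalKeys) == 0 && len(gateway.Spec.App.Otk.ExternalKeys) == 0 && len(gateway.Status.LastAppliedExternalKeys) == 0 {`, and the body of ExternalKeys, which continues outside the hunk, would need to iterate both lists.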
From: as673366
Date: Tue, 28 Oct 2025 10:13:07 +0530
Subject: [PATCH 3/3] parking changes to fix existing minor issues in duql gw otk deployment

---
 api/v1/gateway_types.go | 1 +
 api/v1/zz_generated.deepcopy.go | 5 +
 .../security.brcmlabs.com_gateways.yaml | 5 -
 .../bases/security.brcmlabs.com_gateways.yaml | 29 ++++++
 pkg/gateway/deployment.go | 94 +++++++++++++------
 pkg/gateway/reconcile/deployment.go | 2 +-
 pkg/gateway/reconcile/externalkeys.go | 3 +-
 pkg/gateway/reconcile/secret.go | 2 +-
 pkg/gateway/secrets.go | 32 ++++---
 pkg/util/graphman.go | 19 ++--
 10 files changed, 133 insertions(+), 59 deletions(-)

diff --git a/api/v1/gateway_types.go b/api/v1/gateway_types.go
index e0739aa0..84c0934e 100644
--- a/api/v1/gateway_types.go
+++ b/api/v1/gateway_types.go
@@ -323,6 +323,7 @@ type Otk struct {
 MaintenanceTasks OtkMaintenanceTasks `json:"maintenanceTasks,omitempty"`
 // RuntimeSyncIntervalSeconds how often OTK Gateways should be updated in internal/dmz mode
 RuntimeSyncIntervalSeconds int `json:"runtimeSyncIntervalSeconds,omitempty"`
+ ExternalKeys []ExternalKey `json:"externalKeys,omitempty"`
 }
 // OtkMaintenanceTasks are included in the install bundle as disabled scheduled tasks
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
index 1d284f96..fa082fb9 100644
--- a/api/v1/zz_generated.deepcopy.go
+++ b/api/v1/zz_generated.deepcopy.go
@@ -1028,6 +1028,11 @@ func (in *Otk) DeepCopyInto(out *Otk) {
 copy(*out, *in)
 }
 out.MaintenanceTasks = in.MaintenanceTasks
+ if in.ExternalKeys != nil {
+ in, out := &in.ExternalKeys, &out.ExternalKeys
+ *out = make([]ExternalKey, len(*in))
+ copy(*out, *in)
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Otk.
diff --git a/bundle/manifests/security.brcmlabs.com_gateways.yaml b/bundle/manifests/security.brcmlabs.com_gateways.yaml
index 7edab7dc..59f232fd 100644
--- a/bundle/manifests/security.brcmlabs.com_gateways.yaml
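Review bot: `ExternalKeys` is the only field in the visible part of `Otk` without a doc comment, and after this patch reverts the externalkeys.go condition nothing in the series reads it, so a user who sets `spec.app.otk.externalKeys` gets a schema-validated but inert field. Add a comment stating the contract, e.g. `// ExternalKeys are kubernetes.io/tls Secrets holding the SSL key a DMZ or Internal OTK gateway should use; see ExternalKey.` (adjust to the actual intent), and either wire the list into the ExternalKeys reconciler in this series or hold the API addition until it is consumed, since a released CRD field is hard to retract.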
+++ b/bundle/manifests/security.brcmlabs.com_gateways.yaml
@@ -6455,11 +6455,6 @@ spec:
 items:
 type: string
 type: array
- lastAppliedExternalOtkKeys:
- description: LastAppliedExternalOtkKeys
- items:
- type: string
- type: array
 lastAppliedExternalSecrets:
 additionalProperties:
 items:
diff --git a/config/crd/bases/security.brcmlabs.com_gateways.yaml b/config/crd/bases/security.brcmlabs.com_gateways.yaml
index d017438c..13dd4da1 100644
--- a/config/crd/bases/security.brcmlabs.com_gateways.yaml
+++ b/config/crd/bases/security.brcmlabs.com_gateways.yaml
@@ -4006,6 +4006,35 @@ spec:
 enabled:
 description: Enable or disable the OTK initContainer
 type: boolean
+ externalKeys:
+ items:
+ description: |-
+ ExternalKey is a reference to an existing TLS Secret in Kubernetes
+ The Laye
+ properties:
+ alias:
+ description: |-
+ Alias overrides the key name that is stored in the Gateway
+ This is useful f
+ type: string
+ enabled:
+ description: Enabled or disabled
+ type: boolean
+ keyUsageType:
+ description: |-
+ KeyUsageType allows keys to be marked as special purpose
+ only one key usage
+ type: string
+ name:
+ description: Name of the kubernetes.io/tls Secret which
+ already exists in Kubernetes
+ type: string
+ otk:
+ description: Identifies if the key usage was specific
+ for OTK
+ type: boolean
+ type: object
+ type: array
 initContainerImage:
 description: InitContainerImage for the initContainer
 type: string
diff --git a/pkg/gateway/deployment.go b/pkg/gateway/deployment.go
index 4d485cde..6a8119e4 100644
--- a/pkg/gateway/deployment.go
+++ b/pkg/gateway/deployment.go
@@ -43,6 +43,7 @@ func NewDeployment(gw *securityv1.Gateway, platform string) *appsv1.Deployment {
 var image string = gw.Spec.App.Image
 defaultMode := int32(0755)
 optional := false
+ optionalTrue := true
 ports := []corev1.ContainerPort{}
 defaultUser := int64(1001)
@@ -895,41 +896,80 @@ func NewDeployment(gw *securityv1.Gateway, platform string) *appsv1.Deployment {
 }
 }
- if otkInstallInitContainer {
- initContainers = append(initContainers, corev1.Container{
- Name: "otk-install-init",
- Image: otkInitContainerImage,
- ImagePullPolicy: otkInitContainerImagePullPolicy,
- SecurityContext: &otkInitContainerSecurityContext,
- VolumeMounts: otkInitContainerVolumeMounts,
- EnvFrom: []corev1.EnvFromSource{
- {
- ConfigMapRef: &corev1.ConfigMapEnvSource{
- LocalObjectReference: corev1.LocalObjectReference{
- Name: gw.Name + "-otk-shared-init-config",
+ if gw.Spec.App.Otk.Type == securityv1.OtkTypeDMZ {
+ if otkInstallInitContainer {
+ initContainers = append(initContainers, corev1.Container{
+ Name: "otk-install-init",
+ Image: otkInitContainerImage,
+ ImagePullPolicy: otkInitContainerImagePullPolicy,
+ SecurityContext: &otkInitContainerSecurityContext,
+ VolumeMounts: otkInitContainerVolumeMounts,
+ EnvFrom: []corev1.EnvFromSource{
+ {
+ ConfigMapRef: &corev1.ConfigMapEnvSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: gw.Name + "-otk-shared-init-config",
+ },
 },
 },
- },
- {
- ConfigMapRef: &corev1.ConfigMapEnvSource{
- LocalObjectReference: corev1.LocalObjectReference{
- Name: gw.Name + "-otk-install-init-config",
+ {
+ ConfigMapRef: &corev1.ConfigMapEnvSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: gw.Name + "-otk-install-init-config",
+ },
+ Optional: &optional,
+ },
+ },
+ {
+ SecretRef: &corev1.SecretEnvSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: otkInitContainerSecret,
+ },
+ Optional: &optionalTrue,
 },
- Optional: &optional,
 },
 },
- {
- SecretRef: &corev1.SecretEnvSource{
- LocalObjectReference: corev1.LocalObjectReference{
- Name: otkInitContainerSecret,
+ TerminationMessagePath: corev1.TerminationMessagePathDefault,
+ TerminationMessagePolicy: corev1.TerminationMessageReadFile,
+ })
+ }
+ } else {
+ if otkInstallInitContainer {
+ initContainers = append(initContainers, corev1.Container{
+ Name: "otk-install-init",
+ Image: otkInitContainerImage,
+ ImagePullPolicy: otkInitContainerImagePullPolicy,
+ SecurityContext: &otkInitContainerSecurityContext,
+ VolumeMounts: otkInitContainerVolumeMounts,
+ EnvFrom: []corev1.EnvFromSource{
+ {
+ ConfigMapRef: &corev1.ConfigMapEnvSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: gw.Name + "-otk-shared-init-config",
+ },
+ },
+ },
+ {
+ ConfigMapRef: &corev1.ConfigMapEnvSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: gw.Name + "-otk-install-init-config",
+ },
+ Optional: &optional,
+ },
+ },
+ {
+ SecretRef: &corev1.SecretEnvSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: otkInitContainerSecret,
+ },
+ Optional: &optional,
 },
- Optional: &optional,
 },
 },
- },
- TerminationMessagePath: corev1.TerminationMessagePathDefault,
- TerminationMessagePolicy: corev1.TerminationMessageReadFile,
- })
+ TerminationMessagePath: corev1.TerminationMessagePathDefault,
+ TerminationMessagePolicy: corev1.TerminationMessageReadFile,
+ })
+ }
 }
 if otkDbInitContainer && gw.Spec.App.Otk.Database.Type != securityv1.OtkDatabaseTypeCassandra && (gw.Spec.App.Otk.Type == securityv1.OtkTypeInternal || gw.Spec.App.Otk.Type == securityv1.OtkTypeSingle) {
diff --git a/pkg/gateway/reconcile/deployment.go b/pkg/gateway/reconcile/deployment.go
index 0effc9b3..38973439 100644
--- a/pkg/gateway/reconcile/deployment.go
+++ b/pkg/gateway/reconcile/deployment.go
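Review bot: The DMZ and non-DMZ branches are identical copies of the `otk-install-init` container literal except for `Optional` on the `SecretRef` (`&optionalTrue` for DMZ, `&optional` otherwise), which buries the one real difference and gives the two copies every chance to drift. One container literal with `secretOptional := gw.Spec.App.Otk.Type == securityv1.OtkTypeDMZ` expresses the same thing and makes the `optionalTrue` variable from the earlier hunk unnecessary. Making the secret optional also means a DMZ gateway whose `otkInitContainerSecret` is missing or mis-named now starts the init container with no credentials and fails later rather than at pod creation, so the reason (this series treats DMZ as having no OTK database, see the secret.go and secrets.go hunks) deserves a comment. NewDeployment starts and ends outside the hunk.

```go
	// This series treats a DMZ gateway as having no OTK database, so its
	// credentials Secret is optional; Internal/Single must fail at pod
	// creation if the Secret is missing rather than start without it.
	secretOptional := gw.Spec.App.Otk.Type == securityv1.OtkTypeDMZ
	if otkInstallInitContainer {
		initContainers = append(initContainers, corev1.Container{
			// … unchanged: Name, Image, ImagePullPolicy, SecurityContext, VolumeMounts …
			EnvFrom: []corev1.EnvFromSource{
				// … unchanged: the two ConfigMapRef entries …
				{
					SecretRef: &corev1.SecretEnvSource{
						LocalObjectReference: corev1.LocalObjectReference{
							Name: otkInitContainerSecret,
						},
						Optional: &secretOptional,
					},
				},
			},
			TerminationMessagePath:   corev1.TerminationMessagePathDefault,
			TerminationMessagePolicy: corev1.TerminationMessageReadFile,
		})
	}
```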
@@ -141,7 +141,7 @@ func setLabels(ctx context.Context, params Params, dep *appsv1.Deployment) (*app
 if params.Instance.Spec.App.Otk.Enabled && !params.Instance.Spec.App.Management.Database.Enabled {
 configMaps = append(configMaps, params.Instance.Name+"-otk-shared-init-config", params.Instance.Name+"-otk-install-init-config")
- if params.Instance.Spec.App.Otk.Database.Type != securityv1.OtkDatabaseTypeCassandra {
+ if params.Instance.Spec.App.Otk.Database.Type != securityv1.OtkDatabaseTypeCassandra && params.Instance.Spec.App.Otk.Type != securityv1.OtkTypeDMZ {
 configMaps = append(configMaps, params.Instance.Name+"-otk-db-init-config")
 }
 }
diff --git a/pkg/gateway/reconcile/externalkeys.go b/pkg/gateway/reconcile/externalkeys.go
index 277df0d1..7ee15ae7 100644
--- a/pkg/gateway/reconcile/externalkeys.go
+++ b/pkg/gateway/reconcile/externalkeys.go
@@ -32,7 +32,8 @@ import (
 func ExternalKeys(ctx context.Context, params Params) error {
 gateway := params.Instance
- if len(gateway.Spec.App.ExternalKeys) == 0 || len(gateway.Spec.App.Otk.ExternalKeys) == 0 && len(gateway.Status.LastAppliedExternalKeys) == 0 {
+ if len(gateway.Spec.App.ExternalKeys) == 0 && len(gateway.Status.LastAppliedExternalKeys) == 0 {
+ //if (len(gateway.Spec.App.ExternalKeys) == 0 || len(gateway.Spec.App.Otk.ExternalKeys) == 0) && len(gateway.Status.LastAppliedExternalKeys) == 0 {
 return nil
 }
diff --git a/pkg/gateway/reconcile/secret.go b/pkg/gateway/reconcile/secret.go
index bf5796f8..26223446 100644
--- a/pkg/gateway/reconcile/secret.go
+++ b/pkg/gateway/reconcile/secret.go
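Review bot: The revert leaves a commented-out alternative (`//if (len(…ExternalKeys) == 0 || len(…Otk.ExternalKeys) == 0) && …`) inside the function body; commented-out code should not land, and that variant is itself wrong because it returns early when either list is empty rather than when both are. If `spec.app.otk.externalKeys` is meant to be handled by this reconciler the guard is `if len(gateway.Spec.App.ExternalKeys) == 0 && len(gateway.Spec.App.Otk.ExternalKeys) == 0 && len(gateway.Status.LastAppliedExternalKeys) == 0 {`, with the key loop below (outside the hunk) extended to both lists; otherwise delete the comment so the field's status is not left ambiguous.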
@@ -29,7 +29,7 @@ func Secrets(ctx context.Context, params Params) error {
 desiredSecrets = append(desiredSecrets, desiredSecret)
 }
- if params.Instance.Spec.App.Otk.Enabled && params.Instance.Spec.App.Otk.Database.Auth != (securityv1.OtkDatabaseAuth{}) && params.Instance.Spec.App.Otk.Database.Auth.ExistingSecret == "" {
+ if params.Instance.Spec.App.Otk.Enabled && params.Instance.Spec.App.Otk.Type != securityv1.OtkTypeDMZ && params.Instance.Spec.App.Otk.Database.Auth != (securityv1.OtkDatabaseAuth{}) && params.Instance.Spec.App.Otk.Database.Auth.ExistingSecret == "" {
 desiredSecret, err := gateway.NewSecret(params.Instance, params.Instance.Name+"-otk-db-credentials")
 if err != nil {
 return err
diff --git a/pkg/gateway/secrets.go b/pkg/gateway/secrets.go
index fda27885..f115b8e7 100644
--- a/pkg/gateway/secrets.go
+++ b/pkg/gateway/secrets.go
@@ -38,21 +38,23 @@ func NewSecret(gw *securityv1.Gateway, name string) (*corev1.Secret, error) {
 data["node.properties"] = []byte(nodeProperties)
 case gw.Name + "-otk-db-credentials":
- if gw.Spec.App.Otk.Database.Auth.GatewayUser != (securityv1.OtkDatabaseAuthCredentials{}) {
- data["OTK_DATABASE_USERNAME"] = []byte(gw.Spec.App.Otk.Database.Auth.GatewayUser.Username)
- data["OTK_DATABASE_PASSWORD"] = []byte(gw.Spec.App.Otk.Database.Auth.GatewayUser.Password)
- }
- if gw.Spec.App.Otk.Database.Auth.AdminUser != (securityv1.OtkDatabaseAuthCredentials{}) {
- data["OTK_DATABASE_DDL_USERNAME"] = []byte(gw.Spec.App.Otk.Database.Auth.AdminUser.Username)
- data["OTK_DATABASE_DDL_PASSWORD"] = []byte(gw.Spec.App.Otk.Database.Auth.AdminUser.Password)
- }
- if gw.Spec.App.Otk.Database.Auth.ReadOnlyUser != (securityv1.OtkDatabaseAuthCredentials{}) {
- data["OTK_RO_DATABASE_USERNAME"] = []byte(gw.Spec.App.Otk.Database.Auth.ReadOnlyUser.Username)
- data["OTK_RO_DATABASE_PASSWORD"] = []byte(gw.Spec.App.Otk.Database.Auth.ReadOnlyUser.Password)
- }
- if gw.Spec.App.Otk.Database.Auth.ClientReadOnlyUser != (securityv1.OtkDatabaseAuthCredentials{}) {
- data["OTK_CLIENT_READ_DATABASE_USERNAME"] = []byte(gw.Spec.App.Otk.Database.Auth.ClientReadOnlyUser.Username)
- data["OTK_CLIENT_READ_DATABASE_PASSWORD"] = []byte(gw.Spec.App.Otk.Database.Auth.ClientReadOnlyUser.Password)
+ if gw.Spec.App.Otk.Type != securityv1.OtkTypeDMZ {
+ if gw.Spec.App.Otk.Database.Auth.GatewayUser != (securityv1.OtkDatabaseAuthCredentials{}) {
+ data["OTK_DATABASE_USERNAME"] = []byte(gw.Spec.App.Otk.Database.Auth.GatewayUser.Username)
+ data["OTK_DATABASE_PASSWORD"] = []byte(gw.Spec.App.Otk.Database.Auth.GatewayUser.Password)
+ }
+ if gw.Spec.App.Otk.Database.Auth.AdminUser != (securityv1.OtkDatabaseAuthCredentials{}) {
+ data["OTK_DATABASE_DDL_USERNAME"] = []byte(gw.Spec.App.Otk.Database.Auth.AdminUser.Username)
+ data["OTK_DATABASE_DDL_PASSWORD"] = []byte(gw.Spec.App.Otk.Database.Auth.AdminUser.Password)
+ }
+ if gw.Spec.App.Otk.Database.Auth.ReadOnlyUser != (securityv1.OtkDatabaseAuthCredentials{}) {
+ data["OTK_RO_DATABASE_USERNAME"] = []byte(gw.Spec.App.Otk.Database.Auth.ReadOnlyUser.Username)
+ data["OTK_RO_DATABASE_PASSWORD"] = []byte(gw.Spec.App.Otk.Database.Auth.ReadOnlyUser.Password)
+ }
+ if gw.Spec.App.Otk.Database.Auth.ClientReadOnlyUser != (securityv1.OtkDatabaseAuthCredentials{}) {
+ data["OTK_CLIENT_READ_DATABASE_USERNAME"] = []byte(gw.Spec.App.Otk.Database.Auth.ClientReadOnlyUser.Username)
+ data["OTK_CLIENT_READ_DATABASE_PASSWORD"] = []byte(gw.Spec.App.Otk.Database.Auth.ClientReadOnlyUser.Password)
+ }
 }
 case gw.Name + "-shared-state-client-configuration":
diff --git a/pkg/util/graphman.go b/pkg/util/graphman.go
index a5044221..ee5d7a4c 100644
--- a/pkg/util/graphman.go
+++ b/pkg/util/graphman.go
@@ -540,6 +540,12 @@ func BuildOtkOverrideBundle(mode string, gatewayHost string, otkPort int) ([]byt
 }
 }
+ bundle.ClusterProperties = append(bundle.ClusterProperties, &graphman.ClusterPropertyInput{
+ Name: "otk.port",
+ Value: strconv.Itoa(otkPort),
+ Description: "OTK Port",
+ })
+
 bundle.FederatedIdps = append(bundle.FederatedIdps, &graphman.FederatedIdpInput{
 Name: "otk-fips-provider",
 Goid: fipsProviderGuid,
@@ -549,11 +555,6 @@ func BuildOtkOverrideBundle(mode string, gatewayHost string, otkPort int) ([]byt
 TrustedCerts: []*graphman.TrustedCertPartialInput{},
 })
- bundle.ClusterProperties = append(bundle.ClusterProperties, &graphman.ClusterPropertyInput{
- Name: "otk.port",
- Value: strconv.Itoa(otkPort),
- Description: "OTK Port",
- })
 case "DMZ":
 for _, externalPolicy := range externalPolicies {
 switch externalPolicy {
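Review bot: With the new guard `NewSecret` returns an empty `-otk-db-credentials` Secret for a DMZ gateway instead of credentials, and since the caller in reconcile/secret.go now skips DMZ in the same patch, this case is unreachable for DMZ and the inner `if` only adds a nesting level around four otherwise unchanged blocks. Either keep the single check at the call site and drop this one, or make this one fail loudly so an empty credentials Secret can never be created, e.g. `return nil, fmt.Errorf("%s: otk database credentials do not apply to a DMZ gateway", name)` (using whichever error package the file already imports). NewSecret starts and ends outside the hunk.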
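Review bot: Moving the `otk.port` cluster property above the `otk-fips-provider` federated IdP in the INTERNAL case only reorders two independent appends, so these two hunks have no functional effect I can see; if the order of entries in the generated bundle matters, say so in the commit, otherwise this is churn. The same five-line `bundle.ClusterProperties = append(…"otk.port"…)` now exists in the INTERNAL, DMZ and SINGLE cases; one copy placed after the `switch mode` would replace all three, provided no mode is supposed to omit it. BuildOtkOverrideBundle starts and ends outside the hunk.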
@@ -578,11 +579,11 @@ func BuildOtkOverrideBundle(mode string, gatewayHost string, otkPort int) ([]byt
 Soap: false,
 })
 }
-
+ }
 bundle.ClusterProperties = append(bundle.ClusterProperties, &graphman.ClusterPropertyInput{
- Name: "otk.port",
- Value: strconv.Itoa(otkPort),
- Description: "OTK Port",
+ Name: "otk.port",
+ Value: strconv.Itoa(otkPort),
+ Description: "OTK Port",
 })
 case "SINGLE":
 bundle.ClusterProperties = append(bundle.ClusterProperties, &graphman.ClusterPropertyInput{
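Review bot: The added `}` changes the nesting of the `otk.port` append in the DMZ case — the three `Name`/`Value`/`Description` lines differ only in alignment, which is gofmt following the indentation change — and it reads as moving the append out of the `for _, externalPolicy := range externalPolicies` loop so the property is emitted once rather than once per policy. If that is right it is a real behaviour fix hidden under "parking changes" and deserves a sentence in the commit message plus a test asserting `otk.port` appears exactly once in the DMZ bundle; if the old code was balanced differently, the commit should say what the brace fixes. Hoisting the per-case copies of this append after the `switch mode` would remove the need for this change. BuildOtkOverrideBundle starts and ends outside the hunk.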