
feat(cloud-native): add support for SSL connection to persistence#2289

Merged: moabu merged 3 commits into main from cn-ssl-conn on Sep 22, 2025

Conversation

@iromli (Contributor) commented Sep 20, 2025

Some notable changes:

  • add new attributes to enforce SSL connection to persistence
  • mounted volumes for CA cert, client cert and key (used primarily by configurator to bypass locking while injecting secrets; other components will have files pulled from secrets)

Closes #2288

Signed-off-by: iromli <isman.firmansyah@gmail.com>
…-one charts

Signed-off-by: iromli <isman.firmansyah@gmail.com>
@iromli iromli requested a review from misba7 September 20, 2025 22:16
@iromli iromli self-assigned this Sep 20, 2025
@iromli iromli requested a review from moabu as a code owner September 20, 2025 22:16

Signed-off-by: iromli <isman.firmansyah@gmail.com>
@mo-auto mo-auto added labels area-documentation, comp-charts-flex, comp-docker-admin-ui and kind-feature on Sep 20, 2025
items:
- key: sql_client_key.pem
path: sql_client_key.pem
{{- end }}
Member

Likely runtime permission issue on client key; add fsGroup or relax mode; also gate volumes per data and mark optional.

  • defaultMode: 0640 with default root:root ownership is unreadable by runAsUser 1000 unless fsGroup is set; TLS will fail.
  • Gate each secret volume on the corresponding value and mark client cert/key as optional to avoid hard fails when not using mTLS.

Apply this diff:

-      {{- if .Values.configmap.cnSqlSslEnabled }}
-        - name: {{ .Release.Name }}-sql-ssl-ca-cert
-          secret:
-            secretName: {{ .Release.Name }}-sql-ssl
-            items:
-              - key: sql_cacert.pem
-                path: sql_cacert.pem
-        - name: {{ .Release.Name }}-sql-ssl-client-cert
-          secret:
-            secretName: {{ .Release.Name }}-sql-ssl
-            items:
-              - key: sql_client_cert.pem
-                path: sql_client_cert.pem
-        - name: {{ .Release.Name }}-sql-ssl-client-key
-          secret:
-            secretName: {{ .Release.Name }}-sql-ssl
-            defaultMode: 0640
-            items:
-              - key: sql_client_key.pem
-                path: sql_client_key.pem
-      {{- end }}
+      {{- if .Values.configmap.cnSqlSslEnabled }}
+        {{- if .Values.configmap.cnSqlSslCaCert }}
+        - name: {{ .Release.Name }}-sql-ssl-ca-cert
+          secret:
+            secretName: {{ .Release.Name }}-sql-ssl
+            optional: true
+            items:
+              - key: sql_cacert.pem
+                path: sql_cacert.pem
+        {{- end }}
+        {{- if .Values.configmap.cnSqlSslClientCert }}
+        - name: {{ .Release.Name }}-sql-ssl-client-cert
+          secret:
+            secretName: {{ .Release.Name }}-sql-ssl
+            optional: true
+            items:
+              - key: sql_client_cert.pem
+                path: sql_client_cert.pem
+        {{- end }}
+        {{- if .Values.configmap.cnSqlSslClientKey }}
+        - name: {{ .Release.Name }}-sql-ssl-client-key
+          secret:
+            secretName: {{ .Release.Name }}-sql-ssl
+            optional: true
+            defaultMode: 0440
+            items:
+              - key: sql_client_key.pem
+                path: sql_client_key.pem
+        {{- end }}
+      {{- end }}
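Review bot: the `optional: true` added under each `secret:` in the `+` lines trades a fast, visible failure for a late one: if the `{{ .Release.Name }}-sql-ssl` secret is absent, the pod still starts with an empty mount and the SQL client only fails at connect time, which is harder to spot than a pod stuck in ContainerCreating. The per-value `{{- if .Values.configmap.cnSqlSslCaCert }}` / `...ClientCert` / `...ClientKey` guards already ensure a volume is declared only when the matching value was supplied, and the thread confirms those values are rendered into that same secret, so `optional: true` can be dropped while keeping the guards and the `defaultMode: 0440` on the key.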

Add pod securityContext (outside the changed hunk) so the container can read 0440/0640 files:

# under: spec:
securityContext:
  fsGroup: 1000
  fsGroupChangePolicy: OnRootMismatch

sql_cacert.pem: {{ .Values.configmap.cnSqlSslCaCert }}
sql_client_cert.pem: {{ .Values.configmap.cnSqlSslClientCert }}
sql_client_key.pem: {{ .Values.configmap.cnSqlSslClientKey }}
{{- end }}
Member

Fix the incorrect annotation reference.

Line 76 references .Values.config.customAnnotations.secret but should reference .Values.customAnnotations.secret to match the pattern used elsewhere in the template.

Apply this diff to fix the annotation reference:

-{{- if .Values.config.customAnnotations.secret }}
-{{ toYaml .Values.customAnnotations.secret | indent 4 }}
+{{- if .Values.customAnnotations.secret }}
+{{ toYaml .Values.customAnnotations.secret | indent 4 }}
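Review bot: the `-`/`+` pair only changes the guard key, but it matters beyond consistency with the `toYaml` line: if `.Values.config` does not define a `customAnnotations` map, the old guard `.Values.config.customAnnotations.secret` fails template rendering with a nil-pointer error instead of simply skipping the annotations, whereas the corrected guard reads the same `.Values.customAnnotations.secret` key the `toYaml` line already uses.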

# -- Base64-encoded string of client certificate signed by CA. Required if using client cert authentication.
cnSqlSslClientCert: ""
# -- Base64-encoded string of client key signed by CA. Required if using client cert authentication.
cnSqlSslClientKey: ""
Member

Clarify private key comment (not “signed”).

Apply this edit:

-  # -- Base64-encoded string of client key signed by CA. Required if using client cert authentication.
+  # -- Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication.

| configmap.cnSqlSslClientCert | string | `""` | Base64-encoded string of client certificate signed by CA. Required if using client cert authentication. |
| configmap.cnSqlSslClientKey | string | `""` | Base64-encoded string of client key signed by CA. Required if using client cert authentication. |
| configmap.cnSqlSslEnabled | bool | `false` | Enforce connection to SQL database using SSL. |
| configmap.cnSqlSslMode | string | `""` | Mode when connecting to SQL database using SSL. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`. |
Member

Fix wording and add a security note around private keys.

  • “client key signed by CA” is incorrect; keys aren’t signed. Say “client private key corresponding to the client certificate.”
  • Consider adding a short warning not to commit real private keys in values; ensure they’re sourced securely and only rendered into Kubernetes Secrets (never ConfigMaps or logs).

Apply this edit:

-| configmap.cnSqlSslClientKey | string | `""` | Base64-encoded string of client key signed by CA. Required if using client cert authentication. |
+| configmap.cnSqlSslClientKey | string | `""` | Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication. |

# -- Base64-encoded string of client certificate signed by CA. Required if using client cert authentication.
cnSqlSslClientCert: ""
# -- Base64-encoded string of client key signed by CA. Required if using client cert authentication.
cnSqlSslClientKey: ""
Member

Clarify cnSqlSslClientKey comment; confirmed cert/key are stored in Secrets only

  • Apply this change in charts/gluu/charts/config/values.yaml:
-  # -- Base64-encoded string of client key signed by CA. Required if using client cert authentication.
+  # -- Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication.
  • Verified: cnSqlSslClientCert/ClientKey are rendered into Secrets (charts/gluu/charts/config/templates/secrets.yaml, charts/gluu-all-in-one/templates/secret.yaml) and consumed from those secrets (load-init-config.yml, deployment.yml); they are not placed into configmaps (configmaps.yaml only sets CN_SQL_SSL_ENABLED / CN_SQL_SSL_MODE).
  • Optional: apply the same wording change to other occurrences (charts/gluu/values.yaml, charts/gluu-all-in-one/values.yaml, and relevant README files).

| config.configmap.cnSqlSslClientCert | string | `""` | Base64-encoded string of client certificate signed by CA. Required if using client cert authentication. |
| config.configmap.cnSqlSslClientKey | string | `""` | Base64-encoded string of client key signed by CA. Required if using client cert authentication. |
| config.configmap.cnSqlSslEnabled | bool | `false` | Enforce connection to SQL database using SSL. |
| config.configmap.cnSqlSslMode | string | `""` | Mode when connecting to SQL database using SSL. If using MySQL, choose one of `PREFERRED`, `REQUIRED`, `VERIFY_CA`, or `VERIFY_IDENTITY`. If using PostgreSQL, choose one of `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`. |
Member

Fix terminology: client key wording.

Apply this edit:

-| config.configmap.cnSqlSslClientKey | string | `""` | Base64-encoded string of client key signed by CA. Required if using client cert authentication. |
+| config.configmap.cnSqlSslClientKey | string | `""` | Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication. |

# -- Base64-encoded string of client certificate signed by CA. Required if using client cert authentication.
cnSqlSslClientCert: ""
# -- Base64-encoded string of client key signed by CA. Required if using client cert authentication.
cnSqlSslClientKey: ""
Member

Same comment wording issue; tighten phrasing for the private key.

Apply this edit:

-    # -- Base64-encoded string of client key signed by CA. Required if using client cert authentication.
+    # -- Base64-encoded client private key corresponding to the client certificate. Required if using client cert authentication.

- name: {{ .Release.Name }}-sql-ssl-client-key
mountPath: /etc/certs/sql_client_key.pem
subPath: sql_client_key.pem
{{- end }}
@moabu (Member) Sep 22, 2025

Gate per-value and set readOnly.

  • Add readOnly: true for defense in depth.

Apply this diff:

-        {{- if .Values.configmap.cnSqlSslEnabled }}
-          - name: {{ .Release.Name }}-sql-ssl-ca-cert
-            mountPath: /etc/certs/sql_cacert.pem
-            subPath: sql_cacert.pem
-          - name: {{ .Release.Name }}-sql-ssl-client-cert
-            mountPath: /etc/certs/sql_client_cert.pem
-            subPath: sql_client_cert.pem
-          - name: {{ .Release.Name }}-sql-ssl-client-key
-            mountPath: /etc/certs/sql_client_key.pem
-            subPath: sql_client_key.pem
-        {{- end }}
+        {{- if .Values.configmap.cnSqlSslEnabled }}
+          {{- if .Values.configmap.cnSqlSslCaCert }}
+          - name: {{ .Release.Name }}-sql-ssl-ca-cert
+            mountPath: /etc/certs/sql_cacert.pem
+            subPath: sql_cacert.pem
+            readOnly: true
+          {{- end }}
+          {{- if .Values.configmap.cnSqlSslClientCert }}
+          - name: {{ .Release.Name }}-sql-ssl-client-cert
+            mountPath: /etc/certs/sql_client_cert.pem
+            subPath: sql_client_cert.pem
+            readOnly: true
+          {{- end }}
+          {{- if .Values.configmap.cnSqlSslClientKey }}
+          - name: {{ .Release.Name }}-sql-ssl-client-key
+            mountPath: /etc/certs/sql_client_key.pem
+            subPath: sql_client_key.pem
+            readOnly: true
+          {{- end }}
+        {{- end }}
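Review bot: the `subPath:` mounts kept on all three files mean that a rotated CA or client key written to the secret is not propagated into a running container, since Kubernetes does not update subPath-mounted Secret files; rotating the SQL TLS material therefore requires a pod restart. If in-place rotation is wanted, mount the secret as a directory (for example under /etc/certs/sql/) instead of three subPath mounts and point the client at the files there; `readOnly: true` applies equally well to the directory mount.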

Contributor Author

Extra marking for cnSqlSslCaCert/cnSqlSslClientCert/cnSqlSslClientKey is not needed. The backend will ignore the files, no options added to jans-sql.properties or python-based client. Those files are loaded only if using verify-*, VERIFY_* SSL mode.
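The mode table in the README rows above and the author's reply together define which values are meaningful for a given cnSqlSslMode; this added Python check (not part of the PR or the Gluu charts) encodes those rules plus the base64 format the values are documented in, so a values file can be linted before helm renders it. The mode names and the "files are loaded only in verify modes" rule come from the thread; the rule that a verify mode needs a CA value to verify against is an assumption, and the sample certificate is a constructed placeholder.

```python
import base64

# Mode names as listed in the chart README table on this page.
MYSQL_MODES = {"PREFERRED", "REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY"}
PG_MODES = {"allow", "prefer", "require", "verify-ca", "verify-full"}
# Per the PR author's reply, the CA / client cert / client key files are
# loaded only in the verify-* (PostgreSQL) and VERIFY_* (MySQL) modes.
VERIFY_MODES = {"VERIFY_CA", "VERIFY_IDENTITY", "verify-ca", "verify-full"}
MATERIAL = ("cnSqlSslCaCert", "cnSqlSslClientCert", "cnSqlSslClientKey")
# Constructed placeholder, not real key material: a PEM-shaped blob, base64-encoded.
FAKE_PEM = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode()


def check_sql_ssl_values(cm: dict) -> list:
    """Return problems found in a chart `configmap:` block; an empty list means OK."""
    problems = []
    supplied = {k: cm.get(k, "") for k in MATERIAL}
    if not cm.get("cnSqlSslEnabled", False):
        if any(supplied.values()):
            problems.append("cnSqlSslEnabled is false: supplied cert/key material is never used")
        return problems
    mode = cm.get("cnSqlSslMode", "")
    if mode not in MYSQL_MODES | PG_MODES:
        problems.append(f"cnSqlSslMode {mode!r} is not a valid MySQL or PostgreSQL mode")
        return problems
    if mode in VERIFY_MODES:
        # Assumption: a mode that verifies the server needs a CA to verify against.
        if not supplied["cnSqlSslCaCert"]:
            problems.append(f"mode {mode} verifies the server but cnSqlSslCaCert is empty")
    elif any(supplied.values()):
        problems.append(f"mode {mode} does not load cert/key files; supplied material is ignored")
    # Client-certificate authentication needs the certificate and its private key together.
    if bool(supplied["cnSqlSslClientCert"]) != bool(supplied["cnSqlSslClientKey"]):
        problems.append("cnSqlSslClientCert and cnSqlSslClientKey must be set together")
    # Values are documented as base64 strings; catch paste errors before helm renders them.
    for name, value in supplied.items():
        if not value:
            continue
        try:
            pem = base64.b64decode(value, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{name} is not valid base64")
            continue
        if b"-----BEGIN " not in pem:
            problems.append(f"{name} does not decode to a PEM block")
    return problems
```

Run it against the `configmap:` block of each values file before `helm install`; a non-empty list is a misconfiguration that would otherwise only surface as a connection failure at runtime.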

@moabu moabu merged commit b180ace into main Sep 22, 2025
13 checks passed
@moabu moabu deleted the cn-ssl-conn branch September 22, 2025 13:27