Complete secret removal - fix template validation and add documentation

Co-authored-by: phrocker <[email protected]>

Author: Copilot

ai-agent/src/main/resources/challenger.properties

@@ -46,7 +46,7 @@ server.error.whitelabel.enabled=false
 keycloak.realm=sentrius
 keycloak.base-url=${KEYCLOAK_BASE_URL:http://localhost:8180}
 spring.security.oauth2.client.registration.keycloak.client-id=ai-agents-assessor
-spring.security.oauth2.client.registration.keycloak.client-secret=e4WgJovH8MzcAvRnFg3rROAbeDIwiYmy
+spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET:}
 spring.security.oauth2.client.registration.keycloak.authorization-grant-type=client_credentials
 spring.security.oauth2.client.registration.keycloak.redirect-uri=http://192.168.1.162:8080/login/oauth2/code/keycloak
 spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email

docker/keycloak/README.md

@@ -0,0 +1,14 @@
+# Keycloak Realm Configuration
+
+This realm configuration file contains client definitions for Sentrius.
+
+⚠️ **IMPORTANT**: The client secrets in this file are set to "CHANGE_ME_AFTER_IMPORT" and must be updated after importing the realm to match the secrets configured in your Helm deployment.
+
+The client secrets should be configured to match:
+- The OAuth2 secrets generated by the Helm chart
+- Or the secrets you provide in your values.yaml
+
+You can update client secrets via:
+1. Keycloak Admin Console
+2. Keycloak Admin REST API
+3. Environment variable substitution during realm import

docker/keycloak/realms/sentrius-realm.json

@@ -6,7 +6,7 @@
       "clientId": "sentrius-api",
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
-      "secret": "nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0",
+      "secret": "CHANGE_ME_AFTER_IMPORT",
       "rootUrl": "${ROOT_URL}",
       "baseUrl": "${ROOT_URL}",
       "serviceAccountsEnabled": true,
@@ -40,7 +40,7 @@
       "clientId": "sentrius-launcher-service",
       "enabled": true,
       "clientAuthenticatorType": "client-secret",
-      "secret": "nGkEukexSWTSjklj3sddgvDzYjSkDmeUlM0FJ5Jhh0",
+      "secret": "CHANGE_ME_AFTER_IMPORT",
       "rootUrl": "${ROOT_URL}",
       "baseUrl": "${ROOT_URL}",
 
@@ -81,7 +81,7 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
-      "secret": "e4WgJovH8MzcAvRnFg3rROAbeDIwiYmx",
+      "secret": "CHANGE_ME_AFTER_IMPORT",
       "redirectUris": [
         "${REDIRECT_URIS}/*"
       ],
@@ -168,7 +168,7 @@
       "enabled": true,
       "alwaysDisplayInConsole": false,
       "clientAuthenticatorType": "client-secret",
-      "secret": "e4WgJovH8MzcAvRnFg3rROAbeDIwiYmy",
+      "secret": "CHANGE_ME_AFTER_IMPORT",
       "redirectUris": [
         "${REDIRECT_URIS}/*"
       ],

docs/secret-management.md

@@ -0,0 +1,70 @@
+# Sentrius Secret Management
+
+## Overview
+
+Hardcoded secrets have been removed from the Helm charts and application properties files. The system now supports both dynamic secret generation and external secret management.
+
+## Dynamic Secret Generation
+
+When no secrets are provided in values.yaml, the Helm charts will automatically generate random secrets for:
+
+- OAuth2 client secrets (32 characters)
+- Database passwords (32 characters) 
+- Keystore passwords (24 characters)
+- Keycloak admin passwords (24 characters)
+- Neo4j authentication strings (16 character passwords)
+
+## Providing Custom Secrets
+
+You can override the generated secrets by setting them in your values.yaml:
+
+```yaml
+# Example custom secrets
+secrets:
+  db:
+    username: "my-db-user"
+    password: "my-secure-password"
+    keystorePassword: "my-keystore-password"
+
+sentrius:
+  oauth2:
+    client_secret: "my-oauth2-secret"
+
+keycloak:
+  adminPassword: "my-keycloak-admin-password"
+  clientSecret: "my-keycloak-client-secret"
+  db:
+    password: "my-keycloak-db-password"
+
+neo4j:
+  env:
+    NEO4J_AUTH: "neo4j/my-neo4j-password"
+```
+
+## Environment Variables
+
+Application properties files now use environment variables with fallback defaults:
+
+- `KEYCLOAK_CLIENT_SECRET` - OAuth2 client secret for Keycloak
+- `DATABASE_PASSWORD` - Database password (defaults to "password")
+- `KEYSTORE_PASSWORD` - Keystore password (defaults to "keystorepassword")
+
+## Production Deployment
+
+For production environments, it is recommended to:
+
+1. Use an external secret management system (HashiCorp Vault, AWS Secrets Manager, etc.)
+2. Set all secrets explicitly in your values.yaml file
+3. Use Kubernetes secrets or external secret operators
+4. Never commit secrets to version control
+
+## Removed Hardcoded Secrets
+
+The following hardcoded secrets were removed:
+
+- `nGkEukexSWTvDzYjSkDmeUlM0FJ5Jhh0` (multiple OAuth2 client secrets)
+- `e4WgJovH8MzcAvRnFg3rROAbeDIwiYmx` (agent client secret)
+- `KLJMLKSDJGlkj23@#jasdlkjg@#dsagsagdsag` (AI agent client secret)
+- `neo4j/testingsecret` (Neo4j authentication)
+- Base64 encoded database credentials
+- Hardcoded keystore passwords

sentrius-chart/templates/ingress.yaml

@@ -18,7 +18,7 @@ spec:
                 name: {{ .Release.Name }}-keycloak
                 port:
                   number: 8081
-    - host: {{ .Values.subdomain }}
+    - host: {{ .Values.tenant }}.sentrius.cloud
       http:
         paths:
           - path: /

sentrius-chart/templates/keycloak-deployment.yaml

@@ -10,33 +10,35 @@ spec:
   selector:
     matchLabels:
       app: keycloak
-      release: {{ .Release.Name }}
   template:
     metadata:
       labels:
         app: keycloak
-        release: {{ .Release.Name }}
     spec:
+      initContainers:
+        - name: wait-for-keycloak-db
+          image: busybox
+          command: ['sh', '-c', 'until nc -z keycloak-db 5432; do echo waiting for keycloak-db; sleep 2; done;']
       containers:
         - name: keycloak
           image: "{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag }}"
           imagePullPolicy: "{{ .Values.keycloak.image.pullPolicy }}"
           ports:
-            - containerPort: 8081
-          {{- if not (eq .Values.environment "gke") }}
+            - containerPort: {{ .Values.keycloak.port }}
           readinessProbe:
             httpGet:
               path: {{ .Values.healthCheck.keycloak.readinessPath }}
-              port: {{ .Values.healthCheck.keycloak.port }}
-            initialDelaySeconds: 5
+              port: {{ .Values.keycloak.port }}
+            initialDelaySeconds: 30
             periodSeconds: 10
+            timeoutSeconds: 5
           livenessProbe:
             httpGet:
               path: {{ .Values.healthCheck.keycloak.livenessPath }}
-              port: {{ .Values.healthCheck.keycloak.port }}
-            initialDelaySeconds: 5
+              port: {{ .Values.keycloak.port }}
+            initialDelaySeconds: 60
             periodSeconds: 10
-          {{- end }}
+            timeoutSeconds: 5
           env:
             - name: KC_HTTP_PORT
               value: "8081"
@@ -61,7 +63,7 @@ spec:
                   name: {{ .Release.Name }}-keycloak-secrets
                   key: db-password
             - name: KC_HOSTNAME
-              value: {{ .Values.keycloakHostname }}
+              value: "keycloak.{{ .Values.tenant }}.sentrius.cloud"
             - name: KC_HOSTNAME_STRICT
               value: "false"
             - name: KEYCLOAK_LOGLEVEL
@@ -85,5 +87,5 @@ spec:
                 secretKeyRef:
                   name: {{ .Release.Name }}-keycloak-secrets
                   key: client-secret
-          command: [ "/opt/keycloak/bin/kc.sh" ]
-          args: [ "start-dev", "--proxy=edge", "--import-realm", "--health-enabled=true"]
+          command: ["/opt/keycloak/bin/kc.sh"]
+          args: ["start-dev", "--proxy=edge", "--import-realm", "--health-enabled=true"]

sentrius-chart/values.yaml

@@ -6,10 +6,10 @@ environment: "gke"  # Can be "gke", "aws", "azure", "local"
 
 tenant: sentrius-demo
 subdomain: "{{ .Values.tenant }}.sentrius.cloud"
-keycloakSubdomain: keycloak.{{ .Values.subdomain }}
-keycloakHostname: "{{ .Values.keycloakSubdomain }}"
-keycloakDomain: https://{{ .Values.keycloakSubdomain }}
-sentriusDomain: https://{{ .Values.subdomain }}
+keycloakSubdomain: "keycloak.{{ .Values.tenant }}.sentrius.cloud"
+keycloakHostname: "keycloak.{{ .Values.tenant }}.sentrius.cloud"
+keycloakDomain: "https://keycloak.{{ .Values.tenant }}.sentrius.cloud"
+sentriusDomain: "https://{{ .Values.tenant }}.sentrius.cloud"
 launcherFQDN: sentrius-launcher-service.dev.svc.cluster.local
 
 
@@ -203,7 +203,7 @@ keycloak:
       service.beta.kubernetes.io/azure-load-balancer-internal: "true"
 
 ingress:
-  enabled: false  # Temporarily disabled during secret refactoring
+  enabled: true
   class: "nginx"  # Default for local; override for GKE/AWS
   tlsEnabled: true  # Enable TLS when supported
   annotations: