softcoded TLS passwords

trinodb · Feb 6, 2025 · 55d2314 · 55d2314
1 parent a3c7cb2
commit 55d2314
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 22 deletions.
diff --git a/charts/trino/templates/configmap-coordinator.yaml b/charts/trino/templates/configmap-coordinator.yaml
@@ -74,14 +74,14 @@ data:
     node-manager.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
     scheduler.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
     workerInfo.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
-    discovery.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
-    dynamic.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
-    exchange.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
-    failure-detector.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
-    memoryManager.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
-    node-manager.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
-    scheduler.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
-    workerInfo.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
+    discovery.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
+    dynamic.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
+    exchange.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
+    failure-detector.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
+    memoryManager.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
+    node-manager.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
+    scheduler.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
+    workerInfo.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
     discovery.http-client.https.hostname-verification=false
     dynamic.http-client.https.hostname-verification=false
     exchange.http-client.https.hostname-verification=false
@@ -97,10 +97,10 @@ data:
     http-server.https.enabled=true
     http-server.https.port={{ .Values.service.tlsPort }}
     http-server.https.keystore.path={{ .Values.server.config.https.keystore.path }}
-    http-server.https.keystore.key={{ .Values.server.config.https.keystore.key }}
-    http-server.https.keymanager.password={{ .Values.server.config.https.keymanager.password }}
+    http-server.https.keystore.key=${ENV:TRINO_HTTPS_KEYSTORE_SECRET}
+    http-server.https.keymanager.password=${ENV:TRINO_HTTPS_KEYMANAGER_SECRET}
     http-server.https.truststore.path={{ .Values.server.config.https.truststore.path }}
-    http-server.https.truststore.key={{ .Values.server.config.https.truststore.key }}
+    http-server.https.truststore.key=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
     {{- end }}
     {{- if .Values.ingress.enabled }}
     http-server.process-forwarded=true

diff --git a/charts/trino/templates/configmap-worker.yaml b/charts/trino/templates/configmap-worker.yaml
@@ -61,20 +61,20 @@ data:
     discovery.uri=https://{{ template "trino.fullname" . }}:{{ .Values.service.tlsPort }}
     http-server.https.enabled=true
     http-server.https.port={{ .Values.service.tlsPort }}
-    http-server.https.keystore.path={{ .Values.server.config.https.keystore.path }}
-    http-server.https.keystore.key={{ .Values.server.config.https.keystore.key }}
-    http-server.https.keymanager.password={{ .Values.server.config.https.keymanager.password }}
+    http-server.https.keystore.path={{ .Values.server.config.https.workers.keystore.path }}
+    http-server.https.keystore.key=${ENV:TRINO_HTTPS_KEYSTORE_SECRET}
+    http-server.https.keymanager.password=${ENV:TRINO_HTTPS_KEYMANAGER_SECRET}
     http-server.https.truststore.path={{ .Values.server.config.https.truststore.path }}
-    http-server.https.truststore.key={{ .Values.server.config.https.truststore.key }}
+    http-server.https.truststore.key=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
     # Taken from https://github.com/trinodb/trino/issues/5230#issuecomment-2062013346
     # Not checking the hostnames may seems like an issue but tls works and is already an additional layer
     # of security compared to the shared secret
     discovery.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
     exchange.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
     node-manager.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
-    discovery.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
-    exchange.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
-    node-manager.http-client.trust-store-password={{ .Values.server.config.https.truststore.key }}
+    discovery.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
+    exchange.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
+    node-manager.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
     discovery.http-client.https.hostname-verification=false
     exchange.http-client.https.hostname-verification=false
     node-manager.http-client.https.hostname-verification=false

diff --git a/charts/trino/templates/deployment-coordinator.yaml b/charts/trino/templates/deployment-coordinator.yaml
@@ -135,6 +135,23 @@ spec:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
           env:
             {{- toYaml .Values.env | nindent 12 }}
+            {{- if .Values.server.config.https.enabled }}
+            - name: TRINO_HTTPS_TRUSTSTORE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.config.https.truststore.passwordSecretRef.name }}
+                  key: {{ .Values.server.config.https.truststore.passwordSecretRef.key }}
+            - name: TRINO_HTTPS_KEYSTORE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.config.https.keystore.passwordSecretRef.name }}
+                  key: {{ .Values.server.config.https.keystore.passwordSecretRef.key }}
+            - name: TRINO_HTTPS_KEYMANAGER_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.config.https.keymanager.passwordSecretRef.name }}
+                  key: {{ .Values.server.config.https.keymanager.passwordSecretRef.key }}
+            {{- end }}
           envFrom:
             {{- toYaml .Values.envFrom | nindent 12 }}
           volumeMounts:

diff --git a/charts/trino/templates/deployment-worker.yaml b/charts/trino/templates/deployment-worker.yaml
@@ -121,6 +121,23 @@ spec:
             {{- toYaml .Values.containerSecurityContext | nindent 12 }}
           env:
             {{- toYaml .Values.env | nindent 12 }}
+            {{- if .Values.server.config.https.internal }}
+            - name: TRINO_HTTPS_TRUSTSTORE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.config.https.truststore.passwordSecretRef.name }}
+                  key: {{ .Values.server.config.https.truststore.passwordSecretRef.key }}
+            - name: TRINO_HTTPS_KEYSTORE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.config.https.workers.keystore.passwordSecretRef.name }}
+                  key: {{ .Values.server.config.https.workers.keystore.passwordSecretRef.key }}
+            - name: TRINO_HTTPS_KEYMANAGER_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.config.https.workers.keymanager.passwordSecretRef.name }}
+                  key: {{ .Values.server.config.https.workers.keymanager.passwordSecretRef.key }}
+            {{- end }}
           envFrom:
             {{- toYaml .Values.envFrom | nindent 12 }}
           volumeMounts:

diff --git a/charts/trino/values.yaml b/charts/trino/values.yaml
@@ -52,19 +52,37 @@ server:
       # -- Enable https support
       enabled: false
       # -- Enable communications between coordinator and workers through https. It depends on https being enabled.
-      # Be aware that when enabled, keystore, keymanager and truststore infos must also be valid for workers
+      # Be aware that when enabled, truststore infos must also be valid for workers
       # TLS certificates must also have serverAuth and clientAuth usages
       internal: false
       # -- Disable http server completely. It requires https.internal and ingress.tlsService (if Ingress is configured)
       only: false
       keystore:
         path: ""
-        key: ""
+        passwordSecretRef:
+          name: ""
+          key: ""
       keymanager:
-        password: ""
+        passwordSecretRef:
+          name: ""
+          key: ""
+      # -- Specific workers TLS settings when communications between coordinator and workers go through https.
+      # Notice that truststore infos are the same as the coordinator
+      workers:
+        keystore:
+          path: ""
+          passwordSecretRef:
+            name: ""
+            key: ""
+        keymanager:
+          passwordSecretRef:
+            name: ""
+            key: ""
       truststore:
         path: ""
-        key: ""
+        passwordSecretRef:
+          name: ""
+          key: ""
     # -- Trino supports multiple [authentication
     # types](https://trino.io/docs/current/security/authentication-types.html):
     # PASSWORD, CERTIFICATE, OAUTH2, JWT, KERBEROS.