4 files changed, 56 insertions, 11 deletions

diff --git a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json
index a52cc0f6d4..3b72d8ed90 100644
--- a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json
+++ b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/config.json
@@ -21,16 +21,16 @@
     "restServerParameters": {
         "host": "0.0.0.0",
         "port": 6969,
-        "userName": "healthcheck",
-        "password": "zb!XztG34",
+        "userName": "${RESTSERVER_USER}",
+        "password": "${RESTSERVER_PASSWORD}",
         "https": true,
         "aaf": false
     },
     "policyApiParameters": {
         "host": "policy-api",
         "port": 6969,
-        "userName": "healthcheck",
-        "password": "zb!XztG34",
+        "userName": "${API_USER}",
+        "password": "${API_PASSWORD}",
         "https": true,
         "aaf": false
     },
diff --git a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties
index f2c2cd7765..c7e4ad197e 100644
--- a/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties
+++ b/kubernetes/policy/charts/policy-xacml-pdp/resources/config/xacml.properties
@@ -50,4 +50,4 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome
 javax.persistence.jdbc.driver=org.mariadb.jdbc.Driver
 javax.persistence.jdbc.url=jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/operationshistory
 javax.persistence.jdbc.user=${SQL_USER}
-javax.persistence.jdbc.password=${SQL_PASSWORD}
+javax.persistence.jdbc.password=${SQL_PASSWORD_BASE64}
diff --git a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
index 5b02c177b5..bd126b810b 100644
--- a/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
+++ b/kubernetes/policy/charts/policy-xacml-pdp/templates/deployment.yaml
@@ -31,17 +31,38 @@ spec:
         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
+      - command:
+        - sh
+        args:
+        - -c
+        - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+        env:
+        - name: RESTSERVER_USER
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }}
+        - name: RESTSERVER_PASSWORD
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }}
+        - name: API_USER
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }}
+        - name: API_PASSWORD
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }}
+        - name: SQL_USER
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+        - name: SQL_PASSWORD
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+        volumeMounts:
+        - mountPath: /config-input
+          name: pdpxconfig
+        - mountPath: /config
+          name: pdpxconfig-processed
+        image: "{{ .Values.global.envsubstImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"]
           args: ["/opt/app/policy/pdpx/etc/mounted/config.json"]
-          env:
-          - name: SQL_USER
-            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
-          - name: SQL_PASSWORD
-            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
           ports:
           - containerPort: {{ .Values.service.internalPort }}
           # disable liveness probe when breakpoints set in debugger
@@ -63,7 +84,9 @@ spec:
             name: localtime
             readOnly: true
           - mountPath: /opt/app/policy/pdpx/etc/mounted
-            name: pdpxconfig
+            name: pdpxconfig-processed
+            emptyDir:
+              medium: Memory
           resources:
 {{ include "common.resources" . | indent 12 }}
         {{- if .Values.nodeSelector }}
@@ -82,5 +105,8 @@ spec:
           configMap:
             name: {{ include "common.fullname" . }}-configmap
             defaultMode: 0755
+        - name: pdpxconfig-processed
+          emptyDir:
+            medium: Memory
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml
index a2c0aa0e63..63f50fd7fa 100644
--- a/kubernetes/policy/charts/policy-xacml-pdp/values.yaml
+++ b/kubernetes/policy/charts/policy-xacml-pdp/values.yaml
@@ -21,6 +21,7 @@
 #################################################################
 global:
   persistence: {}
+  envsubstImage: dibi/envsubst
 
 #################################################################
 # Secrets metaconfig
@@ -32,6 +33,18 @@ secrets:
     login: '{{ .Values.db.user }}'
     password: '{{ .Values.db.password }}'
     passwordPolicy: required
+  - uid: restserver-creds
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}'
+    login: '{{ .Values.restServer.user }}'
+    password: '{{ .Values.restServer.password }}'
+    passwordPolicy: required
+  - uid: api-creds
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}'
+    login: '{{ .Values.apiServer.user }}'
+    password: '{{ .Values.apiServer.password }}'
+    passwordPolicy: required
 
 #################################################################
 # Application configuration defaults.
@@ -49,6 +62,12 @@ debugEnabled: false
 db:
   user: policy_user
   password: policy_user
+restServer:
+  user: healthcheck
+  password: zb!XztG34
+apiServer:
+  user: healthcheck
+  password: zb!XztG34
 
 # default number of instances
 replicaCount: 1