diff --git a/charts/platform/README.md b/charts/platform/README.md
index 9f9db6b..6042126 100644
--- a/charts/platform/README.md
+++ b/charts/platform/README.md
@@ -214,7 +214,7 @@ Download the [keycloak_data.yaml](https://raw.githubusercontent.com/opentdf/plat
 | services.kas.config.registered_kas_uri | string | `nil` | Used by key management, if present. |
 | services.kas.privateKeysSecret | string | `"kas-private-keys"` | KAS secret containing keys @deprecated Use `private_keys_secret` instead. This value will be removed in a future release. |
 | services.kas.private_keys_secret | string | `""` | KAS secret containing keys kas-private.pem , kas-cert.pem , kas-ec-private.pem , kas-ec-cert.pem |
-| services.kas.root_key_secret | object | `{"key":"root_key","name":"kas-root-key"}` | Key needed when key_management feature is enabled (openssl rand 32 -hex) openssl rand 32 -hex | kubectl create secret generic kas-root-key --from-file=root_key=/dev/stdin |
+| services.kas.root_key_secret | object | `{"key":"root_key","name":"kas-root-key"}` | Key needed when key_management feature is enabled. Injected as `{PREFIX}_SERVICES_KAS_ROOT_KEY` env var (openssl rand 32 -hex) openssl rand 32 -hex | kubectl create secret generic kas-root-key --from-file=root_key=/dev/stdin |
 | tolerations | list | `[]` | Tolerations to apply to the pod (https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | trace.enabled | bool | `false` | Enable distributed tracing |
 | trace.provider.file.compress | string | `nil` | Enable compression of trace files |
diff --git a/charts/platform/templates/deployment.yaml b/charts/platform/templates/deployment.yaml
index 22a2a14..6823c49 100644
--- a/charts/platform/templates/deployment.yaml
+++ b/charts/platform/templates/deployment.yaml
@@ -91,7 +91,7 @@ spec:
 key: {{ .Values.sdk_config.existingSecret.key }}
 {{- end }}
 {{- if and (or (contains "all" .Values.mode) (contains "kas" .Values.mode)) .Values.services.kas.config.preview.key_management }}
- - name: {{include "platform.envVarPrefix" .}}_KAS_ROOT_KEY
+ - name: {{include "platform.envVarPrefix" .}}_SERVICES_KAS_ROOT_KEY
 valueFrom:
 secretKeyRef:
 name: {{ .Values.services.kas.root_key_secret.name }}
diff --git a/charts/platform/values.yaml b/charts/platform/values.yaml
index 9ecc79a..f6ff50c 100644
--- a/charts/platform/values.yaml
+++ b/charts/platform/values.yaml
@@ -478,7 +478,7 @@ services:
 alg: ec:secp256r1
 - kid: r1
 alg: rsa:2048
- # -- Key needed when key_management feature is enabled (openssl rand 32 -hex)
+ # -- Key needed when key_management feature is enabled. Injected as `{PREFIX}_SERVICES_KAS_ROOT_KEY` env var (openssl rand 32 -hex)
 # openssl rand 32 -hex | kubectl create secret generic kas-root-key --from-file=root_key=/dev/stdin
 root_key_secret:
 name: kas-root-key
diff --git a/tests/chart_platform_template_test.go b/tests/chart_platform_template_test.go
index 4ca0bde..83b65bd 100644
--- a/tests/chart_platform_template_test.go
+++ b/tests/chart_platform_template_test.go
@@ -944,7 +944,7 @@ func (s *PlatformChartTemplateSuite) Test_KeyManagement_Enabled_With_RootKeySecr
 envVarFound := false
 for _, container := range deployment.Spec.Template.Spec.Containers {
 for _, envVar := range container.Env {
- if envVar.Name == "OPENTDF_KAS_ROOT_KEY" {
+ if envVar.Name == "OPENTDF_SERVICES_KAS_ROOT_KEY" {
 s.Require().Equal("my-root-key-secret", envVar.ValueFrom.SecretKeyRef.Name)
 s.Require().Equal("my-root-key", envVar.ValueFrom.SecretKeyRef.Key)
 envVarFound = true
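Review bot: Renaming the injected variable to `{{include "platform.envVarPrefix" .}}_SERVICES_KAS_ROOT_KEY` means a pod running a platform image that still reads the previous `..._KAS_ROOT_KEY` name comes up with no root key at all, and nothing in the template detects that — the secretKeyRef is wired correctly, the variable is just named differently. The chart should say which platform version reads the new name, for example with `# NOTE: the platform reads this as <prefix>_SERVICES_KAS_ROOT_KEY; images expecting <prefix>_KAS_ROOT_KEY will not pick it up` above the `{{- if and ... key_management }}` line, and if an upgrade window has to tolerate older images, emitting both names from the same secretKeyRef for one release is the usual transition. Separately, this is a root key for key management delivered as a process environment variable, which every process in the container (and any core dump) can read; a secret volume mount is the lower-exposure form, though that pattern predates this change. The rest of the `env:` list and the `platform.envVarPrefix` helper are outside this hunk, so I cannot tell whether any sibling variable still uses the old `_KAS_` naming.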
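Review bot: The unchanged comment line right after the edited `# --` line, `# openssl rand 32 -hex | kubectl create secret ...`, carries a bare `|`, and the README hunk shows helm-docs copying it verbatim into the table row for `services.kas.root_key_secret`, where an unescaped pipe is a cell delimiter and splits the description into an extra column. Escaping it at the source, `# openssl rand 32 -hex \| kubectl create secret generic kas-root-key --from-file=root_key=/dev/stdin`, fixes the generated README without hand-editing it. The new `{PREFIX}` placeholder is also left for the reader to resolve; the test hunk asserts the rendered name `OPENTDF_SERVICES_KAS_ROOT_KEY` under the suite's values, so `Injected as <envVarPrefix>_SERVICES_KAS_ROOT_KEY (e.g. OPENTDF_SERVICES_KAS_ROOT_KEY)` would be more concrete, provided `OPENTDF` is confirmed to be the chart's default prefix rather than a test-only override.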
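Review bot: The assertion now only looks for `OPENTDF_SERVICES_KAS_ROOT_KEY`; nothing fails if the template keeps emitting the previous `OPENTDF_KAS_ROOT_KEY` alongside it, so the rename is guarded in one direction only and a second copy of the root key in the environment would go unnoticed. A negative check in the same loop, `s.Require().NotEqual("OPENTDF_KAS_ROOT_KEY", envVar.Name)`, pins that the old name is gone from every container. The enclosing test method (its name is truncated in the hunk header) begins before and continues past this hunk, so the final check on `envVarFound` is not visible here.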