Add secret management to sentrius-chart-launcher - implement OAuth2, Keycloak, and Neo4j secrets templates with environment variable integration

Copilot · phrocker · Copilot · commit 7716ee5269bc · 2025-07-02T00:47:12.000Z
Co-authored-by: phrocker &lt;1781585+phrocker@users.noreply.github.com&gt;
diff --git a/sentrius-chart-launcher/templates/_helpers.tpl b/sentrius-chart-launcher/templates/_helpers.tpl
@@ -17,4 +17,9 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/name: sentrius-launcher-service
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end -}}
+{{- end -}}
+{{- define "keycloak.requireDbPassword" -}}
+{{- if not .Values.keycloak.db.password }}
+  {{- fail "Error: keycloak.db.password must be specified or generated externally." }}
+{{- end }}
+{{- end }}
diff --git a/sentrius-chart-launcher/templates/configmap.yaml b/sentrius-chart-launcher/templates/configmap.yaml
@@ -37,7 +37,7 @@ data:
     agent.api.url={{ .Values.sentriusDomain }}
     # Keycloak configuration
     spring.security.oauth2.client.registration.keycloak.client-id={{ .Values.launcherservice.oauth2.client_id }}
-    spring.security.oauth2.client.registration.keycloak.client-secret={{ .Values.launcherservice.oauth2.client_secret }}
+    spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET}
     spring.security.oauth2.client.registration.keycloak.authorization-grant-type={{ .Values.launcherservice.oauth2.authorization_grant_type }}
     spring.security.oauth2.client.registration.keycloak.redirect-uri={{ .Values.sentriusDomain }}/login/oauth2/code/keycloak
     spring.security.oauth2.client.registration.keycloak.scope={{ .Values.launcherservice.oauth2.scope }}
@@ -95,7 +95,7 @@ data:
 
     # Keycloak configuration
     spring.security.oauth2.client.registration.keycloak.client-id={{ .Values.launcherservice.oauth2.client_id }}
-    spring.security.oauth2.client.registration.keycloak.client-secret={{ .Values.launcherservice.oauth2.client_secret }}
+    spring.security.oauth2.client.registration.keycloak.client-secret=${KEYCLOAK_CLIENT_SECRET}
     spring.security.oauth2.client.registration.keycloak.authorization-grant-type={{ .Values.launcherservice.oauth2.authorization_grant_type }}
     spring.security.oauth2.client.registration.keycloak.redirect-uri={{ .Values.sentriusDomain }}/login/oauth2/code/keycloak
     spring.security.oauth2.client.registration.keycloak.scope={{ .Values.launcherservice.oauth2.scope }}
diff --git a/sentrius-chart-launcher/templates/keycloak-secrets.yaml b/sentrius-chart-launcher/templates/keycloak-secrets.yaml
@@ -0,0 +1,23 @@
+{{- include "keycloak.requireDbPassword" . }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-keycloak-secrets
+type: Opaque
+data:
+  # Keycloak Admin Password
+  {{- if .Values.keycloak.adminPassword }}
+  admin-password: {{ .Values.keycloak.adminPassword | b64enc }}
+  {{- else }}
+  admin-password: {{ randAlphaNum 24 | b64enc }}
+  {{- end }}
+  
+  # Keycloak Client Secret
+  {{- if .Values.keycloak.clientSecret }}
+  client-secret: {{ .Values.keycloak.clientSecret | b64enc }}
+  {{- else }}
+  client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  # Keycloak Database Password
+  db-password: {{ .Values.keycloak.db.password | b64enc }}
diff --git a/sentrius-chart-launcher/templates/launcher-deployment.yaml b/sentrius-chart-launcher/templates/launcher-deployment.yaml
@@ -29,6 +29,12 @@ spec:
           volumeMounts:
             - name: config-volume
               mountPath: /config
+          env:
+            - name: KEYCLOAK_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Release.Name }}-oauth2-secrets
+                  key: launcherservice-client-secret
       volumes:
         - name: config-volume
           configMap:
diff --git a/sentrius-chart-launcher/templates/neo4j-secrets.yaml b/sentrius-chart-launcher/templates/neo4j-secrets.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.neo4j.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-neo4j-secrets
+type: Opaque
+data:
+  # Neo4j Authentication String (username/password)
+  {{- if .Values.neo4j.env.NEO4J_AUTH }}
+  neo4j-auth: {{ .Values.neo4j.env.NEO4J_AUTH | b64enc }}
+  {{- else }}
+  neo4j-auth: {{ printf "neo4j/%s" (randAlphaNum 16) | b64enc }}
+  {{- end }}
+{{- end }}
diff --git a/sentrius-chart-launcher/templates/oauth2-secrets.yaml b/sentrius-chart-launcher/templates/oauth2-secrets.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-oauth2-secrets
+type: Opaque
+data:
+  # Sentrius OAuth2 Client Secret
+  {{- if .Values.sentrius.oauth2.client_secret }}
+  sentrius-client-secret: {{ .Values.sentrius.oauth2.client_secret | b64enc }}
+  {{- else }}
+  sentrius-client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  
+  # LLM Proxy OAuth2 Client Secret
+  {{- if .Values.llmproxy.oauth2.client_secret }}
+  llmproxy-client-secret: {{ .Values.llmproxy.oauth2.client_secret | b64enc }}
+  {{- else }}
+  llmproxy-client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  
+  # Sentrius Agent OAuth2 Client Secret
+  {{- if .Values.sentriusagent.oauth2.client_secret }}
+  sentriusagent-client-secret: {{ .Values.sentriusagent.oauth2.client_secret | b64enc }}
+  {{- else }}
+  sentriusagent-client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  
+  # Sentrius AI Agent OAuth2 Client Secret
+  {{- if .Values.sentriusaiagent.oauth2.client_secret }}
+  sentriusaiagent-client-secret: {{ .Values.sentriusaiagent.oauth2.client_secret | b64enc }}
+  {{- else }}
+  sentriusaiagent-client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
+  
+  # Launcher Service OAuth2 Client Secret
+  {{- if .Values.launcherservice.oauth2.client_secret }}
+  launcherservice-client-secret: {{ .Values.launcherservice.oauth2.client_secret | b64enc }}
+  {{- else }}
+  launcherservice-client-secret: {{ randAlphaNum 32 | b64enc }}
+  {{- end }}
