feat(cloud-native): secure mounted configuration schema

[iromli]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #10550

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[sonarqubecloud]

Quality Gate passed for 'agama parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'jans-pycloudlib'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'Jans-Keycloak-Link'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'Fido2 API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'SCIM API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'jans-config-api-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[moabu]

Key properties should be specified. We should indicate that only symmetric is supported and show what sizes are supported to limit possible errors and issues. Also we need to handle the case when an error occurs handling the key and act as if its empty when that happens skipping encryption/decryption.

[iromli]

Hi @moabu , thanks for the review. I made several changes to address potential issue.

Key properties should be specified. We should indicate that only symmetric is supported and show what sizes are supported to limit possible errors and issues.

The new cnConfiguratorKey attribute is now specified in docs and validated in values.schema.json.

Also we need to handle the case when an error occurs handling the key and act as if its empty when that happens skipping encryption/decryption.

Invalid key or invalid text is handled by jans-pycloudlib, for example: https://github.com/JanssenProject/jans/blob/main/jans-pycloudlib/jans/pycloudlib/secret/file_secret.py#L17-L19. The OCI image entrypoint will catch the errors and treat them as warning message instead so the pod will still running regardless of failed decryption process.

Though there's an exception, the configurator job will throw error and kill the pod to ensure only valid configuration schema is mounted to pod (useful on first installation).