chore: Update the jdk version to remove high vulnerability (#252)

Update JDK version to remove high vulnerability in openssl library
Update location of keytool
Realign the secretagentconfiguration file with th file in forgeops.

ref: FORGEOPS-4603

Dockerfile

@@ -5,7 +5,7 @@ ARG GO_VERSION="1.16.5"
 ARG GO_PACKAGE_SHA256="b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061"
 ARG KUBEBUILDER_VERSION="3.1.0"
 
-FROM openjdk:21-ea-23-jdk-slim as tester
+FROM openjdk:22-ea-15-jdk-slim-bullseye as tester
 
 ARG GO_VERSION
 ARG GO_PACKAGE_SHA256
@@ -61,7 +61,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on go build -ldflags
 
 
 
-FROM openjdk:21-ea-23-jdk-slim as release
+FROM openjdk:22-ea-15-jdk-slim-bullseye as release
 
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y lsof net-tools && \

charts/secret-agent/templates/deployment.yaml

@@ -34,7 +34,7 @@ spec:
           command:
             - /manager
           args:
-            - --keytoolPath=/usr/local/openjdk-21/bin/keytool
+            - --keytoolPath=/usr/local/openjdk-22/bin/keytool
             - --opensslPath=/usr/bin/openssl
             - --webhook-service-ns={{ .Release.Namespace }}
             - --webhook-service-name={{ include "secret-agent.fullname" . }}

config/manager/manager.yaml

@@ -35,7 +35,7 @@ spec:
       - command:
         - /manager
         args:
-        - --keytoolPath=/usr/local/openjdk-21/bin/keytool
+        - --keytoolPath=/usr/local/openjdk-22/bin/keytool
         - --opensslPath=/usr/bin/openssl
         - --webhook-service-ns=$(SERVICE_NAMESPACE)
         - --webhook-service-name=$(SERVICE_NAME)

config/samples/secret-agent_v1alpha1_secretagentconfiguration.yaml

@@ -11,20 +11,25 @@ spec:
     ## Timeout in seconds for generating each individual secret. Default 40
     # secretTimeout: 40
 
+    ## Prefix added to the name of the secrets stored in the cloud secret manager instead of the namespace.
+    # secretsManagerPrefix: "benchmark"
+
     # A cloud provider's secret manager is the source of truth.
     # If secrets don't exist, they are generated and stored in the manager.
     secretsManager: none # none, AWS, Azure, or GCP
-    ## prefix added to the name of the secrets stored in the cloud secret manager instead of the namespace.
-    # secretsManagerPrefix: "prefix"
-    ## credentials for cloud provider (optional. see README.md)
-    # credentialsSecretName: cloud-credentials
+
     ## When running on GCP, specify a ProjectID
-    # gcpProjectID: sample-project-id
-    ## When running on AWS, specify a region
+    # gcpProjectID: my-project-id
+
+    # When running on AWS, specify a region
     # awsRegion: example-region
-    ## When running on Azure, specify a vault
+
+    # When running on Azure, specify a vault
     # azureVaultName: secret-agent-test
 
+    # credentials for cloud provider
+    # credentialsSecretName: cloud-storage-credentials
+
   # Start of secrets array
 
   # In this YAML file, the "secrets" key defines Kubernetes secret objects managed by the
@@ -45,8 +50,6 @@ spec:
 
   secrets:
 
-  # example of binary data
-
   # platform-ca secret: a root certificate for signing keys
 
   - name: platform-ca
@@ -69,7 +72,7 @@ spec:
 
   # truststore secret: a single Java truststore for all applications
 
-  - name: truststore
+  - name: truststore-pem
     keys:
 
       # The keystore alias
@@ -86,7 +89,7 @@ spec:
           # If the the certificate is managed by secret agent the path is simply
           # `name/key`.
           #
-          # If there's additional or keys generated outside of the operator then:
+          # If there's additional keys or keys generated outside of the operator then:
           # truststoreImportPath is a reference to a secret object's data
           # with the following pattern:
           #   `kubectl get secret {secret object} | jq `.data.{key}.pem`
@@ -101,8 +104,15 @@ spec:
           #      secret/vault-secrets created
           # multiple keys
           #   truststoreImportPaths: ["platform-ca/ca", "vault-secrets/vault-ca"]
+          pemFormat: true
           truststoreImportPaths: ["platform-ca/ca"]
 
+  - name: truststore
+    keys:
+      - name: cacerts
+        type: truststore
+        spec:
+          truststoreImportPaths: ["platform-ca/ca"]
   # DS secrets
 
   # ds-passwords secret
@@ -111,7 +121,7 @@ spec:
     keys:
 
       - name: dirmanager.pw
-        # A password type is a random human readible string.
+        # A password type is a random human readable string.
         type: password
         spec:
           # Default length 32
@@ -121,40 +131,27 @@ spec:
         type: literal
         spec:
           # A simple string literal
-          value: prometheus
+          value: password
+
+  # am-passwords secret
 
-  # ds pem truststore
-  - name: ds-truststore
+  - name: am-passwords
     keys:
-      - name: ds.pem
-        type: truststore
-        spec:
-          # Write public keys in PEM format instead of pkcs12
-          pemFormat: true
-          # This truststore will also contain the public key generated in `platform-ca`
-          # key `ca`
-          #
-          # If the the certificate is managed by secret agent the path is simply
-          # `name/key`.
-          #
-          # If there's additional or keys generated outside of the operator then:
-          # truststoreImportPath is a reference to a secret object's data
-          # with the following pattern:
-          #   `kubectl get secret {secret object} | jq `.data.{key}.pem`
-          #   _note_ the suffix of `.pem`
-          #    e.g.
-          #      ❯ mkcert vault-ca
-          #      Using the local CA at "/home/max/.local/share/mkcert" ✨
-          #      Created a new certificate valid for the following names 📜
-          #       - "vault-ca"
-          #       The certificate is at "./vault-ca.pem" and the key at "./vault-ca-key.pem" ✅
-          #      ❯ kubectl create secret generic vault-secrets --from-file=vault-ca.pem=./vault-ca.pem
-          #      secret/vault-secrets created
-          # multiple keys
-          #   truststoreImportPaths: ["platform-ca/ca", "vault-secrets/vault-ca"]
-          truststoreImportPaths: ["platform-ca/ca"]
+    - name: .keypass
+      type: password
+      spec:
+        length: 24
+    - name: .storepass
+      type: password
+      spec:
+        length: 24
+    - name: username
+      type: literal
+      spec:
+        value: amadmin
 
   # ds secret: encryption certificates
+
   - name: ds
     keys:
 
@@ -230,13 +227,6 @@ spec:
             cmd: importkeystore
             sourcePath: "ds/master-key-pair"
             isKeyPair: true
-          - name: configstorepwd
-            # import a password/passhphrase
-            cmd: importpassword
-            sourcePath: "am-passwords/.storepass"
-          - name: dsameuserpwd
-            cmd: importpassword
-            sourcePath: "ds-passwords/dirmanager.pw"
 
   # AM secrets
 
@@ -252,10 +242,6 @@ spec:
         # e.g. might include control characters and the value is base 64 encoded
         # and application must decode the value
         useBinaryCharacters: true
-    - name: "AM_CONFIRMATION_ID_HMAC_KEY"
-      type: password
-      spec:
-        length: 24
     - name: "AM_ENCRYPTION_KEY"
       type: password
       spec:
@@ -271,7 +257,8 @@ spec:
     - name: "AM_SELFSERVICE_LEGACY_CONFIRMATION_EMAIL_LINK_SIGNING_KEY"
       type: password
       spec:
-        length: 24
+        length: 32
+        useBinaryCharacters: true
     - name: "AM_SESSION_STATELESS_ENCRYPTION_KEY"
       type: password
       spec:
@@ -283,24 +270,6 @@ spec:
         length: 32
         useBinaryCharacters: true
 
-
-  # am-passwords secret
-
-  - name: am-passwords
-    keys:
-    - name: .keypass
-      type: password
-      spec:
-        length: 24
-    - name: .storepass
-      type: password
-      spec:
-        length: 24
-    - name: username
-      type: literal
-      spec:
-        value: amadmin
-
   # am-keystore secret
 
   - name: am-keystore
@@ -341,9 +310,14 @@ spec:
         - name: directenctest
           cmd: genseckey
           args: ["-keyalg", "aes", "-keysize", "256"]
-        - name: sms.transport.key
-          cmd: genseckey
-          args: ["-keyalg", "AES", "-keysize", "128"]
+        # The sms.transport.key is used by amster to encrypt exported secrets.
+        # Enabling this key significantly impacts the performance of REST and UI calls
+        # This key adds marginal value in forgeops - since the exported secrets are replaced by commons expressions
+        # and/or come from an external secret provider.
+        # We recommend leaving this key disabled.
+        # - name: sms.transport.key
+        #   cmd: genseckey
+        #   args: ["-keyalg", "AES", "-keysize", "128"]
 
         - name: configstorepwd
           cmd: importpassword
@@ -421,7 +395,7 @@ spec:
           # If the the certificate is managed by secret agent the path is simply
           # `name/key`.
           #
-          # If there's additional or keys generated outside of the operator then:
+          # If there's additional keys or keys generated outside of the operator then:
           # truststoreImportPath is a reference to a secret object's data
           # with the following pattern:
           #   `kubectl get secret {secret object} | jq `.data.{key}.pem`