Add EPICS_PVA_TLS_KEYCHAIN_PWD_FILE for file-based keychain password #3783
george-mcintyre wants to merge 2 commits into ControlSystemStudio:master
kasemir left a comment
Like all PVA settings, the new EPICS_PVAS_TLS_KEYCHAIN_PWD_FILE and EPICS_PVA_TLS_KEYCHAIN_PWD_FILE should be defined and documented in src/main/java/org/epics/pva/PVASettings.java, next to the existing definition and documentation of PVASettings.EPICS_PVAS_TLS_KEYCHAIN and PVASettings.EPICS_PVA_TLS_KEYCHAIN
Per review feedback: all PVA settings must be declared as public static fields in PVASettings.java, documented next to their related keychain settings, and initialised in the static block.

- Add EPICS_PVAS_TLS_KEYCHAIN_PWD_FILE next to EPICS_PVAS_TLS_KEYCHAIN
- Add EPICS_PVA_TLS_KEYCHAIN_PWD_FILE next to EPICS_PVA_TLS_KEYCHAIN
- Initialise both in the static block alongside their keychain peers
- Update SecureSockets.readKeychainPassword() to read from the PVASettings fields rather than calling PVASettings.get() directly
george-mcintyre left a comment
Done in cd72fb5. Both EPICS_PVAS_TLS_KEYCHAIN_PWD_FILE and EPICS_PVA_TLS_KEYCHAIN_PWD_FILE are now declared as public static String fields in PVASettings, documented in the same style as EPICS_PVAS_TLS_KEYCHAIN / EPICS_PVA_TLS_KEYCHAIN immediately adjacent to them, and initialised in the static block right after their respective keychain peers. SecureSockets.readKeychainPassword() now reads from the PVASettings fields directly instead of calling PVASettings.get() ad hoc.
Looks good, except there's now a minor merge conflict




Motivation

The existing EPICS_PVA_TLS_KEYCHAIN setting embeds the keystore password directly in the path string (e.g. path/to/client.p12|password). This is convenient for development but unsuitable for production environments where secrets must not appear in environment variables, process listings, or configuration files.

Container orchestration platforms such as Kubernetes mount secrets as files (e.g. via Secret volumes or external secret operators like Vault Agent). There was no way to supply the keychain password via a file path.

Change

Two new environment variables are introduced:

- EPICS_PVA_TLS_KEYCHAIN_PWD_FILE
- EPICS_PVAS_TLS_KEYCHAIN_PWD_FILE

When set, SecureSockets reads the password from the referenced file instead of parsing it from the keychain path string. The inline path|password syntax continues to work; the _PWD_FILE variable takes precedence when both are present.

This enables secure password injection for Kubernetes deployments using secretKeyRef volume mounts without patching the keychain path.

Files Changed
core/pva/src/main/java/org/epics/pva/common/SecureSockets.java
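
The precedence rule described under "Change", as an added sketch that is not code from this PR or from SecureSockets. The class, record and method names are hypothetical; stripping trailing line terminators and failing on an unreadable file are assumptions of this sketch, and the temp file stands in for a mounted secret.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Hypothetical helper for illustration, not the project's SecureSockets */
public class KeychainPasswordDemo
{
    /** Keychain file location plus the password that opens it */
    record Keychain(String path, char[] password) {}

    /** @param setting Value of EPICS_PVA_TLS_KEYCHAIN: "path" or "path|password"
     *  @param pwdFile Value of EPICS_PVA_TLS_KEYCHAIN_PWD_FILE, may be null or blank
     */
    static Keychain resolve(final String setting, final String pwdFile) throws IOException
    {
        // Inline form: everything after the first '|' is the password
        final int sep = setting.indexOf('|');
        final String path = sep < 0 ? setting : setting.substring(0, sep);
        final String inline = sep < 0 ? "" : setting.substring(sep + 1);

        if (pwdFile == null || pwdFile.isBlank())
            return new Keychain(path, inline.toCharArray());

        // The password file takes precedence over any inline password.
        // Choice made in this sketch: an unreadable file throws instead of
        // silently falling back to the inline value.
        final String text = Files.readString(Path.of(pwdFile));
        // Assumption: trailing CR/LF (e.g. from 'echo pw > file') is not part of the password
        return new Keychain(path, text.replaceAll("[\\r\\n]+\\z", "").toCharArray());
    }

    public static void main(String[] args) throws IOException
    {
        // Constructed sample values; the temp file plays the mounted secret
        final Path secret = Files.createTempFile("keychain", ".pwd");
        try
        {
            Files.writeString(secret, "from-file\n");
            final String setting = "path/to/client.p12|inline-pw";
            for (String pwdFile : new String[] { null, secret.toString() })
            {
                final Keychain k = resolve(setting, pwdFile);
                System.out.println(k.path() + " opened with '" + new String(k.password()) + "'");
            }
        }
        finally
        {
            Files.delete(secret);
        }
    }
}
```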