Transition to using secrets in Key Vault.

This does the following:

- Removes references to the atst-override.ini file, now deprecated.
- Adds all non-secret data that was managed in the override file to the
  relevant K8s ConfigMaps.
- Adds additional documentation explaining out use of Key Vault for
  secrets management.

deploy/azure/atst-envvars-configmap.yml

@@ -6,15 +6,28 @@ metadata:
   namespace: atat
 data:
   ASSETS_URL: https://atat-cdn.azureedge.net/
+  AZURE_ACCOUNT_NAME: atat
+  AZURE_TO_BUCKET_NAME: task-order-pdfs
   BLOB_STORAGE_URL: https://atat.blob.core.windows.net/
+  CAC_URL: https://auth-staging.atat.code.mil/login-redirect
   CDN_ORIGIN: https://azure.atat.code.mil
   CELERY_DEFAULT_QUEUE: celery-master
   CSP: azure
+  DEBUG: 0
   FLASK_ENV: master
   LOG_JSON: "true"
-  OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
+  MAIL_PORT: 587
+  MAIL_SENDER: postmaster@atat.code.mil
+  MAIL_SERVER: smtp.mailgun.org
+  MAIL_TLS: "true"
+  OVERRIDE_CONFIG_DIRECTORY: /config
+  PGAPPNAME: atst
+  PGDATABASE: staging
+  PGHOST: atat-db.postgres.database.azure.com
+  PGPORT: 5432
   PGSSLMODE: verify-full
   PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
+  PGUSER: atat_master@atat-db
   REDIS_HOST: atat.redis.cache.windows.net:6380
   REDIS_TLS: "true"
   STATIC_URL: https://atat-cdn.azureedge.net/static/

deploy/azure/atst-worker-envvars-configmap.yml

@@ -5,9 +5,25 @@ metadata:
   name: atst-worker-envvars
   namespace: atat
 data:
+  AZURE_ACCOUNT_NAME: atat
+  AZURE_TO_BUCKET_NAME: task-order-pdfs
+  CAC_URL: https://auth-staging.atat.code.mil/login-redirect
   CELERY_DEFAULT_QUEUE: celery-master
-  DISABLE_CRL_CHECK: "True"
+  DEBUG: 0
+  DISABLE_CRL_CHECK: "true"
+  MAIL_PORT: 587
+  MAIL_SENDER: postmaster@atat.code.mil
+  MAIL_SERVER: smtp.mailgun.org
+  MAIL_TLS: "true"
+  OVERRIDE_CONFIG_DIRECTORY: /config
+  PGAPPNAME: atst
+  PGDATABASE: staging
+  PGHOST: atat-db.postgres.database.azure.com
+  PGPORT: 5432
   PGSSLMODE: verify-full
   PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt
+  PGUSER: atat_master@atat-db
+  REDIS_HOST: atat.redis.cache.windows.net:6380
+  REDIS_TLS: "true"
   SERVER_NAME: azure.atat.code.mil
   TZ: UTC

deploy/azure/azure.yml

@@ -34,9 +34,6 @@ spec:
             - configMapRef:
                 name: atst-envvars
           volumeMounts:
-            - name: atst-config
-              mountPath: "/opt/atat/atst/atst-overrides.ini"
-              subPath: atst-overrides.ini
             - name: nginx-client-ca-bundle
               mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
               subPath: client-ca-bundle.pem
@@ -81,13 +78,6 @@ spec:
             - name: nginx-secret
               mountPath: "/etc/ssl/"
       volumes:
-        - name: atst-config
-          secret:
-            secretName: atst-config-ini
-            items:
-              - key: override.ini
-                path: atst-overrides.ini
-                mode: 0644
         - name: nginx-client-ca-bundle
           configMap:
             name: nginx-client-ca-bundle
@@ -195,22 +185,12 @@ spec:
             - configMapRef:
                 name: atst-worker-envvars
           volumeMounts:
-            - name: atst-config
-              mountPath: "/opt/atat/atst/atst-overrides.ini"
-              subPath: atst-overrides.ini
             - name: pgsslrootcert
               mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
               subPath: pgsslrootcert.crt
             - name: flask-secret
               mountPath: "/config"
       volumes:
-        - name: atst-config
-          secret:
-            secretName: atst-config-ini
-            items:
-              - key: override.ini
-                path: atst-overrides.ini
-                mode: 0644
         - name: pgsslrootcert
           configMap:
             name: pgsslrootcert
@@ -270,22 +250,12 @@ spec:
             - configMapRef:
                 name: atst-worker-envvars
           volumeMounts:
-            - name: atst-config
-              mountPath: "/opt/atat/atst/atst-overrides.ini"
-              subPath: atst-overrides.ini
             - name: pgsslrootcert
               mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
               subPath: pgsslrootcert.crt
             - name: flask-secret
               mountPath: "/config"
       volumes:
-        - name: atst-config
-          secret:
-            secretName: atst-config-ini
-            items:
-              - key: override.ini
-                path: atst-overrides.ini
-                mode: 0644
         - name: pgsslrootcert
           configMap:
             name: pgsslrootcert

deploy/azure/crls-sync.yaml

@@ -32,21 +32,11 @@ spec:
             - configMapRef:
                 name: atst-worker-envvars
             volumeMounts:
-              - name: atst-config
-                mountPath: "/opt/atat/atst/atst-overrides.ini"
-                subPath: atst-overrides.ini
               - name: crls-vol
                 mountPath: "/opt/atat/atst/crls"
               - name: flask-secret
                 mountPath: "/config"
           volumes:
-            - name: atst-config
-              secret:
-                secretName: atst-config-ini
-                items:
-                - key: override.ini
-                  path: atst-overrides.ini
-                  mode: 0644
             - name: crls-vol
               persistentVolumeClaim:
                 claimName: crls-vol-claim