Helm chart jwt signing configuration (#4894)

* add helm chart config to customize jwt signing

* restore values

---------

Co-authored-by: Yuval Yacoby <yyacoby@paloaltonetworks.com>
This commit is contained in:
Yuval Yacoby 2023-10-05 17:46:28 +03:00 committed by GitHub
parent 530bdedf76
commit 659133fb68
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 0 deletions

View file

@ -13,10 +13,38 @@ data:
security.toml: |- security.toml: |-
# this file is read by master, volume server, and filer # this file is read by master, volume server, and filer
{{- if .Values.global.securityConfig.jwtSigning.volumeWrite }}
# the jwt signing key is read by master and volume server # the jwt signing key is read by master and volume server
# a jwt expires in 10 seconds # a jwt expires in 10 seconds
[jwt.signing] [jwt.signing]
key = "{{ randAlphaNum 10 | b64enc }}" key = "{{ randAlphaNum 10 | b64enc }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
# this jwt signing key is read by master and volume server, and it is used for read operations:
# - the Master server generates the JWT, which can be used to read a certain file on a volume server
# - the Volume server validates the JWT on reading
[jwt.signing.read]
key = "{{ randAlphaNum 10 | b64enc }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
# If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
# - f.e. the S3 API Shim generates the JWT
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing]
key = "{{ randAlphaNum 10 | b64enc }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.filerRead }}
# If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
# - f.e. the S3 API Shim generates the JWT
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing.read]
key = "{{ randAlphaNum 10 | b64enc }}"
{{- end }}
# all grpc tls authentications are mutual # all grpc tls authentications are mutual
# the values for the following ca, cert, and key are paths to the PERM files. # the values for the following ca, cert, and key are paths to the PERM files.

View file

@ -10,6 +10,12 @@ global:
restartPolicy: Always restartPolicy: Always
loggingLevel: 1 loggingLevel: 1
enableSecurity: false enableSecurity: false
securityConfig:
jwtSigning:
volumeWrite: true
volumeRead: false
filerWrite: false
filerRead: false
certificates: certificates:
alphacrds: false alphacrds: false
monitoring: monitoring: