mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2024-01-19 02:48:24 +00:00
Helm chart jwt signing configuration (#4894)
* add helm chart config to customize jwt signing * restore values --------- Co-authored-by: Yuval Yacoby <yyacoby@paloaltonetworks.com>
parent
530bdedf76
commit
659133fb68
|
@ -13,10 +13,38 @@ data:
|
|||
security.toml: |-
|
||||
# this file is read by master, volume server, and filer
|
||||
|
||||
{{- if .Values.global.securityConfig.jwtSigning.volumeWrite }}
|
||||
# the jwt signing key is read by master and volume server
|
||||
# a jwt expires in 10 seconds
|
||||
[jwt.signing]
|
||||
key = "{{ randAlphaNum 10 | b64enc }}"
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
|
||||
# this jwt signing key is read by master and volume server, and it is used for read operations:
|
||||
# - the Master server generates the JWT, which can be used to read a certain file on a volume server
|
||||
# - the Volume server validates the JWT on reading
|
||||
[jwt.signing.read]
|
||||
key = "{{ randAlphaNum 10 | b64enc }}"
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
|
||||
# If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
|
||||
# - f.e. the S3 API Shim generates the JWT
|
||||
# - the Filer server validates the JWT on writing
|
||||
# the jwt defaults to expire after 10 seconds.
|
||||
[jwt.filer_signing]
|
||||
key = "{{ randAlphaNum 10 | b64enc }}"
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.global.securityConfig.jwtSigning.filerRead }}
|
||||
# If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
|
||||
# - f.e. the S3 API Shim generates the JWT
|
||||
# - the Filer server validates the JWT on writing
|
||||
# the jwt defaults to expire after 10 seconds.
|
||||
[jwt.filer_signing.read]
|
||||
key = "{{ randAlphaNum 10 | b64enc }}"
|
||||
{{- end }}
|
||||
|
||||
# all grpc tls authentications are mutual
|
||||
# the values for the following ca, cert, and key are paths to the PERM files.
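Review bot: The three new `key = "{{ randAlphaNum 10 | b64enc }}"` lines under `[jwt.signing.read]`, `[jwt.filer_signing]` and `[jwt.filer_signing.read]` copy the existing 10-character key, which gives only about 60 bits of entropy for a JWT signing secret; the `b64enc` step adds none. A longer default such as `key = "{{ randAlphaNum 32 | b64enc }}"` would be safer. Because `randAlphaNum` is re-evaluated on every render, each `helm upgrade` produces fresh keys, so every component that reads security.toml has to pick up the new file together; an optional values field for an operator-supplied key would avoid that. Separately, the comment in the `filerRead` block still says `# - the Filer server validates the JWT on writing` and should read `on reading`.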
|
||||
|
|
|
@ -10,6 +10,12 @@ global:
|
|||
restartPolicy: Always
|
||||
loggingLevel: 1
|
||||
enableSecurity: false
|
||||
securityConfig:
|
||||
jwtSigning:
|
||||
volumeWrite: true
|
||||
volumeRead: false
|
||||
filerWrite: false
|
||||
filerRead: false
|
||||
certificates:
|
||||
alphacrds: false
|
||||
monitoring:
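Review bot: The new `jwtSigning` flags carry no comments, although each one decides whether the matching `[jwt.*]` section is rendered into security.toml at all. Per the template's own comments, the filer only requires signed requests when its key is configured, so `filerWrite: false` and `filerRead: false` leave those paths without JWT enforcement. I would put a line such as `# volumeWrite: render [jwt.signing]; when false no volume write-signing key is configured` above each flag. It would also help to state how the flags relate to `enableSecurity: false`, since the guard that ties them together is not visible on this page.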
|
||||
|
|