-
-
Notifications
You must be signed in to change notification settings - Fork 665
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(helm): added jwt secret auto gen (#1062) #1092
base: dev
Are you sure you want to change the base?
feat(helm): added jwt secret auto gen (#1062) #1092
Conversation
Introduced a new auto generated secret key that will only be generated on first install called "jwtSignatureGeneratorSecret". The value of this secret key is added via an environment variable setting to the depoyment only if no user defined variable with the same name is found. This should avoid duplicate env var names that can cause trouble with subsequent changes to the deployment object.
@tchiotludo would love to hear your feedback on this before moving on. |
hi @danielhass, thanks for that. I look at quickly but I found it's some kind of breaking change. I think I would prefer: jwtSecret:
create: true
value: "xx" to allow people to define one or to let autocreate one. What do you think about that? |
@tchiotludo I get your concern. Actually I don't know enough about Micronaut to comment on the precedence of the different ways of setting the jwt generator secret. I don't know if a env variable would overwrite a configuration file supplied setting or vice versa. Based on your feedback I will try to adapt my PR to a more explizit variant were users have to opt-in in order to use the autogen feature. However my ultimate goal in #1062 was to provide akhq users with a secure installation out-of-the-box. Switching to a explicit setting somehow contradicts this. What would you think of an addition to the charts |
@danielhass : any env vars will override any application files in micronaut. I think we could kept the conf for convenience : jwtSecret:
create: true
value: "xx" what do you think ? |
@tchiotludo thanks for the feedback and clarifying the precedence of configs in Micronaut. I'm not sure if I get your proposal right but I would not be a huge fan of merging a generated secret into the user supplied values saved in the This would have the additional charm that even if users use other ways of providing a secret the convenience option or auto generated value will always have a higher precedence. And as this values.yaml option is a clear user opt-in for me this sounds quite right. What to you think about this proposal? If it sounds good to you I will go ahead and try to implement it this way. |
Best solution: https://github.com/tchiotludo/akhq/pull/1152/files#diff-9cc2bd3ea2b84a15de094176387d72447ead7aa612f26fd272f05e4996559752R16 Please see 16th line. than just use
|
670f1e4
to
c757938
Compare
I would like to get some feedback on the implementation design. I tried to introduce the new feature without breaking existing behavior.
Summary of changes:
release-name-akhq-secrets
is now created always and the previous conditional is moved closer to theapplication-secrets.yml
keyenv
section now incorporates a bunch of logic to check if a user as explicitly set theMICRONAUT_SECURITY_TOKEN_JWT_SIGNATURES_SECRET_GENERATOR_SECRET
env var. In this case the auto generated value will not be used (however it will still be generated and written to the secret).One point of uncertainty at this point is the question if we should include a general switch to completely disable this new feature. However with the default setting being active as the goal of #1062 is to make the chart secure per default.