From 659133fb682b70146b65ebca56e8415e38f2dff4 Mon Sep 17 00:00:00 2001
From: Yuval Yacoby <33892515+yuvalyacoby@users.noreply.github.com>
Date: Thu, 5 Oct 2023 17:46:28 +0300
Subject: [PATCH] Helm chart jwt signing configuration (#4894)
* add helm chart config to customize jwt signing
* restore values
---------
Co-authored-by: Yuval Yacoby
---
 .../templates/security-configmap.yaml | 28 +++++++++++++++++++
 k8s/charts/seaweedfs/values.yaml | 6 ++++
 2 files changed, 34 insertions(+)
diff --git a/k8s/charts/seaweedfs/templates/security-configmap.yaml b/k8s/charts/seaweedfs/templates/security-configmap.yaml
index 8f82c25a9..884fe6bb4 100644
--- a/k8s/charts/seaweedfs/templates/security-configmap.yaml
+++ b/k8s/charts/seaweedfs/templates/security-configmap.yaml
@@ -13,10 +13,38 @@ data:
 security.toml: |-
 # this file is read by master, volume server, and filer
+ {{- if .Values.global.securityConfig.jwtSigning.volumeWrite }}
 # the jwt signing key is read by master and volume server
 # a jwt expires in 10 seconds
 [jwt.signing]
 key = "{{ randAlphaNum 10 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
+ # this jwt signing key is read by master and volume server, and it is used for read operations:
+ # - the Master server generates the JWT, which can be used to read a certain file on a volume server
+ # - the Volume server validates the JWT on reading
+ [jwt.signing.read]
+ key = "{{ randAlphaNum 10 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
+ # If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
+ # - f.e. the S3 API Shim generates the JWT
+ # - the Filer server validates the JWT on writing
+ # the jwt defaults to expire after 10 seconds.
+ [jwt.filer_signing]
+ key = "{{ randAlphaNum 10 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.global.securityConfig.jwtSigning.filerRead }}
+ # If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
+ # - f.e. the S3 API Shim generates the JWT
+ # - the Filer server validates the JWT on writing
+ # the jwt defaults to expire after 10 seconds.
+ [jwt.filer_signing.read]
+ key = "{{ randAlphaNum 10 | b64enc }}"
+ {{- end }}
 # all grpc tls authentications are mutual
 # the values for the following ca, cert, and key are paths to the PERM files.
diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml
index 9d62f43cc..9e12a6e05 100644
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
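Review bot: The comment in the `filerRead` block (above `[jwt.filer_signing.read]`) was copied from the write block and still says `# - the Filer server validates the JWT on writing`; for the read key it should read `# - the Filer server validates the JWT on reading`. Separately, each of the three new keys is generated with `randAlphaNum 10 | b64enc`, the same pattern as the existing `[jwt.signing]` key: that is 10 alphanumeric characters (roughly 59 bits of randomness; the base64 step adds none), which is well short of the 256 bits normally recommended for an HMAC signing secret if that is how these keys are consumed, and the value is regenerated on every render, so a `helm upgrade` silently rotates all four keys and invalidates tokens issued before the rollout. Consider taking the key length from a new chart value, or allowing an operator-supplied key, and adding a template comment noting that a fresh key is generated on every render. The `security.toml` block continues outside the hunk.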
@@ -10,6 +10,12 @@ global:
 restartPolicy: Always
 loggingLevel: 1
 enableSecurity: false
+ securityConfig:
+ jwtSigning:
+ volumeWrite: true
+ volumeRead: false
+ filerWrite: false
+ filerRead: false
 certificates:
 alphacrds: false
 monitoring:
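Review bot: The four new `jwtSigning` toggles carry no comments, so a chart user has to open `security-configmap.yaml` to learn that each one switches a `[jwt.*]` section of `security.toml` on or off, that `volumeWrite: true` keeps the previous behaviour (the `[jwt.signing]` key was emitted unconditionally before this change), and that the three `false` defaults leave the corresponding read and filer paths without a signing key. A comment above the block such as `# per-purpose JWT signing keys written into security.toml; false omits that [jwt.*] section entirely`, plus a one-line note on each key naming the section it controls, would make the defaults reviewable without reading the template. Whether these toggles take effect only when `enableSecurity` is true is not visible in this hunk and is worth stating in the comment once confirmed.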