Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Helm chart jwt signing configuration (#4894) 

* add helm chart config to customize jwt signing

* restore values

---------

Co-authored-by: Yuval Yacoby <yyacoby@paloaltonetworks.com>
pull/4898/head
Yuval Yacoby 1 year ago
committed by GitHub
parent
530bdedf76
commit
659133fb68
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 28
      k8s/charts/seaweedfs/templates/security-configmap.yaml
  2. 6
      k8s/charts/seaweedfs/values.yaml

28
k8s/charts/seaweedfs/templates/security-configmap.yaml
View File

@ -13,10 +13,38 @@ data:
security.toml: |- security.toml: |-
# this file is read by master, volume server, and filer # this file is read by master, volume server, and filer
{{- if .Values.global.securityConfig.jwtSigning.volumeWrite }}
# the jwt signing key is read by master and volume server # the jwt signing key is read by master and volume server
# a jwt expires in 10 seconds # a jwt expires in 10 seconds
[jwt.signing] [jwt.signing]
key = "{{ randAlphaNum 10 | b64enc }}" key = "{{ randAlphaNum 10 | b64enc }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
# this jwt signing key is read by master and volume server, and it is used for read operations:
# - the Master server generates the JWT, which can be used to read a certain file on a volume server
# - the Volume server validates the JWT on reading
[jwt.signing.read]
key = "{{ randAlphaNum 10 | b64enc }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
# If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
# - f.e. the S3 API Shim generates the JWT
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing]
key = "{{ randAlphaNum 10 | b64enc }}"
{{- end }}
{{- if .Values.global.securityConfig.jwtSigning.filerRead }}
# If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
# - f.e. the S3 API Shim generates the JWT
# - the Filer server validates the JWT on writing
# the jwt defaults to expire after 10 seconds.
[jwt.filer_signing.read]
key = "{{ randAlphaNum 10 | b64enc }}"
{{- end }}
# all grpc tls authentications are mutual # all grpc tls authentications are mutual
# the values for the following ca, cert, and key are paths to the PERM files. # the values for the following ca, cert, and key are paths to the PERM files.

6
k8s/charts/seaweedfs/values.yaml
View File

@ -10,6 +10,12 @@ global:
restartPolicy: Always restartPolicy: Always
loggingLevel: 1 loggingLevel: 1
enableSecurity: false enableSecurity: false
securityConfig:
jwtSigning:
volumeWrite: true
volumeRead: false
filerWrite: false
filerRead: false
certificates: certificates:
alphacrds: false alphacrds: false
monitoring: monitoring:

Write Preview
Loading…
Cancel
Save