Helm chart jwt signing configuration (#4894)

* add helm chart config to customize jwt signing * restore values --------- Co-authored-by: Yuval Yacoby <yyacoby@paloaltonetworks.com>
2024-06-03 01:00:04 +02:00 · 2023-10-05 17:46:28 +03:00 · 2023-10-05 17:46:28 +03:00 · 659133fb68
parent 530bdedf76
commit 659133fb68
2 changed files with 34 additions and 0 deletions
--- a/k8s/charts/seaweedfs/templates/security-configmap.yaml
+++ b/k8s/charts/seaweedfs/templates/security-configmap.yaml
@ -13,10 +13,38 @@ data:
  security.toml: |-
    # this file is read by master, volume server, and filer

+    {{- if .Values.global.securityConfig.jwtSigning.volumeWrite }}
    # the jwt signing key is read by master and volume server
    # a jwt expires in 10 seconds
    [jwt.signing]
    key = "{{ randAlphaNum 10 | b64enc }}"
+    {{- end }}
+
+    {{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
+    # this jwt signing key is read by master and volume server, and it is used for read operations:
+    # - the Master server generates the JWT, which can be used to read a certain file on a volume server
+    # - the Volume server validates the JWT on reading
+    [jwt.signing.read]
+    key = "{{ randAlphaNum 10 | b64enc }}"
+    {{- end }}
+
+    {{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
+    # If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
+    # - f.e. the S3 API Shim generates the JWT
+    # - the Filer server validates the JWT on writing
+    # the jwt defaults to expire after 10 seconds.
+    [jwt.filer_signing]
+    key = "{{ randAlphaNum 10 | b64enc }}"
+    {{- end }}
+
+    {{- if .Values.global.securityConfig.jwtSigning.filerRead }}
+    # If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
+    # - f.e. the S3 API Shim generates the JWT
+    # - the Filer server validates the JWT on writing
+    # the jwt defaults to expire after 10 seconds.
+    [jwt.filer_signing.read]
+    key = "{{ randAlphaNum 10 | b64enc }}"
+    {{- end }}

    # all grpc tls authentications are mutual
    # the values for the following ca, cert, and key are paths to the PERM files.
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@ -10,6 +10,12 @@ global:
  restartPolicy: Always
  loggingLevel: 1
  enableSecurity: false
+  securityConfig:
+    jwtSigning:
+      volumeWrite: true
+      volumeRead: false
+      filerWrite: false
+      filerRead: false
  certificates:
    alphacrds: false
  monitoring: