authorYuval Yacoby <33892515+yuvalyacoby@users.noreply.github.com>2023-10-05 17:46:28 +0300
committerGitHub <noreply@github.com>2023-10-05 07:46:28 -0700
commit659133fb682b70146b65ebca56e8415e38f2dff4 (patch)
tree4a594929cb9f34ea79b98633634fe2b9f6569533
parent530bdedf763a1c1754784debc331f02201cb910f (diff)
downloadseaweedfs-659133fb682b70146b65ebca56e8415e38f2dff4.tar.xz
seaweedfs-659133fb682b70146b65ebca56e8415e38f2dff4.zip
Helm chart jwt signing configuration (#4894)
* add helm chart config to customize jwt signing * restore values --------- Co-authored-by: Yuval Yacoby <yyacoby@paloaltonetworks.com>
-rw-r--r--k8s/charts/seaweedfs/templates/security-configmap.yaml28
-rw-r--r--k8s/charts/seaweedfs/values.yaml6
2 files changed, 34 insertions, 0 deletions
diff --git a/k8s/charts/seaweedfs/templates/security-configmap.yaml b/k8s/charts/seaweedfs/templates/security-configmap.yaml
index 8f82c25a9..884fe6bb4 100644
--- a/k8s/charts/seaweedfs/templates/security-configmap.yaml
+++ b/k8s/charts/seaweedfs/templates/security-configmap.yaml
@@ -13,10 +13,38 @@ data:
security.toml: |-
# this file is read by master, volume server, and filer
+ {{- if .Values.global.securityConfig.jwtSigning.volumeWrite }}
# the jwt signing key is read by master and volume server
# a jwt expires in 10 seconds
[jwt.signing]
key = "{{ randAlphaNum 10 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.global.securityConfig.jwtSigning.volumeRead }}
+ # this jwt signing key is read by master and volume server, and it is used for read operations:
+ # - the Master server generates the JWT, which can be used to read a certain file on a volume server
+ # - the Volume server validates the JWT on reading
+ [jwt.signing.read]
+ key = "{{ randAlphaNum 10 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.global.securityConfig.jwtSigning.filerWrite }}
+ # If this JWT key is configured, Filer only accepts writes over HTTP if they are signed with this JWT:
+ # - f.e. the S3 API Shim generates the JWT
+ # - the Filer server validates the JWT on writing
+ # the jwt defaults to expire after 10 seconds.
+ [jwt.filer_signing]
+ key = "{{ randAlphaNum 10 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.global.securityConfig.jwtSigning.filerRead }}
+ # If this JWT key is configured, Filer only accepts reads over HTTP if they are signed with this JWT:
+ # - f.e. the S3 API Shim generates the JWT
+ # - the Filer server validates the JWT on writing
+ # the jwt defaults to expire after 10 seconds.
+ [jwt.filer_signing.read]
+ key = "{{ randAlphaNum 10 | b64enc }}"
+ {{- end }}
# all grpc tls authentications are mutual
# the values for the following ca, cert, and key are paths to the PERM files.
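Review bot: The three new signing keys under `[jwt.signing.read]`, `[jwt.filer_signing]` and `[jwt.filer_signing.read]` copy `randAlphaNum 10 | b64enc`, which yields only about 59 bits of entropy (62^10; the base64 step adds none) — low for an HMAC JWT secret that anyone able to guess it could use to forge volume or filer tokens, so `randAlphaNum 32 | b64enc` (or longer) is a cheap improvement, and the pre-existing write key on the context line deserves the same treatment. Because sprig's `randAlphaNum` is re-evaluated on every `helm upgrade`, every enabled key rotates at once and tokens minted by a pod on the old ConfigMap revision will presumably be rejected by pods already on the new one; the values added here only toggle each section and give no way to pin a key despite the commit title, so something like `key = "{{ .Values.global.securityConfig.jwtSigning.filerReadKey | default (randAlphaNum 32 | b64enc) }}"` per section (or a `lookup` of the existing ConfigMap) would let operators supply or preserve a stable key. The comment on the `[jwt.filer_signing.read]` block is a copy-paste of the write block and still says `the Filer server validates the JWT on writing`; it should read `the Filer server validates the JWT on reading`. Finally, these are shared secrets rendered into a ConfigMap rather than a Secret — pre-existing design, but worth noting since ConfigMap read access in the namespace is enough to recover the keys.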
diff --git a/k8s/charts/seaweedfs/values.yaml b/k8s/charts/seaweedfs/values.yaml
index 9d62f43cc..9e12a6e05 100644
--- a/k8s/charts/seaweedfs/values.yaml
+++ b/k8s/charts/seaweedfs/values.yaml
@@ -10,6 +10,12 @@ global:
restartPolicy: Always
loggingLevel: 1
enableSecurity: false
+ securityConfig:
+ jwtSigning:
+ volumeWrite: true
+ volumeRead: false
+ filerWrite: false
+ filerRead: false
certificates:
alphacrds: false
monitoring:
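Review bot: The new `securityConfig.jwtSigning` flags are undocumented in values.yaml, so a reader cannot tell from this file that each flag emits the matching `[jwt...]` section into security.toml with a key generated at render time, or that `volumeWrite: true` exists to keep the previously unconditional `[jwt.signing]` block enabled by default. A short comment above `securityConfig:` would cover it, e.g. `# Each flag adds the corresponding [jwt...] section to security.toml with a randomly generated key;` followed by `# keys are regenerated on every helm upgrade. volumeWrite defaults to true to preserve prior behaviour.` It is also worth stating whether these flags have any effect unless `enableSecurity` above is true — the template guard is not visible in this diff, so that interaction should be confirmed before documenting it. The enclosing `global:` mapping begins outside the hunk.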