ONYX-16576: Add Authn-JWT support to helm #431
Conversation
tzheleznyak
force-pushed
the
add-authn-jwt-params-to-helm
branch
from
567bd41 to
555e363
Compare
| name: {{ .Values.secretsProvider.name }} | ||
| env: | ||
| {{- if .Values.environment.conjur.authnJWT.projectToken}} | ||
| - name: JWT_TOKEN_PATH |
There was a problem hiding this comment.
Using an environment variable here for the Secrets Provider "standalone" or "app" mode Helm chart is okay, but when the Secrets Provider is run in any other mode, this should be configured as a Pod Annotation. Is there a plan to add support to Secrets Provider so that this can be configured as a Pod Annotation?
There was a problem hiding this comment.
Actually, I thought we wouldn't need this setting, and the token would be hard-coded in the Secrets Provider code?
There was a problem hiding this comment.
It will be hardcoded to defaults in documentation and helm charts but if client for any reason want to change he can
There was a problem hiding this comment.
We talked about not adding it as annotation not?
There was a problem hiding this comment.
Our discussion was in the context of setting the token path via Pod Annotations, but I assumed that this extended more generally to not having a configuration for this in env variables, either.
My thinking is that if the token path, and/or the token filename, is something that we expect the user would never care about (i.e. it's only ever used inside the SP container, which we own and control), then it's probably best to not provide a way for a user to configure it (one less thing that can be misconfigured, and it's one less thing we need to document and test).
If this is being added to this Helm chart as a "just-in-case" setting, then we should already have support for this environment variable built into the SP container image. We could exclude this setting from user-facing Helm charts (e.g. this one) and user-facing documentation for now. If the situation does arise where a customer for some unforeseen reason needs to change this, we can always offer the customer a workaround (they can just modify their manifests or Helm charts).
But if this is a setting that we still want to make available to the user in this Helm chart, then we'll also want to add support for this into SP as an Annotation (so that it's available when SP is running as an init or sidecar container).
| @@ -216,10 +216,6 @@ function main() { | |||
| conjur_authn_login_test "" | |||
| update_results "$?" "$EXPECT_FAILURE" | |||
|
|
|||
| announce "Missing Conjur authn login causes failure" | |||
There was a problem hiding this comment.
For non-JWT functionality, the value .Values.environment.conjur.authnLogin is still required, and we want the user notified (as a "fail fast" mechanism) if this is missing, and it's not configured for authn-jwt.
We'll probably need to add an authnJWT.enabled boolean chart value to this Helm chart, and default it to "false". Then, either in the Helm chart secrets-provider.yaml template, or better yet, in the values.schema.json, we need to indicate that either authnJWT.enabled needs to be set to "true", or authnLogin needs to be provided.
With the above changes, then the missing_conjur_authn_login_test should still be called here.
There was a problem hiding this comment.
I thought about authnJWT.enabled but because token projection is mandatory for authn-jwt then
authnJWT.projectToken.
There was a problem hiding this comment.
How can i do this test thing with values.schema.json?
| @@ -84,3 +84,8 @@ environment: | |||
| # This setting is required. | |||
There was a problem hiding this comment.
If you add an authnJWT.enabled setting, then this comment should say:
# This setting is required if `authnJWT.enabled` is set to false.
Or something like that.
| name: {{ .Values.secretsProvider.name }} | ||
| env: | ||
| {{- if .Values.environment.conjur.authnJWT.projectToken}} | ||
| - name: JWT_TOKEN_PATH | ||
| value: /var/run/secrets/tokens/{{ .Values.environment.conjur.authnJWT.projectedFilname }} |
There was a problem hiding this comment.
Typo here and below: projectedFilname should be projectedFilename.
tzheleznyak
force-pushed
the
add-authn-jwt-params-to-helm
branch
from
555e363 to
c6b6ca8
Compare
|
Please take a look at the changes that I made on this branch: f5703bb On this branch, I've implemented the following:
(I figured that it's probably quicker to just add the schema/unittest code, since I've done it before.) I've set the minimum JWT token interval to 1 (second). I don't know if this is appropriate. Please feel free to copy the changes from that branch/commit into your PR branch. |
tzheleznyak
force-pushed
the
add-authn-jwt-params-to-helm
branch
2 times, most recently
from
a071fea to
0e70d8e
Compare
tzheleznyak
force-pushed
the
add-authn-jwt-params-to-helm
branch
from
0e70d8e to
ca062f1
Compare
|
Code Climate has analyzed commit ca062f1 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 92.6% (0.0% change). View more on Code Climate. |
tzheleznyak
dismissed
diverdane’s stale review
Talked about it. Tell me if i missed something and i will open new PR. I will create a PR for annotation add for JWT token path and add it to the automation
Changed helm chart to support token projection for JWT cases using this values.yaml