
feat(cloud-native): add ingress for jans-lock as jans-auth service #8857

Merged: 4 commits merged into main from cn-lock-ingress on Jul 4, 2024

Conversation

iromli (Contributor) commented Jul 3, 2024

Prepare


Description

Target issue

closes #8853

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: iromli <isman.firmansyah@gmail.com>
iromli requested a review from moabu as a code owner on July 3, 2024 19:27

dryrunsecurity bot commented Jul 3, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status                  Findings
Server-Side Request Forgery Analyzer    0 findings
Configured Codepaths Analyzer           0 findings
Secrets Analyzer                        0 findings
Authn/Authz Analyzer                    0 findings
SQL Injection Analyzer                  0 findings
Sensitive Files Analyzer                1 finding
IDOR Analyzer                           0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes cover various aspects of the Janssen application, including the Keycloak integration, caching, endpoint configurations, ingress settings, and Helm chart configurations. From an application security perspective, the key highlights are:

  1. Keycloak Configuration: The changes include updates to the Keycloak database configuration, such as the database vendor, username, password, and schema name. Proper management of these credentials is crucial for application security.

  2. Cache Configuration: The changes include the ability to configure the cache type, which can have security implications depending on the chosen cache implementation and its configuration.

  3. Endpoint Configurations: The changes include the ability to enable or disable various endpoints, such as the OpenID Configuration, Device Code, and FIDO2 Configuration endpoints. Careful review of the enabled endpoints and their security is important.

  4. Ingress Configuration: The changes include comprehensive Ingress resource configurations, which are crucial for securing the application's external access points. Features like SSL/TLS, proxy timeouts, and rewrite targets are noteworthy.

  5. Persistence Configuration: The changes include the ability to configure the persistence backend, which can have security implications depending on the chosen technology and its configuration.

  6. Key Rotation: The changes include the ability to configure the key rotation for the authentication server, which is an important security practice.

Overall, the provided code changes appear to be focused on improving the security posture of the Janssen application, with a particular emphasis on the Keycloak integration and the ingress configuration. As an application security engineer, I would recommend thoroughly reviewing these changes, ensuring that all sensitive configurations are properly secured, and verifying that the application's security practices align with industry best practices.

Files Changed:

  1. charts/janssen-all-in-one/templates/configmap.yaml: Changes related to the removal of the KC_PROXY environment variable and the addition of Keycloak-related environment variables.
  2. charts/janssen-all-in-one/README.md: Changes to disable the /.well-known/lock-master-configuration endpoint and set the Jetty header size limit.
  3. charts/janssen-all-in-one/values.yaml: Extensive changes to the Keycloak, caching, endpoint, ingress, and persistence configurations.
  4. charts/janssen-all-in-one/templates/nginx-ingress.yaml: Comprehensive Ingress resource configurations for various application functionalities.
  5. charts/janssen/charts/config/README.md: Changes related to the removal of the kcProxy configuration and improvements to the Vault integration.
  6. charts/janssen/README.md: Changes related to the removal of the kcProxy configuration parameter.
  7. charts/janssen/charts/config/templates/configmaps.yaml: Changes related to the removal of the KC_PROXY environment variable and the addition of Keycloak database-related environment variables.
  8. charts/janssen/values.yaml: Changes related to the removal of the kcProxy configuration parameter.
  9. charts/janssen/charts/config/values.yaml: Changes to the Keycloak database configuration and other Keycloak-related settings.
  10. charts/janssen/charts/nginx-ingress/README.md: Changes related to the addition of configuration options for the "lock config" ingress resource.
  11. charts/janssen/charts/nginx-ingress/templates/ingress.yaml: Addition of a new Ingress resource for the "lock-config" functionality.
  12. docker-jans-all-in-one/Dockerfile: Removal of unnecessary Keycloak-related environment variables.
  13. charts/janssen/charts/nginx-ingress/values.yaml: Addition of new configuration options for ingress resource labels and annotations.
  14. docker-jans-all-in-one/app/templates/nginx/jans-auth-location.conf: Configuration of the Nginx proxy for the Jans Authentication application.

Powered by DryRun Security
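The Ingress the bot summary refers to (a new resource for the lock-config path in the nginx-ingress sub-chart, with TLS, proxy timeouts and a rewrite target) can be illustrated with a plain manifest. The block below is an added example and is not the chart template from this PR: it routes /.well-known/lock-master-configuration to the jans-auth Service, forces HTTPS, and sets explicit ingress-nginx proxy timeouts. The hostname auth.example.org, the namespace jans, the TLS Secret name tls-certificate, the backend port 8080 and the internal rewrite path under /jans-auth are all assumptions, not values taken from the chart.

```yaml
# Added example, not the chart template from this PR.
# Assumed values: host auth.example.org, namespace jans, TLS Secret
# tls-certificate, jans-auth Service on port 8080, and the internal path
# /jans-auth/.well-known/lock-master-configuration as the rewrite target.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jans-lock-config-ingress
  namespace: jans
  labels:
    app: jans-auth
  annotations:
    # Never serve the lock metadata over plain HTTP; redirect to TLS.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Make the proxy timeouts explicit instead of relying on ingress-nginx
    # defaults, so a slow backend fails predictably.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
    # Rewrite the public well-known path to the path jans-auth serves
    # internally (assumed here).
    nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/lock-master-configuration
spec:
  ingressClassName: nginx
  tls:
    # TLS termination at the ingress; the Secret must hold tls.crt/tls.key.
    - hosts:
        - auth.example.org
      secretName: tls-certificate
  rules:
    - host: auth.example.org
      http:
        paths:
          # Exact match so only the metadata document is exposed on this
          # rule, not every path under /.well-known/.
          - path: /.well-known/lock-master-configuration
            pathType: Exact
            backend:
              service:
                # jans-lock is served by jans-auth, so the backend is the
                # jans-auth Service rather than a separate jans-lock Service.
                name: jans-auth
                port:
                  number: 8080
```

After applying, confirm the rule with `kubectl get ingress -n jans` and fetch `https://auth.example.org/.well-known/lock-master-configuration` with `curl`: a plain-HTTP request to the same path should return a redirect to HTTPS rather than the document, and the HTTPS request should return the JSON metadata. If the chart's values disable this endpoint (the README change in this PR mentions that option), the path should return an error from jans-auth rather than the metadata.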

mo-auto added the labels area-documentation (Documentation needs to change as part of issue or PR), comp-charts-jans, comp-docker-jans-all-in-one (Touching folder /docker-jans-all-in-one) and kind-feature (Issue or PR is a new feature request) on Jul 3, 2024
moabu merged commit 40847c5 into main on Jul 4, 2024
9 checks passed
moabu deleted the cn-lock-ingress branch on July 4, 2024 03:32
3 participants