ROX-18826: watch jwt-key mount changes #7322
Conversation
|
Images are ready for the commit at cc71cfd. To use with deploy scripts, first |
central/jwt/jwt.go
Outdated
| } | ||
|
|
||
| // We pass parameter here to satisfy WatchPrivateKeyDir interface. | ||
| func loadPrivateKey(_ string) (*rsa.PrivateKey, error) { |
There was a problem hiding this comment.
nit: to potentially circumvent adding the parameter here, we may do the same inline in l.65:
jwt.WatchPrivateKeyDir(privateKeyDir, func(_ string) (*rsa.PrivateKey, error) { return loadPrivateKey() }, func(key *rsa.PrivateKey) {
privateKeyStore.UpdateKey(keyID, key)
})Feel like this is more clean instead of passing privateKeyDir to loadPrivateKey in l.59.
pkg/jwt/facade.go
Outdated
| // CreateRS256SignerAndValidator creates a token signer and validator pair with the given properties from the | ||
| // specified RSA private key. | ||
| func CreateRS256SignerAndValidator(issuerID string, audience jwt.Audience, privateKeyStore PrivateKeyGetter, publicKeyStore PublicKeyGetter, keyID string) (*SignerFactory, Validator) { | ||
| validator := NewRS256Validator(publicKeyStore, issuerID, audience) | ||
| signerFactory := &SignerFactory{ | ||
| keyStore: privateKeyStore, | ||
| keyID: keyID, | ||
| } | ||
| return signer, validator, nil | ||
| return signerFactory, validator | ||
| } |
There was a problem hiding this comment.
This CreateRS256SignerAndValidator function takes two sets of parameters, which are used to construct two objects.
The parameters for the returned objects constructors do not overlap, so I'd suggest splitting this function into CreateSignerFactory (sic!) and CreateRS256Validator with the corresponding parameters. And then we would realize that one doesn't need another function to create a Validator.
| @@ -40,8 +43,8 @@ func getBytesFromPem(path string) ([]byte, error) { | |||
|
|
|||
| // GetPrivateKeyBytes returns the contents of the file containing the private key. | |||
| func GetPrivateKeyBytes() ([]byte, error) { | |||
There was a problem hiding this comment.
| func GetPrivateKeyBytes() ([]byte, error) { | |
| func GetPrivateKeyBytes(dir string) ([]byte, error) { |
There was a problem hiding this comment.
Unfortunately this method is also used here:
which means we would either have to copy and reuse same parameter there as well or, even worse, introduce second method with different name. That's why I decided to keep it as it is
Co-authored-by: dhaus67 <dhaus@redhat.com>
|
/retest |
1 similar comment
|
/retest |
|
Decided to gather more information from the customer as the suggested approach does not seem to solve their problem |
Description
The goal of this PR is to make Central listen to
jwt-keyupdates incentral-tlssecret. This PR includes:Checklist
If any of these don't apply, please comment below.
Testing Performed
Manually execute with port-forward located on port 8000 pointing to central:
old-tokenexport ROX_API_TOKEN=<old-token-valueroxctl central debug download-diagnostics --endpoint=localhost:8000should be successfulJWT_KEY=<valid jwt key>kubectl patch secret central-tls -n stackrox --patch="{\"data\": { \"jwt-key.pem\": \"$JWT_KEY\" }}"roxctl central debug download-diagnostics --endpoint=localhost:8000should return an errornew-tokenexport ROX_API_TOKEN=<new-token-valueroxctl central debug download-diagnostics --endpoint=localhost:8000should be successful