From 2f06883be2c54f91e3432cb4411f852d792eda7b Mon Sep 17 00:00:00 2001 From: jdorsch Date: Wed, 13 Dec 2023 11:30:43 +0100 Subject: [PATCH 1/2] added F7T_AUTH_ISSUER and removed REALM and URL --- deploy/k8s/kong/templates/cm.kong.yaml | 16 ++++++---------- deploy/k8s/values-dev.yaml | 3 +-- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/deploy/k8s/kong/templates/cm.kong.yaml b/deploy/k8s/kong/templates/cm.kong.yaml index ebc4cf64..74f7a0b8 100644 --- a/deploy/k8s/kong/templates/cm.kong.yaml +++ b/deploy/k8s/kong/templates/cm.kong.yaml @@ -49,20 +49,16 @@ items: consumers: {{- range .Values.global.auth }} - - username: {{ .username }} - custom_id: {{ .username }} + - jwt_secrets: + - key: "{{ .F7T_AUTH_ISSUER }}" + algorithm: "{{ .F7T_AUTH_REALM_TYPE }}" + rsa_public_key: "-----BEGIN PUBLIC KEY-----\n{{ .F7T_AUTH_REALM_PUBKEY }}\n-----END PUBLIC KEY-----" + username: "{{ .username }}" {{- end }} + - username: docs custom_id: docs - {{- range .Values.global.auth }} - jwt_secrets: - - key: "{{ .F7T_AUTH_URL }}/auth/realms/{{ .F7T_AUTH_REALM }}" - algorithm: "{{ .F7T_AUTH_REALM_TYPE }}" - rsa_public_key: "-----BEGIN PUBLIC KEY-----\n{{ .F7T_AUTH_REALM_PUBKEY }}\n-----END PUBLIC KEY-----" - consumer: "{{ .username }}" - {{- end }} - routes: - name: reject # rejects any undefined route with 'request-termination' plugin diff --git a/deploy/k8s/values-dev.yaml b/deploy/k8s/values-dev.yaml index 4c84cdff..a8e3930a 100644 --- a/deploy/k8s/values-dev.yaml +++ b/deploy/k8s/values-dev.yaml 
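Review bot: In deploy/k8s/kong/templates/cm.kong.yaml the new `key: "{{ .F7T_AUTH_ISSUER }}"` line has no guard for a missing value, so a values file that still carries only `F7T_AUTH_URL`/`F7T_AUTH_REALM` would most likely render an empty `key` instead of failing the install. The changelog entry in this series says this key is the issuer Kong checks, so failing at render time is easier to diagnose than every token being rejected at the gateway: `- key: {{ required "global.auth[].F7T_AUTH_ISSUER must be set" .F7T_AUTH_ISSUER | quote }}`. The consumer entry also no longer sets `custom_id` (same in deploy/demo/kong/kong.yml), so it is worth confirming that nothing behind the gateway reads the consumer's custom id. The `consumers:` list sits in a ConfigMap template that starts and continues outside this hunk.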
@@ -93,7 +93,6 @@ global: F7T_RESERVATIONS_HOST: "https://svc-reservations" auth: - username: kc-demo - F7T_AUTH_URL: "http://svc-keycloak:8080" - F7T_AUTH_REALM: "kcrealm" + F7T_AUTH_ISSUER: "http://svc-keycloak:8080/auth/realms/kcrealm" F7T_AUTH_REALM_PUBKEY: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB' F7T_AUTH_REALM_TYPE: "RS256" \ No newline at end of file From f9e3d15518a0b89f89ff06dc3b2c4aadbca13c27 Mon Sep 17 00:00:00 2001 From: jdorsch Date: Wed, 13 Dec 2023 11:57:24 +0100 Subject: [PATCH 2/2] modified also docker demo kong --- CHANGELOG.md | 2 ++ deploy/demo/kong/kong.yml | 13 +++++-------- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c138538e..63b55159 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
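Review bot: `F7T_AUTH_ISSUER` in deploy/k8s/values-dev.yaml is now a single opaque string, and nothing in the file says it has to equal the token's issuer claim exactly. A comment above it would head off the usual mismatches (trailing slash, external versus in-cluster hostname, http versus https), for example `# Must match the "iss" claim of issued tokens character for character; plain-HTTP in-cluster URL is for the dev deployment only`. The public key below it appears to be the same demo realm key that is hard-coded in deploy/demo/kong/kong.yml, so `# demo realm key, replace for any real deployment` on `F7T_AUTH_REALM_PUBKEY` would help as well. The file still ends without a trailing newline.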
@@ -15,6 +15,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Add description for each parameter in `GET /status/parameters` response. - Add support for Object Storage Tenants in S3v4 object storage. The associated environment variable is `F7T_S3_TENANT` and it can be empty or be `null` or `none` when the tenant is not needed. Otherwise the tenant name has to be set. - The task that is returned from a successful `GET /jobs/acct` would returns the attribute `time`, which is `cputime` from slurm. The attribute will remain and `cputime` and `elapsed` will be also returned. Similarly, `time_left` is actually the time of termination of the jobs. `time_left` will remain for compatibility reasons, but `elapsed` attribute will also be returned. +- Added `F7T_AUTH_ISSUER` to specify the JWT token issuer to be checked by Kong GW + - Removed `F7T_AUTH_REALM` and `F7T_AUTH_URL` which are no longer needed ## Changed diff --git a/deploy/demo/kong/kong.yml b/deploy/demo/kong/kong.yml index b647ed3a..b2ea67fa 100644 --- a/deploy/demo/kong/kong.yml +++ b/deploy/demo/kong/kong.yml 
@@ -45,17 +45,14 @@ plugins: max_age: 3600 consumers: -- username: firecrest - custom_id: firecrest +- jwt_secrets: + - key: http://localhost:8080/auth/realms/kcrealm + algorithm: "RS256" + rsa_public_key: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB\n-----END PUBLIC KEY-----" + username: firecrest - username: docs custom_id: docs -jwt_secrets: -- consumer: firecrest - key: http://localhost:8080/auth/realms/kcrealm - algorithm: "RS256" - rsa_public_key: "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqB44q32bQp8LbyW6dQvgsjseXESkLT1g5LQKGb+P79AC+nOAtxhn8i/kmgc6zsQH8NlUtNJruLxlzdo2/OGmlDGYZH1x6VmAwvJPJ4er0xPUrvZ8YclxYQC16PY5LFiQRNBMRyQwP5Kne1O46FpmADFVWMfoabdnaqoXexxB56b25o8tE2ulRBgfpnrRgZAvf7kWjugRCNO06FV074FVMYHA1aBk0ICyaFCDM/Tb5oaDyGr5c/ZvdrRUrw8vaiYyMgaAnnJPL75cebGoHeMJaEyZalsHA+iuhRAfeAwpSClsmhVqnfH7a7hqrqumVRo27dydqmfVgpFjU5gbFcBZ5wIDAQAB\n-----END PUBLIC KEY-----" - routes: - name: reject # rejects any undefined route with 'request-termination' plugin
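Review bot: The new `key: http://localhost:8080/auth/realms/kcrealm` in deploy/demo/kong/kong.yml is a plain scalar, while `algorithm` and `rsa_public_key` next to it are quoted. It parses today, but quoting it keeps the entry consistent and safe if the issuer ever contains a ` #` or `: ` sequence: `key: "http://localhost:8080/auth/realms/kcrealm"`. The issuer is pinned to `localhost:8080`, so tokens obtained through any other Keycloak hostname would presumably not match this consumer; a one-line comment saying so would save demo users a debugging session. The `consumers:` list continues outside the hunk.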