[DEV]Protect insecure cloud-init endpoints for everything but GET

[travisbcotton]

Short Description
The current insecure cloud-init endpoint does not require a JWT to GET cloud-init data. This is the intended behavior as the configs served by this endpoint should be fine to be read by anyone. BUT, it is also possible to POST/DELETE/PATCH etc which is a major flaw, as this would allow someone on the clients/computes to update what is in cloud-init. Like giving themselves sudo access maybe.

Definition of Done
A JWT should be required to perform any action on the insecure cloud-init endpoint that is not GET

[LRitzdorf]

Very good point! Just to clarify how this interacts with the existing setup:

• Currently, a JWKS URL is optional, and specifying one will enable the secured endpoint
• In the process of fixing this issue, we'd make the JWKS URL required, and could either:
  • Add another flag to control the secure endpoint, or
  • Always enable the secured endpoint

Thoughts on those last two options?

[travisbcotton]

I think always enabling the secured endpoint is my preference.

[davidallendj]

By having it always enabled, does that mean cloud-init will throw an error if the JWKS URL is not set?

[travisbcotton]

Since cloud-init is a cluster facing service I think it should throw errors if JWKS URL is not set.