From 75fdc2da3e3a63f711c6049108680668dab06f89 Mon Sep 17 00:00:00 2001
From: Michele Zanotti
Date: Tue, 6 Aug 2024 13:03:14 +0200
Subject: [PATCH] feat: jwt signing key
---
 README.md | 2 ++
 main.tf | 12 ++++++++++++
 templates/helm-values.tpl.yaml | 9 +++------
 3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 837ced0..743f32b 100644
--- a/README.md
+++ b/README.md
@@ -87,6 +87,7 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
 - resource.azurerm_cognitive_deployment.gpt_4o_mini (/terraform-docs/main.tf#422)
 - resource.azurerm_key_vault.main (/terraform-docs/main.tf#127)
 - resource.azurerm_key_vault_secret.api_key (/terraform-docs/main.tf#437)
+- resource.azurerm_key_vault_secret.auth_jwt (/terraform-docs/main.tf#648)
 - resource.azurerm_key_vault_secret.azuread_application_client_id (/terraform-docs/main.tf#208)
 - resource.azurerm_key_vault_secret.azuread_application_client_secret (/terraform-docs/main.tf#213)
 - resource.azurerm_key_vault_secret.postgres_passwords (/terraform-docs/main.tf#371)
@@ -117,6 +118,7 @@ Available on [Terraform Registry](https://registry.terraform.io/modules/nebuly-a
 - resource.azurerm_storage_container.models (/terraform-docs/main.tf#463)
 - resource.random_password.postgres_server_admin_password (/terraform-docs/main.tf#222)
 - resource.tls_private_key.aks (/terraform-docs/main.tf#536)
+- resource.tls_private_key.auth_jwt (/terraform-docs/main.tf#644)
 - data source.azurerm_client_config.current (/terraform-docs/main.tf#47)
 - data source.azurerm_resource_group.main (/terraform-docs/main.tf#44)
 - data source.azurerm_subnet.aks_nodes (/terraform-docs/main.tf#53)
diff --git a/main.tf b/main.tf
index 6d6bb86..95340f5 100644
--- a/main.tf
+++ b/main.tf
@@ -640,6 +640,18 @@ resource "azurerm_kubernetes_cluster_node_pool" "linux_pools" {
 }
+# ------ Auth ------ #
+resource "tls_private_key" "auth_jwt" {
+ algorithm = "RSA"
+ rsa_bits = 4096
+}
+resource "azurerm_key_vault_secret" "auth_jwt" {
+ key_vault_id = azurerm_key_vault.main.id
+ name = format("%s-jwt-signing-key", var.resource_prefix)
+ value = tls_private_key.auth_jwt.private_key_pem
+}
+
+
 # ------ Post provisioning ------ #
 locals {
diff --git a/templates/helm-values.tpl.yaml b/templates/helm-values.tpl.yaml
index 3bcbd80..39b6828 100644
--- a/templates/helm-values.tpl.yaml
+++ b/templates/helm-values.tpl.yaml
@@ -151,14 +151,11 @@ auth:
 jwtSigningKey: ${k8s_secret_key_jwt_signing_key}
 loginModes: "password"
+
+ # TODO: optional Microsoft SSO
 microsoft:
 enabled: false
- redirectUri: https://${platform_domain}/backend/auth/oauth/microsoft/callback
- tenantId: ""
- existingSecret:
- name: ${secret_provider_class_secret_name}
- clientIdKey: microsoft-oauth-client-id
- clientSecretKey: microsoft-oauth-client-secret
+ # TODO: optional Okta SSO
 volumeMounts:
 - name: secrets-store
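Review bot: `tls_private_key.auth_jwt` generates the JWT signing key inside Terraform, so `private_key_pem` is written in clear to the Terraform state as well as to Key Vault, and nothing in the hunk records that; a comment above the resource should say so, e.g. `# NOTE: the private key is also persisted in Terraform state; protect the state backend like the vault itself.` The `azurerm_key_vault_secret` sets neither `content_type` nor `expiration_date`, so nothing in the vault tells a consumer the value is a PEM private key; `content_type = "application/x-pem-file"` would document it. Changing `algorithm` or `rsa_bits` later recreates the key and presumably invalidates every token signed with the previous one, which is worth stating as a rotation caveat next to the resource.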
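Review bot: The new `# TODO: optional Okta SSO` comment is placed directly above `volumeMounts:`, so it reads as a description of the volume mounts rather than as a placeholder for an absent `okta:` block; wording it `# TODO: optional Okta SSO (no okta: block yet)` or placing it under `enabled: false` would remove the ambiguity. After this change `microsoft.enabled: false` is the only Microsoft setting left, so re-enabling that login mode means re-adding the removed `redirectUri` and `existingSecret` wiring — presumably intended, but the Microsoft TODO could name the keys that are expected back. The enclosing `auth:` mapping starts before the hunk and the `volumeMounts` list continues past it.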