Update Jitsu to v2.4.5 (#6)

* feat: bump appversion to 2.4.5

* feat: remove base64 token hash format as all components now use the console format

* feat: secure rotor with auth tokens

Chart.yaml

@@ -4,7 +4,7 @@ type: application
 
 # Chart version is set automatically as part of the release process
 version: 0.0.0
-appVersion: 2.4.3
+appVersion: 2.4.5
 
 dependencies:
   - name: postgresql

templates/console/_helpers.tpl

@@ -61,6 +61,24 @@ app.kubernetes.io/component: console
   value: {{ . | quote }}
 {{- end }}
 
+{{- if .rotorAuthKeyFrom }}
+- name: ROTOR_AUTH_KEY
+  valueFrom:
+    {{- toYaml .rotorAuthKeyFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .rotorAuthKey) $.Values.rotor.enabled $.Values.tokenGenerator.enabled }}
+- name: ROTOR_AUTH_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: rotorAuthToken
+{{- end }}
+{{- with .rotorAuthKey }}
+- name: ROTOR_AUTH_KEY
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
 {{- if and (not .ingestHost) (not $.Values.config.ingestHost) $.Values.ingest.enabled }}
 - name: INGEST_HOST
   value: {{ $.Values.ingest.config.dataDomain | default (printf "%s-ingest" (include "jitsu.fullname" $)) | quote }}

templates/ingest/_helpers.tpl

@@ -162,6 +162,24 @@ app.kubernetes.io/component: ingest
   value: {{ . | quote }}
 {{- end }}
 
+{{- if .rotorAuthKeyFrom }}
+- name: INGEST_ROTOR_AUTH_KEY
+  valueFrom:
+    {{- toYaml .rotorAuthKeyFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .rotorAuthKey) $.Values.rotor.enabled $.Values.tokenGenerator.enabled }}
+- name: INGEST_ROTOR_AUTH_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: rotorAuthToken
+{{- end }}
+{{- with .rotorAuthKey }}
+- name: INGEST_ROTOR_AUTH_KEY
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
 {{- with .eventsLogMaxSize }}
 - name: INGEST_EVENTS_LOG_MAX_SIZE
   value: {{ . | quote }}

templates/rotor/_helpers.tpl

@@ -37,6 +37,42 @@ app.kubernetes.io/component: rotor
   value: {{ . | quote }}
 {{- end }}
 
+{{- if .authTokensFrom }}
+- name: ROTOR_AUTH_TOKENS
+  valueFrom:
+    {{- toYaml .authTokensFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .authTokens) $.Values.tokenGenerator.enabled }}
+- name: ROTOR_AUTH_TOKENS
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: rotorAuthTokens
+{{- end }}
+{{- with .authTokens}}
+- name: ROTOR_AUTH_TOKENS
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .tokenSecretFrom }}
+- name: ROTOR_TOKEN_SECRET
+  valueFrom:
+    {{- toYaml .tokenSecretFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .tokenSecret) $.Values.tokenGenerator.enabled }}
+- name: ROTOR_TOKEN_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: rotorTokenSecret
+{{- end }}
+{{- with .tokenSecret }}
+- name: ROTOR_TOKEN_SECRET
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
 {{- if .repositoryAuthTokenFrom }}
 - name: REPOSITORY_AUTH_TOKEN
   valueFrom:

templates/token-generator/job.yaml

@@ -69,29 +69,29 @@ spec:
                 secret="$3"
                 echo -n "$token$salt$secret" | sha512sum | awk '{print $1}' | tr -d '\n'
               }
-              base64_hash_token() {
-                hex_hash_token "$@" | xxd -r -p | base64 -w 0 | tr -d '='
-              }
               globalHashSecret=$(random_string $SECRET_LENGTH)
               ingestTokenSecret=$(random_string $SECRET_LENGTH)
               bulkerTokenSecret=$(random_string $SECRET_LENGTH)
               syncctlTokenSecret=$(random_string $SECRET_LENGTH)
+              rotorTokenSecret=$(random_string $SECRET_LENGTH)
 
               consoleAuthToken=$(random_string $TOKEN_LENGTH)
               ingestAuthToken=$(random_string $TOKEN_LENGTH)
               bulkerAuthToken=$(random_string $TOKEN_LENGTH)
               syncctlAuthToken=$(random_string $TOKEN_LENGTH)
+              rotorAuthToken=$(random_string $TOKEN_LENGTH)
 
               consoleAuthTokenSalt=$(random_string $SALT_LENGTH)
               ingestAuthTokenSalt=$(random_string $SALT_LENGTH)
               bulkerAuthTokenSalt=$(random_string $SALT_LENGTH)
               syncctlAuthTokenSalt=$(random_string $SALT_LENGTH)
+              rotorAuthTokenSalt=$(random_string $SALT_LENGTH)
 
-              ingestAuthTokens="$ingestAuthTokenSalt.$(base64_hash_token $ingestAuthToken $ingestAuthTokenSalt $ingestTokenSecret)"
-              bulkerAuthTokens="$bulkerAuthTokenSalt.$(base64_hash_token $bulkerAuthToken $bulkerAuthTokenSalt $bulkerTokenSecret)"
-              syncctlAuthTokens="$syncctlAuthTokenSalt.$(base64_hash_token $syncctlAuthToken $syncctlAuthTokenSalt $syncctlTokenSecret)"
-
+              ingestAuthTokens="$ingestAuthTokenSalt.$(hex_hash_token $ingestAuthToken $ingestAuthTokenSalt $ingestTokenSecret)"
+              bulkerAuthTokens="$bulkerAuthTokenSalt.$(hex_hash_token $bulkerAuthToken $bulkerAuthTokenSalt $bulkerTokenSecret)"
+              syncctlAuthTokens="$syncctlAuthTokenSalt.$(hex_hash_token $syncctlAuthToken $syncctlAuthTokenSalt $syncctlTokenSecret)"
               consoleAuthTokens="$consoleAuthTokenSalt.$(hex_hash_token $consoleAuthToken $consoleAuthTokenSalt $globalHashSecret)"
+              rotorAuthTokens="$rotorAuthTokenSalt.$(hex_hash_token $rotorAuthToken $rotorAuthTokenSalt $globalHashSecret)"
 
               kubectl apply -f- <<EOF
               apiVersion: v1
@@ -105,16 +105,19 @@ spec:
                 ingestTokenSecret: "$ingestTokenSecret"
                 bulkerTokenSecret: "$bulkerTokenSecret"
                 syncctlTokenSecret: "$syncctlTokenSecret"
+                rotorTokenSecret: "$rotorTokenSecret"
 
                 ingestAuthToken: "$ingestAuthToken"
                 bulkerAuthToken: "$bulkerAuthToken"
                 syncctlAuthToken: "$syncctlAuthToken"
                 consoleAuthToken: "service-admin-account:$consoleAuthToken"
+                rotorAuthToken: "$rotorAuthToken"
 
                 ingestAuthTokens: "$ingestAuthTokens"
                 bulkerAuthTokens: "$bulkerAuthTokens"
                 syncctlAuthTokens: "$syncctlAuthTokens"
                 consoleAuthTokens: "$consoleAuthTokens"
+                rotorAuthTokens: "$rotorAuthTokens"
               EOF
       {{- with (.Values.tokenGenerator.nodeSelector | default .Values.global.nodeSelector) }}
       nodeSelector:

values.yaml

@@ -158,6 +158,12 @@ console:
     # https://docs.jitsu.com/self-hosting/configuration#rotor_url
     rotorUrl: ""
 
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest
+    rotorAuthKey: ""
+    rotorAuthKeyFrom: ""
+
+
     # Public domain where ingest service is available. Leave empty to configure automatically.
     # https://docs.jitsu.com/self-hosting/configuration#ingest_host
     ingestHost: ""
@@ -393,6 +399,17 @@ rotor:
     # https://docs.jitsu.com/self-hosting/configuration#repository_refresh_period_sec
     repositoryRefreshPeriodSec: ""
 
+    # Leave empty to automatically configure.
+    # https://docs.jitsu.com/self-hosting/configuration#rotor
+    authTokens: ""
+    authTokensFrom: {}
+
+    # Leave empty to automatically configure.
+    # https://docs.jitsu.com/self-hosting/configuration#rotor
+    tokenSecret: ""
+    tokenSecretFrom: {}
+
+
     # Leave empty to configure automatically if config.redisUrl is set or Redis subchart is being used.
     # https://docs.jitsu.com/self-hosting/configuration#redis_url
     redisUrl: ""
@@ -532,6 +549,11 @@ ingest:
     # https://docs.jitsu.com/self-hosting/configuration#ingest_rotor_url
     rotorUrl: ""
 
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#console
+    rotorAuthKey: ""
+    rotorAuthKeyFrom: ""
+
     # Leave empty to configure automatically when Redis subchart is enabled or config.redisUrl is set.
     # https://docs.jitsu.com/self-hosting/configuration#ingest_redis_url
     redisUrl: ""