Commit 78bd1994 authored by Sandro Mathys's avatar Sandro Mathys

allow more sealer keys parameters to be configured

parent fc97f8f6
......@@ -11,7 +11,7 @@ metadata:
{{- toYaml .Values.podAnnotations | nindent 4 }}
{{- end }}
spec:
schedule: "{{ .Values.backend.shibboleth.sessionCache.sealerKeys.schedule | default "@daily" }}"
schedule: "{{ .Values.backend.shibboleth.sessionCache.sealerKeys.schedule }}"
jobTemplate:
spec:
template:
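Review bot: If the line without `| default "@daily"` is the new side, a values override of `schedule: ""` (the placeholder the old values file documented) now renders `schedule: ""` into the CronJob spec, which the API server rejects at install time rather than at template time. Either keep the fallback or make the requirement explicit, e.g. `schedule: "{{ required "sealerKeys.schedule must be set" .Values.backend.shibboleth.sessionCache.sealerKeys.schedule }}"`, so a misconfigured chart fails with a readable message. The enclosing CronJob `spec` continues outside this hunk.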
......@@ -28,7 +28,7 @@ spec:
# extract current set of sealer keys
kubectl get secret {{ include "shibboleth-sp.sealerKeys.secretName" . }} -o=jsonpath='{.data.sealer\.keys}' | base64 -d > /dev/shm/sealer.keys
# add/rotate sealer keys
shib-seckeygen -o /dev/shm -f sealer.keys -b 256 -h 14 -u "$(id -u)" -g "$(id -g)"
shib-seckeygen -o /dev/shm -f sealer.keys -h {{ .Values.backend.shibboleth.sessionCache.sealerKeys.numberOfKeysToKeep }} -b {{ .Values.backend.shibboleth.sessionCache.sealerKeys.sizeOfKeysInBits }} -u "$(id -u)" -g "$(id -g)"
# replace secret with new sealer keys
kubectl create secret generic {{ include "shibboleth-sp.sealerKeys.secretName" . }} --from-file=/dev/shm/sealer.keys --dry-run=client -o yaml | kubectl replace --save-config -f-
# restart all pods in deployment in order to pick up new secret
......
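Review bot: The `-h` and `-b` arguments on the new shib-seckeygen line are substituted into a shell command unquoted and unvalidated; if a user override leaves either value nil, Helm (to my knowledge) renders a literal `<no value>` token, and a non-numeric or empty value only surfaces as a cryptic seckeygen failure inside the CronJob pod. Wrapping each in `required`, e.g. `-h {{ required "sealerKeys.numberOfKeysToKeep is required" .Values.backend.shibboleth.sessionCache.sealerKeys.numberOfKeysToKeep }}`, moves the failure to template time with a clear message; a `| int` pipe would additionally reject non-integer input. The same line appears in the Job hunk below (`# create first sealer key`), which needs the same treatment. The script block these lines belong to starts outside the hunk.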
......@@ -30,7 +30,7 @@ spec:
- -c
- |
# create first sealer key
shib-seckeygen -o /dev/shm -f sealer.keys -b 256 -h 14 -u "$(id -u)" -g "$(id -g)"
shib-seckeygen -o /dev/shm -f sealer.keys -h {{ .Values.backend.shibboleth.sessionCache.sealerKeys.numberOfKeysToKeep }} -b {{ .Values.backend.shibboleth.sessionCache.sealerKeys.sizeOfKeysInBits }} -u "$(id -u)" -g "$(id -g)"
# create secret from sealer key(s)
kubectl create secret generic {{ include "shibboleth-sp.sealerKeys.secretName" . }} --from-file=/dev/shm/sealer.keys
restartPolicy: OnFailure
......
......@@ -153,7 +153,12 @@ backend:
sealerKeys:
# if enabled, sealer keys will be created and rotated in a secret automatically
manage: true
schedule: "" # default: "@daily"
# https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#cron-schedule-syntax
schedule: "@daily"
# https://wiki.shibboleth.net/confluence/display/SP3/seckeygen
numberOfKeysToKeep: 14
sizeOfKeysInBits: 128
# Overwrites the image for the Job and CronJob. The priority is as follows: this > backend > global.
# This image must include shib-seckeygen and kubectl.
......
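Review bot: The new `sizeOfKeysInBits: 128` default silently replaces the `-b 256` that both the CronJob and Job scripts previously hard-coded, so existing releases will start generating shorter sealer keys on the next rotation with nothing in the values file or commit message calling that out. A comment next to the key would make the change visible to operators, e.g. `# Size of each sealer key in bits (earlier chart versions hard-coded 256).`, and the `schedule` comment could note that an empty string is no longer a valid placeholder now that the template default is gone. If 128 is intended as the upstream seckeygen default, saying so in the same comment would settle the question for future readers.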