smolnar82 opened a new pull request, #1184: URL: https://github.com/apache/knox/pull/1184
[KNOX-3284](https://issues.apache.org/jira/browse/KNOX-3284) - `knox.token.hash.key` provisioning in Knox's Docker image

## What changes were proposed in this pull request?

Added support to create the `knox.token.hash.key` gateway-level alias in the Knox Gateway entrypoint. The value of this alias is
- either what was provided in the `KNOX_TOKEN_HASH_KEY` environment variable
- or auto-generated (if nothing was set in the above-referenced ENV variable)

## How was this patch tested?

Spun up a local k8s cluster with and without that ENV variable and confirmed
- Knox was up and running and could create client credentials (this would not have been possible without that alias being provisioned)
- Knox uses the generated/pre-configured value for that alias

```
# Without KNOX_TOKEN_HASH_KEY
~ $ kubectl logs knox-59bdc965df-qhz4v -n knox
Defaulted container "knox" out of: knox, import-os-trusted-certs (init), copy-knox-conf (init)
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Master secret has been persisted to disk.
Generating knox.token.hash.key alias ...
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
knox.token.hash.key has been successfully created.

# With KNOX_TOKEN_HASH_KEY
~ $ kubectl logs knox-675c7f75b7-g7b8j -n knox
Defaulted container "knox" out of: knox, import-os-trusted-certs (init), copy-knox-conf (init)
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Master secret has been persisted to disk.
Creating knox.token.hash.key alias using the provided secret (via ENV variable)...
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
knox.token.hash.key has been successfully created.
```

I also verified that the token hash key is not listed in the deployment/pod manifests:

```
~ $ kubectl get deployment knox -n knox -o yaml | grep -i hash
key: token.hash
name: knox-token-hash-key
# We see the reference to the secret name and key, but not the actual hash

~ $ kubectl describe pod knox-675c7f75b7-g7b8j -n knox | grep -i hash
pod-template-hash=675c7f75b7
KNOX_TOKEN_HASH_KEY: <set to the key 'token.hash' in secret 'knox-token-hash-key'> Optional: false
# It lists the environment variable name and the secret it points to, but the value will be hidden.
```

## Integration Tests

Done manually in local k8s cluster, no automated tests this time.

## UI changes

N/A
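
The manifest check above can also be done structurally instead of with `grep`. The following is an added example, not part of this pull request or of Knox: it classifies how `KNOX_TOKEN_HASH_KEY` reaches each container in a Deployment. The sample manifest, the `sidecar-*` container names, the `knox-conf` ConfigMap name and the function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `kubectl get deployment -o json` output, not taken from the PR.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "initContainers": [{"name": "copy-knox-conf", "env": []}],
  "containers": [
    {"name": "knox", "env": [
      {"name": "KNOX_TOKEN_HASH_KEY",
       "valueFrom": {"secretKeyRef": {"name": "knox-token-hash-key", "key": "token.hash"}}}]},
    {"name": "sidecar-inline", "env": [
      {"name": "KNOX_TOKEN_HASH_KEY", "value": "constructed-inline-secret"}]},
    {"name": "sidecar-cm", "env": [
      {"name": "KNOX_TOKEN_HASH_KEY",
       "valueFrom": {"configMapKeyRef": {"name": "knox-conf", "key": "token.hash"}}}]}
  ]}}}}
""")

def audit_env(deployment, var="KNOX_TOKEN_HASH_KEY"):
    """Return {container: finding} describing how `var` is supplied to each container."""
    pod = deployment["spec"]["template"]["spec"]
    findings = {}
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        entry = next((e for e in c.get("env") or [] if e.get("name") == var), None)
        if entry is None:
            findings[c["name"]] = "absent"             # variable not set for this container
        elif "value" in entry:
            findings[c["name"]] = "inline-literal"     # key readable in the manifest itself
        elif "secretKeyRef" in entry.get("valueFrom", {}):
            ref = entry["valueFrom"]["secretKeyRef"]
            findings[c["name"]] = f"secret:{ref['name']}/{ref['key']}"
        else:
            findings[c["name"]] = "non-secret-source"  # e.g. configMapKeyRef or fieldRef
    return findings

def exposed(findings):
    """Containers whose manifest reveals the key or sources it from a non-Secret object."""
    return sorted(n for n, f in findings.items() if f in ("inline-literal", "non-secret-source"))

if __name__ == "__main__":
    result = audit_env(SAMPLE)
    for name, finding in result.items():
        print(f"{name}: {finding}")
    print("exposed:", exposed(result))
```

Only the `secret:` finding matches what the `kubectl describe` output above shows; anything returned by `exposed()` would put the key, or a reference to an unprotected copy of it, in the manifest.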
