[
https://issues.apache.org/jira/browse/KNOX-3284?focusedWorklogId=1011314&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1011314
]
ASF GitHub Bot logged work on KNOX-3284:
----------------------------------------
Author: ASF GitHub Bot
Created on: 25/Mar/26 09:41
Start Date: 25/Mar/26 09:41
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #1184:
URL: https://github.com/apache/knox/pull/1184
[KNOX-3284](https://issues.apache.org/jira/browse/KNOX-3284) -
`knox.token.hash.key` provisioning in Knox's Docker image
## What changes were proposed in this pull request?
Added support for creating the `knox.token.hash.key` gateway-level alias in the
Knox Gateway entrypoint. The value of this alias is
- either taken from the `KNOX_TOKEN_HASH_KEY` environment variable
- or auto-generated (if nothing was set in the above-referenced ENV variable)
## How was this patch tested?
Spun up a local k8s cluster with and without that ENV variable and confirmed:
- Knox was up and running and could create client credentials (this would not
have been possible without that alias being provisioned)
- Knox uses the generated/pre-configured value for that alias
```
# Without KNOX_TOKEN_HASH_KEY
~ $ kubectl logs knox-59bdc965df-qhz4v -n knox
Defaulted container "knox" out of: knox, import-os-trusted-certs (init), copy-knox-conf (init)
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Master secret has been persisted to disk.
Generating knox.token.hash.key alias ...
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
knox.token.hash.key has been successfully created.
# With KNOX_TOKEN_HASH_KEY
~ $ kubectl logs knox-675c7f75b7-g7b8j -n knox
Defaulted container "knox" out of: knox, import-os-trusted-certs (init), copy-knox-conf (init)
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Master secret has been persisted to disk.
Creating knox.token.hash.key alias using the provided secret (via ENV variable)...
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
knox.token.hash.key has been successfully created.
```
I also verified that the token hash key is not listed in the deployment/pod
manifests:
```
~ $ kubectl get deployment knox -n knox -o yaml | grep -i hash
key: token.hash
name: knox-token-hash-key
# We see the reference to the secret name and key, but not the actual hash
~ $ kubectl describe pod knox-675c7f75b7-g7b8j -n knox | grep -i hash
pod-template-hash=675c7f75b7
KNOX_TOKEN_HASH_KEY: <set to the key 'token.hash' in secret 'knox-token-hash-key'> Optional: false
# It lists the environment variable name and the secret it points to, but the value will be hidden.
```
## Integration Tests
Done manually in local k8s cluster, no automated tests this time.
## UI changes
N/A
Issue Time Tracking
-------------------
Worklog Id: (was: 1011314)
Remaining Estimate: 0h
Time Spent: 10m
> Knox's Docker image should create knox.token.hash.key
> -----------------------------------------------------
>
> Key: KNOX-3284
> URL: https://issues.apache.org/jira/browse/KNOX-3284
> Project: Apache Knox
> Issue Type: Task
> Components: docker
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Many features recently added to Knox wrt. OAuth2 flows require the
> {{knox.token.hash.key}} alias being present in a k8s cluster where Knox's
> Docker image is used.
> The scope of this work item is adding that missing alias in the Knox
> Gateway's entrypoint conditionally (based on the existing ENV variable
> choices).
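The manifest check from the pull request description (the hash key must appear only as a Secret reference, never as a value) can be repeated as a small audit over `kubectl get deployment -o json` output. This is an added example, not code from the pull request or the Knox project; the sample manifest, the `KNOX_DEBUG_TOKEN` entry and the name-based heuristic are constructed assumptions.

```python
import json

# Constructed sample shaped like `kubectl get deployment knox -n knox -o json`.
# The secret name and key mirror the page; KNOX_DEBUG_TOKEN is a made-up bad entry.
SAMPLE_DEPLOYMENT = json.loads("""
{"spec": {"template": {"spec": {
  "initContainers": [{"name": "copy-knox-conf"}],
  "containers": [{"name": "knox", "env": [
    {"name": "KNOX_TOKEN_HASH_KEY", "valueFrom": {"secretKeyRef":
        {"name": "knox-token-hash-key", "key": "token.hash"}}},
    {"name": "KNOX_DEBUG_TOKEN", "value": "constructed-not-a-real-secret"}
  ]}]
}}}}
""")

# Assumption: a name-based heuristic for which variables carry secrets.
SENSITIVE_HINTS = ("KEY", "SECRET", "PASSWORD", "TOKEN")


def iter_env(manifest):
    """Yield (container name, env entry) for init and regular containers."""
    pod_spec = manifest["spec"]["template"]["spec"]
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        for env in c.get("env", []):
            yield c["name"], env


def audit_env(manifest):
    """Flag sensitive-looking env vars whose value is not pulled from a Secret."""
    findings = []
    for container, env in iter_env(manifest):
        if not any(h in env["name"].upper() for h in SENSITIVE_HINTS):
            continue
        source = env.get("valueFrom", {})
        if "secretKeyRef" in source:
            continue  # only the reference is stored in the manifest
        if env.get("value"):
            findings.append((container, env["name"], "inline value in manifest"))
        elif "configMapKeyRef" in source:
            findings.append((container, env["name"], "ConfigMap is not a Secret"))
    return findings


def secret_refs(manifest):
    """Map env var name -> (secret name, key) for Secret-backed variables."""
    return {env["name"]: (ref["name"], ref["key"])
            for _, env in iter_env(manifest)
            if (ref := env.get("valueFrom", {}).get("secretKeyRef"))}


if __name__ == "__main__":
    print(audit_env(SAMPLE_DEPLOYMENT), secret_refs(SAMPLE_DEPLOYMENT))
```

A clean result covers the manifest only: the value remains readable from the Secret object and from the container's environment by anyone with that access.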