From cf329b724bb4cc4b035cba48bd9ff2a6be5b9b88 Mon Sep 17 00:00:00 2001
From: Brian Fletcher
Date: Fri, 5 Feb 2021 11:27:27 +0000
Subject: [PATCH 1/4] it is safer if the jwt.secret is not set by default
This change probably warrents attention from the user, as it may invalidate the sessions of logged in users when this change is uptaken. However I believe it is an acceptable interference. As things are now, if a deployment of vouch does not set the jwt.secret then the cookie, copied to another domain would be accepted. With this change, the default behaviour causes vouch to generate a secret.
---
 values.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/values.yaml b/values.yaml
index 092752c..2afc5dc 100644
--- a/values.yaml
+++ b/values.yaml
@@ -107,8 +107,6 @@ config:
 domains: []
 allowAllUsers: false
 whiteList: []
- jwt:
- secret: super-secret-stuff
 testing: false
 oauth:
From e0b2c06b194ae6ad8d203479b9bf1103ed0bb360 Mon Sep 17 00:00:00 2001
From: Brian Fletcher
Date: Fri, 12 Mar 2021 13:06:05 +0000
Subject: [PATCH 2/4] fails the helm templating if a secret is not provided
---
 templates/secret.yaml | 3 +++
 values.yaml | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/templates/secret.yaml b/templates/secret.yaml
index 9f80d1a..c8d87b4 100644
--- a/templates/secret.yaml
+++ b/templates/secret.yaml
@@ -1,4 +1,7 @@
 {{- if not .Values.existingSecretName }}
+{{- if (lt (len .Values.config.vouch.jwt.secret) 1) }}
+ {{ fail "`config.vouch.jwt.secret` is not set and we are no longer providing a weak default" }}
+{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/values.yaml b/values.yaml
index 2afc5dc..781f13c 100644
--- a/values.yaml
+++ b/values.yaml
@@ -107,6 +107,8 @@ config:
 domains: []
 allowAllUsers: false
 whiteList: []
+ jwt:
+ secret: ''
 testing: false
 oauth:
From f986fe0bb39648f28bd4fdba4d7edf0f7b0693e4 Mon Sep 17 00:00:00 2001
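Review bot: The guard added to templates/secret.yaml in patch 2/4 only rejects an empty `config.vouch.jwt.secret`, so a release whose own values file still carries the old chart default `super-secret-stuff` (removed in patch 1/4) renders without complaint and keeps signing cookies with a publicly known key. Consider rejecting that literal as well, e.g. `{{- if or (not .Values.config.vouch.jwt.secret) (eq .Values.config.vouch.jwt.secret "super-secret-stuff") }}`, and stating the expected minimum length in the `fail` message. The check sits inside `if not .Values.existingSecretName`, so a pre-existing Secret is never validated; that is probably intended, but it deserves a comment next to `secret: ''` in values.yaml, which should also say that leaving the value empty now aborts rendering rather than letting vouch generate a secret as patch 1/4 describes. The enclosing `if` block continues outside the hunk.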
From: Brian Fletcher
Date: Sat, 13 Mar 2021 12:14:13 +0000
Subject: [PATCH 3/4] bump version to 2.0.0
---
 Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Chart.yaml b/Chart.yaml
index 6d60eab..5eb94a7 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 appVersion: "0.17.3"
 description: An SSO and OAuth login solution for nginx using the auth_request module
 name: vouch
-version: 1.0.0
+version: 2.0.0
 icon: https://avatars0.githubusercontent.com/u/45102943?s=200&v=4
 sources:
 - https://github.com/vouch/vouch-proxy/
From 294f99d7a83f975239b8b698abd1a4ace8337417 Mon Sep 17 00:00:00 2001
From: Gavin Mogan
Date: Sat, 13 Mar 2021 09:54:45 -0800
Subject: [PATCH 4/4] Update Chart.yaml
---
 Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Chart.yaml b/Chart.yaml
index 5eb94a7..89e8415 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 appVersion: "0.17.3"
 description: An SSO and OAuth login solution for nginx using the auth_request module
 name: vouch
-version: 2.0.0
+version: 1.1.0
 icon: https://avatars0.githubusercontent.com/u/45102943?s=200&v=4
 sources:
 - https://github.com/vouch/vouch-proxy/