
[Feature Request] Use a Kubernetes secret to protect the OIDC client secret #236

Closed
srikanthchelluri opened this issue Oct 22, 2021 · 5 comments
Labels
enhancement New feature or request

Comments

@srikanthchelluri (Contributor) commented Oct 22, 2021

Ideally, when we configure authentication to Temporal Web, we shouldn't pass the plaintext client secret as a Helm value but instead pass the name of the Kubernetes Secret which contains the client secret.

Right now, all of .Values.web.config is simply just dumped into a ConfigMap [1] then mounted to the Deployment [2]. Temporal Web reads from this configuration file [3].

Some initial ideas:

  • Maybe we should be able to create a Kubernetes Secret separately that contains the entire configuration file and pass its name as a Helm value. Then we can mount the Secret in the web Deployment.
  • We could possibly also just put the client secret in the Kubernetes secret (as opposed to the entire configuration file) though I haven't thought through exactly how that'd look in terms of templates.

[1] https://github.com/temporalio/helm-charts/blob/master/templates/web-configmap.yaml
[2] https://github.com/temporalio/helm-charts/blob/master/templates/web-deployment.yaml
[3] https://github.com/temporalio/web/blob/master/server/auth/index.js

@srikanthchelluri srikanthchelluri added the enhancement New feature or request label Oct 22, 2021
@Davidonium

I think this would be good to have as I've been trying to set up SSO for a fresh Temporal installation using the chart.

IMO the easiest would be for the client_secret to be an env var that could be injected from a secret. That'd require changes in the web codebase though.

@Davidonium commented May 24, 2023

After some digging I found out that the temporalio/ui docker image dockerizes the configuration file before running. So the {{ .Env.TEMPORAL_* }} syntax can be used in the Helm chart to achieve passing the client secret as a proper env var injected from a k8s secret.
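An added illustration of the env-var wiring described in the comment above (not code from this issue, the chart, or the Temporal UI project); the Secret name, key, env var name, mount path and the `auth.providers` layout are all assumptions:

```yaml
# Added example; all names are assumptions, not values from the chart.
# 1. Client secret stored in a Kubernetes Secret, never in values.yaml.
apiVersion: v1
kind: Secret
metadata: {name: temporal-ui-oidc}          # assumed name
type: Opaque
stringData:
  clientSecret: "<set out of band, placeholder>"
---
# 2. The UI Deployment injects that key as an env var via secretKeyRef,
#    so the plaintext never lands in the rendered ConfigMap.
apiVersion: apps/v1
kind: Deployment
metadata: {name: temporal-ui}
spec:
  selector: {matchLabels: {app: temporal-ui}}
  template:
    metadata: {labels: {app: temporal-ui}}
    spec:
      containers:
        - name: ui
          image: temporalio/ui          # pin a tag in practice
          env:
            - name: TEMPORAL_AUTH_CLIENT_SECRET   # assumed variable name
              valueFrom:
                secretKeyRef: {name: temporal-ui-oidc, key: clientSecret}
          volumeMounts:
            - {name: config, mountPath: /etc/temporal-ui}   # assumed path
      volumes:
        - name: config
          configMap: {name: temporal-ui-config}
---
# 3. The mounted config references the variable with the {{ .Env.* }}
#    syntax the image expands at start-up; the ConfigMap itself only
#    ever holds the placeholder. The auth.providers layout is assumed.
apiVersion: v1
kind: ConfigMap
metadata: {name: temporal-ui-config}
data:
  config.yaml: |
    auth:
      enabled: true
      providers:
        - label: sso
          type: oidc
          clientId: my-client-id
          clientSecret: "{{ .Env.TEMPORAL_AUTH_CLIENT_SECRET }}"
```

When this config fragment lives in a Helm template rather than a rendered manifest, the braces must be escaped so Helm emits them literally, for example `{{ "{{ .Env.TEMPORAL_AUTH_CLIENT_SECRET }}" }}`.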

@peter-c-larsson

Thanks for that information @Davidonium. Will try that approach while waiting for this issue to get attention.

@enricojonas

@debugger24 I tried this but it's not working and found out that it's not released yet. Is it possible to release it? It improves security a lot.

Thank you

@robholland (Contributor)

This was implemented in #603 which has since been released.
