Skip to content

feat(authn): add support for fetching preshared keys from secrets #212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 27, 2025
Merged

feat(authn): add support for fetching preshared keys from secrets #212

merged 4 commits into from
May 27, 2025

Conversation

sherv-cohere
Copy link
Contributor

Previously, preshared keys were only configurable directly through values.yaml, this change adds the ability to fetch preshared keys from Kubernetes secrets instead.

The new keysSecret field in the authn.preshared configuration allows specifying a secret name that contains the keys.

Description

This PR adds a new security enhancement to the Helm chart that allows fetching preshared authentication keys from Kubernetes secrets instead of storing them directly in values.yaml.

Key changes:

  • Added keysSecret field to authn.preshared configuration in values.schema.json
  • Updated deployment.yaml to support reading keys from the specified secret
  • Keys in the secret should be comma-separated in the keys field

This change follows the same pattern as datastore.uriSecret.

References

#175
#188

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev (Will create another PR for the docs and update this PR)
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

@sherv-cohere
feat(authn): add support for fetching preshared keys from secrets
41084e2 
Previously, preshared keys were only configurable directly through values.yaml, this change adds the ability to fetch
preshared keys from Kubernetes secrets instead.

The new keysSecret field in the authn.preshared configuration allows specifying
a secret name that contains the keys.
@sherv-cohere
test(authn): add test for preshared keys secret functionality
8d358bc 
Added a test case to verify that the new keysSecret feature works correctly.
The test validates that:
- Kubernetes secrets can be properly created
- Secret values can be mounted as environment variables
- The authentication configuration can read from secrets

This test ensures the security enhancement works as expected in a Kubernetes environment.
@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Apr 9, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@sherv-cohere sherv-cohere marked this pull request as ready for review April 9, 2025 20:14
@sherv-cohere sherv-cohere requested review from a team as code owners April 9, 2025 20:14
whoisxx
whoisxx reviewed Apr 10, 2025
View reviewed changes
@sherv-cohere
fix(authn): update environment variable name for preshared keys
f52a25e 
Changed the environment variable name from OPENFGA_AUTHN_PRESHARED_KEYS_SECRET to OPENFGA_AUTHN_PRESHARED_KEYS in the deployment configuration to address PR comments
@whoisxx
Copy link
Contributor

whoisxx commented Apr 14, 2025

thank you for contributing, can you sign the CLA? it is required for the first time

@galibozek
Copy link

any news?

@mkyc mkyc mentioned this pull request Apr 30, 2025
Open
4 tasks
@sherv-cohere
Copy link
Contributor Author

@whoisxx @galibozek Sorry for the delay, EasyCLA has been signed.

@galibozek
Copy link

@sherv-cohere can we merge? :)

@jeremy-albuixech
Copy link
Contributor

Sorry, let me merge it. I think it looks good 👍

@jeremy-albuixech jeremy-albuixech merged commit 2ba3582 into openfga:main May 27, 2025
7 checks passed
@peter-nguyen-rw
Copy link

@jeremy-albuixech I don't think this is working correctly. When I attempt to use this exact structure with the preshared keys being fed through a secret I get:
panic: failed to initialize authenticator: invalid auth configuration, please specify at least one key goroutine 1 [running]:

At the pod level, the field OPENFGA_AUTHN_PRESHARED_KEYS doesnt even show up at all so i think there might be a problem with the schema or the like?

@peter-nguyen-rw
Copy link

@jeremy-albuixech Is this perhaps not released yet and that's why I'm not able to use the feature?

@jeremy-albuixech
Copy link
Contributor

ah yes likely, let me see if we can make a new release

@peter-nguyen-rw
Copy link

@jeremy-albuixech Are you able to make a release today? 🙂

@sprudel sprudel mentioned this pull request Sep 22, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeremy-albuixech jeremy-albuixech jeremy-albuixech approved these changes

@whoisxx whoisxx whoisxx approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sherv-cohere @whoisxx @galibozek @jeremy-albuixech @peter-nguyen-rw