Conversation

sherv-cohere
Contributor

Previously, preshared keys were only configurable directly through values.yaml; this change adds the ability to fetch preshared keys from Kubernetes secrets instead.

The new keysSecret field in the authn.preshared configuration allows specifying a secret name that contains the keys.

Description

This PR adds a new security enhancement to the Helm chart that allows fetching preshared authentication keys from Kubernetes secrets instead of storing them directly in values.yaml.

Key changes:

  • Added keysSecret field to authn.preshared configuration in values.schema.json
  • Updated deployment.yaml to support reading keys from the specified secret
  • Keys in the secret should be comma-separated in the keys field

This change follows the same pattern as datastore.uriSecret.

References

#175
#188

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev (Will create another PR for the docs and update this PR)
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Added a test case to verify that the new keysSecret feature works correctly.
The test validates that:
- Kubernetes secrets can be properly created
- Secret values can be mounted as environment variables
- The authentication configuration can read from secrets

This test ensures the security enhancement works as expected in a Kubernetes environment.

linux-foundation-easycla bot commented Apr 9, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@sherv-cohere sherv-cohere marked this pull request as ready for review April 9, 2025 20:14
@sherv-cohere sherv-cohere requested review from a team as code owners April 9, 2025 20:14
Changed the environment variable name from OPENFGA_AUTHN_PRESHARED_KEYS_SECRET to OPENFGA_AUTHN_PRESHARED_KEYS in the deployment configuration to address PR comments
@whoisxx
Contributor

whoisxx commented Apr 14, 2025

Thank you for contributing. Can you sign the CLA? It is required the first time.

@galibozek

any news?

@sherv-cohere
Contributor Author

@whoisxx @galibozek Sorry for the delay, EasyCLA has been signed.

@galibozek

@sherv-cohere can we merge? :)

@jeremy-albuixech
Contributor

Sorry, let me merge it. I think it looks good 👍

@jeremy-albuixech jeremy-albuixech merged commit 2ba3582 into openfga:main May 27, 2025
7 checks passed
@peter-nguyen-rw

@jeremy-albuixech I don't think this is working correctly. When I attempt to use this exact structure with the preshared keys being fed through a secret I get:
panic: failed to initialize authenticator: invalid auth configuration, please specify at least one key goroutine 1 [running]:

At the pod level, the field OPENFGA_AUTHN_PRESHARED_KEYS doesn't even show up at all, so I think there might be a problem with the schema or the like?
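As an added example that is not part of this PR or of the openfga helm-charts project: a POSIX shell pre-deploy check for the two things that matter for the keysSecret wiring described in the PR body, namely that the Secret's `keys` field actually decodes to at least one comma-separated key (openfga otherwise refuses to start with the "please specify at least one key" panic quoted above) and that the rendered pod spec sets OPENFGA_AUTHN_PRESHARED_KEYS from that secret (the symptom reported above is that it does not). It assumes the chart sources the variable through a secretKeyRef, following the datastore.uriSecret pattern the PR cites; the secret name openfga-preshared-keys, the key values and both rendered pod fragments are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the PR or the openfga helm chart.
# Pre-deploy checks for the authn.preshared.keysSecret wiring:
#   1. the Secret's "keys" field decodes to at least one comma-separated key;
#   2. the rendered pod spec sets OPENFGA_AUTHN_PRESHARED_KEYS from that secret.
# Assumed: the chart uses a secretKeyRef (pattern taken from datastore.uriSecret).
# Constructed: the secret name, the key values and both pod fragments below.
# Needs only POSIX sh, awk and base64.

# Print the decoded .data.keys value of a Secret manifest read from stdin.
# Returns 1 when the field is missing.
secret_keys() {
    encoded=$(awk '/^data:/ { in_data = 1; next }
                   in_data && $1 == "keys:" { print $2; exit }')
    [ -n "$encoded" ] || return 1
    printf '%s' "$encoded" | base64 -d
}

# Echo the number of non-empty entries in a comma-separated key list.
count_keys() {
    printf '%s\n' "$1" | awk -F',' '{ n = 0; for (i = 1; i <= NF; i++) if ($i != "") n++; print n }'
}

# Read a rendered pod spec from stdin; succeed only if OPENFGA_AUTHN_PRESHARED_KEYS
# takes its value from secretKeyRef {name: $1, key: keys}.
pod_has_keys_env() {
    awk -v secret="$1" '
        $1 == "-" && $2 == "name:" && $3 == "OPENFGA_AUTHN_PRESHARED_KEYS" { in_var = 1; next }
        in_var && $1 == "-" && $2 == "name:" { in_var = 0 }
        in_var && $1 == "name:" && $2 == secret { name_ok = 1 }
        in_var && $1 == "key:"  && $2 == "keys"  { key_ok = 1 }
        END { if (name_ok && key_ok) exit 0; exit 1 }'
}

SECRET_NAME='openfga-preshared-keys'        # value for authn.preshared.keysSecret (constructed)
KEYS='example-key-one,example-key-two'      # constructed sample keys, comma-separated as the PR requires

# Constructed Secret manifest in its stored (.data, base64) form.
SECRET_MANIFEST="apiVersion: v1
kind: Secret
metadata:
  name: $SECRET_NAME
type: Opaque
data:
  keys: $(printf '%s' "$KEYS" | base64)"

# Constructed fragment of a rendered Deployment with the variable wired correctly.
GOOD_POD_ENV="        env:
          - name: OPENFGA_AUTHN_PRESHARED_KEYS
            valueFrom:
              secretKeyRef:
                name: $SECRET_NAME
                key: keys
          - name: OPENFGA_AUTHN_METHOD
            value: preshared"

# Constructed fragment matching the report above: the variable never reached the pod.
BAD_POD_ENV="        env:
          - name: OPENFGA_AUTHN_METHOD
            value: preshared"

# Number of keys the secret would hand to openfga (2 for the constructed secret).
secret_key_count() {
    keys=$(printf '%s\n' "$SECRET_MANIFEST" | secret_keys) || return 1
    count_keys "$keys"
}

# Stand-alone run: report both checks.
echo "keys in $SECRET_NAME: $(secret_key_count)"
if printf '%s\n' "$GOOD_POD_ENV" | pod_has_keys_env "$SECRET_NAME"; then
    echo "good pod spec: OPENFGA_AUTHN_PRESHARED_KEYS is sourced from the secret"
fi
if ! printf '%s\n' "$BAD_POD_ENV" | pod_has_keys_env "$SECRET_NAME"; then
    echo "bad pod spec: OPENFGA_AUTHN_PRESHARED_KEYS missing, openfga would refuse to start"
fi
```

In practice the two pod fragments would be the output of `helm template` piped into `pod_has_keys_env`, and the Secret would be read back with `kubectl get secret ... -o yaml` and piped into `secret_keys`; the checks are kept as pure text filters so they run without a cluster.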

@peter-nguyen-rw

@jeremy-albuixech Is this perhaps not released yet and that's why I'm not able to use the feature?

@jeremy-albuixech
Contributor

ah yes likely, let me see if we can make a new release

@peter-nguyen-rw

@jeremy-albuixech Are you able to make a release today? 🙂
