Including an internal-frontend service with auth enabled #571

Closed
30 changes: 30 additions & 0 deletions README.md
@@ -316,6 +316,36 @@ helm install \
--wait
```

### Configuring authorization

See https://docs.temporal.io/self-hosted-guide/security#claim-mapper

This chart enables you to configure Temporal's authorization support. The values within this Helm chart
server.config.authorization section are included in the resulting Temporal configuration under the
global.authorization section.

For instance, you could enable the JWT based default authorizer and claim mapper functionality by including the following:

This configures Temporal to load the JSON Web Key Set from the provided keySourceURIs, and refresh it on an internal.
That is used to validate the JWTs that you provide to Temporal via the "authorization" meta data header.

```yaml
server:
config:
authorization:
jwtKeyProvider:
keySourceURIs:
- http://localhost:/jwks.json
refreshInterval: 1m
permissionsClaimName: permissions
authorizer: default
claimMapper: default
```

Note that if a non-default value is provided for server.config.authorization.authorizer, then we will automatically
include the "internal-frontend" service that the other Temporal services use for internal communication that bypasses the
authorization process.

## Play With It

### Exploring Your Cluster
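Review bot: the closing paragraph ("if a non-default value is provided for server.config.authorization.authorizer") does not match the templates in this PR, which add internal-frontend on the mere presence of the key (`hasKey .Values.server.config.authorization "authorizer"`), so the example block just above it, with `authorizer: default`, also triggers the service; either reword to "if server.config.authorization.authorizer is set" or change the template condition to compare the value. In the same paragraph block, "refresh it on an internal" should read "on an interval" (it is the `refreshInterval` value), "meta data" should be "metadata", and the `keySourceURIs` example `http://localhost:/jwks.json` has no port after the colon, so a copied example cannot fetch keys; a placeholder such as `https://<issuer>/.well-known/jwks.json` would be clearer. Since the text itself says internal-frontend "bypasses the authorization process", it is worth adding one sentence that the service must stay cluster-internal (ClusterIP, no ingress).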
11 changes: 11 additions & 0 deletions charts/temporal/templates/server-configmap.yaml
@@ -119,6 +119,15 @@ data:
membershipPort: {{ $server.frontend.service.membershipPort }}
bindOnIP: "0.0.0.0"

{{- if and (hasKey .Values.server.config "authorization") (hasKey .Values.server.config.authorization "authorizer") }}
internal-frontend:
rpc:
grpcPort: {{ index $server "internal-frontend" "service" "port" }}
httpPort: {{ index $server "internal-frontend" "service" "httpPort" }}
membershipPort: {{ index $server "internal-frontend" "service" "membershipPort" }}
bindOnIP: "0.0.0.0"
{{- end }}

history:
rpc:
grpcPort: {{ $server.history.service.port }}
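Review bot: `httpPort: {{ index $server "internal-frontend" "service" "httpPort" }}` renders an empty value with the chart defaults, because values.yaml in this same PR leaves `internal-frontend.service.httpPort` commented out (`#httpPort: 7243`); guard the line with `{{- with index $server "internal-frontend" "service" "httpPort" }}` or ship the default uncommented so the generated config is valid. The `and (hasKey .Values.server.config "authorization") (hasKey .Values.server.config.authorization "authorizer")` condition is repeated verbatim here, in the `publicClient` hunk below and in server-deployment.yaml; a named helper template (for example `temporal.internalFrontend.enabled`) would keep the three from drifting.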
@@ -173,8 +182,10 @@ data:
{{- toYaml . | nindent 6 }}
{{- end }}

{{- if not (and (hasKey .Values.server.config "authorization") (hasKey .Values.server.config.authorization "authorizer")) }}
publicClient:
hostPort: "{{ include "temporal.componentname" (list $ "frontend") }}:{{ $server.frontend.service.port }}"
{{- end }}

dynamicConfigClient:
filepath: "/etc/temporal/dynamic_config/dynamic_config.yaml"
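Review bot: dropping `publicClient` whenever the `authorizer` key exists makes key presence, not value, the switch between the two frontends, so a user who sets `authorizer: default` (the README example in this PR) also silently loses `publicClient` and gets internal-frontend; if the intent is "only when a non-default authorizer is configured", as the README says, compare the value instead of using `hasKey`. It would also help to state in the PR description which Temporal server versions support internal-frontend, since with this change the rendered config has no `publicClient` fallback once the key is set.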
9 changes: 8 additions & 1 deletion charts/temporal/templates/server-deployment.yaml
@@ -1,5 +1,12 @@
{{- if $.Values.server.enabled }}
{{- range $service := (list "frontend" "history" "matching" "worker") }}

{{- $serviceList := (list "frontend" "history" "matching" "worker") }}

{{- if and (hasKey .Values.server.config "authorization") (hasKey .Values.server.config.authorization "authorizer") }}
{{- $serviceList = (list "frontend" "internal-frontend" "history" "matching" "worker") }}
{{- end }}

{{- range $service := $serviceList }}
{{ $serviceValues := index $.Values.server $service }}
apiVersion: apps/v1
kind: Deployment
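Review bot: the `{{- $serviceList = ... }}` reassignment inside the `if` and the `range` over it are fine, but the `hasKey`-based condition is copied verbatim from server-configmap.yaml and should come from one shared named template. Also, values.yaml in this PR adds `internal-frontend.service` and `internal-frontend.ingress`, yet only the Deployment template changes its service list here; if the Service (and Ingress) templates range over the same hard-coded list, they need the same change or the new Deployment has no matching Service and the ports written into the configmap are unreachable.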
43 changes: 43 additions & 0 deletions charts/temporal/values.yaml
@@ -218,6 +218,49 @@ server:
# - secretName: chart-example-tls
# hosts:
# - chart-example.local

metrics:
annotations:
enabled: true
serviceMonitor: {}
# enabled: false
prometheus: {}
# timerType: histogram
podAnnotations: {}
podLabels: {}
resources: {}
nodeSelector: {}
tolerations: []
affinity: {}
additionalEnv: []
containerSecurityContext: {}
topologySpreadConstraints: []
podDisruptionBudget: {}

internal-frontend:
service:
# Evaluated as template
annotations: {}
type: ClusterIP
port: 7236
membershipPort: 6936
#httpPort: 7243
ingress:
enabled: false
# className:
annotations: {}
# kubernetes.io/ingress.class: traefik
# ingress.kubernetes.io/ssl-redirect: "false"
# traefik.frontend.rule.type: PathPrefix
hosts:
- "/"
# - "domain.com/xyz"
# - "domain.com"
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local

metrics:
annotations:
enabled: true
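Review bot: the new `internal-frontend.ingress` block (`enabled: false`, `hosts: - "/"`) gives operators a one-line way to expose a service that, per the README in this PR, bypasses authorization; I would remove the ingress section from `internal-frontend` entirely and keep only `service` with `type: ClusterIP`, or at minimum add a comment next to `enabled: false` saying it must not be enabled. Separately, `#httpPort: 7243` is commented out while server-configmap.yaml references `internal-frontend.service.httpPort` unconditionally, so either provide the default here or guard the template.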