Generate JWT passphrase and public / private keys on deploy

Author: teohhanhui

api/helm/api/templates/php-deployment.yaml

@@ -81,6 +81,21 @@ spec:
                 secretKeyRef:
                   name: {{ template "fullname" . }}
                   key: mercure-jwt-secret
+            - name: JWT_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "fullname" . }}
+                  key: jwt-secret-key
+            - name: JWT_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "fullname" . }}
+                  key: jwt-public-key
+            - name: JWT_PASSPHRASE
+              valueFrom:
+                secretKeyRef:
+                  name: {{ template "fullname" . }}
+                  key: jwt-passphrase
           resources:
 {{ toYaml .Values.resources | indent 12 }}
     {{- if .Values.nodeSelector }}

api/helm/api/templates/secrets.yaml

@@ -12,9 +12,12 @@ metadata:
 type: Opaque
 data:
   {{ if .Values.postgresql.enabled }}
-  database-url: {{ printf "pgsql://%s:%s@%s/%s?serverVersion=9.6" .Values.postgresql.postgresqlUsername .Values.postgresql.postgresqlPassword $postgresqlServiceName .Values.postgresql.postgresqlDatabase | b64enc | quote }}
+  database-url: {{ printf "pgsql://%s:%s@%s/%s?serverVersion=10" .Values.postgresql.postgresqlUsername .Values.postgresql.postgresqlPassword $postgresqlServiceName .Values.postgresql.postgresqlDatabase | b64enc | quote }}
   {{ else }}
   database-url: {{ .Values.postgresql.url | b64enc | quote }}
   {{ end }}
   secret: {{ .Values.php.secret | default (randAlphaNum 40) | b64enc | quote }}
   mercure-jwt-secret: {{ .Values.php.mercure.jwtSecret | b64enc | quote }}
+  jwt-secret-key: {{ .Values.php.jwt.secretKey | b64enc | quote }}
+  jwt-public-key: {{ .Values.php.jwt.publicKey | b64enc | quote }}
+  jwt-passphrase: {{ .Values.php.jwt.passphrase | b64enc | quote }}

api/helm/api/values.yaml

@@ -9,6 +9,10 @@ php:
   replicaCount: 1
   mercure:
     jwtSecret: ""
+  jwt:
+    secretKey: ""
+    publicKey: ""
+    passphrase: ""
   env: prod
   debug: '0'
   secret: ""
@@ -50,7 +54,7 @@ varnish:
 postgresql:
   enabled: true
   # If bringing your own PostgreSQL, the full uri to use
-  #url: pgsql://api-platform:!ChangeMe!@example.com/api?serverVersion=10.1
+  #url: pgsql://api-platform:!ChangeMe!@example.com/api?serverVersion=10
   postgresqlUsername: "api-platform"
   postgresqlPassword: ""
   postgresqlDatabase: "api"
@@ -59,9 +63,9 @@ postgresql:
   persistence:
     enabled: false
   pullPolicy: IfNotPresent
-#  image:
-#    repository: postgres
-#    tag: alpine
+  image:
+    repository: bitnami/postgresql
+    tag: 10
 
 mercure:
   enabled: true

ci/before_deploy

@@ -23,6 +23,18 @@ if [[ -z $MERCURE_JWT_KEY ]]; then
     export MERCURE_JWT_SECRET
 fi
 
+# Generate random passphrase and keys for JWT signing if not set
+if [ -z "$JWT_PASSPHRASE" ]; then
+    JWT_PASSPHRASE=$(< /dev/urandom tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
+    export JWT_PASSPHRASE
+fi
+if [ -z "$JWT_SECRET_KEY" ]; then
+    JWT_SECRET_KEY=$(openssl genpkey -pass file:<(echo "$JWT_PASSPHRASE") -aes256 -algorithm rsa -pkeyopt rsa_keygen_bits:4096)
+    export JWT_SECRET_KEY
+    JWT_PUBLIC_KEY=$(openssl pkey -in <(echo "$JWT_SECRET_KEY") -passin file:<(echo "$JWT_PASSPHRASE") -pubout)
+    export JWT_PUBLIC_KEY
+fi
+
 # Generate random database password if not set
 if [[ -z $DATABASE_PASSWORD ]]; then
     export DATABASE_PASSWORD=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)

ci/deploy

@@ -62,6 +62,9 @@ helm upgrade --install --reset-values --force --namespace=$NAMESPACE --recreate-
     --set php.trustedHosts=$TRUSTED_HOSTS \
     --set php.repository=$PHP_REPOSITORY,php.tag=$TAG \
     --set php.mercure.jwtSecret=$MERCURE_JWT_SECRET \
+    --set php.jwt.secretKey="$JWT_SECRET_KEY" \
+    --set php.jwt.publicKey="$JWT_PUBLIC_KEY" \
+    --set php.jwt.passphrase="$JWT_PASSPHRASE" \
     --set nginx.repository=$NGINX_REPOSITORY,nginx.tag=$TAG \
     --set varnish.repository=$VARNISH_REPOSITORY,varnish.tag=$TAG \
     --set blackfire.blackfire.server_id=$BLACKFIRE_SERVER_ID \