Optimize Helm Chart for JWT Secret setting

[danielhass]

Dear AKHQ-Maintainers,

first of all, thanks for this awesome project and keep up the great work!

We are running AKHQ on Kubernetes using the projects Helm-Chart. In the default configuration, the application uses the default JWT secret to sign tokens. This flaw is also written to the application start-up log.

Changing the JWT secret is described in the AKHQ docs: https://akhq.io/docs/configuration/authentifications/jwt.html

However, the Helm Chart currently doesn't offer great support for this settings as it stores the whole application config under the following object in the values.yaml: https://github.com/tchiotludo/akhq/blob/dev/helm/akhq/values.yaml#L36

If a user doesn't want to store sensitive information in the values.yaml third-party tools and toys have to be used, as templating of values in the values.yaml itself is not supported by Helm.

It would be great to have an alternative way for storing the JWT secret like a Kubernetes Secret or environment variable.

Regarding my last note: does AKHQ support reading the JWT secret from another source than the default application.yml config file?

Hoping to get some input and ideas around this topic. I can think of many solutions to work around this and would like to hear the maintainers thoughts on this.

[tchiotludo]

In fact, all the configuration values that you put on configuration from values can be put on secrets part and will be store as secret on k8s.
You can also use an env variable MICRONAUT_SECURITY_TOKEN_JWT_SIGNATURES_SECRET_GENERATOR with the same effect.
(all configuration can be passed as env var, transforming to upper case and replace all special characters with _)

I think it will resolved all your issues ?

[danielhass]

@tchiotludo - thanks for the blazing fast answer!

In theory this looks like a great option to work around the issue described above of storing sensitive information in the values.yaml. I was able to implement the following configuration:

I kept the majority of the configuration under the usual configuration: section in the values file. I additionally added the following object to the extraEnv section:

- name: MICRONAUT_SECURITY_TOKEN_JWT_SIGNATURES_SECRET_GENERATOR_SECRET
    valueFrom:
      secretKeyRef:
        name: akhq-jwt-secret
        key: secret
        optional: false

This works and results in the following environment in the executed AKHQ pod:

$ env | grep -i micro
MICRONAUT_CONFIG_FILES=/app/application.yml
MICRONAUT_SECURITY_TOKEN_JWT_SIGNATURES_SECRET_GENERATOR_SECRET=<redacted>

As a remark for others reading this, the initial answer stated the following MICRONAUT_SECURITY_TOKEN_JWT_SIGNATURES_SECRET_GENERATOR environment variable which was missing the _SECRET at the end.

@tchiotludo if you find time I have two additional questions:

• Is this behaviour for setting configs via environment variables documented in the AKHQ docs? I wasn't able to find it.
• What is your opinion on integrating some of this into the default Helm Chart settings (I would also consider contributing some of this myself)? I always like apps being as secure as possible by default. With the current Helm Chart the deployed application is somewhat insecure with default settings applied. I thought about including a default creation of a Kubernetes secret with a random generated secret.

[tchiotludo]

@danielhass
For behaviour for setting configs: it's a feature of micronaut but it's true that it's not documented explicitly on AKHQ, If you want to add a PR about that, it will be really appreciate

For the generation of the JWT, it's a good idea and PR are welcome on that