Enabling Authorization
Before proceeding with this installation, please review the Security model used by Portworx.
Enabling authorization
To enable authorization, edit your Portworx yaml configuration to add the appropriate information. First create a Kubernetes Secret which holds the values of the environment variables, then populate the required environment variables from your Secret. Here is an example of how to set up an environment variable from a Secret:
- Create a secret:
    kubectl create secret generic mysecret \
      --from-literal=system-secret='RmlqRSfh9'
- Then we can access the key as follows:
    ...
    - name: "PORTWORX_AUTH_SYSTEM_KEY"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: system-secret
    ...
Example
The following example shows how to enable Portworx authorization to verify self-signed tokens. The example uses a shared secret to validate tokens from an issuer called myissuer.
- Save the sensitive information in a secret:
    kubectl create secret generic mysecret \
      --from-literal=system-secret='RmlqRSfh9' \
      --from-literal=shared-secret='hnuiUDFHf' \
      --from-literal=stork-secret='hn23nfsFD'
- The Portworx yaml configuration would look like this:
    ...
    name: stork
    env:
    - name: "PX_SHARED_SECRET"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: stork-secret
    ...
    name: portworx
    args:
      [..."-jwt_issuer", "myissuer", ...]
    env:
    - name: "PORTWORX_AUTH_JWT_SHAREDSECRET"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: shared-secret
    - name: "PORTWORX_AUTH_SYSTEM_KEY"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: system-secret
    - name: "PORTWORX_AUTH_STORK_KEY"
      valueFrom:
        secretKeyRef:
          name: mysecret
          key: stork-secret
    ...
You will now need to apply the change to update the Stork deployment and the Portworx DaemonSet. Wait until the update is complete and all pods are ready with 1/1.