From 96013abaf75d69de8f9418bb1301ff27adff5797 Mon Sep 17 00:00:00 2001
From: Aleksandr Kurlov
Date: Thu, 11 Apr 2024 18:27:31 +0200
Subject: [PATCH] Rotate fleet manager static tokens

---
 .secrets.baseline | 11 ++----
 config/jwks-file-static.json | 2 +-
 config/static-token-admin-payload.json | 36 +++++++++++++++++++
 docs/development/test-locally-static-token.md | 1 +
 templates/service-template.yml | 4 +--
 5 files changed, 42 insertions(+), 12 deletions(-)
 create mode 100644 config/static-token-admin-payload.json

diff --git a/.secrets.baseline b/.secrets.baseline
index 2efa472ed0..687eb60fb2 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -172,7 +172,7 @@
 {
 "type": "Base64 High Entropy String",
 "filename": "config/jwks-file-static.json",
- "hashed_secret": "3744e3d32aa35c3bb53d76d1832699b723f07812",
+ "hashed_secret": "3fb3c5865e6594120f0007ec7f6983a563f51eff",
 "is_verified": false,
 "line_number": 41
 }
@@ -403,13 +403,6 @@
 "is_verified": false,
 "line_number": 511
 },
- {
- "type": "Base64 High Entropy String",
- "filename": "templates/service-template.yml",
- "hashed_secret": "14736999d9940728c5294277831a702f7882dece",
- "is_verified": false,
- "line_number": 548
- },
 {
 "type": "Secret Keyword",
 "filename": "templates/service-template.yml",
@@ -445,5 +438,5 @@
 }
 ]
 },
- "generated_at": "2024-03-21T17:47:35Z"
+ "generated_at": "2024-04-11T16:27:17Z"
 }
diff --git a/config/jwks-file-static.json b/config/jwks-file-static.json
index af27a0fe83..4c9e54d3a8 100644
--- a/config/jwks-file-static.json
+++ b/config/jwks-file-static.json
@@ -38,7 +38,7 @@
 "use": "sig",
 "kid": "acs-dev-bitwarden-static-token-jwks",
 "alg": "RS256",
- "n": "s6bi3xECYj1V_QksbRme4wRMm9X8NoCPqqYRqn3PGTYSpNpTsvOohSd2b3gtbtR_89N1YXFYbjMmk-dqaaZNGCVfg45KuCjaore62yiExAzMA8N-gw6IiBXe6TUN6kZP84OLDhfDZXmrpL1tOepWY1mSAN3IT_lmDFqU06MS7AXOTz7qWXOp6s_-Bwbl3GmP6OhAdc955-WAizTxiWdKWGZ0aXlhP167GE45IRjVarB_TIemDYfN1PBfznfgW7F4JZvwzC--oiH2mps8xaDvby7Y0W-LHFL_64lXgTs1OW9vcIisSH-1YsiVIraQDbiVtNTjzDrF7ouNKSL5uTQ2pQ"
+ "n": "sOxtMpVCVOUu0eX-yJ6PTv4yTTunZFQDvkbR4DM5XJ4nwyPYZpCFu9CnHbmnyUm6TVAbaESYGz8FR4ljb9QsEJMox1SMX_2_q2vNGh_l3_3OHsvJSgtW0fZb-V9nXm40iYbZlvHEqZuhkfKbd6mKtWq6Lz5tV-Y5WgAbxkMAe240MT9XxBdNn-uiwrGuQFYbl3628ECpG6XF7NAuhytaypgddSy4j0Md98tqg1pjT8jPGl-iBKJpv9zMPv-b78ZwrRn_4EDWlc3CqyzuTvu1sW_FnqvPPfMfyuxkk2iSrVFad1bqk23A3oALWWingJdIkD03gmGTFcd9h9s0_XfeJQ"
 }
 ]
 }
diff --git a/config/static-token-admin-payload.json b/config/static-token-admin-payload.json
new file mode 100644
index 0000000000..bbab3786ba
--- /dev/null
+++ b/config/static-token-admin-payload.json
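Review bot: The rotated key keeps the existing `kid` (`acs-dev-bitwarden-static-token-jwks`) while only `n` changes, so any verifier that caches keys by kid cannot distinguish the retired key from the new one and presumably only picks up the new modulus after a restart, which the docs hunk in this patch already asks for. Giving each rotated key a distinct kid (a date or version suffix, e.g. `acs-dev-bitwarden-static-token-jwks-2024-04`) would let old and new keys coexist in the JWKS during rollover and make a token signed with the retired key fail on key lookup rather than on a signature mismatch. The same modulus is duplicated verbatim in the `@@ -586` hunk of templates/service-template.yml; both copies agree now, but deriving the ConfigMap item from config/jwks-file-static.json would remove the drift risk on the next rotation.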
@@ -0,0 +1,36 @@
+{
+ "account_id": "12345678",
+ "account_number": "1234567",
+ "acr": "0",
+ "aud": "cloud-services",
+ "azp": "cloud-services",
+ "email": "rhacs-ms-test@redhat.com",
+ "exp": 7955112142,
+ "first_name": "Test",
+ "iat": 1656293927,
+ "is_active": true,
+ "is_internal": true,
+ "is_org_admin": true,
+ "iss": "https://auth.redhat.com/auth/realms/EmployeeIDP",
+ "jti": "03f0bd7b-003f-43cc-a169-fc4a7a582655",
+ "last_name": "Test",
+ "locale": "en_us",
+ "nonce": "eb1485d6-8351-4494-978d-8b62bebe126b",
+ "org_id": "16155304",
+ "preferred_username": "rhacs-ms-test@redhat.com",
+ "realm_access": {
+ "roles": [
+ "authenticated",
+ "fleet-manager-admin-full",
+ "acs-general-engineering"
+ ]
+ },
+ "scope": "openid iam.clients.service_accounts offline_access",
+ "session_state": "20873d12-aae8-4d3b-9c14-44a5a253c367",
+ "sid": "20873d12-aae8-4d3b-9c14-44a5a253c367",
+ "sub": "f:528d76ff-f708-43ed-8cd5-fe16f4fe0ce6:rhacs-ms-test@redhat.com",
+ "typ": "Bearer",
+ "type": "User",
+ "user_id": "12345678",
+ "username": "rhacs-ms-test@redhat.com"
+}
diff --git a/docs/development/test-locally-static-token.md b/docs/development/test-locally-static-token.md
index 03a811edce..099cd16294 100644
--- a/docs/development/test-locally-static-token.md
+++ b/docs/development/test-locally-static-token.md
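Review bot: `exp` is 7955112142 (roughly the year 2222), so a token minted from this payload — which carries `fleet-manager-admin-full` in `realm_access.roles` — has no practical expiry, and `iat` of 1656293927 predates this rotation by almost two years. If the static signing key is ever exposed there is no time bound on the resulting admin access; a bounded `exp` that is re-minted when needed (the accompanying docs steps already describe editing the payload) would limit that exposure. Because JSON has no comment syntax, the intent is best recorded in docs/development/test-locally-static-token.md next to the new step, e.g. "the admin payload is a dev-only template; keep `exp` short-lived and re-issue rather than extending it". The `iss` claim names the `EmployeeIDP` realm, so it is worth confirming that only local/dev configurations trust this static JWKS, otherwise a payload like this could be confused with an IdP-issued token.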
@@ -28,6 +28,7 @@ Show X.509: Yes 7. Copy the values of from Bitwarden's `ACS Fleet* Static token JWKS` item respectively, pasting them into the `VERIFY SIGNATURE` fields. 8. Copy the payload data contained within `config/static-token-payload.json` and adjust the payload to your liking. 9. Once finished copy the payload data and update the value within `config/static-token-payload.json`. + Use `config/static-token-admin-payload.json` for admin static token 10. Also, ensure that the ConfigMap `fleet-manager-authentication` is up-to-date, specifically the `jwks-file-static.json` item. If you have re-created the JWKS files, ensure that fleet manager is re-started with the new values of the `config/jwks-file-static.json`.
diff --git a/templates/service-template.yml b/templates/service-template.yml
index f4ba0b6a69..6d47d91c5f 100644
--- a/templates/service-template.yml
+++ b/templates/service-template.yml
@@ -545,7 +545,7 @@ objects:
 }
 ]
 }
- jwks-file-static.json: |
+ jwks-file-static.json: | # pragma: allowlist secret
 {
 "keys": [
 {
@@ -586,7 +586,7 @@ objects:
 "use": "sig",
 "kid": "acs-dev-bitwarden-static-token-jwks",
 "alg": "RS256",
- "n": "s6bi3xECYj1V_QksbRme4wRMm9X8NoCPqqYRqn3PGTYSpNpTsvOohSd2b3gtbtR_89N1YXFYbjMmk-dqaaZNGCVfg45KuCjaore62yiExAzMA8N-gw6IiBXe6TUN6kZP84OLDhfDZXmrpL1tOepWY1mSAN3IT_lmDFqU06MS7AXOTz7qWXOp6s_-Bwbl3GmP6OhAdc955-WAizTxiWdKWGZ0aXlhP167GE45IRjVarB_TIemDYfN1PBfznfgW7F4JZvwzC--oiH2mps8xaDvby7Y0W-LHFL_64lXgTs1OW9vcIisSH-1YsiVIraQDbiVtNTjzDrF7ouNKSL5uTQ2pQ"
+ "n": "sOxtMpVCVOUu0eX-yJ6PTv4yTTunZFQDvkbR4DM5XJ4nwyPYZpCFu9CnHbmnyUm6TVAbaESYGz8FR4ljb9QsEJMox1SMX_2_q2vNGh_l3_3OHsvJSgtW0fZb-V9nXm40iYbZlvHEqZuhkfKbd6mKtWq6Lz5tV-Y5WgAbxkMAe240MT9XxBdNn-uiwrGuQFYbl3628ECpG6XF7NAuhytaypgddSy4j0Md98tqg1pjT8jPGl-iBKJpv9zMPv-b78ZwrRn_4EDWlc3CqyzuTvu1sW_FnqvPPfMfyuxkk2iSrVFad1bqk23A3oALWWingJdIkD03gmGTFcd9h9s0_XfeJQ"
 }
 ]
 }
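Review bot: In the `@@ -545` hunk of templates/service-template.yml, the `# pragma: allowlist secret` added to the `jwks-file-static.json: |` line appears to silence detect-secrets for the whole block scalar, which is presumably why the baseline entry for line 548 is dropped in this patch; the side effect is that a private JWK member (`d`, `p`, `q`, `dp`, `dq`, `qi`) pasted into that block in a later edit would also go unflagged. The string being suppressed is an RSA public modulus, not a secret, so the safer choice is to keep it audited in `.secrets.baseline` with `is_verified: false` — exactly what the patch still does for config/jwks-file-static.json at line 41 — and leave the scanner active on the template. If the pragma stays, record the constraint next to it, e.g. `# pragma: allowlist secret -- public JWKS only, never add private key members`.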