Skip to content

Commit 3acdd02

Browse files
jsell-rhclaude
andcommitted
fix(manifests): add jwk-cert-url flag, harden SaaS template security
- Add --jwk-cert-url CLI flag pointing to Keycloak JWKS endpoint; without it the framework defaults to sso.redhat.com and rejects tokens signed by our Keycloak instance - Remove unused JWK_CERT_URL env var (framework reads the CLI flag) - Remove CREDENTIAL_ENCRYPTION_ALLOW_PLAINTEXT=true - Add readOnlyRootFilesystem: true to all container securityContexts Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 34fd7a2 commit 3acdd02

1 file changed

Lines changed: 4 additions & 4 deletions

File tree

components/manifests/templates/template-services.yaml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -105,6 +105,7 @@ objects:
105105
initialDelaySeconds: 30
106106
periodSeconds: 30
107107
securityContext:
108+
readOnlyRootFilesystem: true
108109
allowPrivilegeEscalation: false
109110
capabilities:
110111
drop:
@@ -189,6 +190,7 @@ objects:
189190
cpu: 500m
190191
memory: 512Mi
191192
securityContext:
193+
readOnlyRootFilesystem: true
192194
allowPrivilegeEscalation: false
193195
capabilities:
194196
drop:
@@ -205,8 +207,6 @@ objects:
205207
secretKeyRef:
206208
name: ambient-control-plane-token
207209
key: token
208-
- name: JWK_CERT_URL
209-
value: "${KEYCLOAK_REALM_URL}/protocol/openid-connect/certs"
210210
- name: CREDENTIAL_ENCRYPTION_KEYRING
211211
valueFrom:
212212
secretKeyRef:
@@ -219,8 +219,6 @@ objects:
219219
name: credential-encryption-key
220220
key: version
221221
optional: true
222-
- name: CREDENTIAL_ENCRYPTION_ALLOW_PLAINTEXT
223-
value: "true"
224222
command:
225223
- /usr/local/bin/ambient-api-server
226224
- serve
@@ -232,6 +230,7 @@ objects:
232230
- --enable-jwt=true
233231
- --enable-authz=true
234232
- --jwk-cert-file=/configs/authentication/jwks.json
233+
- --jwk-cert-url=${KEYCLOAK_REALM_URL}/protocol/openid-connect/certs
235234
- --enable-https=false
236235
- --enable-grpc=true
237236
- --grpc-enable-tls=false
@@ -295,6 +294,7 @@ objects:
295294
initialDelaySeconds: 20
296295
periodSeconds: 10
297296
securityContext:
297+
readOnlyRootFilesystem: true
298298
allowPrivilegeEscalation: false
299299
capabilities:
300300
drop:

0 commit comments

Comments
 (0)