|
| 1 | +--- |
| 2 | +description: Enabling engine authentication, provisioning JWT signing keys, and rotating them. |
| 3 | +sidebarTitle: Authentication |
| 4 | +title: Authentication |
| 5 | +--- |
| 6 | + |
| 7 | +This page shows how to enable authentication on the Firebolt Engine. |
| 8 | + |
| 9 | +`auth.enabled` turns on the engine's built-in authentication: a bootstrap administrator account and JWT signing keys for the engine's embedded authorization server. Everything beyond that — OIDC providers, `password_login`, JWT lifetime, just-in-time provisioning — is set through `customEngineConfig.instance.auth`, which the chart deep-merges alongside the admin account and signing keys it renders. |
| 10 | + |
| 11 | +The chart never accepts a literal password value for the admin account. Enabling auth always requires an existing Secret. |
| 12 | + |
| 13 | +### Values |
| 14 | + |
| 15 | +```yaml |
| 16 | +# my-values.yaml |
| 17 | +auth: |
| 18 | + enabled: true |
| 19 | + admin: |
| 20 | + name: firebolt |
| 21 | + password: |
| 22 | + existingSecret: |
| 23 | + secretRef: firebolt-admin-password # Secret with a `password` key |
| 24 | + |
| 25 | + signingKeys: |
| 26 | + - id: key-2026-01 |
| 27 | + existingSecret: |
| 28 | + secretRef: firebolt-signing-key-2026-01 # Secret with a `tls.key` PEM private key |
| 29 | +``` |
| 30 | +
|
| 31 | +### Install |
| 32 | +
|
| 33 | +Create the admin password Secret and a signing key Secret, then install the chart: |
| 34 | +
|
| 35 | +```bash |
| 36 | +kubectl create secret generic firebolt-admin-password -n firebolt \ |
| 37 | + --from-literal=password='…' |
| 38 | + |
| 39 | +# tls.key holds a PEM RSA private key; the chart uses only the private key, |
| 40 | +# not a certificate, to sign JSON Web Tokens. |
| 41 | +openssl genrsa -out signing-key.pem 2048 |
| 42 | +kubectl create secret generic firebolt-signing-key-2026-01 -n firebolt \ |
| 43 | + --from-file=tls.key=signing-key.pem |
| 44 | + |
| 45 | +helm install firebolt ./helm \ |
| 46 | + --namespace firebolt --create-namespace \ |
| 47 | + -f my-values.yaml |
| 48 | +``` |
| 49 | + |
| 50 | +<Note> |
| 51 | +A multi-node engine needs an explicit signing key. Without one, each engine node generates its own development key on first startup, and tokens signed by one node fail validation on another. The chart's render fails immediately if `auth.enabled` is true and `signingKeys` is empty. |
| 52 | +</Note> |
| 53 | + |
| 54 | +Kubernetes health probes and the gateway's active engine health check keep working without a token — the engine exempts `/health/live` and `/health/ready` from authentication. |
| 55 | + |
| 56 | +### Signing key rotation |
| 57 | + |
| 58 | +`signingKeys` is an ordered list. The **first** entry is the active signer used for new tokens; every entry in the list remains valid for verifying tokens already issued under it. To rotate, prepend a new entry rather than replacing the list, and remove the old entry only once every token it signed has expired: |
| 59 | + |
| 60 | +```yaml |
| 61 | +auth: |
| 62 | + signingKeys: |
| 63 | + - id: key-2026-02 # now active |
| 64 | + existingSecret: |
| 65 | + secretRef: firebolt-signing-key-2026-02 |
| 66 | + - id: key-2026-01 # still verifies old tokens until they expire |
| 67 | + existingSecret: |
| 68 | + secretRef: firebolt-signing-key-2026-01 |
| 69 | +``` |
| 70 | +
|
| 71 | +### cert-manager as a signing-key source |
| 72 | +
|
| 73 | +As an alternative to an existing Secret, a signing key entry can request a [cert-manager](https://cert-manager.io) `Certificate` instead: |
| 74 | + |
| 75 | +```yaml |
| 76 | +auth: |
| 77 | + signingKeys: |
| 78 | + - id: key-2026-01 |
| 79 | + certManager: |
| 80 | + algorithm: RSA |
| 81 | + size: 2048 |
| 82 | + issuerRef: |
| 83 | + name: internal-ca |
| 84 | + kind: ClusterIssuer |
| 85 | +``` |
| 86 | + |
| 87 | +The chart pins `privateKey.rotationPolicy: Never` on signing-key Certificates, so cert-manager's renewal timer never silently replaces an active signing key out from under already-issued tokens. Rotate by prepending a new `signingKeys` entry, the same as with an existing Secret. |
| 88 | + |
| 89 | +### OIDC and other auth settings |
| 90 | + |
| 91 | +OIDC providers, `password_login`, JWT lifetime, and just-in-time provisioning are not first-class values. Set them under `customEngineConfig.instance.auth`, which is deep-merged alongside the admin account and signing keys the chart renders: |
| 92 | + |
| 93 | +```yaml |
| 94 | +customEngineConfig: |
| 95 | + instance: |
| 96 | + auth: |
| 97 | + password_login: admin_only |
| 98 | + oidc: |
| 99 | + providers: |
| 100 | + - name: corporate_idp |
| 101 | + discovery_url: https://idp.example.com/.well-known/openid-configuration |
| 102 | + username_mapping: "{{ email }}" |
| 103 | +``` |
| 104 | + |
| 105 | +## See also |
| 106 | + |
| 107 | +- [TLS](./tls): enabling TLS on the gateway's client listener and the engine's query listener. |
| 108 | +- [Security model](../security): pod-hardening baseline and secrets handling across the whole chart. |
0 commit comments