In my company, we have an internal Security Token Service consumed by all web apps to validate the STS token issued by the company's central access management server (e.g. BigIP/APM). Therefore the same endpoint for the token validation REST API has to be repeatedly set as an environment variable in the Deployment Configuration for each individual web app (OpenShift project). So is an ES256 public key used by each web app for validating the JWT token.
I'm wondering if there exists a way to set up a global environment variable or ConfigMap or anything else in OpenShift for this kind of common, shared settings per cluster such that they can be accessible by default for all web apps running in all pods in the cluster? Of course, each individual Deployment Config should be able to override these default values from the global settings at will.
When it comes to microservices it is a good practice to share nothing and avoid "tight coupling". It's typically not good to have global variables.
This will be difficult when you want to evolve and maintain it. Keys are something you regularly should rotate.
In my company, we have an internal Security Token Service consumed by all web apps to validate the STS token issued by the company's central access management server (e.g. BigIP/APM).
So is an ES256 public key used by each web app for validating JWT token.
When you receive a JWT token, you should inspect the iss (issuer - the value can be an HTTP URL) claim, and if you trust the issuer, you typically can find an OpenID Connect Discovery endpoint where the issuer publishes a JSON Web Key Set with keys to validate the token.
With this architecture, you have a central service that issues tokens - and also publishes keys to validate them. So there is no need to distribute them in another way - no shared variables. Now you also have a single place to rotate the token, so it becomes easier to maintain.
Nothing built in. You could build that yourself with some webhooks and custom code. Otherwise you need to add the envFrom pointing at a Secret and/or ConfigMap to each pod template and copy that Secret/ConfigMap to all namespaces that need it (kubed can help with that part at least).