Closed robertofalk closed 4 years ago
Hi @robertofalk, yes, Kubernetes support is on our backlog. If you'd like to contribute... feel free :-) Best regards, Nena
Hi @nenaraab,
The truth is, my Java knowledge is super rusty. Reading the secret created by xsuaa and using the fields from there instead of VCAP_SERVICES is, I think, not that complicated, but there are some details I don't really know how you plan to implement. For example, in class Environments, method getCurrent (https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/java-security/src/main/java/com/sap/cloud/security/config/Environments.java#L22), I have no idea how to identify whether it's CF or K8s. Do you plan to use an environment variable like VCAP_APPLICATION for that?
btw: just fyi, since we're the main stakeholders for the Python version, we're setting up a team (of volunteers) to help support pysec, starting from the bug that I reported: https://github.com/SAP/cloud-pysec/issues/28
Best regards, Roberto Falk
For now, this is how I made it work:

```yaml
env:
  # each key of the xsuaa secret becomes an env var, which is then interpolated
  # into VCAP_SERVICES below via Kubernetes $(VAR) dependent-variable expansion
  - name: clientid
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: clientid } }
  - name: identityzone
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: identityzone } }
  - name: sburl
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: sburl } }
  - name: trustedclientidsuffix
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: trustedclientidsuffix } }
  - name: apiurl
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: apiurl } }
  - name: clientsecret
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: clientsecret } }
  - name: identityzoneid
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: identityzoneid } }
  - name: tenantid
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: tenantid } }
  - name: tenantmode
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: tenantmode } }
  - name: uaadomain
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: uaadomain } }
  - name: url
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: url } }
  - name: verificationkey
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: verificationkey } }
  - name: xsappname
    valueFrom: { secretKeyRef: { name: my-xsuaa, key: xsappname } }
  - name: VCAP_SERVICES
    value: "{\"xsuaa\":[{\"binding_name\":null,\"credentials\":{\"apiurl\":\"$(apiurl)\",\"clientid\":\"$(clientid)\",\"clientsecret\":\"$(clientsecret)\",\"identityzone\":\"$(identityzone)\",\"identityzoneid\":\"$(identityzoneid)\",\"sburl\":\"$(sburl)\",\"tenantid\":\"$(tenantid)\",\"tenantmode\":\"$(tenantmode)\",\"trustedclientidsuffix\":\"$(trustedclientidsuffix)\",\"uaadomain\":\"$(uaadomain)\",\"url\":\"$(url)\",\"verificationkey\":\"$(verificationkey)\",\"xsappname\":\"$(xsappname)\"},\"instance_name\":\"my-xsuaa\",\"label\":\"xsuaa\",\"name\":\"my-xsuaa\",\"plan\":\"broker\",\"provider\":null,\"syslog_drain_url\":null,\"tags\":[\"xsuaa\"],\"volume_mounts\":[]}]}"
```
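The workaround above interpolates each secret value into a hand-written JSON string, so a value containing a double quote, a backslash or a newline (a PEM-formatted verificationkey, for instance) yields a VCAP_SERVICES the library cannot parse. The following added example (not part of this issue or of the SAP library) shows the same idea done with a JSON serializer: it reads the xsuaa secret from a Kubernetes secret volume mount (one file per key, a layout assumed here) and emits the VCAP_SERVICES document with the same instance_name, label, plan and tags as the snippet. The directory path, the sample credential values and the set of keys treated as required are constructed assumptions for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# Credential keys of the xsuaa binding secret, as listed in the env snippet above.
XSUAA_KEYS = (
    "apiurl", "clientid", "clientsecret", "identityzone", "identityzoneid",
    "sburl", "tenantid", "tenantmode", "trustedclientidsuffix", "uaadomain",
    "url", "verificationkey", "xsappname",
)

# Keys the application cannot work without (an assumption for this example).
REQUIRED_KEYS = ("clientid", "clientsecret", "url", "xsappname")


def read_secret_dir(secret_dir):
    """Read one file per secret key from a Kubernetes secret volume mount.

    Only the known xsuaa keys are read: a secret mount also contains '..data'
    symlink directories, which must not be mistaken for keys. Optional keys
    that are absent are simply left out of the credentials block.
    """
    creds = {}
    for key in XSUAA_KEYS:
        path = Path(secret_dir) / key
        if path.is_file():
            creds[key] = path.read_text(encoding="utf-8")
    missing = [k for k in REQUIRED_KEYS if k not in creds]
    if missing:
        raise ValueError(f"xsuaa secret is missing required key(s): {missing}")
    return creds


def build_vcap_services(creds, instance_name="my-xsuaa", plan="broker"):
    """Assemble a VCAP_SERVICES structure mirroring the JSON in the snippet."""
    return {
        "xsuaa": [{
            "binding_name": None,
            "credentials": dict(creds),
            "instance_name": instance_name,
            "label": "xsuaa",
            "name": instance_name,
            "plan": plan,
            "provider": None,
            "syslog_drain_url": None,
            "tags": ["xsuaa"],
            "volume_mounts": [],
        }]
    }


def vcap_services_json(secret_dir, **kwargs):
    """Serialize with json.dumps so quotes, backslashes and newlines in any
    value are escaped; string interpolation of raw values corrupts the JSON."""
    return json.dumps(build_vcap_services(read_secret_dir(secret_dir), **kwargs))


def credentials_from_vcap(vcap_json):
    """Parse a VCAP_SERVICES string back and return the xsuaa credentials block,
    which is what a consumer such as the library's config loader reads."""
    return json.loads(vcap_json)["xsuaa"][0]["credentials"]


def write_sample_secret_dir():
    """Constructed sample data (not real credentials), laid out like a mounted secret.
    clientsecret and verificationkey deliberately contain characters that would
    break the interpolation-based approach."""
    d = tempfile.mkdtemp(prefix="xsuaa-secret-")
    sample = {
        "clientid": "sb-example-app!t0",
        "clientsecret": 'p"ss\\word',          # a double quote and a backslash
        "url": "https://example.invalid/uaa",   # placeholder URL
        "xsappname": "example-app!t0",
        "tenantmode": "dedicated",
        "verificationkey": "-----BEGIN PUBLIC KEY-----\nMIIB...\n-----END PUBLIC KEY-----",
    }
    for key, value in sample.items():
        (Path(d) / key).write_text(value, encoding="utf-8")
    return d


if __name__ == "__main__":
    secret_dir = write_sample_secret_dir()
    print(vcap_services_json(secret_dir))
```

Run it as a small init step (or as a Python entrypoint wrapper) that exports the printed document as VCAP_SERVICES for the application process. Mounting the secret as a volume rather than as individual environment variables also keeps clientsecret out of the pod's environment, where it is visible to anything that can read the process table.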
Yes, instead of loading the Xsuaa configuration from the CF environment (VCAP_SERVICES) as described here (https://github.com/SAP/cloud-security-xsuaa-integration/tree/master/java-security#setup-step-1-load-the-service-configurations), you can also create your own implementation of the interface OAuth2ServiceConfiguration and return the information that is provided via Kubernetes secrets. This is a workaround until this lib supports K8S secrets...
Hi,
can I use this library for token validation also on Kubernetes? I saw here (https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/java-api/src/main/java/com/sap/cloud/security/config/Environment.java#L16) that K8s as environment is commented out, so I guess the answer is probably no. Any plans to support it in the near future?
Thanks and regards, Roberto Falk