nais / digdirator

Kubernetes Operator for automated registration and configuration of Digdir clients (ID-porten & Maskinporten)
MIT License

Forking for use at Domstolsadministrasjonen #264

Open thoraage opened 6 months ago

thoraage commented 6 months ago

Hi

We're looking into something similar to what you've created here and have some questions:

Best regards Thor Åge Eldby

tronghn commented 6 months ago

Hello 👋

Do you have any idea of how portable it is today?

There are some defaults that are specific to NAV, but they should be overridable in the configuration. I believe Kartverket either uses Digdirator directly or a fork of it, though they're also users of GCP AFAIK.

The implementation here requires use of Google Secret Manager for loading in some client metadata, though these aren't really secrets and could be provided as environment variables.

We also use Google Cloud KMS for generating signatures for the client assertions, so you'd have to implement a signer that satisfies the jose.Signer interface to replace the KMS signer:

type Signer interface {
    Sign(payload []byte) (*JSONWebSignature, error)
    Options() SignerOptions
}

Have you implemented automatic recreation of expired keys?

No, this is an issue that we're aware of and we'll likely address it by Q1 or Q2.


We're not in a position to make this more generic at this time, though you're free to fork and customize as needed (or even contribute back if you want to!)
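
The two points raised above, a signer that replaces Cloud KMS and a key that must not outlive its registered expiry, can be sketched together. The following is an added example written for this page; it is not Digdirator's code and not go-jose's API. It assumes a simplified `Signer` interface that mirrors the shape of the `jose.Signer` contract (returning a compact JWS string rather than `*JSONWebSignature`), an RSA key held in memory instead of in KMS, an `ExpiresAt` field standing in for the Digdir JWK expiry, and placeholder client ID and audience values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Signer is a constructed stand-in for the jose.Signer contract: anything that
// turns a payload into a signed JWS. It is not go-jose's type.
type Signer interface {
	Sign(payload []byte) (string, error)
	KeyID() string
}

// LocalRSASigner produces RS256 compact JWS with an in-memory key instead of
// delegating to Cloud KMS. ExpiresAt models the registered JWK's expiry so a
// stale key is refused instead of silently producing assertions Digdir rejects.
type LocalRSASigner struct {
	Key       *rsa.PrivateKey
	Kid       string
	ExpiresAt time.Time
	Now       func() time.Time // injectable clock; nil means time.Now
}

var _ Signer = (*LocalRSASigner)(nil)

// ErrKeyExpired signals that the key needs to be recreated and re-registered.
var ErrKeyExpired = errors.New("signing key has expired; recreate and re-register the JWK")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func (s *LocalRSASigner) KeyID() string { return s.Kid }

// Sign builds header.payload, hashes it with SHA-256 and signs with PKCS#1 v1.5,
// which is what RS256 specifies. The kid header lets the verifier pick the JWK.
func (s *LocalRSASigner) Sign(payload []byte) (string, error) {
	now := time.Now
	if s.Now != nil {
		now = s.Now
	}
	if !s.ExpiresAt.IsZero() && !now().Before(s.ExpiresAt) {
		return "", ErrKeyExpired
	}
	hdr, err := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": s.Kid})
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verify checks a compact JWS against a public key and returns the payload.
// The alg is pinned to RS256 so a header-supplied algorithm cannot downgrade it.
func Verify(jws string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed placeholder values, not real Digdir identifiers.
	s := &LocalRSASigner{Key: key, Kid: "example-kid", ExpiresAt: time.Now().Add(24 * time.Hour)}
	jws, err := s.Sign([]byte(`{"iss":"example-client-id","aud":"https://example.invalid/token"}`))
	if err != nil {
		panic(err)
	}
	payload, err := Verify(jws, &key.PublicKey)
	fmt.Println(string(payload), err)
}
```

Swapping the in-memory key for a KMS-backed one only changes the `Sign` body: the hash and header construction stay the same, and the expiry check is where an automatic recreation routine would hook in once the operator supports it.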

thoraage commented 6 months ago

Thanks for the answer! We think we'll be able to generalize it to our needs and hopefully contribute back at a later stage. The recreation of keys is currently the most wanted feature. We don't think we're comfortable both implementing it and generalizing the operator at the same time, so we will put it on watch for later updates.