github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6f5550dc5066b7ba4f3ce42e7b3a41a8a8918728
TREK/chart/values.yaml
jubnl 6f5550dc50 fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation 
Introduces a dedicated ENCRYPTION_KEY for encrypting stored secrets
(API keys, MFA TOTP, SMTP password, OIDC client secret) so that
rotating the JWT signing secret no longer invalidates encrypted data,
and a compromised JWT_SECRET no longer exposes stored credentials.

- server/src/config.ts: add ENCRYPTION_KEY (auto-generated to
  data/.encryption_key if not set, same pattern as JWT_SECRET);
  switch JWT_SECRET to `export let` so updateJwtSecret() keeps the
  CJS module binding live for all importers without restart
- apiKeyCrypto.ts, mfaCrypto.ts: derive encryption keys from
  ENCRYPTION_KEY instead of JWT_SECRET
- admin POST /rotate-jwt-secret: generates a new 32-byte hex secret,
  persists it to data/.jwt_secret, updates the live in-process binding
  via updateJwtSecret(), and writes an audit log entry
- Admin panel (Settings → Danger Zone): "Rotate JWT Secret" button
  with a confirmation modal warning that all sessions will be
  invalidated; on success the acting admin is logged out immediately
- docker-compose.yml, .env.example, README, Helm chart (values.yaml,
  secret.yaml, deployment.yaml, NOTES.txt, README): document
  ENCRYPTION_KEY and its upgrade migration path
2026-04-01 07:57:55 +02:00

67 lines
1.6 KiB
YAML
Raw Blame History

image:
repository: mauriceboe/trek
tag: latest
pullPolicy: IfNotPresent
# Optional image pull secrets for private registries
imagePullSecrets: []
# - name: my-registry-secret
service:
type: ClusterIP
port: 3000
env:
NODE_ENV: production
PORT: 3000
# ALLOWED_ORIGINS: ""
# NOTE: If using ingress, ensure env.ALLOWED_ORIGINS matches the domains in ingress.hosts for proper CORS configuration.
# Secret environment variables stored in a Kubernetes Secret
secretEnv:
# JWT signing secret. Auto-generated and persisted to the data PVC if not set.
JWT_SECRET: ""
# At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC, etc.).
# Auto-generated and persisted to the data PVC if not set.
# Upgrading from a version that used JWT_SECRET for encryption: set this to your
# old JWT_SECRET value to keep existing encrypted data readable, then re-save
# credentials via the admin panel and rotate to a fresh random key.
ENCRYPTION_KEY: ""
# If true, random values for JWT_SECRET and ENCRYPTION_KEY are generated at install
# and preserved across upgrades (overrides secretEnv values)
generateJwtSecret: false
# If set, use an existing Kubernetes secret for JWT_SECRET (and optionally ENCRYPTION_KEY)
existingSecret: ""
existingSecretKey: JWT_SECRET
persistence:
enabled: true
data:
size: 1Gi
uploads:
size: 1Gi
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
ingress:
enabled: false
annotations: {}
hosts:
- host: chart-example.local
paths:
- /
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
Reference in New Issue View Git Blame Copy Permalink