Merge pull request #1 from ThePooN/listen-https

✨ Add HTTPS support and built-in client authentication
ppy · Apr 17, 2024 · fef430d · fef430d
2 parents 962f1a9 + 3ce47e6
commit fef430d
Show file tree

Hide file tree

Showing 5 changed files with 453 additions and 910 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,11 @@
-FROM node:16-alpine
-
-COPY ./src/ /srv/src/
-COPY package.json package-lock.json /srv/
+FROM node:20-alpine3.19
 
 WORKDIR /srv
 
+COPY package.json package-lock.json /srv/
 RUN npm ci
 
-USER 1000:1000
+COPY ./src/ /srv/src/
 
+USER 1000:1000
 CMD [ "/usr/local/bin/node", "/srv/src/index.js"]
diff --git a/README.md b/README.md
@@ -2,19 +2,19 @@
 
 Micro-service to expose Kubernetes secrets to clients using client certificates over HTTPS
 
-## Deployment & Usage
-
-We only support deployment and usage of this micro-service through our Helm chart. See: https://github.com/ppy/helm-charts/tree/master/osu/kubernetes-secrets-exporter
-
 ## Architecture
 
-This back-end only handles authorizing and serving the configured secrets through a ConfigMap manifest.
-
-This app leaves *all* authentication to the ingress-nginx instance placed in front and trusts all incoming traffic. Identity is passed through the header configured by the SSL_CLIENT_SUBJECT_HEADER env var (defaults to `ssl-client-subject-dn` as is ingress-nginx's default).
+This application serves secrets to allow-listed clients, both defined in a ConfigMap manifest. It can be deployed in two listening modes:
+- In HTTP mode, the back-end expects a reverse proxy in front of the application to handle HTTPS and client certificate authentication. The back-end trusts the reverse proxy to pass the client certificate subject's common name via the `ssl-client-subject-dn` header. The application must not be exposed to anything but the reverse proxy.
+- In HTTPS mode, the back-end handles the TLS termination and client certificate authentication directly.
 
-The ConfigMap manifest (name configured by the `CONFIGMAP_NAME` env var, defaults to `kubernetes-secrets-exporter`) contains a single entry: `secrets.json` which is the secrets definition.  
+The ConfigMap manifest (name configured by the `CONFIGMAP_NAME` env var, defaults to `kubernetes-secrets-exporter`) contains a single entry: `secrets.json` which lists secrets with allow-listed clients for each.  
 See the schema in [configmap.schema.json](/configmap.schema.json).
 
+## Deployment & Usage
+
+We only support deployment and usage of this micro-service through our Helm chart. See: https://github.com/ppy/helm-charts/tree/master/osu/kubernetes-secrets-exporter
+
 ## API
 
 A single API call is available: `/secrets/:secretName/download/:key`.