
Page Properties

Product Version: 2021 SummerAutumn
Report Note:
Assignee: Antje

Resources & Remarks

Modification History

Name   Date         Product Version  Action
Antje  26 MAY 2021  2021 Autumn      created
       07 JUL 2021  2021 Autumn

Security of Actuator Endpoints


Core

Configuration Changes for the AUTHENTICATION Service

Especially for customers using the Tenant Management services, the configuration of the AUTHENTICATION Service has to be adjusted as follows:

Adjust the file 'authentication-prod.yml':

  • Expose the individual /manage endpoints in the section authorization.accesses.

    Deprecated Configuration:

    authorization.accesses:
    ### manage-endpoints
      - endpoints: /manage/info,/manage/health
        expose: true

    New Configuration:

    authorization.accesses:
    ### manage-endpoints
      - endpoints: /manage/**
        expose: true



  • Add the following two lines in order to select the port number 9091 for the /manage endpoints.

    management.server.port: 9091
    management.server.servlet.context-path: /


Adjust the Kubernetes Service:

  • Run the command:

    kubectl -n yuuvis edit svc authentication


  • Remove the label yuuvis: "true".

    Deprecated Configuration:

    labels:
      app: yuuvis
      name: authentication
      yuuvis: "true"
    name: authentication

    New Configuration:

    labels:
      app: yuuvis
      name: authentication
    name: authentication



Create a new Kubernetes Service:

  • Create a new file authentication-manage-service.yaml with the following content:

    apiVersion: v1
    kind: Service
    metadata:
      labels:
        app: yuuvis
        name: authentication-manage
      name: authentication-manage
    spec:
      ports:
      - name: "80"
        port: 80
        targetPort: 9091
      selector:
        name: authentication
      type: ClusterIP


  • Run the command:

    kubectl -n yuuvis apply -f authentication-manage-service.yaml


Adjust the ports for liveness probe and readiness probe:

  • Run the command:

    kubectl -n yuuvis edit deploy authentication


  • Adjust the configuration:

    Deprecated Configuration:

    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 8080
        scheme: HTTP
    ...
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 8080
        scheme: HTTP

    New Configuration:

    livenessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 9091
        scheme: HTTP
    ...
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /manage/info
        port: 9091
        scheme: HTTP



Restart the AUTHENTICATION service.
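
As an added example (not part of the yuuvis documentation or product code), the following Python check reads the parsed "items" list of `kubectl -n yuuvis get svc,deploy -o json` and reports where the objects edited in the steps above still deviate from the described end state. The function names `check_manage_split` and `sample` and the sample objects are constructed for illustration.

```python
# Added example, not yuuvis code: checks the end state of the Kubernetes steps above.
MANAGE_PORT = 9091  # management.server.port from authentication-prod.yml

def check_manage_split(items, port=MANAGE_PORT):
    """Return findings for the "items" list of `kubectl -n yuuvis get svc,deploy -o json`."""
    found = {(o["kind"], o["metadata"]["name"]): o for o in items}
    findings = []
    svc = found.get(("Service", "authentication"))
    if svc and svc["metadata"].get("labels", {}).get("yuuvis") == "true":
        findings.append('Service authentication still has label yuuvis: "true"')
    manage = found.get(("Service", "authentication-manage"))
    if manage is None:
        findings.append("Service authentication-manage is missing")
    else:
        spec = manage["spec"]
        if spec.get("type", "ClusterIP") != "ClusterIP":
            findings.append("authentication-manage is not of type ClusterIP")
        if spec.get("selector") != {"name": "authentication"}:
            findings.append("authentication-manage does not select name: authentication")
        if port not in [p.get("targetPort") for p in spec.get("ports", [])]:
            findings.append(f"authentication-manage has no targetPort {port}")
    deploy = found.get(("Deployment", "authentication"))
    containers = deploy["spec"]["template"]["spec"]["containers"] if deploy else []
    for c in containers:
        for probe in ("livenessProbe", "readinessProbe"):
            http = c.get(probe, {}).get("httpGet")
            if http and http.get("port") != port:
                findings.append(f"{c['name']} {probe} uses port {http.get('port')}, not {port}")
    return findings

def sample(label, probe_port, with_manage_svc):
    """Constructed sample objects, trimmed to the fields the check reads."""
    labels = {"app": "yuuvis", "name": "authentication", **({"yuuvis": "true"} if label else {})}
    http = {"path": "/manage/info", "port": probe_port, "scheme": "HTTP"}
    pod = {"containers": [{"name": "authentication", "livenessProbe": {"httpGet": http},
                           "readinessProbe": {"httpGet": http}}]}
    items = [{"kind": "Service", "metadata": {"name": "authentication", "labels": labels}, "spec": {}},
             {"kind": "Deployment", "metadata": {"name": "authentication"},
              "spec": {"template": {"spec": pod}}}]
    if with_manage_svc:
        items.append({"kind": "Service", "metadata": {"name": "authentication-manage"},
                      "spec": {"type": "ClusterIP", "selector": {"name": "authentication"},
                               "ports": [{"name": "80", "port": 80, "targetPort": 9091}]}})
    return items

if __name__ == "__main__":
    print("\n".join(check_manage_split(sample(True, 8080, False))))
```

With real cluster output, pass `json.load(...)["items"]` from the kubectl command to `check_manage_split`; an empty list means the Service and probe changes are consistent with port 9091.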