Versions Compared

Version Old Version 7 New Version Current
Changes made by

Technische Redaktion

Technische Redaktion

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Page Properties
hiddentrue
idPROGRESSDONE

Product Version2021 Autumn
Report Note
AssigneeAntje

Resources & Remarks

Modification History

NameDateProduct VersionAction
Antje07 JUL 20212021 Autumn

Security of Actuator Endpoints

Agnieszka14 JUL 20212021 AutumnrLANG
Agnieszka29 JUL 20212021 AutumnrLANG




Excerpt

When updating your yuuvis® Momentum installation to version 2021 Autumn, manual configuration changes are required for some services. 


Please also pay attention to the Breaking Changes.


Section
bordertrue


Column

Table of Contents

Table of Contents
maxLevel3
exclude(Table of Contents|Read on|Another Tutorial|Another Concept Article|Another interesting Tutorial|Ressources|Remarks|Authentication against the Core API|Graphical Overview \/ Use Cases \(Flows\)|Login to the Core API \(Java\)|yuuvis® Momentum Services|Basic Use Case Flows)



Core

Cross-Tenant Service Accounts

In order to allow for the configuration and usage of Cross-Tenant Service Accountsan ancillary Kubernetes Service has to be created as follows.

  • Create a file authentication-internal.yml with the following content:

    Code Block
    languageyml
    apiVersion: v1
kind: Service
metadata:
  labels:
    app: yuuvis
    name: authentication-internal
  name: authentication-internal
spec:
  ports:
  - name: "80"
    port: 80
    targetPort: 8081
  selector:
    name: authentication
  type: ClusterIP


  • Run the command:

    Code Block
    languagepowershell
    kubectl -n yuuvis apply -f authentication-internal.yml


Note
titleSafety Note

The AUTHENTICATION service manages the cross-tenant requests of service accounts via the separate port 8081. This port must be accessible only within the yuuvis® Momentum cluster to ensure strict separation of tenants for users. Be sure to never expose this internal port for public access!

Anchor
Actuator
Actuator

Configuration Changes for the AUTHENTICATION Service

Access to '/manage/**' Endpoints

The /manage/** endpoints provided by the AUTHENTICATION Service are now available via a separate port that is protected from external access. Especially for customers using the Tenant Management services, the configuration of the AUTHENTICATION Service has to be adjusted as follows in order to request the /manage endpoints as usual:adjusted and an ancillary Kubernetes Service has to be created as follows.

Adjust the

...

'authentication-prod.yml' file:

  • Expose the individual /manage endpoints in the section authorization.accesses section.

    Deprecated ConfigurationNew Configuration


    Code Block
    languageyml
    authorization.accesses:
### manage-endpoints
  - endpoints: /manage/info,/manage/health
    expose: true



    Code Block
    languageyml
    authorization.accesses:
### manage-endpoints
  - endpoints: /manage/**
    expose: true



  • Add the following two lines in order to select the port number 9091 for the /manage endpoints.

    Code Block
    languageyml
    management.server.port: 9091
management.server.servlet.context-path: /


...

  • Run the command:

    Code Block
    languagepowershell
    kubectl -n yuuvis edit deploy authentication


  • Adjust the configuration:

    Deprecated ConfigurationNew Configuration


    Code Block
    languageyml
    livenessProbe:
  failureThreshold: 3
  httpGet:
    path: /manage/info
    port: 8080
    scheme: HTTP
...
readinessProbe:
  failureThreshold: 3
  httpGet:
    path: /manage/info
    port: 8080
    scheme: HTTP



    Code Block
    languageyml
    livenessProbe:
  failureThreshold: 3
  httpGet:
    path: /manage/info
    port: 9091
    scheme: HTTP
...
readinessProbe:
  failureThreshold: 3
  httpGet:
    path: /manage/info
    port: 9091
    scheme: HTTP



Restart the AUTHENTICATION service.
Anchor
Cross-Tenant
Cross-Tenant