allow provide optional static jwt seed

Signed-off-by: Jeeva Kandasamy <jkandasa@gmail.com>

Author: jkandasa

cmd/helper/helper.go

@@ -63,6 +63,7 @@ func setEnvironmentVariables(cfg *cfgTY.Config) error {
 		types.ENV_LOG_ENCODING:           cfg.Logger.Encoding,
 		types.ENV_LOG_ENABLE_STACK_TRACE: cfg.Logger.EnableStacktrace,
 		types.ENV_RUNNING_SINCE:          time.Now().Format(time.RFC3339),
+		types.ENV_JWT_SEED:               cfg.JwtSeed,
 	}
 
 	for key, value := range envMap {

pkg/http_router/middleware/auth.go

@@ -218,7 +218,11 @@ func GetUserID(r *http.Request) string {
 }
 
 func getJwtSecret() []byte {
-	return []byte(fmt.Sprintf("%s_%s", types.GetEnvString(types.ENV_JWT_ACCESS_SECRET), version.Get().HostID))
+	jwtSeed := types.GetEnvString(types.ENV_JWT_SEED)
+	if jwtSeed == "" {
+		jwtSeed = version.Get().HostID
+	}
+	return []byte(fmt.Sprintf("%s_%s", types.GetEnvString(types.ENV_JWT_ACCESS_SECRET), jwtSeed))
 }
 
 // doSignout clears the cookies

pkg/types/config/config.go

@@ -12,7 +12,8 @@ const (
 
 // Config of the system
 type Config struct {
-	Secret           string             `yaml:"secret"` // secret used to encrypt sensitive data
+	Secret           string             `yaml:"secret"`   // secret used to encrypt sensitive data
+	JwtSeed          string             `yaml:"jwt_seed"` // optional static seed used when deriving JWT secret, otherwise host-id is used
 	Telemetry        TelemetryConfig    `yaml:"telemetry"`
 	Web              WebConfig          `yaml:"web"`
 	Logger           LoggerConfig       `yaml:"logger"`

pkg/types/environment.go

@@ -29,6 +29,7 @@ const (
 	ENV_RUNNING_SINCE = "MC_RUNNING_SINCE" // update starting time
 
 	ENV_JWT_ACCESS_SECRET = "JWT_ACCESS_SECRET" // environment variable to set secret for JWT token
+	ENV_JWT_SEED          = "JWT_SEED"          // environment variable to set seed for JWT token
 )
 
 func GetEnvBool(key string) bool {

resources/sample-binary-gateway.yaml

@@ -24,5 +24,5 @@ gateway:
   disabled: false
   types: []
   ids: []
-  labels: 
+  labels:
     location: external_gw1

resources/sample-binary-handler.yaml

@@ -24,5 +24,5 @@ handler:
   disabled: false
   types: []
   ids: []
-  labels: 
+  labels:
     location: external_handler1

resources/sample-binary-server.yaml

@@ -3,14 +3,17 @@ secret: 5a2f6ff25b0025aeae12ae096363b51a # !!! WARNING: CHANGE THIS SECRET !!!
 # disable telemetry service, if you do not wish to share non-PII data
 # non-PII - non Personally Identifiable Information
 telemetry:
-  enabled: true 
+  enabled: true
+
+# optional static jwt seed used when deriving JWT secret, otherwise host-id is used
+jwt_seed:
 
 web:
   web_directory: web_console
   enable_profiling: false
   read_timeout: 60s
   http:
-    enabled: true 
+    enabled: true
     bind_address: "0.0.0.0"
     port: 8080
   https_ssl:
@@ -23,7 +26,7 @@ web:
     bind_address: "0.0.0.0"
     port: 9443
     cache_dir: mc_home/certs/https_acme
-    acme_directory: 
+    acme_directory:
     email: hello@example.com
     domains: ["mycontroller.example.com"]
 
@@ -71,17 +74,17 @@ database:
     dump_enabled: true
     dump_interval: 10m
     dump_dir: "memory_db"
-    dump_format: ["yaml","json"]
+    dump_format: ["yaml", "json"]
     load_format: "yaml"
 
   metric:
     disabled: true
     type: influxdb
     uri: http://127.0.0.1:8086
-    token: 
+    token:
     username:
     password:
-    organization_name: 
+    organization_name:
     bucket_name: mycontroller
     batch_size:
     flush_interval: 1s

resources/sample-docker-gateway.yaml

@@ -25,4 +25,4 @@ gateway:
   types: []
   ids: []
   labels:
-    location: external_gw1
+    location: external_gw1

resources/sample-docker-handler.yaml

@@ -25,4 +25,4 @@ handler:
   types: []
   ids: []
   labels:
-    location: external_handler1
+    location: external_handler1

resources/sample-docker-server.yaml

@@ -3,14 +3,17 @@ secret: 5a2f6ff25b0025aeae12ae096363b51a # !!! WARNING: CHANGE THIS SECRET !!!
 # disable telemetry service, if you do not wish to share non-PII data
 # non-PII - non Personally Identifiable Information
 telemetry:
-  enabled: true 
+  enabled: true
+
+# optional static jwt seed used when deriving JWT secret, otherwise host-id is used
+jwt_secret:
 
 web:
   web_directory: /ui
   enable_profiling: false
   read_timeout: 60s
   http:
-    enabled: true 
+    enabled: true
     bind_address: "0.0.0.0"
     port: 8080
   https_ssl:
@@ -23,7 +26,7 @@ web:
     bind_address: "0.0.0.0"
     port: 9443
     cache_dir: /mc_home/certs/https_acme
-    acme_directory: 
+    acme_directory:
     email: hello@example.com
     domains: ["mycontroller.example.com"]
 
@@ -71,17 +74,17 @@ database:
     dump_enabled: true
     dump_interval: 10m
     dump_dir: "memory_db"
-    dump_format: ["yaml","json"]
+    dump_format: ["yaml", "json"]
     load_format: "yaml"
 
   metric:
     disabled: true
     type: influxdb
     uri: http://192.168.1.21:8086
-    token: 
+    token:
     username:
     password:
-    organization_name: 
+    organization_name:
     bucket_name: mycontroller
     batch_size:
     flush_interval: 1s