Defined Type: jwt_authorizer::service

Defined in:
modules/jwt_authorizer/manifests/service.pp

Overview

SPDX-License-Identifier: Apache-2.0

Provisions a systemd service instance of jwt-authorizer.

The jwt-authorizer service provides integrated authentication for GitLab CI jobs, using their short-lived JSON Web Tokens, to other services such as docker_registry_ha. See the nginx configuration of the latter for usage.

Parameters:

  • listen (String)

    Address or UNIX socket to bind to (e.g. tcp://127.0.0.1:1337, unix:///some/unix.sock)

  • keys_url (Stdlib::HTTPUrl)

    URL from which to periodically fetch public JSON Web Token issuer keys for validating bearer tokens.

  • issuers (Array[String])

    List of accepted issuers for tokens.

  • ensure (Wmflib::Ensure) (defaults to: 'present')

    Systemd service state.

  • owner (String) (defaults to: 'www-data')

    Service process owner.

  • group (String) (defaults to: 'www-data')

    Service process group owner.

  • mode (Stdlib::Filemode) (defaults to: '0700')

    Creation mode of the unix socket if used.

  • request_prefix (Stdlib::Unixpath) (defaults to: '/')

    Request path prefix to ignore when comparing against project_path during token validation.

  • validation_template (Optional[Stdlib::Filesource]) (defaults to: undef)

    Go template used to further validate JWT claims beyond signature correctness and expiry. See gitlab.wikimedia.org/repos/releng/jwt-authorizer.
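As an added usage example (not part of the module's documentation), the declaration below provisions one authorizer instance fronting a docker registry. The hostname, socket path, issuer, request prefix and the `profile` module path of the validation template are constructed values, not taken from production.

```puppet
# Added example: one jwt-authorizer instance for a docker registry.
# All concrete values (hostnames, paths, issuer) are constructed.
jwt_authorizer::service { 'docker-registry':
    ensure              => present,
    # Bind a UNIX socket rather than a TCP port so only the local nginx
    # (running as www-data) can reach the authorizer; the socket is
    # created with $mode, which defaults to 0700.
    listen              => 'unix:///run/jwt-authorizer/docker-registry.sock',
    owner               => 'www-data',
    group               => 'www-data',
    mode                => '0700',
    # JWKS endpoint of the GitLab instance that signs the CI job tokens
    # (assumed URL; GitLab serves its keys under /oauth/discovery/keys).
    keys_url            => 'https://gitlab.example.org/oauth/discovery/keys',
    # Tokens whose `iss` claim is not in this list are rejected.
    issuers             => ['gitlab.example.org'],
    # Registry paths look like /v2/<project_path>/...; this prefix is
    # dropped before comparing the path with the token's project_path.
    request_prefix      => '/v2',
    # Extra claim checks; the file is installed as
    # /etc/jwt-authorizer/docker-registry-validations.tmpl (0640 root:www-data).
    # Leaving this undef makes the defined type ensure that file absent.
    validation_template => 'puppet:///modules/profile/docker_registry/jwt-validations.tmpl',
}
```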

# File 'modules/jwt_authorizer/manifests/service.pp', line 22

define jwt_authorizer::service(
    String $listen,
    Stdlib::HTTPUrl $keys_url,
    Array[String] $issuers,
    Wmflib::Ensure $ensure = 'present',
    String $owner = 'www-data',
    String $group = 'www-data',
    Stdlib::Filemode $mode = '0700',
    Stdlib::Unixpath $request_prefix = '/',
    Optional[Stdlib::Filesource] $validation_template = undef,
) {
    require jwt_authorizer

    $validation_template_path = "/etc/jwt-authorizer/${title}-validations.tmpl"
    $validation_template_ensure = $validation_template ? {
        undef   => 'absent',
        default => $ensure,
    }

    file { $validation_template_path:
        ensure => stdlib::ensure($validation_template_ensure, 'file'),
        source => $validation_template,
        owner  => 'root',
        group  => 'www-data',
        mode   => '0640',
        before => Systemd::Service[$title],
        notify => Service[$title],
    }

    systemd::service { $title:
        ensure  => $ensure,
        content => template('jwt_authorizer/authorizer.service.erb'),
        restart => true,
    }
}