set jwt token as env

deploy/cloud/scripts/init.sh

@@ -10,9 +10,12 @@ cockroachdbGlobalUri=""
 localRegionUID=""
 
 tlsCrtPlaceholder="<tls-crt-placeholder>"
-tlsKeyPlaceholder="<tls-key-placeholder>"
 acmednsSecretPlaceholder="<acmedns-secret-placeholder>"
+
 saltKey=""
+jwtInternal=""
+jwtRegional=""
+jwtGlobal=""
 
 function prepare {
   # source .env
@@ -36,6 +39,9 @@ function prepare {
   # gen regionUID if not set or not found in secret
   gen_regionUID
 
+  # gen jwt tokens
+  gen_jwt_tokens
+
   # create tls secret
   create_tls_secret
 }
@@ -132,6 +138,7 @@ function gen_cockroachdbUri() {
   cockroachdbGlobalUri="$cockroachdbUri/global"
 }
 
+# TODO: use a better way to check saltKey
 function gen_saltKey() {
     password_salt=$(kubectl get configmap desktop-frontend-config -n sealos -o jsonpath='{.data.config\.yaml}' | grep "salt:" | awk '{print $2}' 2>/dev/null | tr -d '"' || true)
     if [[ -z "$password_salt" ]]; then
@@ -141,6 +148,28 @@ function gen_saltKey() {
     fi
 }
 
+# TODO: use a better way to check jwt tokens
+function gen_jwt_tokens() {
+    jwt_internal=$(kubectl get configmap desktop-frontend-config -n sealos -o jsonpath='{.data.config\.yaml}' | grep "internal:" | awk '{print $2}' 2>/dev/null | tr -d '"' || true)
+    if [[ -z "$jwt_internal" ]]; then
+        jwtInternal=$(tr -dc 'a-z0-9' </dev/urandom | head -c64)
+    else
+        jwtInternal=$jwt_internal
+    fi
+    jwt_regional=$(kubectl get configmap desktop-frontend-config -n sealos -o jsonpath='{.data.config\.yaml}' | grep "regional:" | awk '{print $2}' 2>/dev/null | tr -d '"' || true)
+    if [[ -z "$jwt_regional" ]]; then
+        jwtRegional=$(tr -dc 'a-z0-9' </dev/urandom | head -c64)
+    else
+        jwtRegional=$jwt_regional
+    fi
+    jwt_global=$(kubectl get configmap desktop-frontend-config -n sealos -o jsonpath='{.data.config\.yaml}' | grep "global:" | awk '{print $2}' 2>/dev/null | tr -d '"' || true)
+    if [[ -z "$jwt_global" ]]; then
+        jwtGlobal=$(tr -dc 'a-z0-9' </dev/urandom | head -c64)
+    else
+        jwtGlobal=$jwt_global
+    fi
+}
+
 function gen_regionUID(){
     uid=$(kubectl get configmap desktop-frontend-config -n sealos -o jsonpath='{.data.config\.yaml}' | grep "regionUID:" | awk '{print $2}' 2>/dev/null | tr -d '"' || true)
     if [[ -z "$uid" ]]; then
@@ -176,7 +205,10 @@ function sealos_run_desktop {
       --env regionUID="$localRegionUID" \
       --env databaseMongodbURI="${mongodbUri}/sealos-auth?authSource=admin" \
       --env databaseLocalCockroachdbURI="$cockroachdbLocalUri" \
-      --env databaseGlobalCockroachdbURI="$cockroachdbGlobalUri"
+      --env databaseGlobalCockroachdbURI="$cockroachdbGlobalUri" \
+      --env jwtInternal="$jwtInternal" \
+      --env jwtRegional="$jwtRegional" \
+      --env jwtGlobal="$jwtGlobal"
 }
 
 function sealos_run_controller {

frontend/desktop/deploy/Kubefile

@@ -13,5 +13,8 @@ ENV databaseMongodbURI=""
 ENV databaseGlobalCockroachdbURI=""
 ENV databaseLocalCockroachdbURI=""
 ENV passwordSalt="randomSalt"
+ENV jwtInternal=""
+ENV jwtRegional=""
+ENV jwtGlobal=""
 
 CMD ["bash scripts/init.sh"]

frontend/desktop/deploy/manifests/configmap.yaml.tmpl

@@ -43,9 +43,9 @@ data:
         invite:
           enabled: false
         jwt:
-          internal: "<your-internal-jwt-secret>"
-          regional: "<your-regional-jwt-secret>"
-          global: "<your-global-jwt-secret>"
+          internal: "{{ .jwtInternal }}"
+          regional: "{{ .jwtRegional }}"
+          global: "{{ .jwtGlobal }}"
         idp:
           password:
             enabled: true

frontend/desktop/deploy/scripts/init.sh

@@ -6,8 +6,5 @@ if [[ -n "$cm_exists" ]]; then
   echo "desktop-frontend-config already exists, skip create desktop config"
 else
   echo "create desktop config"
-    sed -i -e "s;<your-internal-jwt-secret>;$(tr -cd 'a-z0-9' </dev/urandom | head -c64);" manifests/configmap.yaml
-    sed -i -e "s;<your-regional-jwt-secret>;$(tr -cd 'a-z0-9' </dev/urandom | head -c64);" manifests/configmap.yaml
-    sed -i -e "s;<your-global-jwt-secret>;$(tr -cd 'a-z0-9' </dev/urandom | head -c64);" manifests/configmap.yaml
   kubectl apply -f manifests/configmap.yaml --validate=false
 fi