@erran are you happy with the suggestions above?
Patrick Cyiza (7eaa54c1) at 13 Mar 17:52
Apply erran suggestions
Patrick Cyiza (286bb9fd) at 13 Mar 17:41
Edit install_ai_gateway.md to mention the JWT validation key
This change updates the GitLab AI Gateway installation documentation to require two separate security keys instead of just one. Previously, the system only needed a single JWT signing key, but now it requires both a signing key and a validation key for better security when handling authentication tokens. The documentation has been updated across all installation methods (Docker, Docker Compose, and Kubernetes) to show how to generate both keys, store them securely, and configure the system to use them. Additionally, authentication is now explicitly enabled by default in the configuration.
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Patrick Cyiza (b6faab63) at 13 Mar 17:33
Edit install_ai_gateway.md to mention the JWT validation key
@erran Turns out the MR is ready now
DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY and DUO_WORKFLOW_SELF_SIGNED_JWT__VALIDATION_KEY are required to have DUO_WORKFLOW_AUTH__ENABLED set to true and not rely on auth bypass.
By implementing this we are secure by default, because this generates the needed secrets: it auto-generates the private keys for DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY and DUO_WORKFLOW_SELF_SIGNED_JWT__VALIDATION_KEY without user intervention.
Patrick Cyiza (f181781c) at 13 Mar 17:10
Generate jwt keys
Just had a call with erran; turns out all this can be achieved way more easily with https://helm.sh/docs/v3/chart_template_guide/function_list/#genprivatekey
FYI this could be a RC for version 1.0
CC/ @vtak
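As an added example (not code from this MR or the AI Gateway chart), the following Helm template shows the approach the comments above describe: both keys are generated with Helm's built-in genPrivateKey, stored in a Kubernetes Secret, and wired into the container so that DUO_WORKFLOW_AUTH__ENABLED can be true without any auth bypass. The Secret name, the use of lookup to keep existing keys across upgrades, and the Deployment wiring are assumptions made for this example; only the three environment variable names come from the MR.

```yaml
# Added example, hypothetical file templates/duo-workflow-jwt-secret.yaml.
# Assumption: the Secret is named "<release>-duo-workflow-jwt" and the Secret
# keys are the same as the environment variable names.
{{- $secretName := printf "%s-duo-workflow-jwt" .Release.Name }}
{{- /* lookup returns an empty map when the Secret does not exist yet
       (and always during `helm template`, which has no cluster access) */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  annotations:
    # Keep the Secret if the release is deleted so previously issued tokens
    # stay verifiable after a reinstall.
    "helm.sh/resource-policy": keep
type: Opaque
data:
  {{- if $existing }}
  # Reuse the stored keys: genPrivateKey is evaluated on every render, and
  # silently rotating the keys on upgrade would invalidate in-flight tokens.
  DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY: {{ index $existing.data "DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY" }}
  DUO_WORKFLOW_SELF_SIGNED_JWT__VALIDATION_KEY: {{ index $existing.data "DUO_WORKFLOW_SELF_SIGNED_JWT__VALIDATION_KEY" }}
  {{- else }}
  # First install: generate two independent PEM-encoded RSA private keys.
  DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY: {{ genPrivateKey "rsa" | b64enc }}
  DUO_WORKFLOW_SELF_SIGNED_JWT__VALIDATION_KEY: {{ genPrivateKey "rsa" | b64enc }}
  {{- end }}
---
# Hypothetical Deployment fragment showing how the container consumes the keys.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-ai-gateway
spec:
  selector:
    matchLabels:
      app: ai-gateway
  template:
    metadata:
      labels:
        app: ai-gateway
    spec:
      containers:
        - name: ai-gateway
          image: ai-gateway:PLACEHOLDER_TAG  # placeholder, not a real tag
          env:
            # Auth is enabled explicitly; nothing depends on a bypass flag.
            - name: DUO_WORKFLOW_AUTH__ENABLED
              value: "true"
            - name: DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ $secretName }}
                  key: DUO_WORKFLOW_SELF_SIGNED_JWT__SIGNING_KEY
            - name: DUO_WORKFLOW_SELF_SIGNED_JWT__VALIDATION_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ $secretName }}
                  key: DUO_WORKFLOW_SELF_SIGNED_JWT__VALIDATION_KEY
```

Two things to check when adopting this pattern: run `helm install` (or `helm upgrade`) against a live cluster rather than relying on `helm template` output, because lookup only sees existing Secrets with cluster access; and confirm that a second `helm upgrade` leaves the Secret's data unchanged, which verifies that the lookup branch is actually taken and keys are not regenerated on every deploy.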
This was giving me an error. I'm not sure if it's needed since I'm thinking that with the code below $envEmpty was never "false"
@clemensbeck Could you take a look as well?
Hey @erran, could you review this when you have the time?
I'll be on PTO next week but leave your comments and I'll get through them.
Patrick Cyiza (9af69a39) at 13 Mar 15:34
Generate jwt keys
Patrick Cyiza (7c7cdb20) at 13 Mar 14:20
Generate jwt keys
Patrick Cyiza (405c3679) at 13 Mar 14:07
Generate jwt keys
Patrick Cyiza (5ae02a07) at 13 Mar 13:48
Replace pushd with cd in generate_secrets.sh for ash compatibility
Patrick Cyiza (7d92184a) at 13 Mar 13:38
Make ServiceAccount a pre-install hook so Job can reference it