doc: add layer endpoints

Reviewed-on: #19

.dockerignore

@@ -7,3 +7,6 @@
 /bin
 /.bouncer-token
 /.env
+/misc/k8s
+/misc/k6s
+/misc/grafterm

doc/fr/general-architecture.md

@@ -5,14 +5,16 @@
 ### Déploiement mono-noeud
 
 ![](../resources/deployment_fr.png)
+
 ## Terminologie
 
 Voici une liste des termes utilisés dans le lexique Bouncer.
+
 ### Proxy
 
 Un "proxy" est une entité logique définissant le relation suivante:
 
-- Un ou plusieurs patrons de filtrage sous la forme `<host>:<port>`. Ceux ci identifient le ou les domaines associés à l'entité;
+- Un ou plusieurs patrons de filtrage sous la forme d'un patron d'URL avec le caractère `*` comme caractère générique. Ceux ci identifient le ou les domaines/chemins associés à l'entité;
 - Une URL cible qui servira de base pour la réécriture des requêtes.
 
 Un "proxy" peut avoir zéro ou plusieurs "layers" associés.

doc/fr/references/admin_api.md

@@ -25,7 +25,6 @@ Où:
   - droit en lecture sur l'ensemble des entités (proxy, layer);
   - droit en lecture ET en écriture sur l'ensemble des entités.
 
-
 ## Points d'entrée
 
 ### `POST /api/v1/proxies`
@@ -34,7 +33,7 @@ Créer un nouveau proxy
 
 #### Exemple de corps de requête
 
-```json5
+```json
 {
   "name": "myproxy", // OBLIGATOIRE - Nom du proxy
   "to": "https://www.cadoles.com", // OBLIGATOIRE - Site distant ciblé par le proxy
@@ -44,7 +43,7 @@ Créer un nouveau proxy
 
 #### Exemple de résultat
 
-```json5
+```json
 {
   "data": {
     "proxy": {
@@ -74,7 +73,7 @@ Récupérer les informations complètes sur un proxy
 
 #### Exemple de résultat
 
-```json5
+```json
 {
   "data": {
     "proxy": {
@@ -100,18 +99,18 @@ Modifier un proxy
 
 #### Exemple de corps de requête
 
-```json5
+```json
 {
   "to": "https://www.cadoles.com", // OPTIONNEL - Site distant ciblé par le proxy
   "from": ["mylocalproxydomain:*"], // OPTIONNEL - Liste de patrons de filtrage associés au proxy
   "weight": 100, // OPTIONNEL - Poids à associer au proxy
-  "enabled": true,                  // OPTIONNEL - Activer/désactiver le proxy
+  "enabled": true // OPTIONNEL - Activer/désactiver le proxy
 }
 ```
 
 #### Exemple de résultat
 
-```json5
+```json
 {
   "data": {
     "proxy": {
@@ -141,7 +140,7 @@ Lister les proxies existants
 
 #### Exemple de résultat
 
-```json5
+```json
 {
   "data": {
     "proxies": [
@@ -149,6 +148,8 @@ Lister les proxies existants
         "name": "myproxy",
         "weight": 0,
         "enabled": false,
+        "createdAt": "2018-12-10T13:45:00.000Z",
+        "updatedAt": "2018-12-10T13:45:00.000Z"
       }
     ]
   }
@@ -169,7 +170,7 @@ Supprimer le proxy
 
 #### Exemple de résultat
 
-```json5
+```json
 {
   "data": {
     "proxyName": "myproxy"
@@ -180,3 +181,169 @@ Supprimer le proxy
 #### Source
 
 Voir [`internal/admin/proxy_route.go#deleteProxy()`](../../../internal/admin/proxy_route.go#deleteProxy)
+
+### `POST /api/v1/proxies/{proxyName}/layers`
+
+Créer un nouveau layer pour un proxy donné
+
+#### Paramètres
+
+- `{proxyName}` - Nom du proxy sur lequel créer le layer
+
+#### Exemple de corps de requête
+
+```json
+{
+  "name": "mylayer", // OBLIGATOIRE - Nom du layer
+  "type": "<layer_type>", // OBLIGATOIRE - Type du layer, voir doc/fr/references/layers
+  "options": {} // OPTIONNEL - Options associées au layer, voir doc/fr/references/layers
+}
+```
+
+#### Exemple de résultat
+
+```json
+{
+  "data": {
+    "layer": {
+      "name": "mylayer",
+      "type": "<layer_type>",
+      "enabled": false,
+      "weight": 0,
+      "options": {},
+      "createdAt": "2018-12-10T13:45:00.000Z",
+      "updatedAt": "2018-12-10T13:45:00.000Z"
+    }
+  }
+}
+```
+
+#### Source
+
+Voir [`internal/admin/layer_route.go#createLayer()`](../../../internal/admin/layer_route.go#createLayer)
+
+### `GET /api/v1/proxies/{proxyName}/layers/{layerName}`
+
+Récupérer les informations complètes sur un layer
+
+#### Paramètres
+
+- `{proxyName}` - Nom du proxy parent
+- `{layerName}` - Nom du layer
+
+#### Exemple de résultat
+
+```json
+{
+  "data": {
+    "layer": {
+      "name": "mylayer",
+      "type": "<layer_type>",
+      "enabled": false,
+      "weight": 0,
+      "options": {},
+      "createdAt": "2018-12-10T13:45:00.000Z",
+      "updatedAt": "2018-12-10T13:45:00.000Z"
+    }
+  }
+}
+```
+
+#### Source
+
+Voir [`internal/admin/layer_route.go#getLayer()`](../../../internal/admin/layer_route.go#getLayer)
+
+### `PUT /api/v1/proxies/{proxyName}/layers/{layerName}`
+
+Modifier un layer
+
+#### Paramètres
+
+- `{proxyName}` - Nom du proxy parent
+- `{layerName}` - Nom du layer
+
+#### Exemple de corps de requête
+
+```json
+{
+  "weight": 100, // OPTIONNEL - Poids à associer au layer
+  "enabled": true, // OPTIONNEL - Activer/désactiver le layer
+  "options": {} // OPTIONNEL - Modifier les options associées au layer, voir doc/fr/references/layers
+}
+```
+
+#### Exemple de résultat
+
+```json
+{
+  "data": {
+    "layer": {
+      "name": "mylayer",
+      "type": "<layer_type>",
+      "enabled": false,
+      "weight": 0,
+      "options": {},
+      "createdAt": "2018-12-10T13:45:00.000Z",
+      "updatedAt": "2018-12-10T13:45:00.000Z"
+    }
+  }
+}
+```
+
+#### Source
+
+Voir [`internal/admin/layer_route.go#updateLayer()`](../../../internal/admin/layer_route.go#updateLayer)
+
+### `GET /api/v1/proxies/{proxyName}/layers?names={name1,name2,...}`
+
+Lister les layers existants
+
+#### Paramètres
+
+- `{proxyName}` - Nom du proxy parent
+- `{names}` - Optionnel - Liste des noms de proxy à appliquer en tant que filtre
+
+#### Exemple de résultat
+
+```json
+{
+  "data": {
+    "layers": [
+      {
+        "name": "mylayer",
+        "weight": 0,
+        "enabled": false,
+        "createdAt": "2018-12-10T13:45:00.000Z",
+        "updatedAt": "2018-12-10T13:45:00.000Z"
+      }
+    ]
+  }
+}
+```
+
+#### Source
+
+Voir [`internal/admin/layer_route.go#queryLayers()`](../../../internal/admin/layer_route.go#queryLayers)
+
+## `DELETE /api/v1/proxies/{proxyName}/layers/{layerName}`
+
+Supprimer le layer
+
+#### Paramètres
+
+- `{proxyName}` - Nom du proxy parent
+- `{layerName}` - Nom du layer
+
+#### Exemple de résultat
+
+```json
+{
+  "data": {
+    "layerName": "mylayer"
+  }
+}
+```
+
+#### Source
+
+Voir [`internal/admin/layer_route.go#deleteLayer()`](../../../internal/admin/layer_route.go#deleteLayer)

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/go-chi/chi/v5 v5.0.8
 	github.com/jedib0t/go-pretty/v6 v6.4.6
 	github.com/mitchellh/mapstructure v1.4.1
+	github.com/oklog/ulid/v2 v2.1.0
 	github.com/ory/dockertest/v3 v3.10.0
 	github.com/prometheus/client_golang v1.16.0
 	github.com/qri-io/jsonschema v0.2.1

go.sum

@@ -410,6 +410,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/nkovacs/streamquote v0.0.0-20170412213628-49af9bddb229/go.mod h1:0aYXnNPJ8l7uZxf45rWW1a/uME32OF0rhiYGNQ2oF2E=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
+github.com/oklog/ulid/v2 v2.1.0 h1:+9lhoxAP56we25tyYETBBY1YLA2SaoLvUFgrP2miPJU=
+github.com/oklog/ulid/v2 v2.1.0/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
@@ -434,6 +436,7 @@ github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuh
 github.com/ory/dockertest/v3 v3.10.0 h1:4K3z2VMe8Woe++invjaTB7VRyQXQy5UY+loujO4aNE4=
 github.com/ory/dockertest/v3 v3.10.0/go.mod h1:nr57ZbRWMqfsdGdFNLHz5jjNdDb7VVFnzAeW1n5N1Lg=
 github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
+github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
 github.com/pingcap/errors v0.11.4/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

internal/admin/bootstrap.go

@@ -22,7 +22,7 @@ func (s *Server) bootstrapProxies(ctx context.Context) error {
 	layerRepo := s.layerRepository
 
 	lockTimeout := time.Duration(s.bootstrapConfig.LockTimeout)
-	locker := redis.NewLocker(s.redisClient)
+	locker := redis.NewLocker(s.redisClient, int(s.bootstrapConfig.MaxConnectionRetries))
 
 	err := locker.WithLock(ctx, "bouncer-admin-bootstrap", lockTimeout, func(ctx context.Context) error {
 		logger.Info(ctx, "bootstrapping proxies")

internal/admin/init.go

@@ -3,8 +3,11 @@ package admin
 import (
 	"context"
 
+	"forge.cadoles.com/cadoles/bouncer/internal/integration"
+	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
 	"forge.cadoles.com/cadoles/bouncer/internal/setup"
 	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
 )
 
 func (s *Server) initRepositories(ctx context.Context) error {
@@ -52,3 +55,34 @@ func (s *Server) initProxyRepository(ctx context.Context) error {
 
 	return nil
 }
+
+func (s *Server) initPrivateKey(ctx context.Context) error {
+	localKey, err := jwk.LoadOrGenerate(string(s.serverConfig.Auth.PrivateKey), jwk.DefaultKeySize)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	ctx = integration.WithPrivateKey(ctx, localKey)
+
+	key, err := integration.RunOnKeyLoad(ctx, s.integrations)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	if key != nil {
+		s.privateKey = key
+	} else {
+		s.privateKey = localKey
+	}
+
+	logger.Info(ctx, "using private key", logger.F("keyID", s.privateKey.KeyID()))
+
+	publicKeys, err := jwk.PublicKeySet(s.privateKey)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	s.publicKeys = publicKeys
+
+	return nil
+}

internal/admin/server.go

@@ -35,6 +35,9 @@ type Server struct {
 	bootstrapConfig config.BootstrapConfig
 	proxyRepository store.ProxyRepository
 	layerRepository store.LayerRepository
+
+	privateKey jwk.Key
+	publicKeys jwk.Set
 }
 
 func (s *Server) Start(ctx context.Context) (<-chan net.Addr, <-chan error) {
@@ -67,6 +70,15 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		return
 	}
 
+	if err := s.initPrivateKey(ctx); err != nil {
+		errs <- errors.WithStack(err)
+
+		return
+	}
+
+	ctx = integration.WithPrivateKey(ctx, s.privateKey)
+	ctx = integration.WithPublicKeySet(ctx, s.publicKeys)
+
 	if err := integration.RunOnStartup(ctx, s.integrations); err != nil {
 		errs <- errors.WithStack(err)
 
@@ -96,20 +108,6 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		}
 	}()
 
-	key, err := jwk.LoadOrGenerate(string(s.serverConfig.Auth.PrivateKey), jwk.DefaultKeySize)
-	if err != nil {
-		errs <- errors.WithStack(err)
-
-		return
-	}
-
-	keys, err := jwk.PublicKeySet(key)
-	if err != nil {
-		errs <- errors.WithStack(err)
-
-		return
-	}
-
 	router := chi.NewRouter()
 
 	if s.serverConfig.HTTP.UseRealIP {
@@ -160,7 +158,7 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	router.Route("/api/v1", func(r chi.Router) {
 		r.Group(func(r chi.Router) {
 			r.Use(auth.Middleware(
-				jwt.NewAuthenticator(keys, string(s.serverConfig.Auth.Issuer), jwt.DefaultAcceptableSkew),
+				jwt.NewAuthenticator(s.publicKeys, string(s.serverConfig.Auth.Issuer), jwt.DefaultAcceptableSkew),
 			))
 
 			r.Route("/proxies", func(r chi.Router) {

internal/chi/log_formatter.go

@@ -16,6 +16,7 @@ type LogFormatter struct{}
 func (*LogFormatter) NewLogEntry(r *http.Request) middleware.LogEntry {
 	return &LogEntry{
 		method: r.Method,
+		host:   r.Host,
 		path:   r.URL.Path,
 		ctx:    r.Context(),
 	}
@@ -29,6 +30,7 @@ var _ middleware.LogFormatter = &LogFormatter{}
 
 type LogEntry struct {
 	method string
+	host   string
 	path   string
 	ctx    context.Context
 }
@@ -41,6 +43,7 @@ func (e *LogEntry) Panic(v interface{}, stack []byte) {
 // Write implements middleware.LogEntry
 func (e *LogEntry) Write(status int, bytes int, header http.Header, elapsed time.Duration, extra interface{}) {
 	logger.Info(e.ctx, fmt.Sprintf("%s %s - %d", e.method, e.path, status),
+		logger.F("host", e.host),
 		logger.F("status", status),
 		logger.F("bytes", bytes),
 		logger.F("elapsed", elapsed),

internal/command/server/admin/run.go

@@ -5,9 +5,7 @@ import (
 	"strings"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/admin"
-	"forge.cadoles.com/cadoles/bouncer/internal/auth/jwt"
 	"forge.cadoles.com/cadoles/bouncer/internal/command/common"
-	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
 	"forge.cadoles.com/cadoles/bouncer/internal/setup"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
@@ -21,11 +19,6 @@ const (
 func RunCommand() *cli.Command {
 	flags := append(
 		common.Flags(),
-		&cli.BoolFlag{
-			Name:  flagPrintDefaultToken,
-			Usage: "Generate and print a default writer token in console at startup",
-			Value: true,
-		},
 	)
 
 	return &cli.Command{
@@ -49,22 +42,6 @@ func RunCommand() *cli.Command {
 
 			defer flushSentry()
 
-			if printDefaultToken := ctx.Bool(flagPrintDefaultToken); printDefaultToken {
-				key, err := jwk.Generate(jwk.DefaultKeySize)
-				if err != nil {
-					return errors.Wrap(err, "could not generate default key")
-				}
-
-				token, err := jwt.GenerateToken(ctx.Context, key, string(conf.Admin.Auth.Issuer), "default-admin", jwt.Role(jwt.RoleWriter))
-				if err != nil {
-					return errors.WithStack(err)
-				}
-
-				logger.SetLevel(logger.LevelInfo)
-				logger.Info(ctx.Context, "default writer token", logger.F("token", token))
-				logger.SetLevel(logger.Level(conf.Logger.Level))
-			}
-
 			integrations, err := setup.SetupIntegrations(ctx.Context, conf)
 			if err != nil {
 				return errors.Wrap(err, "could not setup integrations")

internal/config/bootstrap.go

@@ -15,6 +15,7 @@ type BootstrapConfig struct {
 	Proxies              map[store.ProxyName]BootstrapProxyConfig `yaml:"proxies"`
 	Dir                  InterpolatedString                       `yaml:"dir"`
 	LockTimeout          InterpolatedDuration                     `yaml:"lockTimeout"`
+	MaxConnectionRetries InterpolatedInt                          `yaml:"maxRetries"`
 }
 
 func (c *BootstrapConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
@@ -64,6 +65,7 @@ func NewDefaultBootstrapConfig() BootstrapConfig {
 	return BootstrapConfig{
 		Dir:                  "",
 		LockTimeout:          *NewInterpolatedDuration(30 * time.Second),
+		MaxConnectionRetries: 10,
 	}
 }
 

internal/config/integrations.go

@@ -11,6 +11,10 @@ func NewDefaultIntegrationsConfig() IntegrationsConfig {
 		Kubernetes: KubernetesConfig{
 			Enabled:                    false,
 			WriterTokenSecret:          "",
+			WriterTokenSecretNamespace: "",
+			ReaderTokenSecretNamespace: "",
+			PrivateKeySecret:           "",
+			PrivateKeySecretNamespace:  "",
 			ReaderTokenSecret:          "",
 			LockTimeout:                *NewInterpolatedDuration(30 * time.Second),
 		},
@@ -23,5 +27,7 @@ type KubernetesConfig struct {
 	WriterTokenSecretNamespace InterpolatedString   `yaml:"writerTokenSecretNamespace"`
 	ReaderTokenSecret          InterpolatedString   `yaml:"readerTokenSecret"`
 	ReaderTokenSecretNamespace InterpolatedString   `yaml:"readerTokenSecretNamespace"`
+	PrivateKeySecret           InterpolatedString   `yaml:"privateKeySecret"`
+	PrivateKeySecretNamespace  InterpolatedString   `yaml:"privateKeySecretNamespace"`
 	LockTimeout                InterpolatedDuration `yaml:"lockTimeout"`
 }

internal/config/redis.go

@@ -14,6 +14,7 @@ type RedisConfig struct {
 	ReadTimeout    InterpolatedDuration    `yaml:"readTimeout"`
 	WriteTimeout   InterpolatedDuration    `yaml:"writeTimeout"`
 	DialTimeout    InterpolatedDuration    `yaml:"dialTimeout"`
+	LockMaxRetries InterpolatedInt         `yaml:"lockMaxRetries"`
 }
 
 func NewDefaultRedisConfig() RedisConfig {
@@ -23,5 +24,6 @@ func NewDefaultRedisConfig() RedisConfig {
 		ReadTimeout:    InterpolatedDuration(30 * time.Second),
 		WriteTimeout:   InterpolatedDuration(30 * time.Second),
 		DialTimeout:    InterpolatedDuration(30 * time.Second),
+		LockMaxRetries: 10,
 	}
 }

internal/integration/context.go

@@ -0,0 +1,49 @@
+package integration
+
+import (
+	"context"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
+	"github.com/pkg/errors"
+)
+
+var (
+	ErrNotFound = errors.New("not found")
+)
+
+type contextKey string
+
+const (
+	ctxPublicKeySet contextKey = "public-key-set"
+	ctxPrivateKey   contextKey = "private-key"
+)
+
+func CtxPublicKeySet(ctx context.Context) (jwk.Set, error) {
+	return ctxValue[jwk.Set](ctx, ctxPublicKeySet)
+}
+
+func WithPublicKeySet(ctx context.Context, set jwk.Set) context.Context {
+	return context.WithValue(ctx, ctxPublicKeySet, set)
+}
+
+func CtxPrivateKey(ctx context.Context) (jwk.Key, error) {
+	return ctxValue[jwk.Key](ctx, ctxPrivateKey)
+}
+
+func WithPrivateKey(ctx context.Context, key jwk.Key) context.Context {
+	return context.WithValue(ctx, ctxPrivateKey, key)
+}
+
+func ctxValue[T any](ctx context.Context, key contextKey) (T, error) {
+	raw := ctx.Value(key)
+	if raw == nil {
+		return *new(T), errors.WithStack(ErrNotFound)
+	}
+
+	value, ok := raw.(T)
+	if !ok {
+		return *new(T), errors.Errorf("unexpected value type '%T'", raw)
+	}
+
+	return value, nil
+}

internal/integration/integration.go

@@ -3,6 +3,7 @@ package integration
 import (
 	"context"
 
+	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
 	"github.com/pkg/errors"
 )
 
@@ -15,6 +16,11 @@ type OnStartup interface {
 	OnStartup(ctx context.Context) error
 }
 
+type OnKeyLoad interface {
+	Integration
+	OnKeyLoad(ctx context.Context) (jwk.Key, error)
+}
+
 func RunOnStartup(ctx context.Context, integrations []Integration) error {
 	for _, it := range integrations {
 		onStartup, ok := it.(OnStartup)
@@ -29,3 +35,23 @@ func RunOnStartup(ctx context.Context, integrations []Integration) error {
 
 	return nil
 }
+
+func RunOnKeyLoad(ctx context.Context, integrations []Integration) (jwk.Key, error) {
+	for _, it := range integrations {
+		onKeyLoad, ok := it.(OnKeyLoad)
+		if !ok {
+			continue
+		}
+
+		key, err := onKeyLoad.OnKeyLoad(ctx)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		if key != nil {
+			return key, nil
+		}
+	}
+
+	return nil, nil
+}

internal/integration/kubernetes/integration.go

@@ -2,8 +2,7 @@ package kubernetes
 
 import (
 	"context"
-	"crypto"
+	"encoding/json"
-	"fmt"
 	"os"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/auth/jwt"
@@ -28,6 +27,38 @@ type Integration struct {
 	Options *Options
 }
 
+// OnKeyLoad implements integration.OnKeyLoad.
+func (i *Integration) OnKeyLoad(ctx context.Context) (jwk.Key, error) {
+	locker := i.Options.Locker
+	timeout := i.Options.LockTimeout
+
+	var key jwk.Key
+	err := locker.WithLock(ctx, "bouncer-kubernetes-onkeyload", timeout, func(ctx context.Context) error {
+		client, err := i.getClient()
+		if err != nil {
+			return errors.WithStack(err)
+		}
+
+		if i.Options.PrivateKeySecret != "" {
+			sharedPrivateKey, err := i.getSharedPrivateKey(ctx, client, i.Options.PrivateKeySecretNamespace, i.Options.PrivateKeySecret)
+			if err != nil {
+				return errors.WithStack(err)
+			}
+
+			if sharedPrivateKey != nil {
+				key = sharedPrivateKey
+			}
+		}
+
+		return nil
+	})
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return key, nil
+}
+
 // Integration implements integration.OnStartup.
 func (i *Integration) Integration() {}
 
@@ -36,12 +67,7 @@ func (i *Integration) OnStartup(ctx context.Context) error {
 	locker := i.Options.Locker
 	timeout := i.Options.LockTimeout
 	err := locker.WithLock(ctx, "bouncer-kubernetes-onstartup", timeout, func(ctx context.Context) error {
-		config, err := rest.InClusterConfig()
+		client, err := i.getClient()
-		if err != nil {
-			return errors.WithStack(err)
-		}
-
-		client, err := kubernetes.NewForConfig(config)
 		if err != nil {
 			return errors.WithStack(err)
 		}
@@ -67,6 +93,20 @@ func (i *Integration) OnStartup(ctx context.Context) error {
 	return nil
 }
 
+func (i *Integration) getClient() (*kubernetes.Clientset, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	client, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return client, nil
+}
+
 const (
 	annotationPublicKey = "bouncer.cadoles.com/public-key"
 )
@@ -90,23 +130,6 @@ func (i *Integration) upsertTokenSecret(ctx context.Context, client *kubernetes.
 
 	logger.Debug(ctx, "generating new token")
 
-	key, err := jwk.LoadOrGenerate(i.Options.PrivateKey, jwk.DefaultKeySize)
-	if err != nil {
-		return errors.WithStack(err)
-	}
-
-	publicKey, err := key.PublicKey()
-	if err != nil {
-		return errors.WithStack(err)
-	}
-
-	publicKeyThumbprint, err := publicKey.Thumbprint(crypto.SHA256)
-	if err != nil {
-		return errors.WithStack(err)
-	}
-
-	publicKeyHash := fmt.Sprintf("%x", publicKeyThumbprint)
-
 	alreadyExists := true
 	secret, err := client.CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
 	if err != nil {
@@ -117,8 +140,23 @@ func (i *Integration) upsertTokenSecret(ctx context.Context, client *kubernetes.
 		}
 	}
 
+	privateKey, err := integration.CtxPrivateKey(ctx)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	keySet, err := integration.CtxPublicKeySet(ctx)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	publicKeyThumbprint, err := getKeySetThumbprint(keySet)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
 	if !alreadyExists {
-		token, err := jwt.GenerateToken(ctx, key, i.Options.Issuer, subject, role)
+		token, err := jwt.GenerateToken(ctx, privateKey, i.Options.Issuer, subject, role)
 		if err != nil {
 			return errors.WithStack(err)
 		}
@@ -128,7 +166,7 @@ func (i *Integration) upsertTokenSecret(ctx context.Context, client *kubernetes.
 			ObjectMeta: metav1.ObjectMeta{
 				Name: name,
 				Annotations: map[string]string{
-					annotationPublicKey: publicKeyHash,
+					annotationPublicKey: publicKeyThumbprint,
 				},
 			},
 			StringData: map[string]string{
@@ -143,8 +181,8 @@ func (i *Integration) upsertTokenSecret(ctx context.Context, client *kubernetes.
 		}
 	} else {
 		existingPublicKeyHash, exists := secret.Annotations[annotationPublicKey]
-		if !exists || publicKeyHash != existingPublicKeyHash {
+		if !exists || publicKeyThumbprint != existingPublicKeyHash {
-			token, err := jwt.GenerateToken(ctx, key, i.Options.Issuer, subject, role)
+			token, err := jwt.GenerateToken(ctx, privateKey, i.Options.Issuer, subject, role)
 			if err != nil {
 				return errors.WithStack(err)
 			}
@@ -157,7 +195,7 @@ func (i *Integration) upsertTokenSecret(ctx context.Context, client *kubernetes.
 				secret.Annotations = make(map[string]string)
 			}
 
-			secret.Annotations[annotationPublicKey] = publicKeyHash
+			secret.Annotations[annotationPublicKey] = publicKeyThumbprint
 
 			logger.Info(ctx, "updating token secret")
 
@@ -172,6 +210,66 @@ func (i *Integration) upsertTokenSecret(ctx context.Context, client *kubernetes.
 	return nil
 }
 
+func (i *Integration) getSharedPrivateKey(ctx context.Context, client *kubernetes.Clientset, namespace string, name string) (jwk.Key, error) {
+	if namespace == "" {
+		defaultNamespace, err := i.getCurrentNamespace()
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		namespace = defaultNamespace
+	}
+
+	ctx = logger.With(ctx,
+		logger.F("secretNamespace", namespace),
+		logger.F("secretName", name),
+	)
+
+	logger.Debug(ctx, "searching shared private key from secret")
+
+	secret, err := client.CoreV1().Secrets(namespace).Get(ctx, name, metav1.GetOptions{})
+	if err != nil && !k8serr.IsNotFound(err) {
+		return nil, errors.WithStack(err)
+	}
+
+	rawPrivateKey, exists := secret.Data["key"]
+
+	if exists && len(rawPrivateKey) != 0 {
+		key, err := jwk.ParseKey(rawPrivateKey)
+		if err != nil {
+			return nil, errors.WithStack(err)
+		}
+
+		return key, nil
+	}
+
+	localKey, err := integration.CtxPrivateKey(ctx)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	rawLocalKey, err := json.Marshal(localKey)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	secret = &v1.Secret{
+		Type: v1.SecretTypeOpaque,
+		ObjectMeta: metav1.ObjectMeta{
+			Name: name,
+		},
+		Data: map[string][]byte{
+			"key": rawLocalKey,
+		},
+	}
+
+	if _, err := client.CoreV1().Secrets(namespace).Create(ctx, secret, metav1.CreateOptions{}); err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return localKey, nil
+}
+
 func (i *Integration) getCurrentNamespace() (string, error) {
 	namespace, err := os.ReadFile(namespaceFile)
 	if err != nil {
@@ -191,4 +289,5 @@ func NewIntegration(funcs ...OptionFunc) *Integration {
 
 var (
 	_ integration.OnStartup = &Integration{}
+	_ integration.OnKeyLoad = &Integration{}
 )

internal/integration/kubernetes/keyset.go

@@ -0,0 +1,41 @@
+package kubernetes
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/sha256"
+	"fmt"
+	"slices"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
+	"github.com/pkg/errors"
+)
+
+func getKeySetThumbprint(set jwk.Set) (string, error) {
+	data := make([][]byte, 0, set.Len())
+
+	for i := 0; i < set.Len(); i++ {
+		key, exists := set.Key(i)
+		if !exists {
+			continue
+		}
+
+		thumbprint, err := key.Thumbprint(crypto.SHA256)
+		if err != nil {
+			return "", errors.WithStack(err)
+		}
+
+		data = append(data, thumbprint)
+	}
+
+	slices.SortFunc(data, bytes.Compare)
+
+	hash := sha256.New()
+	for _, d := range data {
+		if _, err := hash.Write(d); err != nil {
+			return "", errors.WithStack(err)
+		}
+	}
+
+	return fmt.Sprintf("%x", hash.Sum(nil)), nil
+}

internal/integration/kubernetes/options.go

@@ -12,7 +12,8 @@ type Options struct {
 	WriterTokenSecretNamespace string
 	ReaderTokenSecret          string
 	ReaderTokenSecretNamespace string
-	PrivateKey                 string
+	PrivateKeySecret           string
+	PrivateKeySecretNamespace  string
 	Issuer                     string
 	Locker                     lock.Locker
 	LockTimeout                time.Duration
@@ -26,7 +27,8 @@ func NewOptions(funcs ...OptionFunc) *Options {
 		WriterTokenSecretNamespace: "",
 		ReaderTokenSecret:          "",
 		ReaderTokenSecretNamespace: "",
-		PrivateKey:                 "",
+		PrivateKeySecret:           "",
+		PrivateKeySecretNamespace:  "",
 		Issuer:                     "",
 		Locker:                     memory.NewLocker(),
 		LockTimeout:                30 * time.Second,
@@ -62,9 +64,15 @@ func WithReaderTokenSecretNamespace(namespace string) OptionFunc {
 	}
 }
 
-func WithPrivateKey(privateKeyFile string) OptionFunc {
+func WithPrivateKeySecret(secretName string) OptionFunc {
 	return func(opts *Options) {
-		opts.PrivateKey = privateKeyFile
+		opts.PrivateKeySecret = secretName
+	}
+}
+
+func WithPrivateKeySecretNamespace(namespace string) OptionFunc {
+	return func(opts *Options) {
+		opts.PrivateKeySecretNamespace = namespace
 	}
 }
 

internal/jwk/jwk.go

@@ -10,6 +10,7 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/lestrrat-go/jwx/v2/jws"
+	"github.com/oklog/ulid/v2"
 
 	"github.com/pkg/errors"
 )
@@ -25,6 +26,7 @@ type (
 var (
 	FromRaw  = jwk.FromRaw
 	NewSet   = jwk.NewSet
+	ParseKey = jwk.ParseKey
 )
 
 const AlgorithmKey = jwk.AlgorithmKey
@@ -95,6 +97,12 @@ func Generate(size int) (jwk.Key, error) {
 		return nil, errors.WithStack(err)
 	}
 
+	keyID := ulid.Make().String()
+
+	if err := key.Set(jwk.KeyIDKey, keyID); err != nil {
+		return nil, errors.WithStack(err)
+	}
+
 	return key, nil
 }
 

internal/lock/redis/locker.go

@@ -13,7 +13,7 @@ import (
 
 type Locker struct {
 	client     redis.UniversalClient
-	timeout time.Duration
+	maxRetries int
 }
 
 // WithLock implements lock.Locker.
@@ -26,6 +26,7 @@ func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration
 
 	logger.Debug(ctx, "acquiring lock")
 
+	err := retryWithBackoff(ctx, l.maxRetries, func(ctx context.Context) error {
 		lock, err := locker.Obtain(ctx, key, timeout, &redislock.Options{
 			RetryStrategy: backoff,
 		})
@@ -48,11 +49,18 @@ func (l *Locker) WithLock(ctx context.Context, key string, timeout time.Duration
 		}
 
 		return nil
+	})
+	if err != nil {
+		return errors.WithStack(err)
 	}
 
-func NewLocker(client redis.UniversalClient) *Locker {
+	return nil
+}
+
+func NewLocker(client redis.UniversalClient, maxRetries int) *Locker {
 	return &Locker{
 		client:     client,
+		maxRetries: maxRetries,
 	}
 }
 

internal/lock/redis/retry.go

@@ -0,0 +1,42 @@
+package redis
+
+import (
+	"context"
+	"time"
+
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+const (
+	baseWatchBackoffDelay = time.Millisecond * 500
+	maxDelay              = time.Minute * 10
+)
+
+func retryWithBackoff(ctx context.Context, attempts int, fn func(ctx context.Context) error) error {
+	backoffDelay := baseWatchBackoffDelay
+	count := 0
+
+	for {
+		err := fn(ctx)
+		if err == nil {
+			return nil
+		}
+
+		err = errors.WithStack(err)
+
+		count++
+		if count >= attempts {
+			return errors.Wrapf(err, "execution failed after %d attempts", attempts)
+		}
+
+		logger.Error(ctx, "error while executing func, retrying with backoff", logger.E(err), logger.F("backoffDelay", backoffDelay), logger.F("remainingAttempts", attempts-count))
+
+		time.Sleep(backoffDelay)
+
+		backoffDelay *= 2
+		if backoffDelay > maxDelay {
+			backoffDelay = maxDelay
+		}
+	}
+}

internal/proxy/director/director.go

@@ -3,7 +3,6 @@ package director
 import (
 	"context"
 	"net/http"
-	"net/url"
 	"sort"
 
 	"forge.cadoles.com/Cadoles/go-proxy"
@@ -28,15 +27,27 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 		return r, errors.WithStack(err)
 	}
 
+	url := getRequestURL(r)
+	ctx = logger.With(r.Context(), logger.F("url", url.String()))
+
 	var match *store.Proxy
 
 MAIN:
 	for _, p := range proxies {
 		for _, from := range p.From {
-			if matches := wildcard.Match(r.Host, from); !matches {
+			logger.Debug(
+				ctx, "matching request with proxy's from",
+				logger.F("from", from),
+			)
+			if matches := wildcard.Match(url.String(), from); !matches {
 				continue
 			}
 
+			logger.Debug(
+				ctx, "proxy's from matched",
+				logger.F("from", from),
+			)
+
 			match = p
 			break MAIN
 		}

internal/proxy/director/util.go

@@ -2,6 +2,7 @@ package director
 
 import (
 	"net/http"
+	"net/url"
 
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/util"
@@ -16,3 +17,19 @@ func createMiddlewareChain(handler http.Handler, middlewares []proxy.Middleware)
 
 	return handler
 }
+
+func getRequestURL(r *http.Request) *url.URL {
+	scheme := "http"
+	if r.URL.Scheme != "" {
+		scheme = r.URL.Scheme
+	}
+
+	url := url.URL{
+		Host:     r.Host,
+		Scheme:   scheme,
+		Path:     r.URL.Path,
+		RawQuery: r.URL.RawQuery,
+	}
+
+	return &url
+}

internal/setup/integrations.go

@@ -28,15 +28,16 @@ func SetupIntegrations(ctx context.Context, conf *config.Config) ([]integration.
 
 func setupKubernetesIntegration(ctx context.Context, conf *config.Config) (*kubernetes.Integration, error) {
 	client := newRedisClient(conf.Redis)
-	locker := redis.NewLocker(client)
+	locker := redis.NewLocker(client, 10)
 
 	integration := kubernetes.NewIntegration(
 		kubernetes.WithReaderTokenSecret(string(conf.Integrations.Kubernetes.ReaderTokenSecret)),
 		kubernetes.WithReaderTokenSecretNamespace(string(conf.Integrations.Kubernetes.ReaderTokenSecretNamespace)),
 		kubernetes.WithWriterTokenSecret(string(conf.Integrations.Kubernetes.WriterTokenSecret)),
 		kubernetes.WithWriterTokenSecretNamespace(string(conf.Integrations.Kubernetes.WriterTokenSecretNamespace)),
+		kubernetes.WithPrivateKeySecret(string(conf.Integrations.Kubernetes.PrivateKeySecret)),
+		kubernetes.WithPrivateKeySecretNamespace(string(conf.Integrations.Kubernetes.PrivateKeySecretNamespace)),
 		kubernetes.WithIssuer(string(conf.Admin.Auth.Issuer)),
-		kubernetes.WithPrivateKey(string(conf.Admin.Auth.PrivateKey)),
 		kubernetes.WithLocker(locker),
 		kubernetes.WithLockTimeout(time.Duration(conf.Integrations.Kubernetes.LockTimeout)),
 	)

internal/setup/lock.go

@@ -10,6 +10,6 @@ import (
 
 func SetupLocker(ctx context.Context, conf *config.Config) (lock.Locker, error) {
 	client := newRedisClient(conf.Redis)
-	locker := redis.NewLocker(client)
+	locker := redis.NewLocker(client, int(conf.Redis.LockMaxRetries))
 	return locker, nil
 }

misc/k8s/kustomization/base/resources/bouncer-admin/files/admin-key.json

@@ -1 +0,0 @@
-{"d":"JuBw5OsGv3rPgVczxUgtJ6iUQ41LQu4Xpu-t8IKI_z8r-BZBlbndxidPmRlGZASLGL3rhY4qw6_ScFxakrMpCreO1RMU0kqtz--N48BXFnW5tEgr1voyyKP__bPssQNn6PgkoyAd11es7MEKlBff_DtGrcSkVRgU0zDZB-vIU0aNEIZPNw0icbYqc1u_QQNPpBU9cw6P33WHhzvfCVAkZKRszwznhiPM08n1vjpiA7e1kQ8a6OC4IFZBvohkmpmyOq1g1OLRABQ83YPCjGjCAejO-jEWkbLksp6rAl_YYpCvfBAjFV76JuZq4eh5IU82LsSfi3PGYBkhxWuLY779XQ","dp":"gljHOQowGK7fVn2DJizWtgRIDJuKpKnoX2PWNJUbm2WZwcEPZalAkxn7Y-w_reLVJZuRpfKEUMS-Tn3-CwI1ZjCHPqMPTXcoG0Pe2E-Z88jOs9lW4XSOASiiM980VIvkV1xCxDJkN3NsDFQ9j9kRGnKuMnsucCW3AKaU917hXNU","dq":"mqY19JcEBDnzS70_XkAsOKqPzemOScax66b-4N6zrsgeLVlRjHffY9uCAgBWzlxOidRdQN8q23ZJB4fqsKB2w00Iw7Jxx94IoAKGjKDT5iB48Y_kdKLAwSHRTXsqA9GG3po_H_JpP_EqX4TDBYtqQZuBD_tACP9HbLYMi_V2YU8","e":"AQAB","kty":"RSA","n":"sam0X0BGcuFwX8z3Wde8cv2o_zl6A9ghpkT0tCjw8qH3GNWrbAqzncSWdHBzoChBgAbuTOVs-ixYC0KeUhwFdc8Ul-jmKJWFaS8kIr3y4EH62-vLgMuIKfaxbsyUG6KMkJfnftge1jPO4ccddNej9msxcqTxu37dcgstutwtd6QkS9p5RrNbDBc8-Z7SQ4TuxJfP8msXRnCPJ-I44yszGdQF1Np2DXakJHVn8PBrDh3iSFwORw8jxNS4oS0OlBl5aSc0t5XkkaNcSU2a50SKts290w54fl6MPJ1sLnnznLy4uu37-nrfEUvqRLDZL9B1F82RM1dtLIIiN4gnSrMlpQ","p":"wOmFPhAT_wXWzMuwtEdYIer3-CiOWxFKpFL09eEJkJ29MIUchEaoiJaUAghqPxM48llfOVaUaLbFVxmo5U3fyjNMaP-nHMUBwojutykMK-gC2R3J4bQgFWfKbGSL7M7UsextAvpq9iiOuR0LNE-xTfCgPIxHVdPZskO3yx0DkjM","q":"68OGRb0tLRjb_PpkGctcSjEz_vvcyjzxGL-fn4_h4GCw98Xrj6Y4rZ4lfWWRSeDohSvdd-ICSlxvxkQOIOcA0H7jyJcBC0KDs4hX5BRGJNDri3QX0ry4_F1ptAdbfiFgQGqCfMRCr7L60Tfd_6tLczvny7eEBKQNGdj6dLfhgMc","qi":"DFwixyxUDf0REPLLa8hOKieRL95_AH9rbYWzStBOdSjKWra5l0reD6a4bbvAYvl0e8qCcRI6S8Nzpz0BYm4sJL7poVOnjxqvBY3Q9Ppf4Mq8lW39pOCJcqOHIvvYHsMjTC5uwp7Yg2p0GvxuUibbyNL1PXf6WZ_szVP_oSMrCXA"}

misc/k8s/kustomization/base/resources/bouncer-admin/files/config.yml

@@ -20,7 +20,7 @@ admin:
     debug: false
   auth:
     issuer: http://127.0.0.1:8081
-    privateKey: /etc/bouncer/admin-key.json
+    privateKey: /var/lib/bouncer/admin-key.json
   metrics:
     enabled: true
     endpoint: /.bouncer/metrics
@@ -44,3 +44,4 @@ integrations:
     enabled: true
     writerTokenSecret: ${BOUNCER_WRITER_TOKEN_SECRET}
     readerTokenSecret: ${BOUNCER_READER_TOKEN_SECRET}
+    privateKeySecret: ${BOUNCER_PRIVATE_KEY_SECRET}

misc/k8s/kustomization/base/resources/bouncer-admin/kustomization.yaml

@@ -10,10 +10,10 @@ configMapGenerator:
   - name: bouncer-admin-config
     files:
       - ./files/config.yml
-      - ./files/admin-key.json
   - name: bouncer-admin-bootstrap
   - name: bouncer-admin-env
     literals:
       - BOUNCER_LOG_LEVEL=2
       - BOUNCER_WRITER_TOKEN_SECRET=bouncer-admin-writer-token
       - BOUNCER_READER_TOKEN_SECRET=bouncer-admin-reader-token
+      - BOUNCER_PRIVATE_KEY_SECRET=bouncer-admin-private-key

misc/k8s/kustomization/base/resources/bouncer-admin/resources/deployment.yaml

@@ -23,6 +23,10 @@ spec:
       containers:
         - name: bouncer-admin
           image: bouncer
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
           command:
             [
               "bouncer",
@@ -46,6 +50,8 @@ spec:
               name: bouncer-admin-config
             - mountPath: /etc/bouncer/bootstrap.d
               name: bouncer-admin-bootstrap
+            - mountPath: /var/lib/bouncer
+              name: bouncer-admin-var
       volumes:
         - name: bouncer-admin-config
           configMap:
@@ -53,3 +59,7 @@ spec:
         - name: bouncer-admin-bootstrap
           configMap:
             name: bouncer-admin-bootstrap
+        - name: bouncer-admin-var
+          emptyDir:
+            sizeLimit: 10Mi
+            medium: Memory

misc/k8s/kustomization/base/resources/bouncer-server/resources/deployment.yaml

@@ -21,6 +21,10 @@ spec:
       containers:
         - name: bouncer-server
           image: bouncer
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
           command:
             [
               "bouncer",