feat(cloud-native): change lock-master-configuration to lock-server-configuration #9177

Merged: 4 commits, Aug 12, 2024

@iromli iromli commented Aug 12, 2024

Prepare


Description

Target issue

closes #9176

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

…nfiguration

Signed-off-by: iromli <isman.firmansyah@gmail.com>

dryrunsecurity bot commented Aug 12, 2024

DryRun Security Summary

The pull request updates the configuration and endpoints related to the Janssen Lock Server, transitioning from the older "Lock Master" architecture to the newer "Lock Server" architecture, and ensuring the proper exposure and security of the Lock Server-related endpoints.

Summary:

The code changes in this pull request focus on updating the configuration and endpoints related to the Janssen Lock Server, which is a critical component of the Janssen access and identity management system. The key changes include:

  1. Updating the endpoint path from "/.well-known/lock-master-configuration" to "/.well-known/lock-server-configuration" to reflect the transition from the older "Lock Master" architecture to the newer "Lock Server" architecture.
  2. Enabling the "/.well-known/lock-server-configuration" endpoint, which allows clients to discover and interact with the Lock Server configuration.
  3. Updating the Ingress and Virtual Service configurations to ensure that the Lock Server-related endpoints are properly exposed and secured.
  4. Modifying the Docker image configurations for the Janssen components to ensure that the Lock Server integration is properly handled and secured.

From an application security perspective, these changes are generally positive as they align the application with the newer and more secure "Lock Server" architecture. However, it's important to ensure that any clients or integrations that were relying on the older "/.well-known/lock-master-configuration" endpoint are updated to use the new "/.well-known/lock-server-configuration" endpoint.

Additionally, it's crucial to review the overall Ingress and Virtual Service configurations to ensure that all the exposed endpoints are properly secured and that there are no unintended exposures or misconfigurations. The Docker image configurations should also be reviewed to ensure that they follow best practices for securing the application's deployment.

Files Changed:

  • charts/janssen-all-in-one/templates/nginx-ingress.yaml: Updates the path for the "lock-server-configuration" endpoint.
  • charts/janssen-all-in-one/README.md: Enables the "/.well-known/lock-server-configuration" endpoint for the auth-server service.
  • charts/janssen-all-in-one/values.yaml: Enables the "/.well-known/lock-server-configuration" endpoint and disables the "/.well-known/lock-master-configuration" endpoint.
  • charts/janssen/README.md: Updates the lockConfigEnabled field in the global.auth-server.ingress section.
  • charts/janssen/charts/auth-server/templates/auth-server-virtual-services.yaml: Updates the URI prefix for the "{{ .Release.Name }}-istio-lock-config" virtual service.
  • charts/janssen/charts/nginx-ingress/templates/ingress.yaml: Updates the path for the ".well-known/lock-master-configuration" endpoint to ".well-known/lock-server-configuration".
  • charts/janssen/values.yaml: Enables the "/.well-known/lock-server-configuration" endpoint.
  • docker-jans-all-in-one/Dockerfile: Updates the source code version and base image version.
  • docker-jans-all-in-one/app/templates/nginx/jans-auth-location.conf: Renames the location block for "/.well-known/lock-master-configuration" to "/.well-known/lock-server-configuration".
  • docker-jans-auth-server/scripts/upgrade.py: Includes changes related to the Lock dynamic configuration update and Lock client scopes update.
  • docker-jans-auth-server/Dockerfile: Updates the build date, source version, and various library versions.
  • docs/admin/lock/cedarling.md: Updates the CEDARLING_LOCK_MASTER_CONFIGURATION_URI property to use the "/.well-known/lock-server-configuration" endpoint.
  • docker-jans-persistence-loader/Dockerfile: Includes various security-related changes, such as environment variable management, permissions, and dependency management.
  • docs/admin/reference/kubernetes/helm-chart.md: Updates the global.auth-server.ingress.lockConfigEnabled value to false.
  • jans-lock/lock-server.yaml: Updates the path for the "/.well-known/lock-master-configuration" endpoint to "/.well-known/lock-server-configuration".

Code Analysis

We ran 9 analyzers against 15 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 3 findings

Riskiness

🟢 Risk threshold not exceeded.


@iromli iromli changed the title from "feat(cloud-native): change lock-master-confguration to lock-server-configuration" to "feat(cloud-native): change lock-master-configuration to lock-server-configuration" Aug 12, 2024
iromli and others added 3 commits August 12, 2024 21:47
Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
@moabu moabu merged commit 23dc2e2 into main Aug 12, 2024
11 checks passed
@moabu moabu deleted the cn-lock-server branch August 12, 2024 17:04
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
…onfiguration (#9177)

* feat(cloud-native): change lock-master-confguration to lock-server-configuration

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: update JANS_SOURCE_VERSION

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* feat(cloud-native):  update lock endpoint

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

* feat(jans-lock): update lock endpoint

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

---------

Signed-off-by: iromli <isman.firmansyah@gmail.com>
Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Co-authored-by: Amro Misbah <amromisba7@gmail.com>
Former-commit-id: 23dc2e2