
java - Quarkus smallrye jwt sign method crashes when reading key from kubernetes secret - Stack Overflow


I want to sign and validate JWT tokens in my Quarkus REST app. The private and public keys should be stored as Kubernetes secrets.

What I did so far:

  • Create keys

    openssl genrsa -out keypair.pem 2048
    openssl rsa -in keypair.pem -pubout -out publickey.crt
    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key

  • Create kubernetes secret

    kubectl create secret generic jwt-keys -n my-namespace --from-file=privkey=pkcs8.key --from-file=pubkey=publickey.crt

  • Edit application.properties

    quarkus.kubernetes-config.secrets=jwt-keys
    mp.jwt.sign.key=jwt-keys.privkey
    mp.jwt.verify.publickey=jwt-keys.pubkey
    smallrye.jwt.sign.key=jwt-keys.privkey

  • Try to sign a token

    private String createToken(Role role) {
        long now = Instant.now().getEpochSecond();
        long exp = now + TimeUnit.MINUTES.toSeconds(60);
        return Jwt.issuer(issuer)
                .claim(Claims.groups, role)
                .issuedAt(Instant.ofEpochSecond(now))
                .expiresAt(Instant.ofEpochSecond(exp))
                .sign();
    }

Behaviour when I call the createToken method:

io.smallrye.jwt.build.JwtSignatureException: SRJWT05009:
        at io.smallrye.jwt.build.impl.JwtSignatureImpl.sign(JwtSignatureImpl.java:109)
        at de.infinityq.auth.TokenManager.createToken(TokenManager.java:21)
        at de.infinityq.auth.TokenManager.createUserToken(TokenManager.java:29)
        ...
Caused by: java.lang.IllegalArgumentException: SRJWT05028: Signing key can not be created from the loaded content
        at io.smallrye.jwt.build.impl.JwtSignatureImpl.sign(JwtSignatureImpl.java:102)

So the sign function crashes when trying to load the key I defined in the kubernetes secret, but I do not understand why.

I verified that the keys are valid by passing them as files directly, as shown in the example here:

I verified that my approach should work by reading the smallrye documentation: .html which clearly states that I can pass the key as value

I don't know what else to do, hope someone can help.

EDIT:

As requested, here is the content of the jwt-keys secret (it's just for local testing, so sharing them here is fine. Will create new keys anyway).

{
    "apiVersion": "v1",
    "data": {
        "privkey": "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",
        "pubkey": "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"
    },
    "kind": "Secret",
    "metadata": {
        "creationTimestamp": "2025-01-20T12:34:19Z",
        "name": "jwt-keys",
        "namespace": "my-namespace",
        "resourceVersion": "6222080",
        "uid": "f3e1cb39-4e95-4af0-bef2-4eabf87e4777"
    },
    "type": "Opaque"
}
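
A check on what the application would actually be handed, as an added example that is not part of the original question or of SmallRye JWT: it decodes the `privkey` and `pubkey` entries of a Secret manifest and tests that each is PEM framed around a DER SEQUENCE, and the same test can be applied to a plain property value such as `jwt-keys.privkey`. The function names, the constructed sample Secret and its placeholder DER bytes are assumptions; the check covers framing only, not whether the content is a usable RSA key.

```python
import base64
import binascii
import json
import re

# PEM labels written by the openssl commands in the question:
# `pkcs8 -topk8 -nocrypt` -> PRIVATE KEY, `rsa -pubout` -> PUBLIC KEY.
PEM_RE = re.compile(r"\A\s*-----BEGIN ([A-Z ]+)-----\s+(.*?)\s*-----END \1-----\s*\Z", re.S)

def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE whose length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def classify_key_text(text: str) -> str:
    """Return the PEM label if text is well-framed PEM, else a reason string."""
    m = PEM_RE.match(text)
    if not m:
        return "not PEM"
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
    except binascii.Error:
        return "PEM body is not base64"
    return m.group(1) if der_sequence_ok(der) else "PEM body is not a DER SEQUENCE"

def check_secret(manifest_json: str) -> dict:
    """Decode each data entry of a Secret manifest and classify it."""
    data = json.loads(manifest_json)["data"]
    return {k: classify_key_text(base64.b64decode(v).decode("utf-8", "replace"))
            for k, v in data.items()}

def pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed sample: the DER is a placeholder SEQUENCE, not a real key.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_SECRET = json.dumps({"kind": "Secret", "data": {
    "privkey": base64.b64encode(pem("PRIVATE KEY", FAKE_DER).encode()).decode(),
    "pubkey": base64.b64encode(pem("PUBLIC KEY", FAKE_DER).encode()).decode()}})

if __name__ == "__main__":
    print(check_secret(SAMPLE_SECRET))
```

Against a real cluster, the input would be the output of `kubectl get secret jwt-keys -n my-namespace -o json`; a string that is a property name rather than key material is classified as `not PEM`.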