Key Rotation#
Auth middleware’s HMAC signing keys rotate automatically via a dedicated CronJob, separate from the Extension API’s rotator.
Setup#
The helm charts deploy the following to support Auth middleware:
A Kubernetes Secret (default name:
authmiddleware-secrets) in the router namespaceA CronJob running the rotator image
Rotation behavior#
The rotator follows the same mechanism as the Extension API rotator:
Generates a new HMAC key and appends it to the Secret.
Retains up to a configurable number of keys (default: 3).
Prunes the oldest key when the limit is exceeded.
Graceful transition#
Auth middleware pods its signing Secret via controller-runtime event handlers. On update:
All keys are reloaded from the Secret.
A
newKeyUseDelay(default: 5 seconds) prevents using the new key for signing until all replicas have observed it.Tokens carry a
kidheader — validation looks up the key by ID, so tokens signed with a previous key remain valid as long as that key is retained.
Because session tokens have a 1-hour TTL (default) and refresh happens transparently, users experience no interruption during rotation.
Why separate from the Extension API#
The Auth middleware and Extension API run in different namespaces and serve different purposes:
Extension API |
Auth Middleware |
|
|---|---|---|
Namespace |
|
Router namespace (e.g. |
Token type |
|
|
Issuer |
|
|
Secret |
|
|
Each component only trusts tokens it signed itself. Auth middleware validates Extension API bearer tokens by calling BearerTokenReview — it never validates them locally.