[Feature Request] Handle region-specific configurations to inject jwt token in services

[alexisdondon]

We could add some region configuration to let the onyxia administrator choose in the region if some jwt that onyxia ui collect could be injected in the helm charts exposed as a service in the catalog.

For instance:

• jwt.kubernetes,
• jwt.onyxia,
• jwt.minio,
• jwt.atlas,
• jwt.generique for a generique client in the same realm at least.

This is a first proposal that could be discussed.

[Feature Amelioration]
The jwt are currently in the json payload of the PUT request when the user ask to launch a service over https.
It could be good for a long run like this but for more security as jwt could be a sensitive information we could think about some feature ameliration.
For instance : the jwt could be sign with a public key exposed by onyxia and the onyxia-api could own the private key to decript the jwt.

[alexisdondon]

Is this feature group ready or should it be allowed only in personnal workspace.

Indeed, if :

• userA and userB are in the same group (same namespace)
• userA launch a shared service with injection of some of his jwts.
• userB could collect the jwts of userA by connecting to the containers in the group.

Is this beyond of the scope to onyxia to have a control on this?

[alexisdondon]

InseeFrLab/onyxia#410