add reana client, iam-reana sync and secrets secret (#296)

vre-hub · Nov 19, 2024 · 0b50d8d · 0b50d8d
1 parent c8f4cd6
commit 0b50d8d
Show file tree

Hide file tree

Showing 3 changed files with 135 additions and 7 deletions.
diff --git a/infrastructure/cluster/flux/reana/reana-cronjobs.yaml b/infrastructure/cluster/flux/reana/reana-cronjobs.yaml
@@ -0,0 +1,111 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: iam-reana-sync
+  namespace: reana
+spec:
+  schedule: "0 1 * * *" # every day at 1 am 
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure 
+          containers:
+            - name: iam-sync
+              image: ghcr.io/vre-hub/vre-iam-reana-sync:v1.0.0-rc0-35-02757b7 # to be changed to correct version    
+              env:            
+              # needed to poll the iam service 
+              - name: IAM_SERVER
+                value: "https://iam-escape.cloud.cnaf.infn.it"
+              - name: CLIENT_SECRET
+                valueFrom:
+                  secretKeyRef:
+                    name: reana-vre-iam-client
+                    key: client_secret
+              - name: CLIENT_ID
+                valueFrom:
+                  secretKeyRef:
+                    name: reana-vre-iam-client
+                    key: client_id
+              # needed to add users 
+              - name: REANA_ADMIN_TOKEN
+                valueFrom:
+                  secretKeyRef:
+                    name: reana-admin-access-token
+                    key: ADMIN_ACCESS_TOKEN
+              # needed for correct DB connection - internals of reana 
+              - name: REANA_SECRET_KEY
+                valueFrom:
+                  secretKeyRef:
+                    name: reana-secrets
+                    key: REANA_SECRET_KEY              
+              # to connect to DB       
+              - name: REANA_DB_NAME
+                value: "reana"
+              - name: REANA_DB_PORT
+                value: "6600"
+              - name: REANA_DB_HOST
+                value: "dbod-vre.cern.ch"
+              - name: REANA_DB_USERNAME
+                valueFrom:
+                  secretKeyRef:
+                    name: reana-db
+                    key: user
+              - name: REANA_DB_PASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: reana-db
+                    key: password           
+              tty: true
+              imagePullPolicy: Always
+              command:
+              - /bin/sh
+              - -c
+              - date; echo Hello from iam-reana-sync container; 
+                flask reana-admin user-list --admin-access-token $REANA_ADMIN_TOKEN; 
+                python3 /home/generate_email_list.py; 
+                python3 /home/add_reana_users.py
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: reana-client
+  namespace: reana
+spec:
+  containers:
+  - name: rucio-client
+    image: ghcr.io/vre-hub/vre-iam-reana-sync:v1.0.0-rc0-35-02757b7
+    imagePullPolicy: Always
+    command: ["sleep","3600"]
+    env:
+    # needed to add users 
+    - name: REANA_ADMIN_TOKEN
+      valueFrom:
+        secretKeyRef:
+          name: reana-admin-access-token
+          key: ADMIN_ACCESS_TOKEN
+    # needed for correct DB connection - internals of reana 
+    - name: REANA_SECRET_KEY
+      valueFrom:
+        secretKeyRef:
+          name: reana-secrets
+          key: REANA_SECRET_KEY    
+    # to connect to DB       
+    - name: REANA_DB_NAME
+      value: "reana"
+    - name: REANA_DB_PORT
+      value: "6600"
+    - name: REANA_DB_HOST
+      value: "dbod-vre.cern.ch"
+    - name: REANA_DB_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: reana-db
+          key: user
+    - name: REANA_DB_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: reana-db
+          key: password   
diff --git a/infrastructure/scripts/reana_secrets.sh b/infrastructure/scripts/reana_secrets.sh
@@ -41,15 +41,16 @@ cat ${RAW_REANA_IAM_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME}
 kubectl apply -f ${SECRETS_DIR}/ss_${REANA_IAM_ACCOUNT_SECRET}
 
 
-# echo "Create 'REANA secrets' secret"
-# # This secret is unknow for what is used - no doc :harold:
-# # Kept commented for the moment
+echo "Create 'REANA secrets' secret"
+# :harold:
+# REANA_SECRET_KEY is used for some security-related things, including the encryption of some DB columns. So if that's not set, the database columns will not be decrypted correctly
+# Said in other words, it is a secret needed when interacting with REANA via `--admin-access-token $REANA_ADMIN_TOKEN`
 
-# REANA_SECRETS_SECRET='reana-secrets.yaml'
-# RAW_REANA_SECRETS_FILE_SECRET=${RAW_SECRETS_TMP_DIR}/${REANA_SECRETS_SECRET}
+REANA_SECRETS_SECRET='reana-secrets.yaml'
+RAW_REANA_SECRETS_FILE_SECRET=${RAW_SECRETS_TMP_DIR}/${REANA_SECRETS_SECRET}
 
-# cat ${RAW_REANA_SECRETS_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${REANA_NS} > ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
-# kubectl apply -f ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
+cat ${RAW_REANA_SECRETS_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${REANA_NS} > ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
+kubectl apply -f ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
 
 
 echo "END REANA Secret Script"
diff --git a/infrastructure/secrets/reana/ss_reana-secrets.yaml b/infrastructure/secrets/reana/ss_reana-secrets.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: reana-secrets
+  namespace: reana
+spec:
+  encryptedData:
+    REANA_SECRET_KEY: AgBkHvUFBE/ntpPiUhYywwa5eUo0WpBahy3Y1U2DAwhHHKByh/VJDI18M3GdPjAzucu8h8WlcfKoxQjpj/FAE5+bS7kehsct500hQyMazhqqdeVjjd1t1q/wucjjaeDSli7sGZLs+/xItawm142sHXMK0PeKTP5gso8LL/h62K6nfeAleGfrZR6yVA4Yfsze8wcbxybiWKOFOc0whHeekD8Z09NiLrzYZkxJS8+STB4tqxQw0Cph+e0w0OCBJ6l5gEhb1/Q295C9KXf9Vbx25zanISvS1BjE9Vcgtq/IhiM+tJYiYnzVI3NXvCvznnXX/Xl+XvkXVEBojJ6ySjwLHb+0l7t/XSMS4uJrz6cokZSV4nLhqQPs8DhTre4Ywb09B8Z/nbolQOOOG9jBgnbrCim44MxlYcq6Ma8lBbuRAzAp8JfaAkguainsrIdVojf7avs5JpFp0krcdIccb7lsXyudXNnpF8HUJbuJVFmOgGMOPMNc8jNK/2ezBNoug8cJKEsbYZAkM3dCoL3ctd3Ag4lUprczla0y7pYrh44SrZxsmWKg2QbnRcI98Bb8GPMo3YGuKnnDC9jrl0Rwc0tyoDUNYLRbhS4bHyxTvro9/HwMIl515MsBO3gwg5bLEqwlHTZax9/JpMP3yJHpMSPc7jZ9EKCmb/dGmTdkmxVYWMAVND2cj7e3c+Bg+J60r90ZLXWf3z8Z6Webs+TB
+  template:
+    metadata:
+      creationTimestamp: null
+      name: reana-secrets
+      namespace: reana
+    type: Opaque