From 0b50d8db6f29b69a1fb6dce8bf4fbfc50b5b04e9 Mon Sep 17 00:00:00 2001
From: Enrique Garcia <40355845+garciagenrique@users.noreply.github.com>
Date: Tue, 19 Nov 2024 11:42:50 +0100
Subject: [PATCH] add reana client, iam-reana sync and secrets secret (#296)
---
 .../cluster/flux/reana/reana-cronjobs.yaml | 111 ++++++++++++++++++
 infrastructure/scripts/reana_secrets.sh | 15 +--
 .../secrets/reana/ss_reana-secrets.yaml | 16 +++
 3 files changed, 135 insertions(+), 7 deletions(-)
 create mode 100644 infrastructure/cluster/flux/reana/reana-cronjobs.yaml
 create mode 100644 infrastructure/secrets/reana/ss_reana-secrets.yaml
diff --git a/infrastructure/cluster/flux/reana/reana-cronjobs.yaml b/infrastructure/cluster/flux/reana/reana-cronjobs.yaml
new file mode 100644
index 00000000..d104222d
--- /dev/null
+++ b/infrastructure/cluster/flux/reana/reana-cronjobs.yaml
@@ -0,0 +1,111 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: iam-reana-sync
+ namespace: reana
+spec:
+ schedule: "0 1 * * *" # every day at 1 am
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - name: iam-sync
+ image: ghcr.io/vre-hub/vre-iam-reana-sync:v1.0.0-rc0-35-02757b7 # to be changed to correct version
+ env:
+ # needed to poll the iam service
+ - name: IAM_SERVER
+ value: "https://iam-escape.cloud.cnaf.infn.it"
+ - name: CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: reana-vre-iam-client
+ key: client_secret
+ - name: CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: reana-vre-iam-client
+ key: client_id
+ # needed to add users
+ - name: REANA_ADMIN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: reana-admin-access-token
+ key: ADMIN_ACCESS_TOKEN
+ # needed for correct DB connection - internals of reana
+ - name: REANA_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: reana-secrets
+ key: REANA_SECRET_KEY
+ # to connect to DB
+ - name: REANA_DB_NAME
+ value: "reana"
+ - name: REANA_DB_PORT
+ value: "6600"
+ - name: REANA_DB_HOST
+ value: "dbod-vre.cern.ch"
+ - name: REANA_DB_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: reana-db
+ key: user
+ - name: REANA_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: reana-db
+ key: password
+ tty: true
+ imagePullPolicy: Always
+ command:
+ - /bin/sh
+ - -c
+ - date; echo Hello from iam-reana-sync container;
+ flask reana-admin user-list --admin-access-token $REANA_ADMIN_TOKEN;
+ python3 /home/generate_email_list.py;
+ python3 /home/add_reana_users.py
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: reana-client
+ namespace: reana
+spec:
+ containers:
+ - name: rucio-client
+ image: ghcr.io/vre-hub/vre-iam-reana-sync:v1.0.0-rc0-35-02757b7
+ imagePullPolicy: Always
+ command: ["sleep","3600"]
+ env:
+ # needed to add users
+ - name: REANA_ADMIN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: reana-admin-access-token
+ key: ADMIN_ACCESS_TOKEN
+ # needed for correct DB connection - internals of reana
+ - name: REANA_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: reana-secrets
+ key: REANA_SECRET_KEY
+ # to connect to DB
+ - name: REANA_DB_NAME
+ value: "reana"
+ - name: REANA_DB_PORT
+ value: "6600"
+ - name: REANA_DB_HOST
+ value: "dbod-vre.cern.ch"
+ - name: REANA_DB_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: reana-db
+ key: user
+ - name: REANA_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: reana-db
+ key: password
\ No newline at end of file
diff --git a/infrastructure/scripts/reana_secrets.sh b/infrastructure/scripts/reana_secrets.sh
index 34b3e03d..bff398c3 100644
--- a/infrastructure/scripts/reana_secrets.sh
+++ b/infrastructure/scripts/reana_secrets.sh
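Review bot: The CronJob's shell string puts the admin token on a command line — `flask reana-admin user-list --admin-access-token $REANA_ADMIN_TOKEN` — so the expanded secret is readable from `/proc/<pid>/cmdline` by anything in the pod (and shows in host process listings) for as long as that command runs; if `reana-admin` can read the `REANA_ADMIN_TOKEN` variable the container already exports, drop the flag, otherwise feed the token via stdin or a file rather than argv. The second document is a bare `reana-client` Pod whose only job is `sleep 3600` while holding the same admin token, `REANA_SECRET_KEY` and the DB password; committed under what looks like a Flux-reconciled path, it is presumably recreated on every reconcile and turns a one-off debug shell into a standing foothold with every REANA credential (its container is also named `rucio-client`, which reads as a copy-paste leftover) — keep it out of the reconciled tree, or at minimum strip the secrets it does not need. Neither pod disables the default ServiceAccount token mount or sets a securityContext even though the scripts only talk to IAM, REANA and the DB; the lines below harden the CronJob's pod template and the same block applies to the Pod if it stays. The image tag still carries `# to be changed to correct version` while `imagePullPolicy: Always` is set — pin the final tag (ideally by digest) before this is reconciled.

```yaml
        spec:
          restartPolicy: OnFailure
          automountServiceAccountToken: false
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: iam-sync
              # … unchanged: image, env, command …
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop: ["ALL"]
```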
@@ -41,15 +41,16 @@ cat ${RAW_REANA_IAM_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME}
 kubectl apply -f ${SECRETS_DIR}/ss_${REANA_IAM_ACCOUNT_SECRET}
-# echo "Create 'REANA secrets' secret"
-# # This secret is unknow for what is used - no doc :harold:
-# # Kept commented for the moment
+echo "Create 'REANA secrets' secret"
+# :harold:
+# REANA_SECRET_KEY is used for some security-related things, including the encryption of some DB columns. So if that's not set, the database columns will not be decrypted correctly
+# Said in other words, it is a secret needed when interacting with REANA via `--admin-access-token $REANA_ADMIN_TOKEN`
-# REANA_SECRETS_SECRET='reana-secrets.yaml'
-# RAW_REANA_SECRETS_FILE_SECRET=${RAW_SECRETS_TMP_DIR}/${REANA_SECRETS_SECRET}
+REANA_SECRETS_SECRET='reana-secrets.yaml'
+RAW_REANA_SECRETS_FILE_SECRET=${RAW_SECRETS_TMP_DIR}/${REANA_SECRETS_SECRET}
-# cat ${RAW_REANA_SECRETS_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${REANA_NS} > ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
-# kubectl apply -f ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
+cat ${RAW_REANA_SECRETS_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${REANA_NS} > ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
+kubectl apply -f ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
 echo "END REANA Secret Script"
\ No newline at end of file
diff --git a/infrastructure/secrets/reana/ss_reana-secrets.yaml b/infrastructure/secrets/reana/ss_reana-secrets.yaml
new file mode 100644
index 00000000..6b367302
--- /dev/null
+++ b/infrastructure/secrets/reana/ss_reana-secrets.yaml
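Review bot: The re-enabled `cat ${RAW_REANA_SECRETS_FILE_SECRET} | kubeseal … > ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}` has no guard on its input: if the raw file is missing or unreadable, the `>` redirect has already truncated the committed sealed-secret file before `cat` fails, the pipeline's status is kubeseal's rather than cat's, and whether `kubectl apply` then runs against a broken file depends on `set -e`/`set -o pipefail` in the preamble outside this hunk. Check the input first and let kubeseal read it directly, with every expansion quoted: `[ -r "${RAW_REANA_SECRETS_FILE_SECRET}" ] || { echo "missing ${RAW_REANA_SECRETS_FILE_SECRET}" >&2; exit 1; }` followed by `kubeseal --controller-name="${CONTROLLER_NAME}" --controller-namespace="${CONTROLLER_NS}" --format yaml --namespace="${REANA_NS}" < "${RAW_REANA_SECRETS_FILE_SECRET}" > "${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}"`. The new comment establishes that `REANA_SECRET_KEY` encrypts DB columns, which makes the real hazard a mismatch: whatever value sits in the raw file is sealed and applied with no check that it equals the key the running REANA deployment uses, and a wrong value only surfaces later as columns that no longer decrypt. A comment naming the source of truth would prevent that, e.g. `# must be byte-identical to the REANA_SECRET_KEY the REANA deployment itself was installed with (presumably its Helm release secret) — any other value leaves encrypted DB columns unreadable`.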
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: reana-secrets
+ namespace: reana
+spec:
+ encryptedData:
+ REANA_SECRET_KEY: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: reana-secrets
+ namespace: reana
+ type: Opaque