add reana client, iam-reana sync and secrets secret #296

Merged
merged 1 commit into from
Nov 19, 2024
111 changes: 111 additions & 0 deletions infrastructure/cluster/flux/reana/reana-cronjobs.yaml
@@ -0,0 +1,111 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: iam-reana-sync
namespace: reana
spec:
schedule: "0 1 * * *" # every day at 1 am
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
restartPolicy: OnFailure
containers:
- name: iam-sync
image: ghcr.io/vre-hub/vre-iam-reana-sync:v1.0.0-rc0-35-02757b7 # to be changed to correct version
env:
# needed to poll the iam service
- name: IAM_SERVER
value: "https://iam-escape.cloud.cnaf.infn.it"
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: reana-vre-iam-client
key: client_secret
- name: CLIENT_ID
valueFrom:
secretKeyRef:
name: reana-vre-iam-client
key: client_id
# needed to add users
- name: REANA_ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: reana-admin-access-token
key: ADMIN_ACCESS_TOKEN
# needed for correct DB connection - internals of reana
- name: REANA_SECRET_KEY
valueFrom:
secretKeyRef:
name: reana-secrets
key: REANA_SECRET_KEY
# to connect to DB
- name: REANA_DB_NAME
value: "reana"
- name: REANA_DB_PORT
value: "6600"
- name: REANA_DB_HOST
value: "dbod-vre.cern.ch"
- name: REANA_DB_USERNAME
valueFrom:
secretKeyRef:
name: reana-db
key: user
- name: REANA_DB_PASSWORD
valueFrom:
secretKeyRef:
name: reana-db
key: password
tty: true
imagePullPolicy: Always
command:
- /bin/sh
- -c
- date; echo Hello from iam-reana-sync container;
flask reana-admin user-list --admin-access-token $REANA_ADMIN_TOKEN;
python3 /home/generate_email_list.py;
python3 /home/add_reana_users.py
---
apiVersion: v1
kind: Pod
metadata:
name: reana-client
namespace: reana
spec:
containers:
- name: rucio-client
image: ghcr.io/vre-hub/vre-iam-reana-sync:v1.0.0-rc0-35-02757b7
imagePullPolicy: Always
command: ["sleep","3600"]
env:
# needed to add users
- name: REANA_ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: reana-admin-access-token
key: ADMIN_ACCESS_TOKEN
# needed for correct DB connection - internals of reana
- name: REANA_SECRET_KEY
valueFrom:
secretKeyRef:
name: reana-secrets
key: REANA_SECRET_KEY
# to connect to DB
- name: REANA_DB_NAME
value: "reana"
- name: REANA_DB_PORT
value: "6600"
- name: REANA_DB_HOST
value: "dbod-vre.cern.ch"
- name: REANA_DB_USERNAME
valueFrom:
secretKeyRef:
name: reana-db
key: user
- name: REANA_DB_PASSWORD
valueFrom:
secretKeyRef:
name: reana-db
key: password
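Review bot: the command chain in the iam-sync container joins its steps with `;`, so a failure in `python3 /home/generate_email_list.py` still runs `python3 /home/add_reana_users.py`, and with `restartPolicy: OnFailure` the Job only counts as failed when the last command fails; start the script with `set -e` (or join the steps with `&&`) so a broken email list never reaches the user-creation step. In the same command, `--admin-access-token $REANA_ADMIN_TOKEN` expands the admin token into the process argument list, where anything that can read `/proc` in the pod sees it; the value is already available to the process as an environment variable, so avoid putting it on the command line if the tool accepts it another way. The image tag `v1.0.0-rc0-35-02757b7` carries the comment "to be changed to correct version" and is combined with `imagePullPolicy: Always`; pin the intended release before merging. `tty: true` serves no purpose in a CronJob. The second manifest defines a bare Pod named `reana-client` whose container is named `rucio-client` and runs `sleep 3600` while holding the admin token and the DB password; it has no `restartPolicy`, so it defaults to `Always` and will be recreated every hour indefinitely as a long-lived credential-bearing debug pod under Flux. Either drop it from the cluster path or name it for what it is and document why it needs to exist. Neither pod spec sets `automountServiceAccountToken: false` although nothing here talks to the Kubernetes API, and neither sets resource limits or a `securityContext`.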
15 changes: 8 additions & 7 deletions infrastructure/scripts/reana_secrets.sh
Expand Up @@ -41,15 +41,16 @@ cat ${RAW_REANA_IAM_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME}
kubectl apply -f ${SECRETS_DIR}/ss_${REANA_IAM_ACCOUNT_SECRET}


# echo "Create 'REANA secrets' secret"
# # This secret is unknow for what is used - no doc :harold:
# # Kept commented for the moment
echo "Create 'REANA secrets' secret"
# :harold:
# REANA_SECRET_KEY is used for some security-related things, including the encryption of some DB columns. So if that's not set, the database columns will not be decrypted correctly
# Said in other words, it is a secret needed when interacting with REANA via `--admin-access-token $REANA_ADMIN_TOKEN`

# REANA_SECRETS_SECRET='reana-secrets.yaml'
# RAW_REANA_SECRETS_FILE_SECRET=${RAW_SECRETS_TMP_DIR}/${REANA_SECRETS_SECRET}
REANA_SECRETS_SECRET='reana-secrets.yaml'
RAW_REANA_SECRETS_FILE_SECRET=${RAW_SECRETS_TMP_DIR}/${REANA_SECRETS_SECRET}

# cat ${RAW_REANA_SECRETS_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${REANA_NS} > ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
# kubectl apply -f ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
cat ${RAW_REANA_SECRETS_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${REANA_NS} > ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}
kubectl apply -f ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}


echo "END REANA Secret Script"
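Review bot: the new line `cat ${RAW_REANA_SECRETS_FILE_SECRET} | kubeseal ... > ${SECRETS_DIR}/ss_${REANA_SECRETS_SECRET}` has no guard that the raw file exists; the `>` redirect creates or truncates the sealed-secret file before `cat` runs, so a missing raw file leaves an empty or partial manifest that the following `kubectl apply -f` then tries to apply. Add a check such as `[ -f "${RAW_REANA_SECRETS_FILE_SECRET}" ] || { echo "missing ${RAW_REANA_SECRETS_FILE_SECRET}"; exit 1; }` before the pipeline and quote the variable expansions. The explanatory comment is also internally inconsistent: it first says REANA_SECRET_KEY is used for "the encryption of some DB columns", then "said in other words" equates it with something needed for `--admin-access-token $REANA_ADMIN_TOKEN`; those are two different secrets (the cron job in this PR mounts them from `reana-secrets` and `reana-admin-access-token` respectively), so keep only the first sentence. The bare `# :harold:` line is leftover noise.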
16 changes: 16 additions & 0 deletions infrastructure/secrets/reana/ss_reana-secrets.yaml
@@ -0,0 +1,16 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: reana-secrets
namespace: reana
spec:
encryptedData:
REANA_SECRET_KEY: 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
template:
metadata:
creationTimestamp: null
name: reana-secrets
namespace: reana
type: Opaque
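Review bot: the sealed `REANA_SECRET_KEY` only works if it is the same value the running REANA deployment uses, since the comment added in `reana_secrets.sh` in this PR states the key encrypts DB columns and that "the database columns will not be decrypted correctly" otherwise; a freshly generated value here would make the sync job read unreadable data rather than fail loudly. Record in this file or in the script where the value is taken from, and note that rotating it is not a plain re-seal because existing columns are encrypted under the old key. The name and namespace (`reana-secrets` in `reana`) match the `secretKeyRef` in `reana-cronjobs.yaml`, and with no scope annotation the default strict sealing binds the ciphertext to exactly that name and namespace, so renaming the secret later requires re-sealing.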