feat: use internal tokens for git-clone

leafty · leafty · commit fb8e82a56c22 · 2026-04-27T14:24:45.000Z
diff --git a/components/renku_data_services/notebooks/api/amalthea_patches/git_proxy.py b/components/renku_data_services/notebooks/api/amalthea_patches/git_proxy.py
@@ -27,7 +27,7 @@ async def main_container(
     internal_token_mint: RenkuSelfTokenMint,
 ) -> client.V1Container | None:
     """The patch that adds the git proxy container to a session statefulset."""
-    if not user.is_authenticated or not repositories or user.access_token is None or user.refresh_token is None:
+    if not user.is_authenticated or not repositories or user.access_token is None:
         return None
 
     etc_cert_volume_mount = get_certificates_volume_mounts(
diff --git a/components/renku_data_services/notebooks/api/amalthea_patches/init_containers.py b/components/renku_data_services/notebooks/api/amalthea_patches/init_containers.py
@@ -10,6 +10,7 @@
 
 from kubernetes import client
 
+from renku_data_services.authn.renku import RenkuSelfTokenMint
 from renku_data_services.base_models.core import AnonymousAPIUser, AuthenticatedAPIUser
 from renku_data_services.notebooks.api.amalthea_patches.utils import (
     get_certificates_volume_mounts,
@@ -30,8 +31,10 @@
 
 
 async def git_clone_container_v2(
+    server_name: str,
     user: AuthenticatedAPIUser | AnonymousAPIUser,
     config: NotebooksConfig,
+    internal_token_mint: RenkuSelfTokenMint,
     repositories: list[Repository],
     git_providers: list[GitProvider],
     workspace_mount_path: PurePosixPath,
@@ -52,6 +55,9 @@ async def git_clone_container_v2(
         read_only_etc_certs=True,
     )
 
+    internal_token_scope = f"session:{server_name}"
+    internal_access_token = internal_token_mint.create_access_token(user=user, scope=internal_token_scope)
+
     prefix = "GIT_CLONE_"
     env = [
         {
@@ -68,7 +74,8 @@ async def git_clone_container_v2(
         },
         {
             "name": f"{prefix}USER__RENKU_TOKEN",
-            "value": str(user.access_token),
+            # "value": str(user.access_token),
+            "value": internal_access_token,
         },
         {"name": f"{prefix}IS_GIT_PROXY_ENABLED", "value": "0" if user.is_anonymous else "1"},
         {
diff --git a/components/renku_data_services/notebooks/core_sessions.py b/components/renku_data_services/notebooks/core_sessions.py
@@ -113,7 +113,9 @@
 
 async def get_extra_init_containers(
     nb_config: NotebooksConfig,
+    server_name: str,
     user: AnonymousAPIUser | AuthenticatedAPIUser,
+    internal_token_mint: RenkuSelfTokenMint,
     repositories: list[Repository],
     git_providers: list[GitProvider],
     storage_mount: PurePosixPath,
@@ -127,8 +129,10 @@ async def get_extra_init_containers(
     session_init_containers = [InitContainer.model_validate(sanitizer(cert_init))]
     extra_volumes = [ExtraVolume.model_validate(sanitizer(volume)) for volume in cert_vols]
     git_clone = await init_containers.git_clone_container_v2(
+        server_name=server_name,
         user=user,
         config=nb_config,
+        internal_token_mint=internal_token_mint,
         repositories=repositories,
         git_providers=git_providers,
         workspace_mount_path=storage_mount,
@@ -692,7 +696,7 @@ def get_remote_secret(
     internal_token_mint: RenkuSelfTokenMint,
 ) -> ExtraSecret | None:
     """Returns the secret containing the configuration for the remote session controller."""
-    if not user.is_authenticated or user.access_token is None or user.refresh_token is None:
+    if not user.is_authenticated or user.access_token is None:
         return None
     remote_provider = next(filter(lambda p: p.id == remote_provider_id, git_providers), None)
     if not remote_provider:
@@ -841,12 +845,14 @@ async def start_session(
     # More init containers
     session_extras = session_extras.concat(
         await get_extra_init_containers(
-            nb_config,
-            user,
-            repositories,
-            git_providers,
-            storage_mount,
-            work_dir,
+            nb_config=nb_config,
+            server_name=server_name,
+            user=user,
+            internal_token_mint=internal_token_mint,
+            repositories=repositories,
+            git_providers=git_providers,
+            storage_mount=storage_mount,
+            work_dir=work_dir,
             uid=environment.uid,
             gid=environment.gid,
         )
@@ -1197,12 +1203,14 @@ async def patch_session(
     # More init containers
     session_extras = session_extras.concat(
         await get_extra_init_containers(
-            nb_config,
-            user,
-            repositories,
-            git_providers,
-            storage_mount,
-            work_dir,
+            nb_config=nb_config,
+            server_name=server_name,
+            user=user,
+            internal_token_mint=internal_token_mint,
+            repositories=repositories,
+            git_providers=git_providers,
+            storage_mount=storage_mount,
+            work_dir=work_dir,
             uid=environment.uid,
             gid=environment.gid,
         )
