
Commit e540fa9

leaftyRenkuBotaledeganodependabot[bot]lorenzo-cavazzi
authored
feat: use self-minted tokens for sessions and migrate resource pool checks to authz (#4419)
Add new internal features to Renku, including: * refactor access and refresh token handling in the backend, use internal tokens for sessions * migrate resource pool authorization checks to authz Note for @SwissDataScienceCenter/yat: the next release will need sessions to be paused during the upgrade. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Renku Bot <renku@datascience.ch> Co-authored-by: Alessandro Degano <a.degano@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Lorenzo Cavazzi <43481553+lorenzo-cavazzi@users.noreply.github.com> Co-authored-by: Tasko Olevski <16360283+olevski@users.noreply.github.com> Co-authored-by: Lorenzo <lorenzo.cavazzi.tech@gmail.com> Co-authored-by: Salim Kayal <salim.kayal@idiap.ch>
1 parent 71113ce commit e540fa9

5 files changed

Lines changed: 77 additions & 8 deletions


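--- a/helm-chart/renku/requirements.yaml
+++ b/helm-chart/renku/requirements.yaml
@@ -13,7 +13,7 @@ dependencies:
 condition: redis.install
 - name: amalthea-sessions
 repository: "https://swissdatasciencecenter.github.io/helm-charts/"
-version: "0.27.2"
+version: "0.28.0"
 - name: dlf-chart
 repository: "https://swissdatasciencecenter.github.io/datashim/"
 version: "0.3.9-renku-2"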

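--- a/helm-chart/renku/templates/data-service/deployment.yaml
+++ b/helm-chart/renku/templates/data-service/deployment.yaml
@@ -75,6 +75,8 @@ spec:
 value: /secrets/encryptionKey/encryptionKey
 - name: SECRETS_SERVICE_PUBLIC_KEY_PATH
 value: /secrets/publicKey/publicKey
+- name: INTERNAL_AUTHN_SECRET_KEY_PATH
+value: /secrets/internalSecretKey/secretKey
 - name: K8S_NAMESPACE
 value: {{ .Release.Namespace | quote }}
 - name: MAX_PINNED_PROJECTS
@@ -215,6 +217,9 @@ spec:
 - mountPath: "/secrets/publicKey"
 name: secret-service-public-key
 readOnly: true
+- mountPath: "/secrets/internalSecretKey"
+name: internal-authn-key
+readOnly: true
 {{- if .Values.dataService.remoteClustersKubeconfigSecretName }}
 - name: remote-cluster-kubeconfigs
 mountPath: "/secrets/kube_configs"
@@ -271,6 +276,12 @@ spec:
 items:
 - key: publicKey
 path: publicKey
+- name: internal-authn-key
+secret:
+secretName: {{ template "renku.fullname" . }}-internal-authn
+items:
+- key: secretKey
+path: secretKey
 {{- if .Values.dataService.remoteClustersKubeconfigSecretName }}
 - name: remote-cluster-kubeconfigs
 secret: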
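Review bot: The `internal-authn-key` secret volume in the last hunk sets no `defaultMode`, so the symmetric signing key is projected with the Kubernetes default of 0644 and is readable by every uid inside the container rather than only the one the data service runs as; add `defaultMode: 0400` (0440 if the pod sets `fsGroup`) under `secret:` next to `secretName: {{ template "renku.fullname" . }}-internal-authn`. The volume is not `optional`, so the pod will not schedule until platform-init has created `…-internal-authn`; that is the right fail-closed behaviour for a signing key, but the upgrade note in the description should say the init job must run before the data-service rollout. Mounting the key as a file rather than an env var, as the new `INTERNAL_AUTHN_SECRET_KEY_PATH` does, is the right choice.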

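--- a/helm-chart/renku/templates/data-service/deployment_k8s_watcher.yaml
+++ b/helm-chart/renku/templates/data-service/deployment_k8s_watcher.yaml
@@ -69,6 +69,15 @@ spec:
 value: {{ .Values.dataService.k8sWatcher.sentry.environment | quote }}
 - name: SENTRY_SAMPLE_RATE
 value: {{ .Values.dataService.k8sWatcher.sentry.sampleRate | quote }}
+- name: AUTHZ_DB_HOST
+value: {{ include "renku.fullname" . }}-authz
+- name: AUTHZ_DB_KEY
+valueFrom:
+secretKeyRef:
+name: {{ template "renku.fullname" . }}-authz
+key: SPICEDB_GRPC_PRESHARED_KEY
+- name: AUTHZ_DB_GRPC_PORT
+value: "50051"
 {{- if .Values.dataService.remoteClustersKubeconfigSecretName }}
 - name: K8S_CONFIGS_ROOT
 value: "/secrets/kube_configs"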
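Review bot: `AUTHZ_DB_KEY` hands the SpiceDB preshared key to the watcher as an environment variable, whereas the data-service deployment in this same commit mounts its keys as files under `/secrets/...`; an env var is readable from `/proc/<pid>/environ`, is inherited by any subprocess the watcher spawns, and is captured by anything that dumps the process environment for diagnostics. If the watcher can read the key from a path (not visible here), mount the `…-authz` secret with `readOnly: true` and a restrictive `defaultMode` and point it at that file, matching the `INTERNAL_AUTHN_SECRET_KEY_PATH` pattern. The hard-coded `"50051"` is fine as a default but a `{{ .Values... }}` indirection would keep it in step with whatever port the authz service template uses.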

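--- a/helm-chart/renku/values.yaml
+++ b/helm-chart/renku/values.yaml
@@ -14,6 +14,7 @@ global:
 # secretServicePrivateKey: ... RSA Private Key in PKCS8 PEM format (`ssh-keygen -m PKCS8 -t rsa -b 4096`)
 # secretServicePreviousPrivateKey: ... Previous Private key in PEM format, only set this when rotating keys
 # dataServiceEncryptionKey: 32 byte random string
+# dataServiceInternalAuthnKey: 64 byte random string
 gitlab:
 ## Name of the postgres database to be used by Gitlab
 postgresDatabase: gitlabhq_production
@@ -992,7 +993,7 @@ notebooks:
 gitHttpsProxy:
 image:
 name: renku/sidecars
-tag: 0.26.2
+tag: "0.28.0"
 args: ["gitproxy", "proxy"]
 port: 65480
 healthPort: 65481
@@ -1091,7 +1092,7 @@ gateway:
 secretKey:
 image:
 repository: renku/renku-gateway
-tag: "1.9.0"
+tag: "1.10.0"
 pullPolicy: IfNotPresent
 service:
 type: ClusterIP
@@ -1183,12 +1184,12 @@ dataService:
 existingPriorityClass: ""
 image:
 repository: renku/renku-data-service
-tag: "0.72.2"
+tag: "0.73.0"
 pullPolicy: IfNotPresent
 k8sWatcher:
 image:
 repository: renku/data-service-k8s-watcher
-tag: "0.72.2"
+tag: "0.73.0"
 pullPolicy: IfNotPresent
 resources: {}
 sentry:
@@ -1199,7 +1200,7 @@ dataService:
 dataTasks:
 image:
 repository: renku/data-service-data-tasks
-tag: "0.72.2"
+tag: "0.73.0"
 pullPolicy: IfNotPresent
 resources: {}
 enableResourceRequestTracking: false
@@ -1330,7 +1331,7 @@ authz:
 secretsStorage:
 image:
 repository: renku/secrets-storage
-tag: "0.72.2"
+tag: "0.73.0"
 pullPolicy: IfNotPresent
 service:
 type: ClusterIP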
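Review bot: The new comment `# dataServiceInternalAuthnKey: 64 byte random string` does not describe what platform-init actually does with the value: an operator-supplied string is stored verbatim, while the generated default is `urlsafe_b64encode` of 64 random bytes, i.e. an 88-character ASCII string, so someone following the comment literally ends up with a differently shaped key than the default. State the expected format, for example `# dataServiceInternalAuthnKey: random string used as the symmetric signing key for internal session tokens; generated (urlsafe base64 of 64 random bytes) when unset`. Whether the data service decodes the key or uses the raw bytes is not visible here, so confirm against the service before settling the wording.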

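--- a/scripts/platform-init/platform-init.py
+++ b/scripts/platform-init/platform-init.py
@@ -1,6 +1,7 @@
-from base64 import b64decode, b64encode
+from base64 import b64decode, b64encode, urlsafe_b64encode
 import yaml
 import logging
+import random
 from typing import cast
 from kubernetes import client as k8s_client, config as k8s_config
 from dataclasses import dataclass, field
@@ -23,6 +24,7 @@ class Config:
 secret_service_private_key: str | None = field(repr=False)
 encryption_key: str | None = field(repr=False)
 previous_secret_service_private_key: str | None = field(repr=False)
+internal_authn_secret_key : str | None = field(repr=False)
 
 @classmethod
 def from_env(cls):
@@ -40,6 +42,7 @@ def from_env(cls):
 ),
 secret_service_private_key_secret_name=f"{renku_fullname}-secret-service-private-key",
 secret_service_public_key_secret_name=f"{renku_fullname}-secret-service-public-key",
+internal_authn_secret_key=config_map.get("dataServiceInternalAuthnKey"),
 )
 
 
@@ -257,6 +260,50 @@ def init_secret_and_data_service_encryption(config: Config):
 ),
 )
 
+def init_data_service_internal_authentication_secret_key(config: Config):
+"""Initialize symmetric signing key for internal authentication in data service."""
+logging.info("Initializing data service internal secret key")
+v1 = k8s_client.CoreV1Api()
+
+internal_secret_key = f"{config.renku_fullname}-internal-authn"
+internal_secret_key_name = "secretKey"
+existing_internal_secret_key = _get_k8s_secret(
+config.k8s_namespace, internal_secret_key, internal_secret_key_name
+)
+
+if existing_internal_secret_key is None and config.internal_authn_secret_key is None:
+# generate a random string
+rand = random.SystemRandom()
+key = urlsafe_b64encode (rand.randbytes(64))
+v1.create_namespaced_secret(
+config.k8s_namespace,
+k8s_client.V1Secret(
+api_version="v1",
+data={internal_secret_key_name: b64encode(key).decode()},
+kind="Secret",
+metadata={
+"name": internal_secret_key,
+"namespace": config.k8s_namespace,
+},
+type="Opaque",
+),
+)
+elif existing_internal_secret_key is None and config.internal_authn_secret_key is not None:
+key = config.internal_authn_secret_key.encode()
+v1.create_namespaced_secret(
+config.k8s_namespace,
+k8s_client.V1Secret(
+api_version="v1",
+data={internal_secret_key_name: b64encode(key).decode()},
+kind="Secret",
+metadata={
+"name": internal_secret_key,
+"namespace": config.k8s_namespace,
+},
+type="Opaque",
+),
+)
+
 
 def main():
 config = Config.from_env()
@@ -265,6 +312,7 @@ def main():
 logging.info("Initializing Renku platform")
 set_secret_service_secrets(config)
 init_secret_and_data_service_encryption(config)
+init_data_service_internal_authentication_secret_key(config)
 
 
 if __name__ == "__main__":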
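Review bot: An empty `dataServiceInternalAuthnKey` value passes the `is not None` test in the `elif` branch of `init_data_service_internal_authentication_secret_key` and is written verbatim as the signing key, because nothing validates the operator-supplied string before `config.internal_authn_secret_key.encode()`; test truthiness (`if config.internal_authn_secret_key:`) and either fail or fall through to generation, so an unset-but-present value can never yield an empty key. When the secret already exists a supplied value is silently dropped, which should at least be logged so a rotation attempt is not mistaken for success. `secrets.token_bytes(64)` states the intent more directly than `random.SystemRandom().randbytes(64)` (which also needs Python 3.9+) and would replace `import random` with `import secrets`; the two `create_namespaced_secret` calls differ only in `key` and collapse into one, and `urlsafe_b64encode (` / `internal_authn_secret_key :` have stray spaces that a formatter would remove. Note the generated key is an 88-character urlsafe-base64 string while a supplied one is stored as given, so the two branches do not produce the same shape of key.

```python
def init_data_service_internal_authentication_secret_key(config: Config):
    """Initialize symmetric signing key for internal authentication in data service."""
    # … unchanged: logging, CoreV1Api, secret name/key lookup …
    if existing_internal_secret_key is not None:
        if config.internal_authn_secret_key:
            logging.warning("Secret %s already exists; ignoring dataServiceInternalAuthnKey", internal_secret_key)
        return
    if config.internal_authn_secret_key:
        key = config.internal_authn_secret_key.encode()
    else:
        # generate a random key; an empty supplied value also lands here
        key = urlsafe_b64encode(secrets.token_bytes(64))
    v1.create_namespaced_secret(
        config.k8s_namespace,
        k8s_client.V1Secret(
            api_version="v1",
            data={internal_secret_key_name: b64encode(key).decode()},
            kind="Secret",
            metadata={"name": internal_secret_key, "namespace": config.k8s_namespace},
            type="Opaque",
        ),
    )
```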
