SS testing and conditional SS update on make deploy

.gitignore

@@ -13,3 +13,8 @@ _sample-*/
 credentials-templates/
 fence-config.yaml
 user.yaml
+
+# ohsu
+venv/
+.SSToken.*
+Secrets-local/

Makefile

@@ -97,7 +97,7 @@ deploy: check-context check-secrets check-venv
 	@read -p "Deploy $(DEPLOY)? [y/N]: " sure && \
 		case "$$sure" in \
 			[yY]) true;; \
-			*) false;; \
+			*) echo "exiting..." && false;; \
 		esac
 
 	@echo "Deploying $(DEPLOY)"
@@ -106,9 +106,12 @@ deploy: check-context check-secrets check-venv
 		-f Secrets/user.yaml \
 		-f Secrets/fence-config.yaml \
 		-f Secrets/TLS/gen3-certs.yaml
-
-
-	$(VENV)/bin/python $(SCRIPT) post $(DEPLOY);
+
+	@read -p "Update Secret Server secrets for $(DEPLOY)? [y/N]: " sure && \
+		case "$$sure" in \
+			[yY]) $(VENV)/bin/python $(SCRIPT) post $(DEPLOY);; \
+			*) echo "secrets were not updated in SS";; \
+		esac
 
 ENV :=
 VENV := venv

SSClient.py

@@ -34,7 +34,8 @@ def cli():
 class CustomHttpAdapter (requests.adapters.HTTPAdapter):
     """Python 3.12 uses openSSL v3 which doesn't allow for
         unsafe legacy renegotiation. Secretserver endpoint is
-        making me have to use unsafe legacy renegotiation"""
+        making me have to use unsafe legacy renegotiation
+        see https://stackoverflow.com/questions/71603314/ssl-error-unsafe-legacy-renegotiation-disabled/73519818#73519818"""
 
     def __init__(self, ssl_context=None, **kwargs):
         self.ssl_context = ssl_context
@@ -243,7 +244,6 @@ def _update_secret(env: str, username: str, password: str, id: int, otp: int):
                                data={'fileName': f"{env_dir}.zip"},
                                headers=headers, files=files)
 
-        print(response.content)
         response.raise_for_status()
     except requests.exceptions.RequestException as e:
         response_body = e.response.json() if e.response else None
@@ -301,14 +301,18 @@ def _get_token(username: str, password: str, otp: int) -> str:
     except requests.exceptions.RequestException as e:
         response_body = e.response.json() if e.response else None
         error_message = response_body.get("error") if response_body else str(e)
-        if "Failed to resolve 'secretserver.ohsu.edu'" in str(e):
+
+        if "Failed to resolve 'secretserver.ohsu.edu'" in error_message:
             print("You must be connected to the secure network in order to access secretserver.ohsu.edu")
-            exit(1)
-        elif "400 Client Error: Bad Request for url: https://secretserver.ohsu.edu/secretserver/oauth2/token" in str(e):
+        elif "400 Client Error: Bad Request for url: https://secretserver.ohsu.edu/secretserver/oauth2/token" in error_message:
             print("Invalid login credentials.")
+        elif "403" in error_message:
+            print(error_message)
+            print("User either does not have access or has had too many failed attempts")
         else:
             print(f"ERROR: {error_message}")
-            exit(1)
+
+        exit(1)
 
 
 if __name__ == '__main__':

helm/etl-pod/values.yaml

@@ -29,7 +29,7 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
-serviceAccount: 
+serviceAccount:
   # Specifies whether a service account should be created
   create: true
   # Annotations to add to the service account
@@ -71,13 +71,13 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-resources: 
-   limits:
-     cpu: 1.0
-     memory: 1Gi
-   requests:
-     cpu: 0.2
-     memory: 256Mi
+resources:
+  limits:
+    cpu: 1.0
+    memory: 1Gi
+  requests:
+    cpu: 0.2
+    memory: 256Mi
 
 autoscaling:
   enabled: false

helm/gen3/values.yaml

@@ -4,7 +4,7 @@
 
 # Global configuration
 global:
-  
+
   # -- (map) AWS configuration
   dbRestoreBucket: aced-development
   dbRestorePath: meta_graph_load.py