fix: add user secret key when using saved secrets #519

Merged
merged 1 commit into from
Nov 8, 2024


olevski
Member

@olevski olevski commented Nov 8, 2024

/deploy renku=feat-jupyter-free-sessions amalthea-sessions=main renku-ui=andrea/jupyter-free-build renku-gateway=master extra-values=amalthea-sessions.deployCrd=false

@olevski olevski requested a review from a team as a code owner November 8, 2024 01:26
@olevski
Member Author

olevski commented Nov 8, 2024

@RenkuBot
Contributor

RenkuBot commented Nov 8, 2024

You can access the deployment of this PR at https://renku-ci-ds-519.dev.renku.ch

@leafty
Member

leafty commented Nov 8, 2024

Note: for user secrets, we inject the data service API URL along with the user's Renku token to decrypt the secrets and not the cipher key directly. Should this approach be used for data connector secrets as well?

The init user secrets container then grabs the key from the internal API endpoint.

Contributor

@m-alisafaee m-alisafaee left a comment

Thanks Tasko!

Base automatically changed from reapply-missing-pr-504 to release-amaltheas-migration November 8, 2024 14:33
@olevski
Member Author

olevski commented Nov 8, 2024

> Note: for user secrets, we inject the data service API URL along with the user's Renku token to decrypt the secrets and not the cipher key directly. Should this approach be used for data connector secrets as well?
>
> The init user secrets container then grabs the key from the internal API endpoint.

@leafty for the data connectors I followed the same thing we do right now in the renku repo. There we add the decryption key in the secret that contains the configuration. And the csi rclone finishes the decryption of the saved secret.

We cannot use an init container because the pod cannot start at all (including the init containers) until the volumes are mounted. And the volume (i.e. data connector) cannot be mounted until rclone has the fully decrypted secret in order to do the mounting. So we cannot use an init container to decrypt the data connector secrets.

@olevski olevski merged commit 43cd25b into release-amaltheas-migration Nov 8, 2024
13 of 16 checks passed
@olevski olevski deleted the fix-missing-secret-key branch November 8, 2024 15:12
@RenkuBot
Contributor

RenkuBot commented Nov 8, 2024

Tearing down the temporary RenkuLab deployment for this PR.

4 participants