feat: add secrets to sessions (#3591)

* wip: charts for secrets storage * add platform init script * fix init container mount, add helm hook * fix dockerfile * comment secret storage for now * update secrets storage chart * update deploy action * docs: add placeholder page for secrets documentation * wip: charts for secrets storage (#3585) * wip: charts for secrets storage * add platform init script * fix init container mount, add helm hook * fix dockerfile * comment secret storage for now * update secrets storage chart * update deploy action * fix secret mount * fix env var name --------- Co-authored-by: Ralf Grubenmann <[email protected]> * add network policy to allow notebooks access to secrets svc * fix deploy action * add secrets-storage values * fix secrets-storage rbac * add network policy for sidecar to data svc * Update changelog * Address some comments * change secrets generation, remove unneeded secret * remove leftover reference --------- Co-authored-by: Mohammad Alisafaee <[email protected]> Co-authored-by: Ralf Grubenmann <[email protected]>
SwissDataScienceCenter · May 27, 2024 · e63d0ad · e63d0ad
1 parent 4c3f1c2
commit e63d0ad
Show file tree

Hide file tree

Showing 18 changed files with 670 additions and 15 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,8 +1,21 @@
 .. _changelog:
 
-0.52.x
+0.52.0
 ------
 
+Renku ``0.52.0`` contains a new secrets-storage service that allows users to store and use secrets in 
+sessions.
+
+
+**🌟 New Features**
+
+- **Data Services**: Added new secrets storage service for managing user session secrets, including
+  new endpoints on data-service to manage these secrets.
+
+Individual Components
+~~~~~~~~~~~~~~~~~~~~~
+
+- `renku-data-services 0.9.0 <https://github.com/SwissDataScienceCenter/renku-data-services/releases/tag/v0.9.0>`_
 
 0.51.1
 ------

diff --git a/chartpress.yaml b/chartpress.yaml
@@ -20,6 +20,7 @@ charts:
       - acceptance-tests
       - scripts/init-realm
       - scripts/init-db
+      - scripts/platform-init
     images:
       tests:
         buildArgs:
@@ -43,3 +44,9 @@ charts:
         valuesPath: initDb.image
         paths:
           - scripts/init-db
+      platform-init:
+        contextPath: scripts/platform-init
+        dockerfilePath: scripts/platform-init/Dockerfile
+        valuesPath: platformInit.image
+        paths:
+          - scripts/platform-init
diff --git a/docs/topic-guides/index.rst b/docs/topic-guides/index.rst
@@ -7,6 +7,6 @@ Topic Guides
    :maxdepth: 2
 
    Sessions <sessions/index>
-   Data <data/index>   
+   Data <data/index>
    Workflows <workflows/index>
    Miscellaneous <miscellaneous/index>
diff --git a/helm-chart/renku/templates/data-service/deployment.yaml b/helm-chart/renku/templates/data-service/deployment.yaml
@@ -66,6 +66,10 @@ spec:
                 secretKeyRef:
                   name: {{ include "renku.fullname" . }}
                   key: dataServiceKeycloakClientSecret
+            - name: ENCRYPTION_KEY_PATH
+              value: /secrets/encryptionKey/encryptionKey
+            - name: SECRETS_SERVICE_PUBLIC_KEY_PATH
+              value: /secrets/publicKey/publicKey
             - name: SERVER_DEFAULTS
               value: /etc/renku-data-service/server_options/server_defaults.json
             - name: SERVER_OPTIONS
@@ -103,6 +107,12 @@ spec:
           volumeMounts:
             - name: server-options
               mountPath: /etc/renku-data-service/server_options
+            - mountPath: "/secrets/encryptionKey"
+              name: encryption-key
+              readOnly: true
+            - mountPath: "/secrets/publicKey"
+              name: secret-service-public-key
+              readOnly: true
             {{- include "certificates.volumeMounts.system" . | nindent 12 }}
           livenessProbe:
             httpGet:
@@ -142,5 +152,17 @@ spec:
         - name: server-options
           configMap:
             name: {{ template "renku.fullname" . }}-server-options
+        - name: encryption-key
+          secret:
+            secretName: {{ template "renku.fullname" . }}-secrets-storage
+            items:
+            - key: encryptionKey
+              path: encryptionKey
+        - name: secret-service-public-key
+          secret:
+            secretName: {{ template "renku.fullname" . }}-secret-service-public-key
+            items:
+            - key: publicKey
+              path: publicKey
         {{- include "certificates.volumes" . | nindent 8 }}
       serviceAccountName: {{ template "renku.fullname" . }}-data-service
diff --git a/helm-chart/renku/templates/notebooks/network-policy.yaml b/helm-chart/renku/templates/notebooks/network-policy.yaml
@@ -93,3 +93,12 @@ spec:
           - 10.0.0.0/8
           - 172.16.0.0/12
           - 192.168.0.0/16
+    - to:
+      # Allow access to data service
+        - podSelector:
+            matchLabels:
+              app: renku-data-service
+      ports:
+        - port: http
+          protocol: TCP
+
diff --git a/helm-chart/renku/templates/notebooks/statefulset.yaml b/helm-chart/renku/templates/notebooks/statefulset.yaml
@@ -184,6 +184,10 @@ spec:
               value: {{ .Values.notebooks.dummyStores | quote }}
             - name: NB_DATA_SERVICE_URL
               value: {{ printf "http://%s-data-service/api/data" .Release.Name}}
+            - name: NB_USER_SECRETS__SECRETS_STORAGE_SERVICE_URL
+              value: {{ printf "http://%s-secrets-storage" .Release.Name}}
+            - name: NB_USER_SECRETS__IMAGE
+              value: "{{ .Values.notebooks.secretsMount.image.repository}}:{{.Values.notebooks.secretsMount.image.tag}}"
           ports:
             - name: http
               containerPort: 8000

diff --git a/helm-chart/renku/templates/secrets-storage/deployment.yaml b/helm-chart/renku/templates/secrets-storage/deployment.yaml
@@ -0,0 +1,110 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "renku.fullname" . }}-secrets-storage
+  labels:
+    app: renku-secrets-storage
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  {{- if not .Values.secretsStorage.autoscaling.enabled }}
+  replicas: {{ .Values.secretsStorage.replicaCount }}
+  {{- end }}
+  strategy: 
+    {{- toYaml .Values.secretsStorage.updateStrategy | nindent 4 }}
+  selector:
+    matchLabels:
+      app: renku-secrets-storage
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: renku-secrets-storage
+        release: {{ .Release.Name }}
+      {{- with .Values.secretsStorage.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      automountServiceAccountToken: {{ .Values.global.debug }}
+      initContainers:
+        {{- include "certificates.initContainer" . | nindent 8 }}
+      containers:
+        - name: secrets-storage
+          image: "{{ .Values.secretsStorage.image.repository }}:{{ .Values.secretsStorage.image.tag }}"
+          imagePullPolicy: {{ .Values.secretsStorage.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: VERSION
+              value: {{ .Values.secretsStorage.image.tag | quote }}
+            - name: DB_HOST
+              value: {{ template "postgresql.fullname" . }}
+            - name: DB_USER
+              value: {{ .Values.global.db.common.username }}
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.global.db.common.passwordSecretName }}
+                  key: password
+            - name: KEYCLOAK_URL
+              value: {{ (printf "%s://%s/auth/" (include "renku.http" .) .Values.global.renku.domain) | quote }}
+            - name: KEYCLOAK_TOKEN_SIGNATURE_ALGS
+              value: "RS256"
+            - name: KEYCLOAK_CLIENT_ID
+              value: {{ include "renku.dataService.keycloak.clientId" . | quote }}
+            - name: KEYCLOAK_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "renku.fullname" . }}
+                  key: dataServiceKeycloakClientSecret
+            - name: SECRETS_SERVICE_PRIVATE_KEY_PATH
+              value: /secrets/privateKey/privateKey
+            {{- include "certificates.env.python" $ | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /api/secrets/version
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            failureThreshold: 6
+          readinessProbe:
+            httpGet:
+              path: /api/secrets/version
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 2
+            failureThreshold: 2
+          startupProbe:
+            httpGet:
+              path: /api/secrets/version
+              port: http
+            periodSeconds: 5
+            failureThreshold: 60
+          resources:
+            {{ toYaml .Values.secretsStorage.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: "/secrets/privateKey"
+              name: secret-service-private-key
+              readOnly: true
+            {{- include "certificates.volumeMounts.system" . | nindent 12 }}
+      volumes:
+        - name: secret-service-private-key
+          secret:
+            secretName: {{ template "renku.fullname" . }}-secret-service-private-key
+            items:
+            - key: privateKey
+              path: privateKey
+        {{- include "certificates.volumes" . | nindent 8 }}
+    {{- with .Values.secretsStorage.nodeSelector }}
+      nodeSelector:
+        {{ toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ template "renku.fullname" . }}-secrets-storage
diff --git a/helm-chart/renku/templates/secrets-storage/hpa.yaml b/helm-chart/renku/templates/secrets-storage/hpa.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.secretsStorage.autoscaling.enabled }}
+{{- if semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: autoscaling/v2
+{{- else -}}
+apiVersion: autoscaling/v2beta2
+{{- end }}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ template "renku.fullname" . }}-secrets-storage
+  labels:
+    app: renku-secrets-storage
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ template "renku.fullname" . }}-secrets-storage
+  minReplicas: {{ .Values.secretsStorage.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.secretsStorage.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.secretsStorage.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.secretsStorage.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.secretsStorage.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.secretsStorage.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
diff --git a/helm-chart/renku/templates/secrets-storage/network-policy.yaml b/helm-chart/renku/templates/secrets-storage/network-policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "renku.fullname" . }}-secrets-storage
+spec:
+  podSelector:
+    matchLabels:
+      app: {{ template "renku.fullname" . }}-secrets-storage
+      release: {{ .Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        # Only allow ingress to secrets storage from notebooks
+        - podSelector:
+            matchLabels:
+              app: {{ template "renku.notebooks.name" . }}
+              release: {{ .Release.Name }}
+      ports:
+        - protocol: TCP
+          port: http
+
diff --git a/helm-chart/renku/templates/secrets-storage/pdb.yaml b/helm-chart/renku/templates/secrets-storage/pdb.yaml
@@ -0,0 +1,17 @@
+{{- if or (gt (int .Values.secretsStorage.replicaCount) 1) (and .Values.secretsStorage.autoscaling.enabled (gt (int .Values.secretsStorage.autoscaling.minReplicas) 1)) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ template "renku.fullname" . }}-secrets-storage
+  labels:
+    app: renku-secrets-storage
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  minAvailable: 50%
+  selector:
+    matchLabels:
+      app: renku-secrets-storage
+      release: {{ .Release.Name }}
+{{- end }}
diff --git a/helm-chart/renku/templates/secrets-storage/rbac.yaml b/helm-chart/renku/templates/secrets-storage/rbac.yaml
@@ -0,0 +1,54 @@
+{{- $namespaces := list -}}
+{{ if .Values.notebooks.sessionsNamespace }}
+{{- $namespaces = list .Release.Namespace .Values.notebooks.sessionsNamespace | uniq -}}
+{{ else }}
+{{- $namespaces = list .Release.Namespace -}}
+{{ end }}
+{{ range $namespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "renku.fullname" $ }}-secrets-storage
+  namespace: {{ . }}
+  labels:
+    app: {{ template "renku.name" $ }}
+    chart: {{ template "renku.chart" $ }}
+    release: {{ $.Release.Name }}
+    heritage: {{ $.Release.Service }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "renku.fullname" $ }}-secrets-storage
+  labels:
+    app: {{ template "renku.name" $ }}
+    chart: {{ template "renku.chart" $ }}
+    release: {{ $.Release.Name }}
+    heritage: {{ $.Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "renku.fullname" $ }}-secrets-storage
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "renku.fullname" $ }}-secrets-storage
+    namespace: {{ $.Release.Namespace }}
+{{ end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "renku.fullname" . }}-secrets-storage
+  labels:
+    app: {{ template "renku.name" . }}
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
diff --git a/helm-chart/renku/templates/secrets-storage/service.yaml b/helm-chart/renku/templates/secrets-storage/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "renku.fullname" . }}-secrets-storage
+  labels:
+    app: renku-secrets-storage
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  type: {{ .Values.secretsStorage.service.type }}
+  ports:
+    - port: {{ .Values.secretsStorage.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app: {{ template "renku.name" . }}-secrets-storage
+    release: {{ .Release.Name }}