feat: add authorization service to Renku Helm chart #3340
Conversation
olevski
had a problem deploying
to
ci-renku-3340
GitHub Actions
Failure
olevski
force-pushed
the
add-authorization-service
branch
from
f62293b to
175e635
Compare
olevski
had a problem deploying
to
ci-renku-3340
GitHub Actions
Failure
olevski
had a problem deploying
to
ci-renku-3340
GitHub Actions
Failure
olevski
force-pushed
the
add-authorization-service
branch
from
2242717 to
6bf20b7
Compare
olevski
force-pushed
the
add-authorization-service
branch
from
2566628 to
1e37b83
Compare
olevski
had a problem deploying
to
ci-renku-3340
GitHub Actions
Failure
olevski
had a problem deploying
to
ci-renku-3340
GitHub Actions
Failure
olevski
force-pushed
the
add-authorization-service
branch
from
1e37b83 to
9bf5f33
Compare
olevski
had a problem deploying
to
ci-renku-3340
GitHub Actions
Failure
olevski
force-pushed
the
add-authorization-service
branch
from
f0daa27 to
364942e
Compare
olevski
had a problem deploying
to
ci-renku-3340
GitHub Actions
Failure
olevski
had a problem deploying
to
ci-renku-3340
GitHub Actions
Failure
|
You can access the deployment of this PR at https://ci-renku-3340.dev.renku.ch |
olevski
force-pushed
the
build-authorization
branch
from
b8627c7 to
0e7f9d2
Compare
| ports: | ||
| - port: 8443 | ||
| targetPort: http | ||
| protocol: TCP | ||
| name: http | ||
| - port: 50051 | ||
| targetPort: grpc | ||
| protocol: TCP | ||
| name: grpc |
There was a problem hiding this comment.
We need a port for the metrics too, as well as the prometheus annotations
There was a problem hiding this comment.
I thought the idea was that you will add all the stuff around logging and monitoring. So I leave this up to you.
There was a problem hiding this comment.
Ok after the discussion in the weekly sync meeting it is clear to me that I will be doing this. So I will do this in a separate followup PR.
| --- | ||
| {{- $db_password := randAlphaNum 64 }} | ||
| {{- $db_password_enc := $db_password | b64enc | quote }} | ||
| {{- $db_conn_uri := (printf "postgres://authz:%s@%s:5432/authz" $db_password (include "postgresql.fullname" .)) | b64enc | quote }} | ||
| {{- $api_key := randAlphaNum 64 | b64enc | quote }} | ||
|
|
||
| {{- $renkuFullname := include "renku.fullname" . -}} | ||
|
|
||
| {{- $secretName := cat $renkuFullname "-authz" | nospace }} | ||
| {{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} | ||
| {{- if $secret }} | ||
| {{- $db_password_enc = index $secret.data "SPICEDB_POSTGRES_PASSWORD" }} | ||
| {{- $db_conn_uri = index $secret.data "SPICEDB_DATASTORE_CONN_URI" }} | ||
| {{- $api_key = index $secret.data "SPICEDB_GRPC_PRESHARED_KEY" }} | ||
| {{- end -}} |
There was a problem hiding this comment.
This doesn't seem to allow for existing postgres credentials to be provided in the values file
There was a problem hiding this comment.
This is similar to the database name. I do not want to allow people to change this. What we accept is a single postgres admin password that can be passed through the values file. Then using this password renku makes different postgres accounts with their own passwords and gives them access to specific hardcoded databases. If I accept this in the values file I also have to add logic and jobs to compare it with a previous value and to then if needed update the database so that everything works.
| - name: AUTHZ_DB_USERNAME | ||
| value: authz | ||
| - name: AUTHZ_DB_NAME | ||
| value: authz |
There was a problem hiding this comment.
We should allow for these values to be set in the values instead of hard coding them. See setup-job-gitlab.yaml
There was a problem hiding this comment.
I dont want anyone to change this. The deployment/app manages this. We do not allow people to change any of the database names we create for the data service as well.
If this is in the values file and it is changed then the deployment will break because no one will be able to access anything since there will be a new blank database without any permissions.
If you look at the setup-job-renku-dbs.yaml file you will see that the DB names for the KG and the data services (we call the db renku) are also all hardcoded.
setup-job-gitlab.yaml is only used for the internal gitlab only. So it is actually never used and it will be removed soon.
helm-chart/renku/values.yaml
Outdated
| autoscaling: | ||
| enabled: false | ||
| minReplicas: 1 | ||
| maxReplicas: 10 |
There was a problem hiding this comment.
This seems quite high. Has this been necessary during testing?
There was a problem hiding this comment.
I have not been able to do any load testing. It is still too early for this because the authorization service is not hooked up to anything in the backend yet. So I cannot do any meaningful load tests. I changed this to 3 and we can revise it further.
But this is also very dependent on each deployment. If the deployment serves 10 people it will need less replicas than something like renkulab.io.
Either way I can do some tests when I implement stuff on the backend and revise this. The autoscaling is also off by default.
This adds Authzed's SpiceDB as an authorization service.
/deploy