feat: add secrets to sessions #3591
Conversation
lorenzo-cavazzi
temporarily deployed
to
ci-renku-3591
GitHub Actions
Inactive
* wip: charts for secrets storage * add platform init script * fix init container mount, add helm hook * fix dockerfile * comment secret storage for now * update secrets storage chart * update deploy action * fix secret mount * fix env var name --------- Co-authored-by: Ralf Grubenmann <[email protected]>
Panaetius
had a problem deploying
to
ci-renku-3591
GitHub Actions
Failure
Panaetius
had a problem deploying
to
ci-renku-3591
GitHub Actions
Failure
Panaetius
had a problem deploying
to
ci-renku-3591
GitHub Actions
Failure
Panaetius
had a problem deploying
to
ci-renku-3591
GitHub Actions
Failure
Panaetius
had a problem deploying
to
ci-renku-3591
GitHub Actions
Failure
Panaetius
had a problem deploying
to
ci-renku-3591
GitHub Actions
Failure
Panaetius
had a problem deploying
to
ci-renku-3591
GitHub Actions
Failure
Panaetius
had a problem deploying
to
ci-renku-3591
GitHub Actions
Failure
|
You can access the deployment of this PR at https://ci-renku-3591.dev.renku.ch |
lorenzo-cavazzi
temporarily deployed
to
ci-renku-3591
GitHub Actions
Inactive
lorenzo-cavazzi
temporarily deployed
to
ci-renku-3591
GitHub Actions
Inactive
lorenzo-cavazzi
temporarily deployed
to
ci-renku-3591
GitHub Actions
Inactive
lorenzo-cavazzi
had a problem deploying
to
ci-renku-3591
GitHub Actions
Failure
lorenzo-cavazzi
temporarily deployed
to
ci-renku-3591
GitHub Actions
Inactive
lorenzo-cavazzi
temporarily deployed
to
ci-renku-3591
GitHub Actions
Inactive
| existing_private_key != config.secret_service_private_key | ||
| and config.secret_service_private_key is not None | ||
| ): | ||
| # update private key |
There was a problem hiding this comment.
Can we actually support updating the private key? What happens to all the secrets that are sitting in k8s secrets or in the database that are encrypted with the old key?
Same question for the public key.
There was a problem hiding this comment.
Also I think we should support two cases only:
- Both private and public key are specified in the config and they are proper and valid
- Neither public nor private key are specified in the config, in this case we generate the secret only if the secret does not already exist
Right now we are independently checking for the pivate and public keys and also generating them independently. I think this is too complicated and I dont think anyone would or should be using this option. I.e. provide a public key but let renku generate the private one.
Lastly there is no documentation on what algorithm/standard should be used for the keys. And I assume this matters or it does not? Like RSA, eliptic curve, etc...
There was a problem hiding this comment.
rotating keys is a nice to have that still needs to be handled.
I guess we could also just not require a public key at all and always generate it.
There was a problem hiding this comment.
I guess we could also just not require a public key at all and always generate it.
I think that is fine
rotating keys is a nice to have that still needs to be handled.
For this you would have to have some kind of watch in the secret service to restart it when the secret changes. I dont know how easy it is to implement this though. An easier way is to take the sha256 hash of the secret and make it an environment variable in the secret service. Then when the secret changes the secret service will automatically update. See https://helm.sh/docs/chart_template_guide/function_list/#sha256sum
There was a problem hiding this comment.
And taking the sha256 digest still does not address the issue of how you decrypt already encrypted secrets that may be still lying around. So perhaps it is better to keep this simple in the first implementation and improve this later during cooldown.
lorenzo-cavazzi
temporarily deployed
to
ci-renku-3591
GitHub Actions
Inactive
…ceCenter/renku into build/secrets-in-sessions
* wip: charts for secrets storage * add platform init script * fix init container mount, add helm hook * fix dockerfile * comment secret storage for now * update secrets storage chart * update deploy action * docs: add placeholder page for secrets documentation * wip: charts for secrets storage (#3585) * wip: charts for secrets storage * add platform init script * fix init container mount, add helm hook * fix dockerfile * comment secret storage for now * update secrets storage chart * update deploy action * fix secret mount * fix env var name --------- Co-authored-by: Ralf Grubenmann <[email protected]> * add network policy to allow notebooks access to secrets svc * fix deploy action * add secrets-storage values * fix secrets-storage rbac * add network policy for sidecar to data svc * Update changelog * Address some comments * change secrets generation, remove unneeded secret * remove leftover reference --------- Co-authored-by: Mohammad Alisafaee <[email protected]> Co-authored-by: Ralf Grubenmann <[email protected]>
Feature branch for the build "Secrets in sessions"
https://www.notion.so/Session-Secrets-Build-Team-c6d62656018841109dfe52d831b97f9f
/deploy renku-ui=lorenzo/shape-up-secrets-in-sessions renku-data-services=main renku-gateway=limit-user-secret renku-notebooks=secrets-sidecar extra-values=secretsStorage.encryptionKey=vMqdVXcSIwjwONvGiNE2vjzRjmi8NJ8Y9lTB8m3l/Xg=