Grid proxy #242

Merged
merged 5 commits into from
Mar 31, 2020

alintulu
Member

@alintulu alintulu commented Mar 23, 2020

Sidecar container that creates a proxy certificate when the user specifies proxy: true in reana.yaml. The pem files needed to create the certificate are added to reana secrets as files, and the password is added as an environment variable.

reana-client secrets-add --env VOMSPROXY_PASS= \
                         --file userkey.pem \
                         --file usercert.pem

The security context was previously set on pod level to self.kubernetes_uid (default 1000). To read the pem files inside of reana secrets we need root privileges. Set the security context on container level instead at reana_job_controller/kubernetes_job_manager.py. Set the job container to self.kubernetes_uid and leave the sidecar as root.

closes reanahub/reana#256
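
Added example (not part of the pull request or of REANA's code): a sketch of the container-level security context described above, with a check that only the sidecar resolves to UID 0. The container names, images and helper functions are hypothetical; the default UID 1000 is the one quoted in the description.

```python
# Added illustration; container names and images are hypothetical, not REANA's code.
JOB_UID = 1000  # default quoted on the page for self.kubernetes_uid


def build_pod_spec(job_uid=JOB_UID, voms_proxy=False):
    """Pod spec with the UID set per container instead of on the pod."""
    containers = [{
        "name": "job",
        "image": "example/job:latest",  # placeholder image
        "securityContext": {"runAsUser": job_uid},
    }]
    if voms_proxy:
        containers.append({
            "name": "voms-proxy",
            "image": "example/voms-proxy:latest",  # placeholder image
            # Root only here, so the sidecar can read the secret pem files.
            "securityContext": {"runAsUser": 0},
        })
    # No pod-level securityContext: each container states its own UID.
    return {"containers": containers}


def effective_uid(pod_spec, container):
    """Container-level runAsUser wins over pod-level; None = image default."""
    pod_uid = pod_spec.get("securityContext", {}).get("runAsUser")
    return container.get("securityContext", {}).get("runAsUser", pod_uid)


def unexpected_root(pod_spec, allowed=("voms-proxy",)):
    """Names of containers that may run as root but are not allowed to.

    A container with no effective UID falls back to the image's USER,
    which may be root, so it is reported as well.
    """
    flagged = []
    for c in pod_spec["containers"]:
        uid = effective_uid(pod_spec, c)
        if (uid is None or uid == 0) and c["name"] not in allowed:
            flagged.append(c["name"])
    return flagged


if __name__ == "__main__":
    spec = build_pod_spec(voms_proxy=True)
    for c in spec["containers"]:
        print(c["name"], effective_uid(spec, c))
    print("unexpected root:", unexpected_root(spec))
```
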

@alintulu alintulu force-pushed the grid-proxy branch 2 times, most recently from 4728dd4 to 06ce6ac Compare March 30, 2020 15:47
}
]

proxy_pass = os.environ.get('VOMSPROXY_PASS')
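
Review bot: os.environ.get('VOMSPROXY_PASS') on the last line returns None when the variable is unset, and nothing in the visible lines checks for that. Validate proxy_pass right after this line and fail with a clear message that the secret is missing, so a None password is not carried into the sidecar definition.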
Member

Even if we are inside the function that creates the voms_proxy sidecar, we could use the voms_ prefix wherever we call the variable proxy_xxx, for more clarity, what do you think? i.e. voms_proxy_pass.

Member Author

@alintulu alintulu Mar 30, 2020

Absolutely agree, that's a relic from when the field was just called proxy!

@alintulu alintulu marked this pull request as ready for review March 31, 2020 11:55
alintulu and others added 4 commits March 31, 2020 14:42
kubernetes: add sidecar for proxy

proxy: change field from proxy to voms_proxy

proxy: change env variable of proxy password

kubernetes: change field name from proxy to voms-proxy
* Used to securely read the password and the virtual
  organisation (VO).
@diegodelemos diegodelemos force-pushed the grid-proxy branch 3 times, most recently from 5de0b1a to cf3b991 Compare March 31, 2020 13:00
@diegodelemos diegodelemos merged commit f2d0796 into reanahub:master Mar 31, 2020
@alintulu alintulu deleted the grid-proxy branch April 7, 2020 07:27
Successfully merging this pull request may close these issues.

demo: using grid proxy