From be1207630b9cb6c694139d458cd3ea545747b95f Mon Sep 17 00:00:00 2001 From: Marco Donadoni Date: Thu, 23 May 2024 12:25:39 +0200 Subject: [PATCH 1/4] feat(helm): support password-protected redis (#847) REANA can now connect to password-protected Redis instances. --- helm/reana/README.md | 1 + helm/reana/templates/reana-cache.yaml | 9 +++++++++ helm/reana/templates/reana-server.yaml | 5 +++++ helm/reana/templates/secrets.yaml | 11 +++++++++++ helm/reana/values.yaml | 1 + 5 files changed, 27 insertions(+) diff --git a/helm/reana/README.md b/helm/reana/README.md index 0786f189..b7224126 100644 --- a/helm/reana/README.md +++ b/helm/reana/README.md @@ -98,6 +98,7 @@ This Helm automatically prefixes all names using the release name to avoid colli | `reana_hostname` | REANA hostname (e.g. reana.example.org) | None | | `namespace_runtime` | Namespace in which the REANA runtime pods (workflow engines, jobs etc...) will run | `.Release.Namespace` | | `naming_scheme` | REANA component naming scheme | None | +| `secrets.cache.password` | **[Do not use in production, use secrets instead]** Cache (Redis) password | None | | `secrets.cern.sso.CERN_CONSUMER_KEY` | CERN SSO consumer key | None | | `secrets.cern.sso.CERN_CONSUMER_SECRET` | **[Do not use in production, use secrets instead]** CERN SSO consumer secret | None | | `secrets.database.password` | **[Do not use in production, use secrets instead]** PostgreSQL database password | None | diff --git a/helm/reana/templates/reana-cache.yaml b/helm/reana/templates/reana-cache.yaml index 1f3fb8e2..4e79055a 100644 --- a/helm/reana/templates/reana-cache.yaml +++ b/helm/reana/templates/reana-cache.yaml 
@@ -31,6 +31,15 @@ spec: containers: - name: cache image: docker.io/library/redis:5.0.5 + env: + - name: REANA_CACHE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-cache-secrets + key: password + args: + - "--requirepass" + - "$(REANA_CACHE_PASSWORD)" ports: - containerPort: 6379 {{- if .Values.node_label_infrastructure }} diff --git a/helm/reana/templates/reana-server.yaml b/helm/reana/templates/reana-server.yaml index 82d4449e..422a0da3 100644 --- a/helm/reana/templates/reana-server.yaml +++ b/helm/reana/templates/reana-server.yaml @@ -151,6 +151,11 @@ spec: secretKeyRef: name: {{ include "reana.prefix" . }}-secrets key: REANA_SECRET_KEY + - name: REANA_CACHE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-cache-secrets + key: password {{- if .Values.debug.enabled }} # Disable CORS in development environment, for example # to connect from an external React application. diff --git a/helm/reana/templates/secrets.yaml b/helm/reana/templates/secrets.yaml index 2e165571..6c5be07d 100644 --- a/helm/reana/templates/secrets.yaml +++ b/helm/reana/templates/secrets.yaml @@ -13,6 +13,17 @@ data: --- apiVersion: v1 kind: Secret +metadata: + name: {{ include "reana.prefix" . }}-cache-secrets + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/resource-policy": keep +type: Opaque +data: + password: {{ .Values.secrets.cache.password | default "" | b64enc | quote }} +--- +apiVersion: v1 +kind: Secret metadata: name: {{ include "reana.prefix" . }}-cern-sso-secrets namespace: {{ .Release.Namespace }} diff --git a/helm/reana/values.yaml b/helm/reana/values.yaml index 219f2cff..0697b8ec 100644 --- a/helm/reana/values.yaml +++ b/helm/reana/values.yaml @@ -49,6 +49,7 @@ infrastructure_storage: {} secrets: database: {} + cache: {} gitlab: {} cern: sso: {} From 20a0ea8fcf854c74a508f0b415c066a9912fbe34 Mon Sep 17 00:00:00 2001 
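Review bot: The `--requirepass "$(REANA_CACHE_PASSWORD)"` args entry in the cache container places the Redis password in the container's argv once kubelet expands the `$(...)` reference, so it is readable from the node's process list for the life of the pod, whereas the Secret-backed env var on the lines above is not. Redis also treats an empty `requirepass` as "no authentication", and the secrets.yaml hunk in this same patch renders `password` with `default ""`, so a release where `secrets.cache.password` is forgotten comes up as an unauthenticated cache with no error at install time. A safer shape is to render `requirepass` into a config file mounted from the Secret and start Redis with that file, or at minimum fail the render: `password: {{ required "secrets.cache.password must be set" .Values.secrets.cache.password | b64enc | quote }}`. The container spec continues outside this hunk.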
From: Marco Donadoni Date: Thu, 23 May 2024 15:14:46 +0200 Subject: [PATCH 2/4] feat(helm): support password-protected rabbitmq (#847) --- helm/reana/README.md | 2 ++ .../reana/templates/reana-message-broker.yaml | 15 ++++++++++++++ helm/reana/templates/reana-server.yaml | 20 +++++++++++++++++++ .../templates/reana-workflow-controller.yaml | 20 +++++++++++++++++++ helm/reana/templates/secrets.yaml | 12 +++++++++++ helm/reana/values.yaml | 1 + 6 files changed, 70 insertions(+) diff --git a/helm/reana/README.md b/helm/reana/README.md index b7224126..0697a532 100644 --- a/helm/reana/README.md +++ b/helm/reana/README.md @@ -107,6 +107,8 @@ This Helm automatically prefixes all names using the release name to avoid colli | `secrets.gitlab.REANA_GITLAB_OAUTH_APP_ID` | GitLab OAuth application id | None | | `secrets.gitlab.REANA_GITLAB_OAUTH_APP_SECRET` | **[Do not use in production, use secrets instead]** GitLab OAuth application secret | None | | `secrets.login` | **[Do not use in production, use secrets instead]** Third-party Keycloak identity provider consumer key and secret ([configuration details](https://docs.reana.io/administration/configuration/configuring-access/#keycloak-single-sign-on-configuration)) | `{}` | +| `secrets.message_broker.user` | Message broker (RabbitMQ) username. | test | +| `secrets.message_broker.password` | **[Do not use in production, use secrets instead]** Message broker (RabbitMQ) password | 1234 | | `secrets.reana.REANA_SECRET_KEY` | **[Do not use in production, use secrets instead]** REANA encryption secret key | None | | `serviceAccount.create` | Create a service account for the REANA system user | true | | `serviceAccount.name` | Service account name | reana | diff --git a/helm/reana/templates/reana-message-broker.yaml b/helm/reana/templates/reana-message-broker.yaml index 60ad1791..05dbf614 100644 --- a/helm/reana/templates/reana-message-broker.yaml +++ b/helm/reana/templates/reana-message-broker.yaml 
@@ -45,11 +45,26 @@ spec: - name: message-broker image: {{ .Values.components.reana_message_broker.image }} imagePullPolicy: {{ .Values.components.reana_message_broker.imagePullPolicy }} + env: + - name: RABBIT_MQ_USER + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: user + - name: RABBIT_MQ_PASS + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: password ports: - containerPort: 5672 name: tcp - containerPort: 15672 name: management + command: + - "/start.sh" + - "$(RABBIT_MQ_USER)" + - "$(RABBIT_MQ_PASS)" volumeMounts: - mountPath: /var/lib/rabbitmq/mnesia subPath: rabbitmq/mnesia diff --git a/helm/reana/templates/reana-server.yaml b/helm/reana/templates/reana-server.yaml index 422a0da3..4397b5ac 100644 --- a/helm/reana/templates/reana-server.yaml +++ b/helm/reana/templates/reana-server.yaml @@ -156,6 +156,16 @@ spec: secretKeyRef: name: {{ include "reana.prefix" . }}-cache-secrets key: password + - name: RABBIT_MQ_USER + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: user + - name: RABBIT_MQ_PASS + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: password {{- if .Values.debug.enabled }} # Disable CORS in development environment, for example # to connect from an external React application. @@ -282,6 +292,16 @@ spec: name: {{ include "reana.prefix" $ }}-login-provider-secrets key: PROVIDER_SECRETS {{- end }} + - name: RABBIT_MQ_USER + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: user + - name: RABBIT_MQ_PASS + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: password volumes: - name: reana-shared-volume {{- if not (eq .Values.shared_storage.backend "hostpath") }} 
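Review bot: `command: ["/start.sh", "$(RABBIT_MQ_USER)", "$(RABBIT_MQ_PASS)"]` puts the broker password into the process's argv after kubelet expands the `$(...)` references, so it is visible in the node's process list for the lifetime of the container. Both values are already injected as environment variables a few lines above, so if `/start.sh` can read `RABBIT_MQ_USER`/`RABBIT_MQ_PASS` from the environment (the script is outside this patch, so I cannot confirm) the two positional arguments can be dropped and `command` reduced to `- "/start.sh"`. The management port `15672` is exposed on the same container, so these credentials now also gate the management interface for anything that can reach that port; the env-only hunks in reana-server.yaml do not have the argv concern.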
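Review bot: The ten-line `RABBIT_MQ_USER`/`RABBIT_MQ_PASS` secretKeyRef block added in the `@@ -156` hunk of reana-server.yaml is repeated verbatim in the `@@ -282` hunk of the same file and in both hunks of reana-workflow-controller.yaml, so a later change (renaming the Secret, adding a TLS flag) has to be made in four places. A named template such as `{{- define "reana.message_broker_env" }}` holding the two entries, included at each site with `{{- include "reana.message_broker_env" . | nindent <ENV_INDENT> }}` (indent placeholder; match the surrounding `env` list), keeps them in sync. In the `@@ -282` hunk the preceding context line uses `$` as the root context while the new lines use `.`; that is correct only because the visible `{{- end }}` closes the enclosing block first, which is worth a one-line comment at that site. The enclosing container specs start outside these hunks.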
diff --git a/helm/reana/templates/reana-workflow-controller.yaml b/helm/reana/templates/reana-workflow-controller.yaml index 028d07a2..93fb205a 100644 --- a/helm/reana/templates/reana-workflow-controller.yaml +++ b/helm/reana/templates/reana-workflow-controller.yaml @@ -206,6 +206,16 @@ spec: name: {{ include "reana.prefix" . }}-db-secrets key: password {{ end }} + - name: RABBIT_MQ_USER + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: user + - name: RABBIT_MQ_PASS + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: password - name: job-status-consumer image: {{ .Values.components.reana_workflow_controller.image }} imagePullPolicy: {{ .Values.components.reana_workflow_controller.imagePullPolicy }} @@ -269,6 +279,16 @@ spec: secretKeyRef: name: {{ include "reana.prefix" . }}-cern-gitlab-secrets key: REANA_GITLAB_HOST + - name: RABBIT_MQ_USER + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: user + - name: RABBIT_MQ_PASS + valueFrom: + secretKeyRef: + name: {{ include "reana.prefix" . }}-message-broker-secrets + key: password volumes: - name: reana-shared-volume {{- if not (eq .Values.shared_storage.backend "hostpath") }} diff --git a/helm/reana/templates/secrets.yaml b/helm/reana/templates/secrets.yaml index 6c5be07d..9947c1ce 100644 --- a/helm/reana/templates/secrets.yaml +++ b/helm/reana/templates/secrets.yaml 
@@ -24,6 +24,18 @@ data: --- apiVersion: v1 kind: Secret +metadata: + name: {{ include "reana.prefix" . }}-message-broker-secrets + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/resource-policy": keep +type: Opaque +data: + user: {{ .Values.secrets.message_broker.user | default "test" | b64enc | quote }} + password: {{ .Values.secrets.message_broker.password | default "1234" | b64enc | quote }} +--- +apiVersion: v1 +kind: Secret metadata: name: {{ include "reana.prefix" . }}-cern-sso-secrets namespace: {{ .Release.Namespace }} diff --git a/helm/reana/values.yaml b/helm/reana/values.yaml index 0697b8ec..11a27eeb 100644 --- a/helm/reana/values.yaml +++ b/helm/reana/values.yaml @@ -50,6 +50,7 @@ infrastructure_storage: {} secrets: database: {} cache: {} + message_broker: {} gitlab: {} cern: sso: {} From e1772ffb39d2b1b4c91893f6eda0301edabb105f Mon Sep 17 00:00:00 2001 From: Marco Donadoni Date: Fri, 24 May 2024 14:39:15 +0200 Subject: [PATCH 3/4] feat(helm): allow only reana-server to connect to reana-cache (#847) Add `NetworkPolicy` that only allows reana-server to connect to reana-cache, as other services do not rely on it. --- helm/reana/templates/reana-cache.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/helm/reana/templates/reana-cache.yaml b/helm/reana/templates/reana-cache.yaml index 4e79055a..96088c3a 100644 --- a/helm/reana/templates/reana-cache.yaml +++ b/helm/reana/templates/reana-cache.yaml @@ -13,6 +13,23 @@ spec: targetPort: 6379 protocol: TCP --- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "reana.prefix" . }}-cache + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + app: {{ include "reana.prefix" . }}-cache + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ include "reana.prefix" . }}-server +--- apiVersion: apps/v1 kind: Deployment metadata: 
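Review bot: `default "test"` and `default "1234"` in the new message-broker Secret bake a well-known credential pair into every release where `secrets.message_broker.*` is left unset, and unlike the cache no NetworkPolicy in this series restricts who can reach ports 5672/15672, so the default amounts to a published password. Prefer failing the render, `password: {{ required "secrets.message_broker.password must be set" .Values.secrets.message_broker.password | b64enc | quote }}`, or generating a value per release with `randAlphaNum` guarded by a `lookup` of the existing Secret so upgrades keep it. Note also that `helm.sh/resource-policy: keep` only prevents deletion on uninstall; a later `helm upgrade` run without `--set` re-renders this Secret with the default and silently rotates the broker password back to `1234`.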
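Review bot: The new NetworkPolicy in reana-cache.yaml is only enforced when the cluster's network plugin implements NetworkPolicy; on a CNI without support the object is accepted by the API server and silently does nothing, so the template should say so, e.g. `# Enforced only by CNIs that implement NetworkPolicy; without one, reana-cache stays reachable by every pod.` The `from.podSelector` without a `namespaceSelector` matches only pods in `.Release.Namespace`, which is what keeps runtime pods in a separate `namespace_runtime` out; a comment stating that intent would help, and the `app: …-server` value must match the reana-server pod template's labels, which I cannot see here. Since `policyTypes` lists only `Ingress`, egress from the cache stays unrestricted, which appears intended.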
From fab559187a49c21d368c4863cd0a888ff831c330 Mon Sep 17 00:00:00 2001 From: Marco Donadoni Date: Thu, 27 Jun 2024 17:36:39 +0200 Subject: [PATCH 4/4] docs(helm): clarify secrets-related warning in README (#847) --- helm/reana/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/helm/reana/README.md b/helm/reana/README.md index 0697a532..2518f711 100644 --- a/helm/reana/README.md +++ b/helm/reana/README.md 
@@ -98,18 +98,18 @@ This Helm automatically prefixes all names using the release name to avoid colli | `reana_hostname` | REANA hostname (e.g. reana.example.org) | None | | `namespace_runtime` | Namespace in which the REANA runtime pods (workflow engines, jobs etc...) will run | `.Release.Namespace` | | `naming_scheme` | REANA component naming scheme | None | -| `secrets.cache.password` | **[Do not use in production, use secrets instead]** Cache (Redis) password | None | +| `secrets.cache.password` | **[Do not save it in `values.yaml`, pass it to Helm with `--set`]** Cache (Redis) password | None | | `secrets.cern.sso.CERN_CONSUMER_KEY` | CERN SSO consumer key | None | -| `secrets.cern.sso.CERN_CONSUMER_SECRET` | **[Do not use in production, use secrets instead]** CERN SSO consumer secret | None | -| `secrets.database.password` | **[Do not use in production, use secrets instead]** PostgreSQL database password | None | +| `secrets.cern.sso.CERN_CONSUMER_SECRET` | **[Do not save it in `values.yaml`, pass it to Helm with `--set`]** CERN SSO consumer secret | None | +| `secrets.database.password` | **[Do not save it in `values.yaml`, pass it to Helm with `--set`]** PostgreSQL database password | None | | `secrets.database.user` | PostgreSQL database username | None | | `secrets.gitlab.REANA_GITLAB_HOST` | Hostname of the GitLab instance | None | | `secrets.gitlab.REANA_GITLAB_OAUTH_APP_ID` | GitLab OAuth application id | None | -| `secrets.gitlab.REANA_GITLAB_OAUTH_APP_SECRET` | **[Do not use in production, use secrets instead]** GitLab OAuth application secret | None | -| `secrets.login` | **[Do not use in production, use secrets instead]** Third-party Keycloak identity provider consumer key and secret ([configuration details](https://docs.reana.io/administration/configuration/configuring-access/#keycloak-single-sign-on-configuration)) | `{}` | +| `secrets.gitlab.REANA_GITLAB_OAUTH_APP_SECRET` | **[Do not save it in `values.yaml`, pass it to Helm with `--set`]** 
GitLab OAuth application secret | None | +| `secrets.login` | **[Do not save it in `values.yaml`, pass it to Helm with `--set`]** Third-party Keycloak identity provider consumer key and secret ([configuration details](https://docs.reana.io/administration/configuration/configuring-access/#keycloak-single-sign-on-configuration)) | `{}` | | `secrets.message_broker.user` | Message broker (RabbitMQ) username. | test | -| `secrets.message_broker.password` | **[Do not use in production, use secrets instead]** Message broker (RabbitMQ) password | 1234 | -| `secrets.reana.REANA_SECRET_KEY` | **[Do not use in production, use secrets instead]** REANA encryption secret key | None | +| `secrets.message_broker.password` | **[Do not save it in `values.yaml`, pass it to Helm with `--set`]** Message broker (RabbitMQ) password | 1234 | +| `secrets.reana.REANA_SECRET_KEY` | **[Do not save it in `values.yaml`, pass it to Helm with `--set`]** REANA encryption secret key | None | | `serviceAccount.create` | Create a service account for the REANA system user | true | | `serviceAccount.name` | Service account name | reana | | `shared_storage.access_modes` | Shared volume access mode | ReadWriteMany | 
@@ -121,7 +121,7 @@ This Helm automatically prefixes all names using the release name to avoid colli | `shared_storage.cephfs.os_secret_namespace` | **[CERN only]** Namespace of the OpenStack credentials Secret object | kube-system | | `shared_storage.cephfs.provisioner` | **[CERN only]** CephFS provisioner | manila-provisioner | | `shared_storage.cephfs.type` | **[CERN only]** CephFS availability zone | "Geneva CephFS Testing" | -| `shared_storage.volume_size`               | Shared volume size | 200 | +| `shared_storage.volume_size` | Shared volume size | 200 | | `shared_storage.shared_volume_mount_path` | Path inside the REANA components where the shared volume will be mounted | /var/reana | | `shared_storage.hostpath.root_path` | Path to the REANA directory inside the underlying storage volume | /var/reana | | `traefik.*` | Pass any value from [Traefik Helm chart values](https://github.com/helm/charts/tree/master/stable/traefik#configuration) here, e.g. `traefik.rbac.enabled=true` | - |