apply reana iam secrets, update secrets script and add escape-iam as …

…loging on the reana chart
vre-hub · Nov 18, 2024 · f7d058c · f7d058c
1 parent a9b82f0
commit f7d058c
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 24 deletions.
diff --git a/infrastructure/cluster/flux/reana/reana-release.yaml b/infrastructure/cluster/flux/reana/reana-release.yaml
@@ -20,14 +20,14 @@ spec:
       version: 0.9.3
 
   valuesFrom:
-    # - kind: Secret
-    #   name: reana-vre-iam-client
-    #   valuesKey: client_id
-    #   targetPath: secrets.login.escape-iam.consumer_key
-    # - kind: Secret
-    #   name: reana-vre-iam-client
-    #   valuesKey: client_secret
-    #   targetPath: secrets.login.escape-iam.consumer_secret
+    - kind: Secret
+      name: reana-vre-iam-client
+      valuesKey: client_id
+      targetPath: secrets.login.escape-iam.consumer_key
+    - kind: Secret
+      name: reana-vre-iam-client
+      valuesKey: client_secret
+      targetPath: secrets.login.escape-iam.consumer_secret
     - kind: Secret
       name: reana-db
       valuesKey: user
@@ -91,18 +91,18 @@ spec:
       # REANA_DB_USERNAME: containing the database user name.
       # REANA_DB_PASSWORD: containing the password for the user previously set.
       # Both environment variables should be set inside a Kubernetes secret:
-      # `[release-name]-db-secrets`
+      # `[release-name]-db`
 
-    # login:
-    #   - name: "escape-iam"
-    #     type: "keycloak"
-    #     config:
-    #       title: "ESCAPE IAM"
-    #       base_url: "https://iam-escape.cloud.cnaf.infn.it"
-    #       realm_url: "https://iam-escape.cloud.cnaf.infn.it" 
-    #       auth_url: "https://iam-escape.cloud.cnaf.infn.it/authorize" 
-    #       token_url: "https://iam-escape.cloud.cnaf.infn.it/token" 
-    #       userinfo_url: "https://iam-escape.cloud.cnaf.infn.it/userinfo"
+    login:
+      - name: "escape-iam"
+        type: "keycloak"
+        config:
+          title: "ESCAPE IAM"
+          base_url: "https://iam-escape.cloud.cnaf.infn.it"
+          realm_url: "https://iam-escape.cloud.cnaf.infn.it" 
+          auth_url: "https://iam-escape.cloud.cnaf.infn.it/authorize" 
+          token_url: "https://iam-escape.cloud.cnaf.infn.it/token" 
+          userinfo_url: "https://iam-escape.cloud.cnaf.infn.it/userinfo"
 
     ingress:
       enabled: false

diff --git a/infrastructure/scripts/reana_secrets.sh b/infrastructure/scripts/reana_secrets.sh
@@ -13,6 +13,7 @@ REANA_NS="reana"
 SECRETS_DIR="/root/software/vre/infrastructure/secrets/reana"
 RAW_SECRETS_TMP_DIR="/root/software/vre/infrastructure/secrets/tmp_local_secrets"
 
+
 echo "Create REANA DB secret"
 
 name of output secret to apply
@@ -32,13 +33,13 @@ cat ${RAW_ADMIN_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME} --c
 kubectl apply -f ${SECRETS_DIR}/ss_${ADMIN_ACCOUNT_SECRET}
 
 
-# echo "Create REANA IAM client credentials"
+echo "Create REANA IAM client credentials"
 
-# REANA_IAM_ACCOUNT_SECRET='reana-iam-secrets.yaml'
-# RAW_REANA_IAM_FILE_SECRET=${RAW_SECRETS_TMP_DIR}/${REANA_IAM_ACCOUNT_SECRET}
+REANA_IAM_ACCOUNT_SECRET='reana-iam-client.yaml'
+RAW_REANA_IAM_FILE_SECRET=${RAW_SECRETS_TMP_DIR}/${REANA_IAM_ACCOUNT_SECRET}
 
-# cat ${RAW_REANA_IAM_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${REANA_NS} > ${SECRETS_DIR}/ss_${REANA_IAM_ACCOUNT_SECRET}
-# kubectl apply -f ${SECRETS_DIR}/ss_${REANA_IAM_ACCOUNT_SECRET}
+cat ${RAW_REANA_IAM_FILE_SECRET} | kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${REANA_NS} > ${SECRETS_DIR}/ss_${REANA_IAM_ACCOUNT_SECRET}
+kubectl apply -f ${SECRETS_DIR}/ss_${REANA_IAM_ACCOUNT_SECRET}
 
 
 # echo "Create 'REANA secrets' secret"

diff --git a/infrastructure/secrets/reana/ss_reana-iam-client.yaml b/infrastructure/secrets/reana/ss_reana-iam-client.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: reana-iam-client
+  namespace: reana
+spec:
+  encryptedData:
+    client_id: AgBkYqtXaUN0flPAMp9Bhtgy0d4dtUUQ3JhdcyMoQwveTqTjX63EwGePB0PA5jLxdj3wC81BWM040dP4WWxw0SR2xxSg6PaNKvPiT8PU2NuG3HJjL+swYhlPDyfXOE65iEDl3qQTYZ5wAuNqN8hDVOjPC0LDm0cr4X4xs61S1dAa8r7aJ9HVV5VLrST8RORKeqF+Kn8QSOQ5lZB/G/c1aIqyQDmnrGICl+U6XT5GaebrZJ12a4qy4Gwi7hSz400mfjPwxZfdEkAojqchrhpIF91tCfdlVvcNUTE+J2b9cs5ifZ9necFYyGDjrxs6hcR8Aaj7c5xVfH6hDFtZRiFxUCPGm0RSaIIW/35cbtX1oP+kemAbK5dGh+H4/pJYxI55pF5yT+FVCig+4/UprHxk5BJLyxom7145nTXOEwRtpWi8o2nsVDiDlsXbewe5UXIw+UuUMVVZZl7J5C7r6bXJHvDf+6s2ZHfSd43iH6FSDv5q3u56BSdRmh9puqPE/OE55y63n8WUGczFfdWvwSVzBOvojn18SB9nw/jY/o5o2ZlLiPkjQ+rMC56XWOI2OknvyiXwpCzFUqRBdZZ4Tij0PmC8Zyeg5MheRxadmVTHCKiDKzR2sltIPLVFu/d8NQyB7hjzftV07OxWHG72L3lhrOalYt/lbFvC/B/MdZGMdVhPBJYsGyZG/zGRxKn/a093Q9mAUeu4uQCQnINA6sckAv6Ea/FQcNNWgqsDItB0gzyKHciENlY=
+    client_secret: AgAO1v1pkFqc17PVbPQ5uZFFIAre+SqgH+1SlUkUs8qBkJZzvSPmfsqj0xI9LCpwC89GRO6nNDXsgwe/VSQppi6FlnrD0Hkb9C0vfZ21bhZ3G49U8rncNV4lh82xQEiuV0ePiCxNHZes6N+077/qiElemTGo5gM0O8pilHl6kGKeh3eBHrn6YWv4RcOguyg8viRE9FeHs19FTPZeVTdPBCJ8XTuckm3GC5U0IftHK5dOLP6GRYJ2IjHtcXCKljhnpKcmi6/8QBYIRl0HiBJZ4B6fx5lKHMkzNNpMcps5bKpr8cIut1OyK1AsMn3WYPC/ko6XPyx/nEqze3ZwevoK2tqxY9RcRKo/RfoaP9I3sSOgNJq+kd4xo920PKGf4/VlldLhpLAqK3fvJbT9e1uqSZb2wYIKBY3TXvurOlilqU4b/p+9hPtoSDNFEuyoj/RDUNtUUS2IuVLWt1GpIrFepA7TBMH+Zbf54itJFO1r/x7BlsD3GUaryRYiaY5sV3b0Vb0Bo5rAX2WApQSMfZarie5NgYEVcC4x9nyrBqPPUQUREMBrkK71wiWcnbChLaxgyydF0hx9VDjAo3ldwpRfBiiO6WKSY0/uo5zL7ARC+L6L/ZfKWqsfCOCBO/TXBBF+2fUqhF2pLEI9LZ9uIutDqG/DedVstWZOEFvc6BfTwBy+UYH7Jcz6yEcWBqFrkryvhHMBXo+Hu9/XoVwvXEi8tfIs13M8HGUu33wL/ie9Sw3PMsFe9TG6Wm1vgpltGwpSY488EmaiT1y0hFAbG5RKAcVaop137786RallR9G+prxqEpU/kHcHo98=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: reana-iam-client
+      namespace: reana
+    type: Opaque