Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat!: add support for session secrets #545

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
Draft

feat!: add support for session secrets #545

wants to merge 7 commits into from

Conversation

leafty
Copy link
Member

@leafty leafty commented Nov 27, 2024
edited
Loading

Feature branch. Closes #509.

Details:

  • Add support for session secret slots which describe files with secret contents to be mounted in sessions. Session secret slots exist at the project level and can be managed by users with at the WRITE permission on the project. Session secrets can be used by all users with the READ permission on the project.
  • Add support for session secrets which connect a project's session secret slots to user secrets. Session secrets can be used by all users with the READ permission on the project.
  • Add support for mounting user secrets in sessions according to the project's session secret slots.
  • Add support for multiple names in key_mapping when creating a kubernetes secret. This allows the same user secret to be supplied more than once in sessions.
  • Re-work user secrets to make them more usable in Renku 2.0.
    • Change the name field to be default_filename. This field is only meaningful in the context of Renku 1.0.
    • Add a new name field (which does not have constraints) to let users name their secrets, e.g. "AWS Secret Key ID for Project XYZ".
    • User secret objects now include back references to Session secret slots and Data connectors -> session_secret_slot_ids and data_connector_ids fields returned from the API.
    • The UserSecretsRepo class has been split into LowLevelUserSecretsRepo and UserSecretsRepo. LowLevelUserSecretsRepo is used internally, e.g. for key rotation and UserSecretsRepo is used for the UserSecretsBP blueprint
  • Add a new field secrets_mount_directory to projects, which allows user to configure where secrets are mounted in sessions.

Content:

  1. feat: add support for session secret slots #529
  2. feat: add support for session secrets #531
  3. feat: mount session secrets #517
  4. fix: use stable order for secrets and secret slots #553
  5. feat: support multiple names for key_mapping with kubernetes secrets #537
  6. feat!: re-work user secrets #538
  7. feat: make the session secret mount location configurable #548

@coveralls
Copy link

coveralls commented Nov 27, 2024
edited
Loading

Pull Request Test Coverage Report for Build 12234146021

Details

  • 632 of 683 (92.53%) changed or added relevant lines in 27 files are covered.
  • 4 unchanged lines in 3 files lost coverage.
  • Overall coverage increased (+0.2%) to 85.965%
Changes Missing Coverage Covered Lines Changed/Added Lines %
components/renku_data_services/project/blueprints.py 71 72 98.61%
components/renku_data_services/secrets/core.py 16 17 94.12%
components/renku_data_services/project/core.py 29 31 93.55%
components/renku_data_services/secrets/orm.py 16 18 88.89%
components/renku_data_services/migrations/versions/a59e60e0338f_update_user_secrets.py 22 25 88.0%
components/renku_data_services/secrets/db.py 70 75 93.33%
components/renku_data_services/notebooks/api/amalthea_patches/init_containers.py 4 11 36.36%
components/renku_data_services/project/db.py 144 153 94.12%
components/renku_data_services/notebooks/blueprints.py 2 23 8.7%
Files with Coverage Reduction New Missed Lines %
components/renku_data_services/notebooks/blueprints.py 1 45.89%
components/renku_data_services/secrets/core.py 1 79.41%
components/renku_data_services/crc/db.py 2 85.68%
Totals Coverage Status
Change from base Build 12230524828: 0.2%
Covered Lines: 15031
Relevant Lines: 17485
💛 - Coveralls

@leafty leafty force-pushed the build/session-secrets branch from d4d85bd to ec4cbe1 Compare December 6, 2024 09:02
leafty and others added 6 commits December 9, 2024 11:36
@leafty
feat: add support for session secret slots (#529)
813c4d4 
Add support for session secret slots which describe files with secret contents to be mounted in sessions. Session secret slots exist at the project level and can be managed by users with at the `WRITE` permission on the project. Session secrets can be used by all users with the `READ` permission on the project.
@leafty @olevski
feat: add support for session secrets (#531)
815915a 
Add support for session secrets which connect a project's session secret slots to user secrets. Session secrets can be used by all users with the `READ` permission on the project.

---------

Co-authored-by: Tasko Olevski <[email protected]>
@leafty
feat: mount session secrets (#517)
b9342a8 
Add support for mounting user secrets in sessions according to the project's session secret slots.
@leafty
fix: use stable order for secrets and secret slots (#553)
bf1cc35
@leafty @Panaetius
feat: support multiple names for key_mapping with kubernetes secrets (#…
c76fb1a 
…537)

Add support for multiple names in `key_mapping` when creating a kubernetes secret. This allows the same user secret to be supplied more than once in sessions.

---------

Co-authored-by: Ralf Grubenmann <[email protected]>
@leafty
feat!: re-work user secrets (#538)
a566df5 
Re-work user secrets to make them more usable in Renku 2.0.

Changes:
* Change the `name` field to be `default_filename`. This field is only meaningful in the context of Renku 1.0.
* Add a new `name` field (which does not have constraints) to let users name their secrets, e.g. "AWS Secret Key ID for Project XYZ".
* User secret objects now include back references to Session secret slots and Data connectors -> `session_secret_slot_ids` and `data_connector_ids` fields returned from the API.
* The `UserSecretsRepo` class has been split into `LowLevelUserSecretsRepo` and `UserSecretsRepo`. `LowLevelUserSecretsRepo` is used internally, e.g. for key rotation  and `UserSecretsRepo` is used for the `UserSecretsBP` blueprint.
@leafty leafty force-pushed the build/session-secrets branch from ec4cbe1 to a566df5 Compare December 9, 2024 10:36
@leafty
feat: make the session secret mount location configurable (#548)
8faf424 
Add a new field `secrets_mount_directory` to projects, which allows user to configure where secrets are mounted in sessions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[ShapeUp] Session Secrets in Renku 2.0
2 participants
@leafty @coveralls