onyxia-init.sh / Vault : add optional mode for service account based auth (+ other fixes) #197
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello,
This PR is pushing forward a new feature as well as fixing a couple of implementation flaws related to Vault management in
onyxia-init.sh
. Both are detailed below in distinct sections.Feature
Feature-wise, we aim to allow for a secondary mode of authentication using the JWT generated for the service account used for the pod a service is running in. The relevant part in the changes is this :
This supposes the presence of four "new" environment variables, whose names were set arbitrarily, and can be changed if needed :
VAULT_INJECTION_SA_ENABLED
VAULT_INJECTION_SA_MODE
VAULT_INJECTION_SA_AUTH_PATH
VAULT_INJECTION_SA_AUTH_ROLE
These variables mirror the not-yet-existing region parameters suggested in this issue : InseeFrLab/onyxia-api#409. How these variables are to be set in the interactive-services is out of this scope, but the probable candidate would be to change the Helm charts to support them (values.schema.json to inject default from region into values + add a new CM or Secret to actually set the environment variables).
Also related to Vault is a minor change in the implementation : adding a new
if [[ -n "$VAULT_TOKEN" ]]
test prior to querying Vault - this should be transparent to existing deployments of Onyxia, but prevents errors that could happen if the SA auth method is misconfigured for instance.The SA based auth promoted in this PR was tested with the
vault-prefix
tag ofonyxia-api
advertised in this issue : InseeFrLab/onyxia#783Fixes
Unrelated to Vault are a couple of fixes in the code :
echo
command :images-datascience/scripts/onyxia-init.sh
Lines 43 to 55 in 1dd4302
This has the drawback of "eating" the quotes, resulting on problems for secrets whose value contain a whitespace :
(though this problem appears to be limited to the "sudo-less" mode ; secrets defined in
/etc/environment
appear to be parsed correctly even without quotes).To counter this, I replaced
echo
with aprintf
command, while defining a $value variable to remove some copy/pasting.images-datascience/scripts/onyxia-init.sh
Line 46 in 1dd4302
In its current implementation, on any service not running R,
$R_HOME
is evaluated to an empty string, which in turn causes the test to check if/etc
exists, which it always does. In other words, every service - with or without R - attempted to append to Renviron.site. For a R based service, it works as intended, but for the others, it in fact creates (or attempts to create) a/etc/Renviron.site
file.I replaced that test with a different one, used in a different location in
onyxia-init.sh
:if command -v R;