-
Notifications
You must be signed in to change notification settings - Fork 19
Coffea casa secrets, credentials and tokens
There are numerous secrets and tokens that should be in place in the deployment, either created by hand or sealed and stored in your flux repo. If these are not present the user's servers will fail to launch unable to find the needed secrets. Required secrets, along with the jhub client_id/secret you'll need: a) a condor token b) a servicex token c) an xcache_token
Example: Creating and sealing the condor 'token'.
Although the secret is called a 'token', the actual value placed in the secret is the POOL PASSWORD for the condor pool. The logic of the hub creation script creates actual condor tokens from the POOL PASSWORD. So do not generate a condor token and attempt to use that as your condor token in kubernetes.
Building a sealed secret for the POOL PASSWORD: SUFtTm90QVJlYWxQb29sUGFzc3dvcmQK
now create a yaml file with the POOL PASSWORD:
cat condor-poolpassword.yaml
apiVersion: v1
kind: Secret
metadata:
name: condor-token
data:
token: SUFtTm90QVJlYWxQb29sUGFzc3dvcmQK
<Note the data: type. NOT StringData:, StringData: will result in the secret being set to the base64 encoded value of the secret and not work.>
You should never commit a bare secret into git; rather, you should use kubeseal to create an encrypted, namespace specific yaml file to check in. For example, if I wished to add this token to the namespace "cmsaf-example" I'd see the secret with my kubeseal certificate (see kubeseal docs) via:
kubeseal -o yaml -n cmsaf-example --cert kubeseal.pem < condor-poolpassword.yaml > flux/git/repo/cmsaf-example/condor-token.yaml
If you examine the file, condor-token.yaml, it should look something like, but not exactly:
kind: SealedSecret
metadata:
creationTimestamp: null
name: condor-token
namespace: cmsaf-example
spec:
encryptedData:
token: AgCEKYT2j5FwV6V3eQNCgmno0BLcmN/R9VCAC5jtoH/2YtmMyqmmcmnrrKSUteXJAnFWmEvRV0pEwzk8/y8zMMQLJGNZOu/XDG46E9lsMjhjYbcyXdJrRjfe5g8zaWdXVKGak6Rt+HtH5EAI7BasJozzbRAu0OWzBQ8h0l/11W2sPpYkl4xPzGRABQA87YyHLwK7TQMMILLS6PUYjwaO5d2GteJ/6BlBd+b4s+Qnu9UxRg7yAdxY1sVk+fMqAyebL/nh0dcuV5jjmJ/U5eZZUmeLIGv8GoLBl3sVv58bHy3o7EdAEEE6HqiD7lLHEoxAIqa4fHWHchY3oPiSil9I0HscHkqxzCgjkmZ+9tUoowmbUVtuEipxgupwZ0EgyM/O8Q4XjeZvsq3X8wrml1jwPFm68MX/CdglcY5SJocg3I2DtnwXde0GSStmbgg37y3FgQSc0itVAEO5u7i3l/ERXbWH6F9bqbHytSR1/lxmIuheW8RHoH/QC+Wb/F0a5bQUelpRBT/9BQmZP1Ug78cMAeZRVxpWD+CXupZbQQK401prXrCmor3g4Xzryjel7tuzeJacBarlHvSPTuIO/NDrixHpt1SeORiAK1VGsccVxlNFlLZsvkR6KCI0ShKjfn91mk51ul0lKje3q/scu4yb76KjZvpScE3QXvdIDIjZOMOmig4Wa3GYtihLYLaXssm153JzvAUMYUbVBiB/ws1WKGbgH0nwjXV0tVYNk/pnpx0dkQ==
template:
metadata:
creationTimestamp: null
name: condor-token
namespace: cmsaf-example
Note the secret name "condor-token" and the namespace that this secret is good for "cmsaf-example".
If you are deploying the secret by hand a simple:
kubectl create -f condor-poolpassword.yaml
will suffice.