perf(k8s): avoid fetching secrets multiple times (reanahub#456)
mdonadoni committed Aug 19, 2024
1 parent 273b72d commit 6d0f7f8
Showing 5 changed files with 421 additions and 326 deletions.
19 changes: 11 additions & 8 deletions reana_commons/k8s/kerberos.py
Expand Up @@ -23,7 +23,7 @@
KRB5_TOKEN_CACHE_LOCATION,
)
from reana_commons.errors import REANASecretDoesNotExist
from reana_commons.k8s.secrets import REANAUserSecretsStore
from reana_commons.k8s.secrets import UserSecrets


KerberosConfig = namedtuple(
Expand All @@ -33,13 +33,13 @@


def get_kerberos_k8s_config(
secrets_store: REANAUserSecretsStore, kubernetes_uid: int
user_secrets: UserSecrets, kubernetes_uid: int
) -> KerberosConfig:
"""Get the k8s specification for the Kerberos init and renew containers.
These containers are used to generate and renew the Kerberos tickets.
:param secrets_stores: User's secrets store
:param user_secrets: User's secrets store
:param kubernetes_uid: UID of the user who needs Kerberos
:returns: - specification of the sidecar container
- volumes needed by the sidecar container
Expand All @@ -48,15 +48,18 @@ def get_kerberos_k8s_config(
- specification for init container used to generate Kerberos ticket
- specification for renew container used to periodically renew Kerberos ticket
"""
secrets_volume_mount = secrets_store.get_secrets_volume_mount_as_k8s_spec()
keytab_file = secrets_store.get_secret_value("CERN_KEYTAB")
cern_user = secrets_store.get_secret_value("CERN_USER")
secrets_volume_mount = user_secrets.get_secrets_volume_mount_as_k8s_spec()
keytab_file_name = user_secrets.get_secret("CERN_KEYTAB")
cern_user = user_secrets.get_secret("CERN_USER")

if not keytab_file:
if not keytab_file_name:
raise REANASecretDoesNotExist(missing_secrets_list=["CERN_KEYTAB"])
if not cern_user:
raise REANASecretDoesNotExist(missing_secrets_list=["CERN_USER"])

keytab_file_name = keytab_file_name.value_str
cern_user = cern_user.value_str

ticket_cache_volume = {
"name": "krb5-cache",
"emptyDir": {},
Expand Down Expand Up @@ -95,7 +98,7 @@ def get_kerberos_k8s_config(
"command": [
"kinit",
"-kt",
f"/etc/reana/secrets/{keytab_file}",
f"/etc/reana/secrets/{keytab_file_name}",
f"{cern_user}@CERN.CH",
],
"name": KRB5_INIT_CONTAINER_NAME,
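Review bot: In the hunk starting at new line 48, the two `if not ...` checks now test the object returned by `get_secret(...)` instead of the value that `get_secret_value(...)` used to return, so a secret that exists with an empty value may no longer raise `REANASecretDoesNotExist` (this assumes the returned object is truthy in that case, which is not visible here). The unwrapped strings are then interpolated directly into the `kinit` arguments as `/etc/reana/secrets/{keytab_file_name}` and `{cern_user}@CERN.CH`, so an empty or path-like value would only show up as a failure inside the init container. I would keep the secret object and its string under separate names and validate the string, e.g. `keytab_secret = user_secrets.get_secret("CERN_KEYTAB")` followed by `if not keytab_secret or not keytab_secret.value_str:`, and do the same for `CERN_USER`. Checking that the keytab value is a bare file name with no path separator would also keep the resulting path inside the secrets mount. The body of `get_kerberos_k8s_config` continues outside the visible hunks.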