
Coffea casa secrets, credentials and tokens

Carl Lundstedt edited this page Aug 3, 2021 · 5 revisions

Coffea-casa secrets, credentials and tokens

There are a number of secrets and tokens that must be in place in the deployment, either created by hand or sealed and stored in your flux repo. If they are not present, users' servers will fail to launch because the hub cannot find the secrets it needs. In addition to the jhub client_id/secret, the required secrets are:

a) a condor token
b) a servicex token
c) an xcache_token

Example: Creating and sealing the condor 'token'.

Although the secret is called a 'token', the value actually placed in the secret is the POOL PASSWORD for the condor pool. The hub creation script derives the real condor tokens from that POOL PASSWORD. So do not generate a condor token yourself and try to use it as the condor token in kubernetes; it will not work.

Building a sealed secret for the POOL PASSWORD. Kubernetes expects the value under data: to be base64 encoded, so first encode the pool password. The (fake) encoded value used throughout this example is: SUFtTm90QVJlYWxQb29sUGFzc3dvcmQK

Be aware that a plain echo appends a newline, and that newline becomes part of the encoded value (the example value above ends in one). Use echo -n or printf '%s' if the password must be encoded without it.

Now create a yaml file holding the encoded POOL PASSWORD:

cat condor-poolpassword.yaml

apiVersion: v1
kind: Secret
metadata:
  name: condor-token
data:
  token: SUFtTm90QVJlYWxQb29sUGFzc3dvcmQK

Note the data: key. The value under data: must already be base64 encoded. Do NOT use stringData: here; stringData: takes a plaintext value and base64 encodes it for you, so putting the encoded value there would leave the secret holding the base64 text rather than the password, and the token derivation would fail.

You should never commit a bare secret into git; instead, use kubeseal to create an encrypted, namespace-specific yaml file that is safe to check in. For example, to add this token to the namespace "cmsaf-example" I'd seal the secret with my kubeseal certificate (see the kubeseal docs) via:

kubeseal -o yaml -n cmsaf-example --cert kubeseal.pem < condor-poolpassword.yaml > flux/git/repo/cmsaf-example/condor-token.yaml

If you examine the resulting file, condor-token.yaml, it should look something like this (the encrypted value will of course differ):

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: condor-token
  namespace: cmsaf-example
spec:
  encryptedData:
    token: <long base64 ciphertext>
  template:
    metadata:
      creationTimestamp: null
      name: condor-token
      namespace: cmsaf-example

Note the secret name "condor-token" and the namespace this secret is good for, "cmsaf-example". With kubeseal's default (strict) scope the ciphertext is bound to both; renaming the secret or moving it to another namespace means the controller will refuse to unseal it, and you must reseal.

If you are deploying the secret by hand, a simple:

kubectl create -n cmsaf-example -f condor-poolpassword.yaml

will suffice. The plain manifest carries no namespace, so pass -n explicitly (or it lands in whatever namespace your current kubectl context points at). Remember that the bare file contains the pool password and must not be committed.
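The steps above, collected into one script as an added example (this is not coffea-casa's own tooling): it base64-encodes the pool password without a stray newline, writes the Secret manifest with the value under data:, checks that the manifest decodes back to the password (catching the stringData: and trailing-newline mistakes), and seals it with kubeseal when a certificate is available. The password, file names and namespace are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the coffea-casa project.
# Usage: sh make-condor-secret.sh POOL_PASSWORD NAMESPACE [KUBESEAL_CERT] [OUT]
set -eu

# Base64-encode a string without the newline that a plain `echo` would add.
# printf '%s' emits exactly the bytes given; tr -d strips the line wrapping
# some base64 implementations insert so the value fits on one YAML line.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Write the plain Secret manifest. The encoded value goes under data:, which
# is where Kubernetes expects already-base64 values.
write_condor_secret() {
    # $1 = pool password, $2 = output path
    cat > "$2" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: condor-token
type: Opaque
data:
  token: $(b64 "$1")
EOF
}

# The common mistake: the encoded value under stringData:. Kubernetes would
# base64-encode it a second time, so the stored secret is not the password.
write_stringdata_mistake() {
    # $1 = pool password, $2 = output path
    cat > "$2" <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: condor-token
type: Opaque
stringData:
  token: $(b64 "$1")
EOF
}

# Verify a manifest before sealing it: data.token must exist (not
# stringData.token) and must decode to exactly the expected password.
# Returns 0 on success, 1 otherwise.
check_condor_secret() {
    # $1 = manifest path, $2 = expected pool password
    encoded=$(awk '/^data:/ { in_data = 1; next }
                   /^[^ ]/  { in_data = 0 }
                   in_data && /^  token: / { sub(/^  token: /, ""); print }' "$1")
    [ -n "$encoded" ] || return 1
    # $(...) strips trailing newlines, which would hide an accidental "\n"
    # in the password; the sentinel "x" keeps them visible for comparison.
    decoded=$(printf '%s' "$encoded" | base64 -d; printf x)
    decoded=${decoded%x}
    [ "$decoded" = "$2" ]
}

# Seal the checked manifest for a namespace. Only the sealed output is safe
# to commit to the flux repo.
seal_condor_secret() {
    # $1 = manifest path, $2 = namespace, $3 = kubeseal cert, $4 = output path
    kubeseal -o yaml -n "$2" --cert "$3" < "$1" > "$4"
}

if [ "$#" -ge 2 ]; then
    plain=$(mktemp)
    write_condor_secret "$1" "$plain"
    check_condor_secret "$plain" "$1" || { echo "manifest does not round-trip" >&2; exit 1; }
    seal_condor_secret "$plain" "$2" "${3:-kubeseal.pem}" "${4:-condor-token.yaml}"
    rm -f "$plain"
fi
```

Run it as `sh make-condor-secret.sh 'the-pool-password' cmsaf-example kubeseal.pem flux/git/repo/cmsaf-example/condor-token.yaml`; the unsealed manifest lives only in a temporary file that is deleted after sealing.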
