automatically mount service account tokens when needed #3888
Conversation
piax93
force-pushed
the
u/mpiano/SEC-18955_deploy
branch
from
fa5aab9
to
c36e89d
Compare
One thought that comes to mind is that now a change in ServiceA's yelpsoa-configs can cause a bounce for ServiceB, which I think is a necessary evil for this, but it's worth thinking about how we can make this clear to users since it likely wouldn't be intuitive (maybe jenkins posts this detail as a PR comment or something). I also could envision eventually unconditionally mounting the token for all services, regardless of whether they currently need to authenticate or not, which would alleviate this problem but could have other downsides (e.g. additional load on api server). |
No strong opinions here. Right now afaict this value is only in this repo and in puppet, which isn't too widespread and probably fine to be hard coded. |
…sa_volumes_token_automount test case
@danielpops i think as long as we're not bouncing every service when this happens, this isn't the end of the world: part of the paasta contract is that a paasta instance can be restarted at any time (see here: (which isn't to say we should yolo restart - but we do generally expect that service bounces are safe at any time) |
|
@danielpops @piax93 i guess i should confirm: what's the worst case scenario for how many services would be bounced when updating the auth rules for 1 service? could we end up bouncing everything should there be a change that involves internalapi? |
|
@danielpops thanks for the example - that makes things a lot clearer. i think in steady-state operation this probably wouldn't be too bad, but while we're rolling out this might cause a lot of churn (and some services like y-m are a bit noisy when restarted - which is made worse by the fact that it has many callers so it would presumably be in many authorization.yamls) |
|
(i've started a CI thread to see what folks think here) |
|
@nemacysts @danielpops I think one easy solution for the issue is to keep a separate list of critical services which will always have the token mounted, so we can be sure they are not affected by someone referencing/removing them from an authorization config. |
|
@nemacysts a bounce will only happen when a service that previously was not referenced in any other service's authorization.yaml is added OR the opposite, a service previously in any other service's authorization.yaml has all references removed. ExamplesService starts being referencedsecurity_happyhour/authorization.yaml starting state: anti_phishing is added to a rule: When this ships it will cause anti_phishing to bounce Service no longer referencedsecurity_happyhour/authorization.yaml starting state: yelp_main removed from authorization.yaml file and not referenced in any other authorization.yaml files: When this ships it will cause yelp_main to bounce |
|
@nemacysts if yelp-main is in 10 authorization.yaml's and removed from one of them, a bounce wouldn't happen. The bounce would only happen when yelp-main is removed from all of them, since it would no longer have the projected token volume mount causing a bounce. so from that perspective, the removal is a much less likely scenario that we'd encounter. The main problem is that the unsuspecting PR author and reviewer probably wouldn't realize that adding |
piax93
force-pushed
the
u/mpiano/SEC-18955_deploy
branch
from
50fc76e
to
f997e49
Compare
piax93
force-pushed
the
u/mpiano/SEC-18955_deploy
branch
from
a6df45f
to
7e86692
Compare
| if ( | ||
| token_config | ||
| and service_name in get_authenticating_services(soa_dir) | ||
| and not any(volume == token_config for volume in config_volumes) |
There was a problem hiding this comment.
i think it might be worth doing a more generic dedupe in the future - presumably having user-supplied duplicates is also something we'd like to avoid on top of preventing folks from colliding with the auto-mounted token-config volume
i.e., we probably wanna figure out a central place to dedupe all volume configs and handle all of them consistently :p
paasta/paasta_tools/kubernetes_tools.py
Line 1482 in 7e86692
paasta_tools/kubernetes_tools.py
Outdated
| def get_projected_sa_volumes(self) -> List[ProjectedSAVolume]: | ||
| config_volumes = super().get_projected_sa_volumes() | ||
| token_config = ( | ||
| load_system_paasta_config().get_service_auth_token_volume_config() |
There was a problem hiding this comment.
So each service needs only a single token if it needs to auth to any number of services?
And the token format will be basically the same across all services (coming from a system-level paasta config, not service/instance-level)?
There was a problem hiding this comment.
The "PaaSTA Services" of CEP-2167 describes in more detail, but in short, yes. The only thing that we can actually control is the token audience, a that's going to be the same everywhere. Identity is then inferred from other metadata fields.
| def get_service_auth_token_volume_config(self) -> ProjectedSAVolume: | ||
| return self.config_dict.get("service_auth_token_settings", {}) |
There was a problem hiding this comment.
lol this difference in name is going to trip me up in the future, I just know it.
There was a problem hiding this comment.
lol, apologies, I'm a terrible human being. I created this config first thinking that each JSON file is loaded in a different "namespace", but then realized that everything gets flattened out, so started adding words over words to the key.
I thought I would need to jump through many hoops, but this simple of a change should work.
The only thing I'm not crazy about is hardcoding that "authenticating.yaml". Maybe I could place that in a field of the system config? Although that may be a way to add a step without much of a benefit. Very open to suggestions here.