From e4c00d305719c6b81ff89b9c4ffd94566c142979 Mon Sep 17 00:00:00 2001
From: Marco Donadoni
Date: Tue, 30 Apr 2024 12:25:35 +0200
Subject: [PATCH] refactor(secrets): adapt to reana-commons secret-handling changes (#583)
Closes reanahub/reana-commons#455
---
 reana_workflow_controller/consumer.py | 22 +++++++++++++++----
 reana_workflow_controller/rest/utils.py | 9 +++++---
 .../workflow_run_manager.py | 8 +++----
 tests/test_views.py | 4 ----
 tests/test_workflow_run_manager.py | 2 --
 5 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/reana_workflow_controller/consumer.py b/reana_workflow_controller/consumer.py
index f7b5b59d..efbfa0ba 100644
--- a/reana_workflow_controller/consumer.py
+++ b/reana_workflow_controller/consumer.py
@@ -23,7 +23,7 @@
 current_k8s_batchv1_api_client,
 current_k8s_corev1_api_client,
 )
-from reana_commons.k8s.secrets import REANAUserSecretsStore
+from reana_commons.k8s.secrets import UserSecretsStore
 from reana_commons.utils import (
 calculate_file_access_time,
 calculate_hash_of_dir,
@@ -180,8 +180,16 @@ def _update_commit_status(workflow, status):
 state = "canceled"
 else:
 state = "running"
- secret_store = REANAUserSecretsStore(workflow.owner_id)
- gitlab_access_token = secret_store.get_secret_value("gitlab_access_token")
+
+ secret_store = UserSecretsStore(workflow.owner_id)
+ gitlab_access_token_secret = secret_store.get_secret("gitlab_access_token")
+ if not gitlab_access_token_secret:
+ logging.error(
+ f"Skipping updating commit status for workflow {workflow.id}: GitLab access token not found."
+ )
+ return
+ gitlab_access_token = gitlab_access_token_secret.value_str
+
 target_url = f"https://{REANA_HOSTNAME}/api/workflows/{workflow.id_}/logs"
 workflow_name = urlparse.quote_plus(workflow.git_repo)
 system_name = "reana"
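Review bot: In `_update_commit_status` (consumer.py, hunk at -180) the store is built with `UserSecretsStore(workflow.owner_id)`, while the other two call sites changed by this patch use `UserSecretsStore.fetch(...)`; if the plain constructor does not load the user's secrets from Kubernetes, `get_secret("gitlab_access_token")` would always come back empty and the commit status would never be posted. Unless the difference is intended, this should read `secret_store = UserSecretsStore.fetch(workflow.owner_id)`. The new skip message also interpolates `{workflow.id}` where the rest of the function uses `workflow.id_`, so the error path may itself fail or log the wrong identifier; use `{workflow.id_}` there. The function body starts and ends outside this hunk.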
@@ -190,7 +198,13 @@ def _update_commit_status(workflow, status):
 f"{workflow.git_ref}?access_token={gitlab_access_token}&state={state}&"
 f"target_url={target_url}&name={system_name}"
 )
- requests.post(commit_status_url)
+
+ res = requests.post(commit_status_url)
+ if res.status_code >= 400:
+ logging.error(
+ f"Failed to update commit status for workflow {workflow.id_}: "
+ f"status code {res.status_code}, content {res.text}"
+ )
 def _update_run_progress(workflow_uuid, msg):
diff --git a/reana_workflow_controller/rest/utils.py b/reana_workflow_controller/rest/utils.py
index 235e514b..a7822cef 100644
--- a/reana_workflow_controller/rest/utils.py
+++ b/reana_workflow_controller/rest/utils.py
@@ -33,7 +33,7 @@
 from kubernetes.client.rest import ApiException
 from reana_commons import workspace
 from reana_commons.config import REANA_WORKFLOW_UMASK, WORKFLOW_TIME_FORMAT
-from reana_commons.k8s.secrets import REANAUserSecretsStore
+from reana_commons.k8s.secrets import UserSecretsStore
 from reana_commons.utils import (
 get_workflow_status_change_verb,
 remove_upper_level_references,
@@ -367,8 +367,11 @@ def create_workflow_workspace(
 os.umask(REANA_WORKFLOW_UMASK)
 os.makedirs(path, exist_ok=True)
 if git_url and git_ref:
- secret_store = REANAUserSecretsStore(user_id)
- gitlab_access_token = secret_store.get_secret_value("gitlab_access_token")
+ secret_store = UserSecretsStore.fetch(user_id)
+ gitlab_access_token_secret = secret_store.get_secret("gitlab_access_token")
+ if not gitlab_access_token_secret:
+ raise Exception("GitLab access token not found.")
+ gitlab_access_token = gitlab_access_token_secret.value_str
 url = "https://oauth2:{0}@{1}/{2}.git".format(
 gitlab_access_token, REANA_GITLAB_HOST, git_url
 )
diff --git a/reana_workflow_controller/workflow_run_manager.py b/reana_workflow_controller/workflow_run_manager.py
index 4dd22751..f3dec8fc 100644
--- a/reana_workflow_controller/workflow_run_manager.py
+++ b/reana_workflow_controller/workflow_run_manager.py
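Review bot: The GitLab access token still travels in the query string of `commit_status_url` (`?access_token=...`, consumer.py hunk at -190), and the new `requests.post(commit_status_url)` call has no timeout and no handling for `requests` exceptions, whose messages typically include the full URL. Sending the token in a header instead, e.g. `requests.post(commit_status_url, headers={"Authorization": f"Bearer {gitlab_access_token}"}, timeout=<seconds>)` with `access_token` dropped from the URL, keeps it out of proxy and access logs and out of tracebacks. The added error log writes `res.text` verbatim; truncating it would be safer, since it is a remote-controlled body of unbounded size. The URL construction begins above this hunk.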
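Review bot: In `create_workflow_workspace` (rest/utils.py, hunk at -367) the missing-token case raises a bare `Exception("GitLab access token not found.")`, which callers cannot tell apart from any other failure; a dedicated exception type would let the REST layer map it to a clear client error instead of a generic server error. The token is then formatted into the clone URL `https://oauth2:{0}@{1}/{2}.git`. The clone call itself is outside the hunk, but a URL with embedded credentials can end up in the workspace's `.git/config` and in git error output, so it is worth confirming that neither is exposed or logged. A comment on the `url = ...` line such as `# NOTE: url embeds the user's GitLab token; never log it` would help the next reader.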
@@ -36,7 +36,7 @@
 )
 from reana_commons.k8s.api_client import current_k8s_batchv1_api_client
 from reana_commons.k8s.kerberos import get_kerberos_k8s_config
-from reana_commons.k8s.secrets import REANAUserSecretsStore
+from reana_commons.k8s.secrets import UserSecretsStore
 from reana_commons.k8s.volumes import (
 create_cvmfs_persistent_volume_claim,
 get_workspace_volume,
@@ -501,8 +501,7 @@ def _create_job_spec(
 namespace=REANA_RUNTIME_KUBERNETES_NAMESPACE,
 )
- secrets_store = REANAUserSecretsStore(owner_id)
-
+ secrets_store = UserSecretsStore.fetch(owner_id)
 kerberos = None
 if self.requires_kerberos():
 kerberos = get_kerberos_k8s_config(
@@ -565,7 +564,8 @@ def _create_job_spec(
 job_controller_env_secrets = secrets_store.get_env_secrets_as_k8s_spec()
- user = secrets_store.get_secret_value("CERN_USER") or WORKFLOW_RUNTIME_USER_NAME
+ user_secret = secrets_store.get_secret("CERN_USER")
+ user = user_secret.value_str if user_secret else WORKFLOW_RUNTIME_USER_NAME
 job_controller_container = client.V1Container(
 name=current_app.config["JOB_CONTROLLER_NAME"],
diff --git a/tests/test_views.py b/tests/test_views.py
index 8c561060..87517dce 100644
--- a/tests/test_views.py
+++ b/tests/test_views.py
@@ -1155,8 +1155,6 @@ def test_start_workflow_db_failure(
 app,
 session,
 default_user,
- user_secrets,
- corev1_api_client_with_user_secrets,
 sample_serial_workflow_in_db,
 ):
 """Test starting workflow with a DB failure."""
@@ -1193,8 +1191,6 @@ def test_start_workflow_kubernetes_failure(
 app,
 session,
 default_user,
- user_secrets,
- corev1_api_client_with_user_secrets,
 sample_serial_workflow_in_db,
 ):
 """Test starting workflow with a Kubernetes failure when creating jobs."""
diff --git a/tests/test_workflow_run_manager.py b/tests/test_workflow_run_manager.py
index 190a7e4f..cf279491 100644
--- a/tests/test_workflow_run_manager.py
+++ b/tests/test_workflow_run_manager.py
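Review bot: In `_create_job_spec` (workflow_run_manager.py, hunk at -565) the fallback for `CERN_USER` changed meaning: the old `get_secret_value("CERN_USER") or WORKFLOW_RUNTIME_USER_NAME` also fell back when the value was empty, whereas `user_secret.value_str if user_secret else WORKFLOW_RUNTIME_USER_NAME` passes an empty string through when the secret exists but is empty. If that is not intended, `user = (user_secret.value_str if user_secret else None) or WORKFLOW_RUNTIME_USER_NAME` restores the previous behaviour. `user` comes from a user-supplied secret and is consumed further down, outside this hunk, so a short comment stating which values are acceptable there would help.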
@@ -19,8 +19,6 @@
 RunStatus,
 InteractiveSession,
 InteractiveSessionType,
- JobStatus,
- Job,
 )
 from reana_workflow_controller.errors import REANAInteractiveSessionError