Cloudigrade Pre Shared Keys (PSKs) - cloudigrade/cloudigrade GitHub Wiki

Background

The pre-shared keys for accessing cloudigrade are intended for cluster services that need to access the cloudigrade APIs (either public or internal). Currently, micro-services need to forward or construct an x-rh-identity header carrying the information cloudigrade requires (account_number and is_org_admin) before cloudigrade will honor such requests. With pre-shared keys, a micro-service is instead trusted once cloudigrade receives the following headers:

  • x-rh-cloudigrade-psk
    • the PSK that cloudigrade generated and reserved for a particular service.
  • x-rh-cloudigrade-account-number
    • the additional account-number that may be required by the API being accessed.
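As an added illustration of the check described above (not cloudigrade's own middleware; the function name, the psk_map argument and the account-number validation are assumptions), here is how a service-side handler can authenticate the two headers. The PSK is compared in constant time against every configured entry, so timing does not reveal which service's key matched or how much of it matched.

```python
import hmac
from typing import Mapping, Optional, Tuple

# Header names are taken from the wiki page; everything else here is a
# hypothetical illustration, not cloudigrade's implementation.
PSK_HEADER = "x-rh-cloudigrade-psk"
ACCOUNT_HEADER = "x-rh-cloudigrade-account-number"


def authenticate_psk_headers(
    headers: Mapping[str, str], psk_map: Mapping[str, str]
) -> Optional[Tuple[str, Optional[str]]]:
    """Return (service_name, account_number) if the request carries a valid PSK.

    psk_map is the decoded cloudigrade-psks JSON: {service_name: psk}.
    Returns None when the PSK header is missing, matches no service, or the
    account-number header is present but malformed.
    """
    # HTTP header names are case-insensitive; normalise them once.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(PSK_HEADER)
    if not presented:
        return None

    matched_service = None
    # Walk every configured PSK without breaking early and compare with
    # hmac.compare_digest, so the amount of work and the comparison time do
    # not depend on which entry (if any) matches. PSKs are fixed-length
    # UUID strings, so the length-mismatch shortcut in compare_digest does
    # not leak anything useful either.
    for service, expected in psk_map.items():
        if hmac.compare_digest(expected.encode(), presented.encode()):
            matched_service = service
    if matched_service is None:
        return None

    account = lowered.get(ACCOUNT_HEADER)
    if account is not None and not account.isdigit():
        # A non-numeric account number is a malformed request, not an
        # authenticated request with an odd identity.
        return None
    return matched_service, account
```

The lookup deliberately returns the service name rather than a bare boolean: downstream authorization should know which caller presented the key, and the map is expected to contain one distinct PSK per service.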

Generating PSKs

While the pre-shared keys themselves can be any opaque values, we decided to simply use a lower-cased UUID value. Each service is also assigned a different PSK value for stage and prod.

A couple of ways to generate a new PSK:

  # plain old bash
  $ uuidgen | tr '[A-Z]' '[a-z]'
  6da01674-0985-404c-affc-27c735052882
  # python
  $ python3 -c "import uuid; print(uuid.uuid4())"
  c004035b-3419-4503-b1aa-76b08d60733e

Assigning PSKs

The cloudigrade PSKs are stored in a single JSON key named cloudigrade-psks in the cloudigrade-app-secret secret. The JSON simply maps each service name to its PSK value, as follows:

    {
      "source":"c9a98753-2092-4617-b226-5c2653330b3d",
      "swatch":"0a095486-317d-40d4-a8f6-b2b481ab8e54"
    }

Adding a new service, say new-service, is simply a matter of adding a new key to that JSON:

    {
      "new-service":"b32c6eca-dd5e-4fb2-8c57-e0e5aa9f5d07",
      "source":"c9a98753-2092-4617-b226-5c2653330b3d",
      "swatch":"0a095486-317d-40d4-a8f6-b2b481ab8e54"
    }
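As an added example (not part of the cloudigrade project; load_psk_map, add_service_psk and their validation rules are assumptions), a small helper that performs this edit programmatically. It refuses to overwrite an existing service, rejects a PSK that is not a lower-cased UUID or that is already assigned to another service, and emits the keys sorted so the secret diffs cleanly in the MR.

```python
import json
import uuid
from typing import Dict, Optional


def new_psk() -> str:
    """Generate a PSK in the form the wiki settles on: a lower-cased UUID4."""
    return str(uuid.uuid4()).lower()


def is_valid_psk(value: str) -> bool:
    """Accept only canonical lower-case UUID strings, mirroring the generation rule."""
    try:
        return str(uuid.UUID(value)) == value
    except (ValueError, AttributeError, TypeError):
        return False


def load_psk_map(psks_json: str) -> Dict[str, str]:
    """Parse the cloudigrade-psks JSON and check it is a flat service -> psk object."""
    psks = json.loads(psks_json)
    if not isinstance(psks, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in psks.items()
    ):
        raise ValueError("cloudigrade-psks must be a JSON object of service -> psk strings")
    return psks


def add_service_psk(psks_json: str, service: str, psk: Optional[str] = None) -> str:
    """Return the cloudigrade-psks JSON with `service` added (hypothetical helper).

    A missing psk is generated; an existing service is never silently replaced
    because rotation should be a deliberate, separate step.
    """
    psks = load_psk_map(psks_json)
    if not service or service.strip() != service:
        raise ValueError("service name must be non-empty with no surrounding whitespace")
    if service in psks:
        raise ValueError(f"service {service!r} already has a PSK; rotate it explicitly")
    psk = psk if psk is not None else new_psk()
    if not is_valid_psk(psk):
        raise ValueError("PSK must be a lower-cased UUID")
    if psk in psks.values():
        # Each PSK must identify exactly one caller.
        raise ValueError("PSK already assigned to another service")
    psks[service] = psk
    # sort_keys reproduces the ordering the page shows and keeps secret diffs stable.
    return json.dumps(psks, indent=2, sort_keys=True)
```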

Deploying the new PSKs

Finally, deploying the new PSKs to stage and prod for the new micro-service is done by updating the cloudigrade-psks JSON for both stage and prod and creating new versions of the cloudigrade-app-secret via:

Then create an MR to app-interface to bump the versions of the cloudigrade-app-secret secrets:

Here's an example MR: https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/27181

After the MR is merged and the updated secrets are deployed to Stage and Prod, the new micro-service can use its new PSK internally in the cluster.

Using a cloudigrade PSK in the Ephemeral cluster

For dev and testing purposes in the ephemeral cluster, any service or test framework can grab the cloudigrade PSK that is reserved for that purpose. The PSK is provided in the cloudigrade-psk secret and can be obtained as follows:

  $ CLOUDIGRADE_PSK="$(oc get secrets/cloudigrade-psk -o jsonpath='{.data.psk}' | base64 -d)"

Example of accessing the cloudigrade API in the ephemeral cluster, with local port 8000 forwarded to the cloudigrade-api pod:

  $ http localhost:8000/api/cloudigrade/v2/instances/ x-rh-cloudigrade-psk:${CLOUDIGRADE_PSK} x-rh-cloudigrade-account-number:1234567