feat(client): scaffolding for stateless requests-proxy auth (HC-1)#100
Open
feat(client): scaffolding for stateless requests-proxy auth (HC-1)#100
Conversation
Adds the chart-side resources required by the stateless JWT auth path that CR-1 (proxy verify) and CR-2 (jobs-manager mint) land in client-runtime: a multi-version HMAC keys Secret, a revoked-jti ConfigMap, RBAC rules scoped to those two resources via resourceNames, and the deployment mounts/env both pods need to find them. Both new resources are rendered with helm.sh/resource-policy: keep, and both use lookup() to preserve existing data across helm upgrade — losing the keys Secret invalidates every JWT held by running training pods, and resetting the revoked list silently re-authorizes previously-stopped jobs. The runtime path is gated by requestsProxy.statelessTokens (default false). Flipping the flag is OPS-1. Refs #96
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Chart-side scaffolding for the stateless requests-proxy auth path. Companion to client-runtime#26 (CR-1, proxy verify) and client-runtime#27 (CR-2, jobs-manager mint). Cutover is tracked in #99 (OPS-1).
<release>-requests-proxy-keysSecret holds HMAC keys (active,v1, …).lookup-preserved across upgrades andhelm.sh/resource-policy: keep— losing it invalidates every JWT held by running training pods.<release>-requests-proxy-revokedConfigMap holds the revoked-jti list. Same preservation pattern; withoutlookup, everyhelm upgradewould silently re-authorize previously-stopped jobs.clusterScopepaths inrbac.yaml) areresourceNames-scoped to those two specific objects so jobs-manager can't touch unrelated configmaps/secrets in the namespace./etc/proxy/keys/. The proxy also mounts the revoked ConfigMap at/etc/proxy/revoked/. New env vars:REQUESTS_PROXY_STATELESS,RELEASE_NAME,NAMESPACE, plusREQUESTS_PROXY_TOKEN_TTL_SECONDSandREVOKED_CONFIGMAP_NAMEon jobs-manager.requestsProxy.statelessTokens(defaultfalse) andrequestsProxy.tokenTtlSeconds(default7776000= 90d, aligned to the quarterly key-rotation cadence).The runtime path is gated entirely by the
requestsProxy.statelessTokensenv var on the pods — chart-side resources always render so OPS-1 is a one-linehelm upgrade --setoperation, not a chart-shape change.Test plan
helm templateclean against default values and--set requestsProxy.statelessTokens=truehelm lintcleanhelm unittest ./client— 127/127 passing, including 9 new cases inrequests_proxy_stateless_test.yamlcovering the keys Secret, revoked ConfigMap, RBAC under bothclusterScope=trueandclusterScope=false, and both deployments.helm upgrade --set requestsProxy.statelessTokens=true, kill the proxy pod, verify in-flight training pods continue without 401s. Tracked under OPS-1 (ops: enable stateless requests-proxy in staging then prod #99).Closes #96
Note
Medium Risk
Adds new Helm-managed Secret/ConfigMap plus new RBAC and pod mounts/env vars; while gated by a flag, mistakes could break proxy authentication or leave behind persistent auth artifacts due to
resource-policy: keep. Changes touch deployment manifests and permissions but not application logic.Overview
Introduces chart scaffolding for stateless
requests-proxyauth by adding a persistent<release>-requests-proxy-keysSecret (lookup-preserved,helm.sh/resource-policy: keep) and a<release>-requests-proxy-revokedConfigMap to store revoked token IDs.Updates
jobs-managerandrequests-proxyDeployments to mount these resources and inject new env vars (includingREQUESTS_PROXY_STATELESSgated byrequestsProxy.statelessTokens, plus release/namespace metadata and JWT TTL/revoked ConfigMap name). RBAC is extended (both cluster- and namespace-scoped paths) with resourceName-scoped access to read the keys Secret and update the revoked ConfigMap.Adds
requestsProxy.statelessTokensandrequestsProxy.tokenTtlSecondstovalues.yaml/schema and includes Helm unittest coverage for the new templates and wiring.Reviewed by Cursor Bugbot for commit 4974fb5. Bugbot is set up for automated code reviews on this repo. Configure here.