Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secrets: do not mount secrets if not needed by workflow #467

Open
diegodelemos opened this issue Nov 26, 2020 · 0 comments
Open

secrets: do not mount secrets if not needed by workflow #467

diegodelemos opened this issue Nov 26, 2020 · 0 comments
Labels
type/bug

Comments

@diegodelemos
Copy link
Member

REANA always mounts user secrets inside jobs even if they don't need them.

This causes an issue which can be reproduced as follows:

  1. User creates secrets CERN_USER and CERN_KEYTAB.
  2. User runs workflow W1 which uses CERN_USER and CERN_KEYTAB.
  3. User is done with W1 and starts working on workflow W2. 
    $ reana-client run -n W2
  4. But W2 doesn't depend on CERN_USER nor CERN_KEYTAB, so the user deletes those secrets: 
    $ reana-client secrets-delete CERN_USER CERN_KEYTAB
  5. As a side effect W2 fails under unknown circumstances.
  6. The admin can see: 
    $ kubectl describe pod reana-run-job-xxxxx-yyy-zz | grep Error
  Reason:       CreateContainerConfigError
  Warning  Failed       6m26s (x3 over 6m27s)  kubelet, reana-xxxxx-node-2  Error: couldn't find key CERN_USER in Secret default/reana-secretsstore-xxxxx-yyy-zz
  Warning  Failed       5m24s (x5 over 6m13s)  kubelet, reana-xxxxx-node-2  Error: couldn't find key CERN_KEYTAB in Secret default/reana-secretsstore-xxxxx-yyy-zz
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@diegodelemos