@isegall-da isegall-da commented Oct 8, 2025

Cluster test with no-auth validator1

(docs coming in a few minutes, sorry)

Pull Request Checklist

Cluster Testing

  • If a cluster test is required, comment /cluster_test on this PR to request it, and ping someone with access to the DA-internal system to approve it.
  • If a hard-migration test is required (from the latest release), comment /hdm_test on this PR to request it, and ping someone with access to the DA-internal system to approve it.

PR Guidelines

  • Include any change that might be observable by our partners or affect their deployment in the release notes.
  • Specify fixed issues with Fixes #n, and mention issues worked on using #n
  • Include a screenshot for frontend-related PRs - see README or use your favorite screenshot tool

Merge Guidelines

  • Make the git commit message look sensible when squash-merging on GitHub (most likely: just copy your PR description).

Signed-off-by: Itai Segall <itai.segall@digitalasset.com>
@isegall-da isegall-da changed the title support no-auth mode in k8s WIP: support no-auth mode in k8s Oct 8, 2025
@isegall-da isegall-da changed the title WIP: support no-auth mode in k8s support no-auth mode in k8s Oct 9, 2025
@isegall-da isegall-da marked this pull request as ready for review October 9, 2025 13:07
@OriolMunoz-da OriolMunoz-da left a comment

tihi

@isegall-da

When writing the docs, I also realized I have a small testing gap in Pulumi, since I'm still creating auth-related secrets which the docs will say you can skip for no-auth, will fix the tests (and anything they expose...)

isegall-da commented Oct 9, 2025

@OriolMunoz-da @martinflorian-da indeed that exposed some issues when those secrets did not exist. All fixed now. Mind taking another look before I merge please, for sanity?

(successful test on the latest, FTR: https://app.circleci.com/pipelines/github/DACH-NY/canton-network-internal/35854/workflows/65f0f663-6c77-4290-beba-b4720d39c8fb)

@isegall-da

ping @OriolMunoz-da @martinflorian-da

@OriolMunoz-da

(successful test on the latest, FTR: https://app.circleci.com/pipelines/github/DACH-NY/canton-network-internal/35854/workflows/65f0f663-6c77-4290-beba-b4720d39c8fb)

redeploy_sv_runbook (191761) failed, though at a quick glance I cannot tell if it's caused by this PR or just flaked

@isegall-da

Thanks @OriolMunoz-da
Seems unrelated indeed, the point where it should matter has passed (the deploy_cluster and preflight_check), but definitely rerunning before merging: https://app.circleci.com/pipelines/github/DACH-NY/canton-network-internal/36175/workflows/5adbcca0-c573-4862-9c4b-5b9107323263

@martinflorian-da martinflorian-da left a comment

LGTM, thanks! (And sorry for ignoring for so long...)

@OriolMunoz-da OriolMunoz-da left a comment

also LGTM provided that ci run passes 😄

@isegall-da

Thanks @OriolMunoz-da Seems unrelated indeed, the point where it should matter has passed (the deploy_cluster and preflight_check), but definitely rerunning before merging: https://app.circleci.com/pipelines/github/DACH-NY/canton-network-internal/36175/workflows/5adbcca0-c573-4862-9c4b-5b9107323263

Woohoo, that passed.

@isegall-da isegall-da merged commit 32473b0 into main Oct 13, 2025
40 checks passed
@isegall-da isegall-da deleted the isegall/hmac-k8s branch October 13, 2025 13:56
value: ledger-api-user
- name: ADDITIONAL_CONFIG_DISABLE_AUTH
value: |
canton.participants.participant.ledger-api.auth-services=[]
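
Review bot: The `ADDITIONAL_CONFIG_DISABLE_AUTH` value at the end of this hunk sets `canton.participants.participant.ledger-api.auth-services=[]`, which leaves the participant's ledger API with no auth service at all rather than a weaker one. If this entry is not already conditional on an explicit no-auth opt-in, gate it so that it can never be rendered into a default deployment, and state in the docs for this mode that the ledger API port must be reachable only from trusted workloads in the cluster (for example via a NetworkPolicy), since nothing else will reject a caller.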

@isegall-da Sorry I only reviewed this now but I think this is the wrong approach. You now made the same mistake that we made in the docker compose deployment (but have an issue to fix and did fix for localnet): For the ledger API you disabled auth completely. For the validator we have hmac shared secret auth. This mismatch has caused confusion for a number of users. Imho we should use hmac shared secret auth for both.
