

Expand Up @@ -34,6 +34,12 @@ trait FrontendLoginUtil extends WithAuth0Support { self: FrontendTestCommon =>
}
currentUrl should startWith(url)
}
loginOnceConfirmedToBeAtUrl(ledgerApiUser)
}

protected def loginOnceConfirmedToBeAtUrl(
ledgerApiUser: String
)(implicit webDriver: WebDriver) = {
eventually(timeUntilSuccess = 5.seconds) {
if (find(id("logout-button")).isDefined) {
eventuallyClickOn(id("logout-button"))
2 changes: 2 additions & 0 deletions cluster/expected/canton-network/expected.json
Expand Up @@ -1838,6 +1838,7 @@
},
"contactPoint": "sv-support@digitalasset.com",
"disableAllocateLedgerApiUserParty": true,
"disableAuth": false,
"enablePostgresMetrics": true,
"failOnAppVersionMismatch": true,
"imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",
Expand Down Expand Up @@ -2657,6 +2658,7 @@
},
"contactPoint": "sv-support@digitalasset.com",
"disableAllocateLedgerApiUserParty": true,
"disableAuth": false,
"enablePostgresMetrics": true,
"failOnAppVersionMismatch": true,
"imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",
2 changes: 2 additions & 0 deletions cluster/expected/splitwell/expected.json
Expand Up @@ -548,6 +548,7 @@
"hostname": "mock.global.canton.network.digitalasset.com",
"name": "cn-mocknet"
},
"disableAuth": false,
"enableHealthProbes": true,
"enablePostgresMetrics": true,
"imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",
Expand Down Expand Up @@ -913,6 +914,7 @@
"name": "cn-mocknet"
},
"contactPoint": "sv-support@digitalasset.com",
"disableAuth": false,
"enablePostgresMetrics": true,
"failOnAppVersionMismatch": true,
"imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",
1 change: 1 addition & 0 deletions cluster/expected/validator-runbook/expected.json
Expand Up @@ -440,6 +440,7 @@
"hostname": "mock.global.canton.network.digitalasset.com",
"name": "cn-mocknet"
},
"disableAuth": false,
"enableHealthProbes": true,
"enablePostgresMetrics": true,
"imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",
2 changes: 2 additions & 0 deletions cluster/expected/validator1/expected.json
Expand Up @@ -591,6 +591,7 @@
"hostname": "mock.global.canton.network.digitalasset.com",
"name": "cn-mocknet"
},
"disableAuth": false,
"enableHealthProbes": true,
"enablePostgresMetrics": true,
"extraVolumeMounts": [
Expand Down Expand Up @@ -901,6 +902,7 @@
"name": "cn-mocknet"
},
"contactPoint": "sv-support@digitalasset.com",
"disableAuth": false,
"enablePostgresMetrics": true,
"failOnAppVersionMismatch": true,
"imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",
20 changes: 14 additions & 6 deletions cluster/helm/splice-participant/templates/participant.yaml
Expand Up @@ -44,12 +44,6 @@ spec:
value: {{ .Values.persistence.port | quote }}
- name: CANTON_PARTICIPANT_POSTGRES_SCHEMA
value: {{ .Values.persistence.schema }}
- name: CANTON_PARTICIPANT_ADMIN_USER_NAME
valueFrom: {{ .Values.participantAdminUserNameFrom | toYaml | nindent 12 }}
- name: AUTH_JWKS_URL
value: {{ .Values.auth.jwksUrl }}
- name: AUTH_TARGET_AUDIENCE
value: {{ .Values.auth.targetAudience }}
- name: CANTON_PARTICIPANT_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
Expand All @@ -73,6 +67,20 @@ spec:
}
}
{{- end }}
{{- if .Values.disableAuth }}
- name: CANTON_PARTICIPANT_ADMIN_USER_NAME
value: ledger-api-user
- name: ADDITIONAL_CONFIG_DISABLE_AUTH
value: |
canton.participants.participant.ledger-api.auth-services=[]

@isegall-da Sorry I only reviewed this now, but I think this is the wrong approach. You have now made the same mistake that we made in the docker compose deployment (which we have an issue to fix, and did fix for localnet): for the ledger API you disabled auth completely, while for the validator we have HMAC shared-secret auth. This mismatch has caused confusion for a number of users. IMHO we should use HMAC shared-secret auth for both.

{{- else }}
- name: CANTON_PARTICIPANT_ADMIN_USER_NAME
valueFrom: {{ .Values.participantAdminUserNameFrom | toYaml | nindent 12 }}
- name: AUTH_JWKS_URL
value: {{ .Values.auth.jwksUrl }}
- name: AUTH_TARGET_AUDIENCE
value: {{ .Values.auth.targetAudience }}
{{- end }}
{{- include "splice-util-lib.additional-env-vars" .Values.additionalEnvVars | indent 8}}
{{- include "splice-util-lib.log-level" .Values | indent 8}}
ports:
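Review bot: The literal `ledger-api-user` given to `CANTON_PARTICIPANT_ADMIN_USER_NAME` in the new `disableAuth` branch has to equal the `SPLICE_APP_VALIDATOR_LEDGER_API_AUTH_USER_NAME` literal in splice-validator/templates/validator.yaml, yet nothing in either chart ties the two together, so editing one silently breaks the other. At minimum add `# must match SPLICE_APP_VALIDATOR_LEDGER_API_AUTH_USER_NAME in splice-validator/templates/validator.yaml` above the entry; better, render both from one shared value or named template (the charts already include `splice-util-lib` helpers). The branch also deserves a one-line comment stating its effect, e.g. `# disableAuth: empty auth-services leaves the ledger API without any auth service`, since the template is otherwise the only place where the behaviour is defined. The enclosing `env:` list starts above the hunk.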
44 changes: 43 additions & 1 deletion cluster/helm/splice-participant/tests/participant_test.yaml
Expand Up @@ -104,7 +104,22 @@ tests:
content:
# We don't really care about the name of the env var but helm unittest wants it
name: ADDITIONAL_CONFIG_SPLICE_PARTICIPANT_CRYPTO_PROVIDER_KMS
value: "canton.participants.participant.crypto {\n provider = kms\n kms = {\n extra-canton-key = mock_value\n map-canton-key = {\n first-map-entry = first_map_value\n recursive-map-entry = {\n recursive-map = recursive_value\n }\n second-map-entry = second_map_value\n }\n region = mock_region\n type = awwws\n }\n} \n"
value: |
canton.participants.participant.crypto {
provider = kms
kms = {
extra-canton-key = mock_value
map-canton-key = {
first-map-entry = first_map_value
recursive-map-entry = {
recursive-map = recursive_value
}
second-map-entry = second_map_value
}
region = mock_region
type = awwws
}
}
# Secret configured via Helm with valueFrom
- contains:
path: spec.template.spec.containers[0].env
Expand Down Expand Up @@ -166,3 +181,30 @@ tests:
persistentVolumeClaim:
claimName: claim_name
- name: empty-dir-volume
- it: "defaults to auth"
documentSelector:
path: kind
value: Deployment
asserts:
- notExists:
path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='CANTON_PARTICIPANT_ADMIN_USER_NAME')].value
- notExists:
path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='ADDITIONAL_CONFIG_DISABLE_AUTH')].value
- it: "supports disabling auth"
set:
disableAuth: true
documentSelector:
path: kind
value: Deployment
asserts:
- equal:
path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='CANTON_PARTICIPANT_ADMIN_USER_NAME')].value
value: ledger-api-user
- equal:
path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='ADDITIONAL_CONFIG_DISABLE_AUTH')].value
value: |
canton.participants.participant.ledger-api.auth-services=[]
- notExists:
path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='AUTH_JWKS_URL')].value
- notExists:
path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='AUTH_TARGET_AUDIENCE')].value
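Review bot: The "defaults to auth" case only asserts absence, so it cannot detect a regression that drops the auth env vars from the default branch: `CANTON_PARTICIPANT_ADMIN_USER_NAME` is rendered with `valueFrom` there, which is why `notExists` on `.value` passes, and nothing checks that `AUTH_JWKS_URL` or `AUTH_TARGET_AUDIENCE` are present. Add positive `exists` asserts for those two values so the default (authenticated) rendering is pinned as firmly as the `disableAuth: true` rendering is below it.
```yaml
  - it: "defaults to auth"
    # … unchanged: documentSelector …
    asserts:
      - exists:
          path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='AUTH_JWKS_URL')].value
      - exists:
          path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='AUTH_TARGET_AUDIENCE')].value
      # … unchanged: the two notExists asserts …
```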
3 changes: 3 additions & 0 deletions cluster/helm/splice-participant/values-template.yaml
Expand Up @@ -44,3 +44,6 @@ persistence:
# tolerations:

extraInitContainers: []

# set to true to disable auth (this is highly insecure)
disableAuth: false
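Review bot: The comment on `disableAuth` says the setting is insecure but not what it changes, which is what an operator deciding whether to set it needs to know. Based on the templates in this PR it removes the participant ledger API's auth services and switches the validator and the wallet/ANS UIs to a fixed HMAC secret that is hard-coded in the chart; suggest `# set to true to run the participant ledger API without auth-services and the validator/UIs with a fixed, chart-embedded HMAC secret — for local/test deployments only (highly insecure)`.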
16 changes: 15 additions & 1 deletion cluster/helm/splice-participant/values.schema.json
Expand Up @@ -2,7 +2,6 @@
"$schema": "http://json-schema.org/schema#",
"type": "object",
"required": [
"auth",
"defaultJvmOptions",
"imageRepo",
"participantAdminUserNameFrom",
Expand Down Expand Up @@ -100,6 +99,21 @@
}
}
},
"disableAuth": {
"type": "boolean"
},
"if": {
"properties": {
"disableAuth": {
"const": "true"
}
}
},
"then": {
"required": [
"auth"
]
},
"metrics": {
"type": "object",
"properties": {
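Review bot: The new conditional never enforces anything: `"const": "true"` is a string while `disableAuth` is declared `boolean`, so a boolean `true` does not match it, and from the context (`metrics` is a sibling at the same level) the `if`/`then` pair appears to sit inside `properties`, where they are read as schemas for properties literally named "if" and "then" rather than as keywords. The intent, given that the participant template reads `.Values.auth.*` only in the non-disableAuth branch, also looks inverted — `auth` should be required unless `disableAuth` is true, and an `if` with only `properties` passes when `disableAuth` is absent. Move the conditional to the top level of the schema, next to `required`, keep `"disableAuth": {"type": "boolean"}` under `properties`, and use an `else` so the absent and `false` cases both require `auth`. `participantAdminUserNameFrom` is likewise still listed in `required` although the template ignores it when `disableAuth` is true.
```json
"if": {
  "properties": { "disableAuth": { "const": true } },
  "required": ["disableAuth"]
},
"else": {
  "required": ["auth"]
}
```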
37 changes: 23 additions & 14 deletions cluster/helm/splice-validator/templates/ans-web-ui.yaml
Expand Up @@ -34,20 +34,6 @@ spec:
imagePullPolicy: {{ . }}
{{- end }}
env:
- name: SPLICE_APP_UI_AUTH_CLIENT_ID
valueFrom:
secretKeyRef:
key: client-id
name: splice-app-cns-ui-auth
optional: false
- name: SPLICE_APP_UI_AUTH_URL
valueFrom:
secretKeyRef:
key: url
name: splice-app-cns-ui-auth
optional: false
- name: SPLICE_APP_UI_AUTH_AUDIENCE
value: {{ .Values.auth.audience | quote }}
- name: SPLICE_APP_UI_NETWORK_NAME
value: {{ .Values.spliceInstanceNames.networkName | quote }}
- name: SPLICE_APP_UI_NETWORK_FAVICON_URL
Expand All @@ -62,6 +48,29 @@ spec:
value: {{ .Values.spliceInstanceNames.nameServiceNameAcronym | quote }}
- name: SPLICE_APP_UI_POLL_INTERVAL
value: {{ .Values.uiPollInterval | quote }}
{{- if .Values.disableAuth }}
- name: SPLICE_APP_UI_UNSAFE
value: "true"
- name: SPLICE_APP_UI_UNSAFE_SECRET
value: "unsafe"
- name: SPLICE_APP_UI_AUTH_AUDIENCE
value: "https://validator.example.com"
{{- else }}
- name: SPLICE_APP_UI_AUTH_CLIENT_ID
valueFrom:
secretKeyRef:
key: client-id
name: splice-app-cns-ui-auth
optional: false
- name: SPLICE_APP_UI_AUTH_URL
valueFrom:
secretKeyRef:
key: url
name: splice-app-cns-ui-auth
optional: false
- name: SPLICE_APP_UI_AUTH_AUDIENCE
value: {{ .Values.auth.audience | quote }}
{{- end }}
ports:
- containerPort: 8080
name: http
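Review bot: The `SPLICE_APP_UI_UNSAFE_SECRET` value `"unsafe"` and the audience `"https://validator.example.com"` in the new `disableAuth` branch are repeated verbatim in wallet-web-ui.yaml and must equal the `secret` and `audience` of the `hs-256-unsafe` block in validator.yaml for UI-minted tokens to be accepted, yet the three templates share no value or helper that guarantees this. Render all three from one named template or one value (the chart already includes `splice-util-lib` helpers), or at least add `# must match the hs-256-unsafe audience/secret in validator.yaml` above the entries here and in wallet-web-ui.yaml. The enclosing `env:` list starts above the hunk.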
49 changes: 36 additions & 13 deletions cluster/helm/splice-validator/templates/validator.yaml
Expand Up @@ -42,7 +42,6 @@ spec:
- name: SPLICE_APP_DARS
value: {{ .Values.appDars | toJson | quote }}
{{ end }}
{{- include "splice-util-lib.auth0-env-vars" (dict "appName" "validator" "keyName" "validator" "fixedTokens" (.Values.cluster).fixedTokens) | indent 8}}
{{- range $ii, $user := .Values.additionalUsers }}
- name: {{ $user.name }}
{{ if $user.value }}
Expand Down Expand Up @@ -89,18 +88,6 @@ spec:
- name: SPLICE_APP_VALIDATOR_PARTY_HINT
value: {{ .Values.validatorPartyHint }}
{{ end }}
- name: SPLICE_APP_VALIDATOR_AUTH_AUDIENCE
value: {{ .Values.auth.audience | quote }}
- name: SPLICE_APP_VALIDATOR_AUTH_JWKS_URL
value: {{ .Values.auth.jwksUrl | quote }}
{{ if (.Values.auth.jwks).connectionTimeout }}
- name: SPLICE_APP_VALIDATOR_AUTH_JWKS_CONNECTION_TIMEOUT
value: {{ .Values.auth.jwks.connectionTimeout | quote }}
{{ end }}
{{ if (.Values.auth.jwks).readTimeout }}
- name: SPLICE_APP_VALIDATOR_AUTH_JWKS_READ_TIMEOUT
value: {{ .Values.auth.jwks.readTimeout | quote }}
{{ end }}
{{ if .Values.svValidator }}
- name: SPLICE_APP_VALIDATOR_SV_VALIDATOR
value: "true"
Expand Down Expand Up @@ -282,6 +269,42 @@ spec:
- name: ADDITIONAL_CONFIG_MAX_VETTING_DELAY
value: canton.validator-apps.validator_backend.max-vetting-delay = "{{ . }}"
{{- end }}
{{- if .Values.disableAuth }}
- name: ADDITIONAL_CONFIG_DISABLE_AUTH
value: |
canton.validator-apps.validator_backend {
auth=""
}
canton.validator-apps.validator_backend {
auth={
algorithm = "hs-256-unsafe"
audience = "https://validator.example.com"
secret = "unsafe"
}
}
canton.validator-apps.validator_backend.participant-client.ledger-api.auth-config=""
canton.validator-apps.validator_backend.participant-client.ledger-api.auth-config {
type="none"
}
- name: SPLICE_APP_VALIDATOR_LEDGER_API_AUTH_USER_NAME
value: ledger-api-user
- name: SPLICE_APP_VALIDATOR_LEDGER_API_AUTH_AUDIENCE
value: "https://ledger_api.example.com"
{{- else }}
- name: SPLICE_APP_VALIDATOR_AUTH_AUDIENCE
value: {{ .Values.auth.audience | quote }}
- name: SPLICE_APP_VALIDATOR_AUTH_JWKS_URL
value: {{ .Values.auth.jwksUrl | quote }}
{{ if (.Values.auth.jwks).connectionTimeout }}
- name: SPLICE_APP_VALIDATOR_AUTH_JWKS_CONNECTION_TIMEOUT
value: {{ .Values.auth.jwks.connectionTimeout | quote }}
{{ end }}
{{ if (.Values.auth.jwks).readTimeout }}
- name: SPLICE_APP_VALIDATOR_AUTH_JWKS_READ_TIMEOUT
value: {{ .Values.auth.jwks.readTimeout | quote }}
{{ end }}
{{- include "splice-util-lib.auth0-env-vars" (dict "appName" "validator" "keyName" "validator" "fixedTokens" (.Values.cluster).fixedTokens) | indent 8}}
{{- end }}
ports:
- containerPort: 5003
name: val-http
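Review bot: The `ADDITIONAL_CONFIG_DISABLE_AUTH` block first assigns `auth=""` and `auth-config=""` and then immediately assigns objects to the same paths, with no explanation of why the string assignments are there; a reader will be tempted to delete them as dead lines. In HOCON an object assigned after a non-object replaces the earlier value instead of merging into it, which is presumably the reason — add `# Resetting each key to "" first makes HOCON replace the default auth object instead of merging into it` above the entry (confirm against the default config the validator ships with). `SPLICE_APP_VALIDATOR_LEDGER_API_AUTH_AUDIENCE` is also set to an example.com value while `ledger-api.auth-config` is `type="none"`; if the audience is unused in that mode, a comment saying so (or dropping the entry) would avoid the impression that it matters. The enclosing `env:` list starts above the hunk.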
37 changes: 23 additions & 14 deletions cluster/helm/splice-validator/templates/wallet-web-ui.yaml
Expand Up @@ -29,20 +29,6 @@ spec:
{{- include "splice-util-lib.service-account" .Values | nindent 6 }}
containers:
- env:
- name: SPLICE_APP_UI_AUTH_CLIENT_ID
valueFrom:
secretKeyRef:
key: client-id
name: splice-app-wallet-ui-auth
optional: false
- name: SPLICE_APP_UI_AUTH_URL
valueFrom:
secretKeyRef:
key: url
name: splice-app-wallet-ui-auth
optional: false
- name: SPLICE_APP_UI_AUTH_AUDIENCE
value: {{ .Values.auth.audience | quote }}
- name: SPLICE_APP_UI_NETWORK_NAME
value: {{ .Values.spliceInstanceNames.networkName | quote }}
- name: SPLICE_APP_UI_NETWORK_FAVICON_URL
Expand All @@ -57,6 +43,29 @@ spec:
value: {{ .Values.spliceInstanceNames.nameServiceNameAcronym | quote }}
- name: SPLICE_APP_UI_POLL_INTERVAL
value: {{ .Values.uiPollInterval | quote }}
{{- if .Values.disableAuth }}
- name: SPLICE_APP_UI_UNSAFE
value: "true"
- name: SPLICE_APP_UI_UNSAFE_SECRET
value: "unsafe"
- name: SPLICE_APP_UI_AUTH_AUDIENCE
value: "https://validator.example.com"
{{- else }}
- name: SPLICE_APP_UI_AUTH_URL
valueFrom:
secretKeyRef:
key: url
name: splice-app-wallet-ui-auth
optional: false
- name: SPLICE_APP_UI_AUTH_AUDIENCE
value: {{ .Values.auth.audience | quote }}
- name: SPLICE_APP_UI_AUTH_CLIENT_ID
valueFrom:
secretKeyRef:
key: client-id
name: splice-app-wallet-ui-auth
optional: false
{{- end }}
image: "{{ .Values.imageRepo }}/wallet-web-ui:{{ .Chart.AppVersion }}{{ ((.Values.imageDigests).wallet_web_ui) }}"
{{- with .Values.imagePullPolicy }}
imagePullPolicy: {{ . }}
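Review bot: The `else` branch here lists the auth entries as URL, AUDIENCE, CLIENT_ID, whereas the removed lines at the top of this file and the equivalent branch in ans-web-ui.yaml use CLIENT_ID, URL, AUDIENCE. Keeping the same order in both UI templates makes them diff cleanly against each other and against history; reorder the three entries to `SPLICE_APP_UI_AUTH_CLIENT_ID`, `SPLICE_APP_UI_AUTH_URL`, `SPLICE_APP_UI_AUTH_AUDIENCE`. The container's `env:` list continues below the hunk.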