feat(deployment): move service account passwords to autogenerated secrets for production

.github/workflows/e2e-k3d.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Template with helm
         uses: WyriHaximus/github-action-helm3@v4
         with:
-          exec: ./deploy.py --verbose helm --branch ${{ github.ref_name }} --sha ${{ github.sha }} --template > /tmp/helm_template.yaml
+          exec: ./deploy.py --verbose helm --branch ${{ github.ref_name }} --sha ${{ github.sha }}  --for-e2e --template > /tmp/helm_template.yaml
 
       - name: Upload default helm template
         uses: actions/upload-artifact@v4
@@ -55,7 +55,7 @@ jobs:
           path: /tmp/helm_template.yaml
       - name: Deploy with helm
         run: |
-          ./deploy.py --verbose helm --branch ${{ github.ref_name }} --sha ${{ github.sha }}
+          ./deploy.py --verbose helm --branch ${{ github.ref_name }} --sha ${{ github.sha }} --for-e2e
 
       - uses: actions/setup-node@v4
         with:

deploy.py

@@ -50,6 +50,7 @@
                          default=HELM_VALUES_FILE)
 helm_parser.add_argument('--template', help='Just template and print out the YAML produced',
                         action='store_true')
+helm_parser.add_argument('--for-e2e', action='store_true', help='Use the E2E values file')
 
 upgrade_parser = subparsers.add_parser('upgrade', help='Upgrade helm installation')
 
@@ -141,14 +142,18 @@ def handle_helm():
         branch = args.branch
     else:
         branch = 'latest'
+
+
 
     parameters = [
         'helm', 'template' if args.template else 'install', HELM_RELEASE_NAME, HELM_CHART_DIR,
         '-f', args.values,
         '--set', "environment=local",
         '--set', f"branch={branch}",
     ]
-
+
+    if args.for_e2e:
+        parameters += ['-f', 'kubernetes/loculus/values_e2e_test.yaml']
     if args.sha:
         parameters += ['--set', f"sha={args.sha[:7]}"]
 

ingest/config/config.yaml

@@ -129,8 +129,6 @@ column_mapping:
   Virus Pangolin Classification: ncbi_virus_pangolin
   Virus Taxonomic ID: ncbi_virus_tax_id
 group_name: insdc_ingest_group
-username: insdc_ingest_user
-password: insdc_ingest_user
 keycloak_client_id: backend-client
 backend_url: https://backend-main.loculus.org/
 keycloak_token_url: https://authentication-main.loculus.org/realms/loculus/protocol/openid-connect/token

ingest/scripts/submit_to_loculus.py

@@ -5,6 +5,7 @@
 import click
 import requests
 import yaml
+import os
 
 logging.basicConfig(level=logging.DEBUG)
 
@@ -33,9 +34,13 @@ def get_jwt(config: Config) -> str:
     Get a JWT token for the given username and password
     """
 
+    keycloak_ingest_password = os.getenv("KEYCLOAK_INGEST_PASSWORD")
+    if not keycloak_ingest_password:
+        keycloak_ingest_password = config.password
+
     data = {
         "username": config.username,
-        "password": config.password,
+        "password": keycloak_ingest_password,
         "grant_type": "password",
         "client_id": config.keycloak_client_id,
     }

kubernetes/loculus/templates/_config-processor.tpl

@@ -15,6 +15,26 @@
         secretKeyRef:
           name: smtp-password
           key: secretKey
+    - name: LOCULUSSUB_insdcIngestUserPassword
+      valueFrom:
+        secretKeyRef:
+          name: service-accounts
+          key: insdcIngestUserPassword
+    - name: LOCULUSSUB_dummyPreprocessingPipelinePassword
+      valueFrom:
+        secretKeyRef:
+          name: service-accounts
+          key: dummyPreprocessingPipelinePassword
+    - name: LOCULUSSUB_siloImportJobPassword
+      valueFrom:
+        secretKeyRef:
+          name: service-accounts
+          key: siloImportJobPassword
+    - name: LOCULUSSUB_backendUserPassword
+      valueFrom:
+        secretKeyRef:
+          name: service-accounts
+          key: backendUserPassword
     - name: LOCULUSSUB_backendKeycloakClientSecret
       valueFrom:
         secretKeyRef:

kubernetes/loculus/templates/keycloak-config-map.yaml

@@ -88,20 +88,20 @@ data:
             }
           },
           {
-            "username": "insdc_ingest_user",
+            "username": "superuser",
             "enabled": true,
-            "email": "insdc_ingest_user@void.o",
+            "email": "superuser@void.o",
             "emailVerified" : true,
-            "firstName": "INSDC Ingest",
-            "lastName": "User",
+            "firstName": "Dummy",
+            "lastName": "SuperUser",
             "credentials": [
               {
                 "type": "password",
-                "value": "insdc_ingest_user"
+                "value": "superuser"
               }
             ],
             "realmRoles": [
-              "user",
+              "super_user",
               "offline_access"
             ],
             "attributes": {
@@ -112,22 +112,23 @@ data:
                 "manage-account"
               ]
             }
-          },
+          }, 
+          {{ end }}
           {
-            "username": "dummy_preprocessing_pipeline",
+            "username": "insdc_ingest_user",
             "enabled": true,
-            "email": "dummy_preprocessing_pipeline@void.o",
+            "email": "insdc_ingest_user@void.o",
             "emailVerified" : true,
-            "firstName": "Dummy",
-            "lastName": "Preprocessing",
+            "firstName": "INSDC Ingest",
+            "lastName": "User",
             "credentials": [
               {
                 "type": "password",
-                "value": "dummy_preprocessing_pipeline"
+                "value": "[[insdcIngestUserPassword]]"
               }
             ],
             "realmRoles": [
-              "preprocessing_pipeline",
+              "user",
               "offline_access"
             ],
             "attributes": {
@@ -140,20 +141,20 @@ data:
             }
           },
           {
-            "username": "superuser",
+            "username": "preprocessing_pipeline",
             "enabled": true,
-            "email": "superuser@void.o",
+            "email": "preprocessing_pipeline@void.o",
             "emailVerified" : true,
             "firstName": "Dummy",
-            "lastName": "SuperUser",
+            "lastName": "Preprocessing",
             "credentials": [
               {
                 "type": "password",
-                "value": "superuser"
+                "value": "[[dummyPreprocessingPipelinePassword]]"
               }
             ],
             "realmRoles": [
-              "super_user",
+              "preprocessing_pipeline",
               "offline_access"
             ],
             "attributes": {
@@ -165,7 +166,6 @@ data:
               ]
             }
           },
-        {{ end }}
         {
           "username": "silo_import_job",
           "enabled": true,
@@ -176,7 +176,7 @@ data:
           "credentials": [
             {
               "type": "password",
-              "value": "silo_import_job"
+              "value": "[[siloImportJobPassword]]"
             }
           ],
           "realmRoles": [
@@ -205,7 +205,7 @@ data:
           "credentials": [
             {
               "type": "password",
-              "value": "backend"
+              "value": "[[backendUserPassword]]"
             }
           ],
           "clientRoles": {

kubernetes/loculus/templates/lapis-silo-import-cronjob.yaml

@@ -44,7 +44,10 @@ spec:
                 - name: IMPORT_JOB_USER
                   value: "silo_import_job"
                 - name: IMPORT_JOB_USER_PASSWORD
-                  value: "silo_import_job"
+                  valueFrom:
+                    secretKeyRef:
+                      name: service-accounts
+                      key: siloImportJobPassword
               volumeMounts:
                 - name: lapis-silo-database-config-processed
                   mountPath: /preprocessing/input/reference_genomes.json

kubernetes/loculus/templates/loculus-backend.yaml

@@ -43,7 +43,7 @@ spec:
             - "--crossref.endpoint=$(CROSSREF_TEST_ENDPOINT)"
             - "--crossref.username=$(CROSSREF_USERNAME)"
             - "--crossref.password=$(CROSSREF_TEST_PASSWORD)"
-            - "--keycloak.password=backend"
+            - "--keycloak.password=$(BACKEND_KEYCLOAK_PASSWORD)"
             - "--keycloak.realm=loculus"
             - "--keycloak.client=backend-client"
             - "--keycloak.url=http://loculus-keycloak-service:8083"
@@ -70,6 +70,11 @@ spec:
                  name: crossref
                  key: livePassword
            {{- end }}
+            - name: BACKEND_KEYCLOAK_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: service-accounts
+                  key: backendUserPassword
             - name: DB_URL
               valueFrom:
                secretKeyRef:

kubernetes/loculus/templates/loculus-ingest-deployment.yaml

@@ -26,6 +26,12 @@ spec:
         - name: ingest-{{ $key }}
           image: {{ $value.ingest.image}}:{{ $dockerTag }}
           imagePullPolicy: Always
+          env:
+            - name: KEYCLOAK_INGEST_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: service-accounts
+                  key: insdcIngestUserPassword
           args:
             {{- range $arg := $value.ingest.args }}
             - "{{ $arg }}"

kubernetes/loculus/templates/loculus-preprocessing-deployment.yaml

@@ -34,13 +34,20 @@ spec:
         - name: preprocessing-{{ $organism }}
           image: {{ $processingConfig.image}}:{{ $dockerTag }}
           imagePullPolicy: Always
+          env:
+            - name: KEYCLOAK_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: service-accounts
+                  key: dummyPreprocessingPipelinePassword
           args:
             {{- range $arg := $processingConfig.args }}
             - "{{ $arg }}"
             {{- end }}
             - "--backend-host={{ $backendHost }}/{{ $organism }}"
             - "--keycloak-host={{ $organismcloakHost }}"
             - "--pipeline-version={{ $processingConfig.version }}"
+            - "--keycloak-password=$(KEYCLOAK_PASSWORD)"
       {{- if $processingConfig.configFile }}
             - "--config=/etc/config/preprocessing-config.yaml"
           volumeMounts:

kubernetes/loculus/values.yaml

@@ -911,6 +911,13 @@ secrets:
       username: "dummy"
       testPassword: "dummy"
       livePassword: "dummy"
+  service-accounts:
+    type: autogen
+    data:
+      insdcIngestUserPassword: ""
+      dummyPreprocessingPipelinePassword: ""
+      siloImportJobPassword: ""
+      backendUserPassword: ""
   keycloak-admin:
     type: raw
     data:

kubernetes/loculus/values_e2e_test.yaml

@@ -0,0 +1,8 @@
+secrets:
+    service-accounts:
+      type: raw
+      data:
+        insdcIngestUserPassword: "insdc_ingest"
+        dummyPreprocessingPipelinePassword: "preprocessing_pipeline"
+        siloImportJobPassword: "silo_import_job"
+        backendUserPassword: "backend"

preprocessing/dummy/main.py

@@ -17,9 +17,9 @@
 parser.add_argument("--randomWarnError", action="store_true", help="Make errors and warnings occur stochastically")
 parser.add_argument("--maxSequences", type=int, help="Max number of sequence entry versions to process.")
 parser.add_argument("--keycloak-host", type=str, default="http://172.0.0.1:8083", help="Host address of Keycloak")
-parser.add_argument("--keycloak-user", type=str, default="dummy_preprocessing_pipeline",
+parser.add_argument("--keycloak-user", type=str, default="preprocessing_pipeline",
                     help="Keycloak user to use for authentication")
-parser.add_argument("--keycloak-password", type=str, default="dummy_preprocessing_pipeline",
+parser.add_argument("--keycloak-password", type=str,
                     help="Keycloak password to use for authentication")
 parser.add_argument("--keycloak-token-path", type=str, default="/realms/loculus/protocol/openid-connect/token", help="Path to Keycloak token endpoint")
 parser.add_argument("--pipeline-version", type=int, default=1)

preprocessing/nextclade/src/loculus_preprocessing/config.py

@@ -19,8 +19,8 @@
 class Config:
     backend_host: str = "http://127.0.0.1:8079"
     keycloak_host: str = "http://172.0.0.1:8083"
-    keycloak_user: str = "dummy_preprocessing_pipeline"
-    keycloak_password: str = "dummy_preprocessing_pipeline"
+    keycloak_user: str = "preprocessing_pipeline"
+    keycloak_password: str = ""
     keycloak_token_path: str = "realms/loculus/protocol/openid-connect/token"
     nextclade_dataset_name: str = "nextstrain/mpox/all-clades"
     nextclade_dataset_tag: str | None = None

website/tests/util/preprocessingPipeline.ts

@@ -56,8 +56,8 @@ async function submit(preprocessingOptions: PreprocessingOptions[]) {
 }
 
 async function getJwtTokenForPreprocessingPipeline(
-    username: string = 'dummy_preprocessing_pipeline',
-    password: string = 'dummy_preprocessing_pipeline',
+    username: string = 'preprocessing_pipeline',
+    password: string = 'preprocessing_pipeline',
 ): Promise<string> {
     const token = await getToken(username, password);