Support groups without password authentication #108
Conversation
|
I think this is fine. @nineinchnick opinion? |
| @@ -58,13 +58,15 @@ spec: | |||
| configMap: | |||
| name: trino-access-control-volume-coordinator | |||
| {{- end }}{{- end }} | |||
| {{- if eq .Values.server.config.authenticationType "PASSWORD" }} | |||
| {{- if or (eq .Values.server.config.authenticationType "PASSWORD") .Values.auth.groups }} | |||
| - name: password-volume | |||
There was a problem hiding this comment.
Nit: it might be a bit confusing for users when they see this volume name (and the trino-password-authentication secret) with only groups; consider renaming this to something more generic, like file-authentication. This is just a suggestion, shouldn't block this PR.
huw0
force-pushed
the
support-groups-without-password-auth
branch
from
150a315 to
e5261b4
Compare
huw0
force-pushed
the
support-groups-without-password-auth
branch
from
e5261b4 to
a7ec41d
Compare
|
Thanks for your feedback. I've amended the PR with the following changes:
Larger changes:
|
No, backward compatibility is more important. |
|
Great thanks, I will leave as-is. Is this good to merge? |
|
I think this broke |
|
@jkoelker - Do you have a reproducer config you can share? With |
|
@huw0 yep, here's a redacted version from my deployment: server:
config:
authenticationType: PASSWORD
auth:
passwordAuthSecret: trino-password-authentication
additionalConfigProperties:
- "internal-communication.shared-secret=shared-secret"
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- host: trino.my.cloud
paths:
- path: /
pathType: Prefix
tls:
- secretName: trino-cert
hosts:
- trino.my.cloudAdding the secret mount in will get it to work: coordinator:
secretMounts:
- name: trino-password-authentication
secretName: trino-password-authentication
path: /etc/trino/auth |
|
ok, so I see the issue that setting However, the password file is not present because no passwords are configured. Therefore, how are you using password authentication? |
You just create a secret with a key I think the fix is to just add |
|
The fix you've suggested reverts to the previous behaviour and I'd be happy to raise a PR that does this (since this is after all my breakage!) However this does not seem like an ideal fix? The Therefore should it not be the case that you maintain a separate secret outside of the trino chart? In which case a better fix would be to modify Either this should take a configurable path to the password file or when using a custom secret this file should be omitted and instead set through |
|
I'm not sure that's really the intention of This is the pattern in many other charts that have some sort of auth secret that they end up using, you can either let the chart manage it (like if you're just testing things out), or you can set the secret name where the chart will refer to, so an external service will manage the auth, which is much more suited for real world deployments. Either way, I think it should just be documented, and if the choice is made that this chart must manage the secret insecurely, it should be strongly reccomended to not use password auth then. |
|
I believe it will as i stated prior that adding the secret to the or condition would work. Do note that the linked commit also introduces a new requirement that the secret contain the |
…thSecret is set
|
Great - raised as #143 |
…thSecret is set
Presently the chart only supports groups where password authentication is used.
This removes the limitation so that groups can be used with any authentication type. My specific use case is to enable groups with certificate authentication. However, I've also found it beneficial to be able to set groups with no authentication which has been helpful for testing.