support no-auth mode in k8s (#2603)

Signed-off-by: Itai Segall <[email protected]>

Author: isegall-da

apps/app/src/test/scala/org/lfdecentralizedtrust/splice/integration/tests/runbook/ValidatorPreflightIntegrationTest.scala

@@ -34,6 +34,12 @@ trait FrontendLoginUtil extends WithAuth0Support { self: FrontendTestCommon =>
       }
       currentUrl should startWith(url)
     }
+    loginOnceConfirmedToBeAtUrl(ledgerApiUser)
+  }
+
+  protected def loginOnceConfirmedToBeAtUrl(
+      ledgerApiUser: String
+  )(implicit webDriver: WebDriver) = {
     eventually(timeUntilSuccess = 5.seconds) {
       if (find(id("logout-button")).isDefined) {
         eventuallyClickOn(id("logout-button"))

apps/app/src/test/scala/org/lfdecentralizedtrust/splice/util/FrontendLoginUtil.scala

@@ -1838,6 +1838,7 @@
         },
         "contactPoint": "[email protected]",
         "disableAllocateLedgerApiUserParty": true,
+        "disableAuth": false,
         "enablePostgresMetrics": true,
         "failOnAppVersionMismatch": true,
         "imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",
@@ -2657,6 +2658,7 @@
         },
         "contactPoint": "[email protected]",
         "disableAllocateLedgerApiUserParty": true,
+        "disableAuth": false,
         "enablePostgresMetrics": true,
         "failOnAppVersionMismatch": true,
         "imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",

cluster/expected/canton-network/expected.json

@@ -548,6 +548,7 @@
           "hostname": "mock.global.canton.network.digitalasset.com",
           "name": "cn-mocknet"
         },
+        "disableAuth": false,
         "enableHealthProbes": true,
         "enablePostgresMetrics": true,
         "imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",
@@ -913,6 +914,7 @@
           "name": "cn-mocknet"
         },
         "contactPoint": "[email protected]",
+        "disableAuth": false,
         "enablePostgresMetrics": true,
         "failOnAppVersionMismatch": true,
         "imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",

cluster/expected/splitwell/expected.json

@@ -440,6 +440,7 @@
           "hostname": "mock.global.canton.network.digitalasset.com",
           "name": "cn-mocknet"
         },
+        "disableAuth": false,
         "enableHealthProbes": true,
         "enablePostgresMetrics": true,
         "imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",

cluster/expected/validator-runbook/expected.json

@@ -591,6 +591,7 @@
           "hostname": "mock.global.canton.network.digitalasset.com",
           "name": "cn-mocknet"
         },
+        "disableAuth": false,
         "enableHealthProbes": true,
         "enablePostgresMetrics": true,
         "extraVolumeMounts": [
@@ -901,6 +902,7 @@
           "name": "cn-mocknet"
         },
         "contactPoint": "[email protected]",
+        "disableAuth": false,
         "enablePostgresMetrics": true,
         "failOnAppVersionMismatch": true,
         "imageRepo": "us-central1-docker.pkg.dev/da-cn-shared/ghcr/digital-asset/decentralized-canton-sync-dev/docker",

cluster/expected/validator1/expected.json

@@ -44,12 +44,6 @@ spec:
           value: {{ .Values.persistence.port | quote }}
         - name: CANTON_PARTICIPANT_POSTGRES_SCHEMA
           value: {{ .Values.persistence.schema }}
-        - name: CANTON_PARTICIPANT_ADMIN_USER_NAME
-          valueFrom: {{ .Values.participantAdminUserNameFrom | toYaml | nindent 12 }}
-        - name: AUTH_JWKS_URL
-          value: {{ .Values.auth.jwksUrl }}
-        - name: AUTH_TARGET_AUDIENCE
-          value: {{ .Values.auth.targetAudience }}
         - name: CANTON_PARTICIPANT_POSTGRES_PASSWORD
           valueFrom:
             secretKeyRef:
@@ -73,6 +67,20 @@ spec:
               }
             }
         {{- end }}
+        {{- if .Values.disableAuth }}
+        - name: CANTON_PARTICIPANT_ADMIN_USER_NAME
+          value: ledger-api-user
+        - name: ADDITIONAL_CONFIG_DISABLE_AUTH
+          value: |
+            canton.participants.participant.ledger-api.auth-services=[]
+        {{- else }}
+        - name: CANTON_PARTICIPANT_ADMIN_USER_NAME
+          valueFrom: {{ .Values.participantAdminUserNameFrom | toYaml | nindent 12 }}
+        - name: AUTH_JWKS_URL
+          value: {{ .Values.auth.jwksUrl }}
+        - name: AUTH_TARGET_AUDIENCE
+          value: {{ .Values.auth.targetAudience }}
+        {{- end }}
         {{- include "splice-util-lib.additional-env-vars" .Values.additionalEnvVars | indent 8}}
         {{- include "splice-util-lib.log-level" .Values | indent 8}}
         ports:

cluster/helm/splice-participant/templates/participant.yaml

@@ -104,7 +104,22 @@ tests:
           content:
             # We don't really care about the name of the env var but helm unittest wants it
             name: ADDITIONAL_CONFIG_SPLICE_PARTICIPANT_CRYPTO_PROVIDER_KMS
-            value: "canton.participants.participant.crypto {\n  provider = kms\n  kms = {\n    extra-canton-key = mock_value\n    map-canton-key = {\n      first-map-entry = first_map_value\n      recursive-map-entry = {\n        recursive-map = recursive_value\n      }\n      second-map-entry = second_map_value\n    }\n    region = mock_region\n    type = awwws\n  }\n}        \n"
+            value: |
+              canton.participants.participant.crypto {
+                provider = kms
+                kms = {
+                  extra-canton-key = mock_value
+                  map-canton-key = {
+                    first-map-entry = first_map_value
+                    recursive-map-entry = {
+                      recursive-map = recursive_value
+                    }
+                    second-map-entry = second_map_value
+                  }
+                  region = mock_region
+                  type = awwws
+                }
+              }
       # Secret configured via Helm with valueFrom
       - contains:
           path: spec.template.spec.containers[0].env
@@ -166,3 +181,30 @@ tests:
               persistentVolumeClaim:
                 claimName: claim_name
             - name: empty-dir-volume
+  - it: "defaults to auth"
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='CANTON_PARTICIPANT_ADMIN_USER_NAME')].value
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='ADDITIONAL_CONFIG_DISABLE_AUTH')].value
+  - it: "supports disabling auth"
+    set:
+      disableAuth: true
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='CANTON_PARTICIPANT_ADMIN_USER_NAME')].value
+          value: ledger-api-user
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='ADDITIONAL_CONFIG_DISABLE_AUTH')].value
+          value: |
+            canton.participants.participant.ledger-api.auth-services=[]
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='AUTH_JWKS_URL')].value
+      - notExists:
+          path: spec.template.spec.containers[?(@.name=='participant')].env[?(@.name=='AUTH_TARGET_AUDIENCE')].value

cluster/helm/splice-participant/tests/participant_test.yaml

@@ -44,3 +44,6 @@ persistence:
 # tolerations:
 
 extraInitContainers: []
+
+# set to true to disable auth (this is highly insecure)
+disableAuth: false

cluster/helm/splice-participant/values-template.yaml

@@ -2,7 +2,6 @@
   "$schema": "http://json-schema.org/schema#",
   "type": "object",
   "required": [
-    "auth",
     "defaultJvmOptions",
     "imageRepo",
     "participantAdminUserNameFrom",
@@ -100,6 +99,21 @@
         }
       }
     },
+    "disableAuth": {
+      "type": "boolean"
+    },
+    "if": {
+      "properties": {
+        "disableAuth": {
+          "const": "true"
+        }
+      }
+    },
+    "then": {
+      "required": [
+        "auth"
+      ]
+    },
     "metrics": {
       "type": "object",
       "properties": {