ubicloud/spec/routes/runtime/spec_helper.rb
Enes Cakir befeedab8d Introduce runtime API endpoints
Generally, the controlplane has been passing necessary data to the
dataplane at the start of operations. However, this approach can't
pre-determine the information needed for future operations. There are
instances where the control plane sends additional data to the dataplane
during later stages, once it identifies the needed data. However, this
polling method introduces delays. In some scenarios, the dataplane
should have the capability to directly request this information from the
controlplane during runtime, eliminating any delay. I needed this
feature for implementing GitHub Actions Cache integration. The GitHub
runner requires pre-signed blob storage URLs for uploading and
downloading cache, a decision made at runtime. It calculates the
required cache keys and versions. Rather than developing this feature
solely for GitHub integration, I opted to create a more generic solution
to identify the requesting virtual machine. This can be utilized for
other integrations as well. The dataplane may need information from the
controlplane or may need to trigger an operation on the controlplane.

When a request arrives at the controlplane, we must verify that it
originates from our virtual machines and authenticate it. I selected JWT
tokens for this authentication process, the same method we use for our
customer API. We embed the UBID of the virtual machines into the JWT
token. Thus, if the token signature is valid, we can identify the source
virtual machines. One common criticism of JWT tokens is their
statelessness; they can't be revoked by default. However, there are
workarounds. Firstly, the token is only valid for the lifetime of the
virtual machine. Once the runner is destroyed, the token is no longer
valid. Additionally, we include a creation date in the token, allowing
us to set an expiration time. I haven't yet implemented this expiration
feature since the runners are typically short-lived. However, it can be
easily added when we introduce runtime API endpoints for long-lived
resources.
2024-06-25 10:02:01 +03:00

14 lines
302 B
Ruby

# frozen_string_literal: true

require_relative "../spec_helper"

RSpec.configure do |config|
  config.before {
    allow(Config).to receive(:clover_runtime_token_secret).and_return(Config.clover_session_secret)
  }
end

def login_runtime(vm)
  header "Authorization", "Bearer #{vm.runtime_token}"
end
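
The token scheme the commit message describes (VM identifier embedded in a signed token, validity tied to the VM's lifetime, a creation date that allows an expiry), as an added example that is not Ubicloud's code. The module name, the `sub`/`iat` claim names, HS256 and the `live_vms` lookup are assumptions made for illustration.

```ruby
# Added example, not the project's implementation. Claim names, HS256 and
# the live_vms list (standing in for a database lookup) are assumptions.
require "openssl"
require "base64"
require "json"

module RuntimeTokenSketch
  HEADER = Base64.urlsafe_encode64(JSON.generate({"alg" => "HS256", "typ" => "JWT"}), padding: false)

  def self.b64(data)
    Base64.urlsafe_encode64(data, padding: false)
  end

  def self.mac(secret, input)
    b64(OpenSSL::HMAC.digest("SHA256", secret, input))
  end

  # Issue a token carrying the VM identifier and its creation time.
  def self.issue(vm_ubid, secret, now: Time.now)
    input = "#{HEADER}.#{b64(JSON.generate({"sub" => vm_ubid, "iat" => now.to_i}))}"
    "#{input}.#{mac(secret, input)}"
  end

  # Returns the VM identifier, or nil when the request must be rejected.
  def self.verify(token, secret, live_vms:, max_age: nil, now: Time.now)
    parts = token.to_s.split(".", -1)
    return nil unless parts.length == 3
    head, body, sig = parts
    # Pin the algorithm: the token's header never chooses how it is verified.
    return nil unless head == HEADER
    # Constant-time comparison, done before any claim is parsed.
    return nil unless OpenSSL.secure_compare(mac(secret, "#{head}.#{body}"), sig)
    claims = JSON.parse(Base64.urlsafe_decode64(body))
    return nil unless claims.is_a?(Hash)
    ubid, iat = claims.values_at("sub", "iat")
    # Revocation by lifetime: a token for a destroyed VM identifies nothing.
    return nil unless ubid.is_a?(String) && live_vms.include?(ubid)
    # Optional expiry derived from the creation date.
    return nil unless iat.is_a?(Integer)
    return nil if max_age && now.to_i - iat > max_age
    ubid
  rescue JSON::ParserError, ArgumentError
    nil
  end
end
```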