From c54f77024a7eaa35d4574c144860fc74787dcf77 Mon Sep 17 00:00:00 2001
From: Denys Fedoryshchenko
Date: Thu, 30 Apr 2026 21:13:15 +0300
Subject: [PATCH 1/2] ci: pin actions/checkout in test workflow
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 12b12f15..4db2c821 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -25,7 +25,7 @@ jobs:
 steps:
 - name: Check out source code
- uses: actions/checkout@v2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Export environment variables
 run: |
From 5f410aca6a41441c353c15b4ed367ef64467b9c9 Mon Sep 17 00:00:00 2001
From: Denys Fedoryshchenko
Date: Thu, 30 Apr 2026 21:15:40 +0300
Subject: [PATCH 2/2] docs: document unified secret deployment
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 doc/local-instance.md | 22 ++++++++++++++++++++++
 env.sample | 7 +++++++
 kube/aks/api.yaml | 9 +++++++++
 3 files changed, 38 insertions(+)
diff --git a/doc/local-instance.md b/doc/local-instance.md
index f08bbf7d..f8d20ffc 100644
--- a/doc/local-instance.md
+++ b/doc/local-instance.md
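Review bot: The `# v6.0.2` trailer on the new `uses:` line is a free-text comment that nothing verifies, so after this pin the comment can drift from the commit it names the next time either part is edited by hand; enabling Dependabot for the `github-actions` package ecosystem (or Renovate) keeps the SHA and the tag comment bumped together. The hunk shows only the checkout step and the job continues past it, so any other `uses:` lines in this workflow presumably still reference mutable tags and should be pinned the same way for the change to close the supply-chain gap. I could not confirm from the diff that `de0fac2e…` is the commit tagged v6.0.2 in actions/checkout, so that mapping should be checked against the upstream tag before merging.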
@@ -53,6 +53,28 @@ $ echo MONGO_SERVICE=mongodb://db:27017 >> .env
 `SECRET_KEY` and `MONGO_SERVICE` are always required. `KCI_INITIAL_PASSWORD` is required only when no admin user exists yet.
+#### Unified secret (shared across KernelCI services)
+
+The API can additionally accept JWTs signed with a shared HS256 key called
+`UNIFIED_SECRET`. When set, each incoming token is validated against
+`SECRET_KEY` first and falls back to `UNIFIED_SECRET` on signature failure
+(see `DualSecretJWTStrategy` in `api/auth.py`). The same key is installed
+on `kernelci-pipeline` (`[jwt].unified_secret`), `kernelci-storage`
+(`unified_secret` in its TOML) and `kcidb-restd-rs` (`--unified-secret` /
+`UNIFIED_SECRET`), so a single token authenticates a user across all four
+services.
+
+Generate it the same way as `SECRET_KEY`:
+
+```
+$ echo UNIFIED_SECRET=$(openssl rand -hex 32) >> .env
+```
+
+`UNIFIED_SECRET` is optional; leave it unset to disable the fallback. The
+full token spec, per-service claim validation, and step-by-step deployment
+migration are documented in `UNIFIED_TOKEN.md` in the `kernelci-deploy`
+repository.
+
 ### Start docker-compose
 To build the Docker images and start `docker-compose`:
diff --git a/env.sample b/env.sample
index 85c7ec8e..d2ae774e 100644
--- a/env.sample
+++ b/env.sample
@@ -1,4 +1,11 @@
 SECRET_KEY=
+# Optional second HS256 key accepted as a fallback on token verification.
+# When set, the API tries SECRET_KEY first and UNIFIED_SECRET on signature
+# failure, so a single JWT can authenticate the user across all KernelCI
+# services (api, pipeline lava-callback, storage, kcidb-restd-rs). The same
+# value must be installed on each service. See UNIFIED_TOKEN.md in the
+# kernelci-deploy repo for the full spec and migration steps.
+UNIFIED_SECRET=
 MONGO_SERVICE=mongodb://db:27017
 #algorithm=
 #access_token_expire_minutes=
diff --git a/kube/aks/api.yaml b/kube/aks/api.yaml
index e7f7216b..a812f51b 100644
--- a/kube/aks/api.yaml
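Review bot: The new `UNIFIED_SECRET=` line in env.sample is left active with an empty value, while the other optional settings in the same file (`#algorithm=`, `#access_token_expire_minutes=`) are commented out. Anyone who copies `env.sample` to `.env` therefore passes an empty-string `UNIFIED_SECRET` into the container, and whether the API treats `""` as "unset" (fallback disabled, as the new doc text promises) or as a configured HS256 verification key is decided in `api/auth.py`, which is not part of this diff. Unless that code is known to ignore empty values, the safer sample is `#UNIFIED_SECRET=`, matching the surrounding style, with the comment amended to `# Uncomment and set to enable; an empty value must never be used as a key.`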
+++ b/kube/aks/api.yaml
@@ -50,6 +50,15 @@ spec:
 secretKeyRef:
 name: kernelci-api-secret
 key: secret-key
+ # Optional unified HS256 key shared with kernelci-pipeline,
+ # kernelci-storage and kcidb-restd-rs. Add a `unified-secret`
+ # key to the kernelci-api-secret Secret to enable.
+ - name: UNIFIED_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: kernelci-api-secret
+ key: unified-secret
+ optional: true
 - name: EMAIL_SENDER
 valueFrom:
 configMapKeyRef:
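Review bot: `optional: true` on the new `secretKeyRef` means a missing `unified-secret` key in `kernelci-api-secret` (including a typo such as `unified_secret`) is silently tolerated: the pod starts, `UNIFIED_SECRET` is simply absent, and tokens signed only with the shared key are rejected with no hint in the deployment itself. That is the right failure direction for an optional fallback, but the comment should say so, e.g. `# optional: if the key is missing the pod still starts and cross-service tokens are rejected; check the pod's env when debugging.` The same value also has to be present on kernelci-pipeline, kernelci-storage and kcidb-restd-rs, so rotating `unified-secret` here must be coordinated with those deployments; the comment could point at where that procedure is documented (the doc hunk names `UNIFIED_TOKEN.md` in kernelci-deploy) rather than only how to enable the key.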