From 3c5899de48fb5694aefff8a221a04db0930abc7c Mon Sep 17 00:00:00 2001
From: TBThomas56
Date: Fri, 29 May 2026 12:50:53 +0100
Subject: [PATCH 1/2] fix(backend): add logic to hide workflow_name and namespace
---
 backend/auth-daemon/src/main.rs | 37 ++++++++++++++++++++++++++++++-------
 1 file changed, 30 insertions(+), 7 deletions(-)
diff --git a/backend/auth-daemon/src/main.rs b/backend/auth-daemon/src/main.rs
index 54c335f93..0f310ec89 100644
--- a/backend/auth-daemon/src/main.rs
+++ b/backend/auth-daemon/src/main.rs
@@ -28,6 +28,7 @@ mod state;
 use axum_reverse_proxy::ReverseProxy;
 use config::DaemonConfig;
+use k8s_openapi::api::core::v1::Pod;
 use kube::{
 Api, Client,
 api::{ApiResource, DynamicObject},
@@ -39,21 +40,43 @@ type Result = std::result::Result;
 static CRYPTO_PROVIDER: OnceLock<()> = OnceLock::new();
 async fn resolve_subject() -> anyhow::Result {
- let workflow_name = std::env::var("ARGO_WORKFLOW_NAME")
- .map_err(|_| anyhow::anyhow!("ARGO_WORKFLOW_NAME not set"))?;
- let namespace = std::env::var("MY_POD_NAMESPACE")
- .map_err(|_| anyhow::anyhow!("MY_POD_NAMESPACE not set"))?;
+ let namespace =
+ std::fs::read_to_string("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+ .context("failed to read namespace from service account token")?;
+ let namespace = namespace.trim();
+ let pod_name = std::fs::read_to_string("/etc/hostname")
+ .context("failed to read pod name from /etc/hostname")?;
+ let pod_name = pod_name.trim();
 let client = Client::try_default()
 .await
 .context("failed to create Kubernetes client (check service account token mount)")?;
+
+ let pods: Api = Api::namespaced(client.clone(), namespace);
+ let pod = pods
+ .get(pod_name)
+ .await
+ .with_context(|| format!("failed to get pod {}/{}", namespace, pod_name))?;
+ let workflow_name = pod
+ .metadata
+ .labels
+ .as_ref()
+ .and_then(|l| l.get("workflows.argoproj.io/workflow"))
+ .ok_or_else(|| {
+ anyhow::anyhow!(
+ "label workflows.argoproj.io/workflow missing on pod {}",
+ pod_name
+ )
+ })?
+ .clone();
+
 let gvk = GroupVersionKind::gvk("argoproj.io", "v1alpha1", "Workflow");
- let api = Api::::namespaced_with(
+ let wf_api = Api::::namespaced_with(
 client,
- &namespace,
+ namespace,
 &ApiResource::from_gvk_with_plural(&gvk, "workflows"),
 );
- let workflow = api
+ let workflow = wf_api
 .get(&workflow_name)
 .await
 .with_context(|| format!("failed to get workflow {}/{}", namespace, workflow_name))?;
From 5eb72ea8e0b6d97d68f7a7958c58ac901211d839 Mon Sep 17 00:00:00 2001
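Review bot: The new `pods.get(pod_name)` lookup requires the daemon's service account to be allowed to `get` pods in its own namespace, a permission the env-var approach it replaces did not need, and nothing in this series adds that RBAC, so resolve_subject will presumably fail with the "failed to get pod" error unless a Role/RoleBinding already exists elsewhere — worth stating on the `let pods` line, e.g. `// requires RBAC: get on pods in the daemon's own namespace`. Deriving the pod name from `/etc/hostname` also assumes the pod's hostname was not overridden (Kubernetes sets it from `spec.hostname` when that field is given), so a comment noting that assumption, or the downward API `metadata.name` if the template may still inject it, would make the failure mode explicit. Minor: `.as_ref().and_then(..).ok_or_else(..)?.clone()` reads more simply as `.as_ref().and_then(|l| l.get("workflows.argoproj.io/workflow")).cloned().ok_or_else(..)?`, and the message `"failed to read namespace from service account token"` names the token although the file read is the namespace file. resolve_subject's body continues beyond the end of the hunk.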
From: TBThomas56
Date: Fri, 29 May 2026 12:51:16 +0100
Subject: [PATCH 2/2] fix: modified template to hide workflow name and namespace
---
 .../conventional-templates/workflow-of-workflows.yaml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/examples/conventional-templates/workflow-of-workflows.yaml b/examples/conventional-templates/workflow-of-workflows.yaml
index d0630b2d0..3a3bca1b1 100644
--- a/examples/conventional-templates/workflow-of-workflows.yaml
+++ b/examples/conventional-templates/workflow-of-workflows.yaml
@@ -35,7 +35,7 @@ spec:
 secret:
 secretName: auth-daemon-config
 container:
- image: ghcr.io/diamondlightsource/workflows-auth-daemon@sha256:b904a82a59a91d4d1ccc86198540ea44ff2112fd8b0f681b539dd8217bd4010b
+ image: ghcr.io/diamondlightsource/workflows-auth-daemon@sha256:389cbdf0c6fc2a15401da52094c041ff065080f36853e58131f068a4e370447e
 readinessProbe:
 httpGet:
 path: /healthz
@@ -47,12 +47,6 @@ spec:
 mountPath: /etc/workflows-auth-daemon
 readOnly: true
 env:
- - name: ARGO_WORKFLOW_NAME
- value: "{{workflow.name}}"
- - name: MY_POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
 - name: WORKFLOWS_AUTH_DAEMON_CONFIG
 value: /etc/workflows-auth-daemon/config.yaml
 args: