charmed-hpc / slurm-charms

Juju charms for automating the Day 0 to Day 2 operations of the Slurm workload manager ⚖️🐧
Apache License 2.0

Use juju secrets to exchange the JWT and MUNGE keys between Slurm nodes #38

Open NucciTheBoss opened 5 days ago

NucciTheBoss commented 5 days ago

Currently the Slurm charms are exchanging both the JWT and MUNGE keys through Juju relations, but as of Juju v3, we can now use Juju Secrets to exchange sensitive information between applications rather than as plain text through relation data bags. We should use Juju's secrets implementation to exchange the JWT and MUNGE keys between our Slurm applications as it provides several benefits over our current implementation.

Juju Secrets offer the ability to control which applications are allowed to access specific secrets, and it is easier to rotate out stale secrets using `SecretRotateEvent`. You can also set expiration dates for secrets, which enables us to determine how long a MUNGE key should be in use. Juju Secrets also enable us to more securely handle these keys within the charms.

The only downside to Juju Secrets is that anyone who has a Slurm cluster on Juju v2 will be unable to automatically refresh to the secrets-enabled Slurm charms. They will need to redeploy their Charmed HPC cluster.
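An added example (not part of the issue thread or the slurm-charms code): a small audit over the parsed output of `juju show-unit <unit> --format json` that reports relation data bag fields still carrying key material in plain text instead of a Juju secret URI. The `relation-info` layout as used here, the field names (`munge_key`, `jwt-secret-id`) and every sample value are assumptions constructed for illustration.

```python
import base64
import re

# Field names hinting at sensitive values (assumed naming; adjust per charm).
SENSITIVE_NAME = re.compile(r"munge|jwt|key|secret|token|passw", re.I)

def looks_like_key_material(value: str) -> bool:
    """True for PEM blocks or long base64 blobs such as an encoded MUNGE key."""
    if "-----BEGIN" in value:
        return True
    compact = "".join(value.split())
    if len(compact) < 32:
        return False
    try:
        base64.b64decode(compact, validate=True)
        return True
    except ValueError:  # binascii.Error subclasses ValueError
        return False

def audit_relation_data(show_unit: dict) -> list:
    """Return (unit, endpoint, field) for each databag field exposing a secret."""
    findings = []
    for unit, info in show_unit.items():
        for rel in info.get("relation-info", []):
            bags = [rel.get("application-data", {})]
            bags += [u.get("data", {}) for u in rel.get("related-units", {}).values()]
            for bag in bags:
                for field, value in bag.items():
                    value = str(value)
                    if value.startswith("secret:"):
                        continue  # Juju secret URI: only a reference is shared
                    named = SENSITIVE_NAME.search(field) and len(value) >= 16
                    if named or looks_like_key_material(value):
                        findings.append((unit, rel.get("endpoint", "?"), field))
    return findings

# Constructed sample: one legacy relation with an inline key, one using a secret URI.
FAKE_KEY = base64.b64encode(b"constructed sample bytes, not a real MUNGE key").decode()
SAMPLE = {"slurmd/0": {"relation-info": [
    {"endpoint": "slurmctld",
     "application-data": {"munge_key": FAKE_KEY, "cluster_name": "charmed-hpc"},
     "related-units": {"slurmctld/0": {"data": {"ingress-address": "10.0.0.5"}}}},
    {"endpoint": "slurmrestd",
     "application-data": {"jwt-secret-id": "secret:constructedsampleid00"}},
]}}

if __name__ == "__main__":
    for unit, endpoint, field in audit_relation_data(SAMPLE):
        print(f"{unit} [{endpoint}]: '{field}' carries plaintext key material")
```

The base64 check is a heuristic, so treat findings as candidates to review rather than confirmed exposures.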

jamesbeedy commented 5 days ago

100% behind this!