[Docs] Revise identity deployment documentation
Changes PlannedPublic
Actions

Authored by varun on Jul 28 2023, 11:09 AM.

Details

Reviewers

bartek
• jon
ashoat

Summary

Change documentation to use environment variable for server_setup
secrets instead of a docker volume introduced in https://phab.comm.dev/D8641.
Also ensure that secrets directory is created before generating secrets to
avoid docker creating it as sudo user.

Addresses https://linear.app/comm/issue/ENG-4531

Test Plan

Run each identity section

Diff Detail

Repository

rCOMM Comm

Branch

jonringer/identity-docs-followup

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

• jon created this revision.Jul 28 2023, 11:09 AM

Herald added a subscriber: tomek. · View Herald TranscriptJul 28 2023, 11:09 AM

• jon added inline comments.Jul 28 2023, 11:12 AM

docs/nix_services_deployment.md
23 ↗	(On Diff #29191)	since I'm writing this locally as well, decided to omit the mention of the docker volume

• jon mentioned this in D8581: [Docs] Document how to deploy identity service.Jul 28 2023, 11:12 AM

Setting @bartek and @varun both as blocking since they had separate comments

docs/nix_services_deployment.md
12 ↗	(On Diff #29191)	This isn't exactly what @varun asked for. Not sure if that was intentional or not
17 ↗	(On Diff #29191)	I think we can just say "authentication of a password" instead of "authentication of a password user". We don't explain the concept of a "password user" anywhere else in the docs, nor should we need to in order to explain what OPAQUE is.

varun added inline comments.Jul 28 2023, 11:40 AM

docs/nix_services_deployment.md
12 ↗	(On Diff #29191)	the file option still needs a file, not a directory
21 ↗	(On Diff #29191)	the `keygen` program creates the secrets directory i think. is there a way we can avoid calling `mkdir` ourselves and still avoid Docker creating it as sudo user? edit: the documented steps actually don't even work for me. getting this error: Creating secrets directory "secrets" Error: Os { code: 13, kind: PermissionDenied, message: "Permission denied" }
35 ↗	(On Diff #29191)	we don't need this, since we'll look for the file if the env var isn't present

Harbormaster completed remote builds in B21313: Diff 29191.Jul 28 2023, 11:48 AM

• jon requested review of this revision.Jul 28 2023, 11:48 AM

varun requested changes to this revision.Jul 28 2023, 11:49 AM

This revision now requires changes to proceed.Jul 28 2023, 11:49 AM

Address feedback

Minor corrections

• jon marked 3 inline comments as done.Aug 1 2023, 10:40 AM

• jon added inline comments.

docs/nix_services_deployment.md
17 ↗	(On Diff #29191)	Rewritten
21 ↗	(On Diff #29191)	do you mind doing `ls -lg` and see who owns the directory? If you already have a secrets directory, it could be causing issues. I was also tempted with just saying to run `cargo run -- keygen`. But then I would need a step saying to download cargo.
35 ↗	(On Diff #29191)	I either need to mount a secrets directory or expose the environment variable. Having neither will not work. I went with an environment variable since that is closer to what we want to use with ECS. Docker volumes also seem more prone to UID and GID issues between the host and container.