Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Credential plugins: lookup command relative to config's dir, nil = opt-out #375

Merged
merged 2 commits into from Dec 20, 2018
Merged

Credential plugins: lookup command relative to config's dir, nil = opt-out #375

merged 2 commits into from Dec 20, 2018

Conversation

cben
Copy link
Collaborator

@cben cben commented Dec 9, 2018
edited

Follow-up to #363.

Refine lookup to match Go client's behavior: Distinguish 3 cases:

  • absolute (e.g. /path/to/foo)
  • $PATH-based (e.g. curl)
  • relative to config file's dir, or specified base dir (e.g. ./foo)

If base dir explicitly set to nil, refuse to execute external commands, matching existing opt-out from file lookups (#372).

Document security aspects of credential plugins.

EDIT: ref https://banzaicloud.com/blog/kubeconfig-security/, kubernetes/kubectl#697

@cben
Credential plugins: lookup command relative to config's dir, nil = op…
a42b3d3 
…t out

Matches Go client's behavior:
kubernetes/kubernetes#59495 (comment)
Distinguish 3 cases:
- absolute (e.g. /path/to/foo)
- $PATH-based (e.g. curl)
- relative to config file's dir (e.g. ./foo)

If base dir explicitly set to nil, refuse to execute external commands,
matching existing opt-out from file lookups (ManageIQ#372).

Document security aspects of credential plugins.
@cben
Update CHANGELOG
875aeb3
@cben
Copy link
Collaborator Author

cben commented Dec 9, 2018

@motymichaely @KnVerey @rhodrid @f4tq please review.

@cben cben mentioned this pull request Dec 9, 2018
Merged
@cben
Copy link
Collaborator Author

cben commented Dec 20, 2018

@motymichaely @KnVerey @rhodrid @f4tq @jeremywadsack @fw42 @yaacov @grosser looking for at least one review.
I consider at least some of the things here necessary to able to release a new version with credential plugins exec support from #363.
(I'm open to pushback too of course, otherwise I wouldn't ask for review ;-)

motymichaely
motymichaely approved these changes Dec 20, 2018
View reviewed changes
Copy link
Contributor

@motymichaely motymichaely left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cben Awesome! Looks good to me.

@cben cben merged commit bc8d41b into ManageIQ:master Dec 20, 2018
@cben cben mentioned this pull request Dec 20, 2018
Merged
@jeremywadsack
Copy link
Contributor

@cben Looks good. I'll be excited when GCP moves this this instead of the customer provider.

@cben
Copy link
Collaborator Author

cben commented Dec 20, 2018

Released 4.2.0.

@cben cben mentioned this pull request Apr 28, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@motymichaely motymichaely motymichaely approved these changes

Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@cben @jeremywadsack @motymichaely