Commit
When bootstrapping a new VM, BOSH stores credentials in the metadata services of the different IaaSes. This includes the certificates the VM uses to access NATS. This is a security concern for some environments where a malicious user that can access the metadata service gets the NATS credentials. He will be able to connect to NATS and listen to the traffic between the VMs and the director.

This feature removes that risk by making the credentials stored in the metadata service ephemeral/short-lived, so if a user gets access to them, they won't be useful after the VM bootstrap. These credentials will be used only while starting a new VM, and after that, they will be replaced by permanent credentials that are not stored in the metadata service.

This feature is enabled by default. To disable it, a new parameter called `enable_short_lived_nats_credentials` should be added with false as its value in the director manifest during the create-env.

This feature will affect only newly created/recreated VMs. When an installation is using this feature it's a MUST to ensure that the stemcells used in the director are compatible with it; stemcells that are incompatible will result in unresponsive VMs. The oldest compatible stemcell versions are:

- Windows 2019 - 2019.41
- Ubuntu Xenial - 621.171
- Ubuntu Bionic - 1.36
- Ubuntu Jammy - All versions are supported.

[#183316690] [Deadline: Before End of FYQ1] [AHA] Short-lived NATS bootstrap credential

Co-authored-by: Daniel Felipe Ochoa <danielfelipo@vmware.com>
Co-authored-by: Brian Upton <bupton@vmware.com>
Co-authored-by: Brian Cunnie <bcunnie@vmware.com>
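The credential lifecycle the commit message describes, as an added Ruby example that is not part of this commit or of the BOSH code base; `BOOTSTRAP_TTL`, `Credential`, `VmRecord`, `authorized?` and the `fake-vm-cid-*` ids are hypothetical, and only the `permanent_nats_credentials` flag and its default come from the page:

```ruby
# Added example, not BOSH director code: a hypothetical model of the lifecycle
# the commit message describes. A bootstrap credential reaches the VM through
# the IaaS metadata service and is honoured only until the agent has swapped it
# for a permanent one, so a copy read from the metadata afterwards is useless.
BOOTSTRAP_TTL = 15 * 60 # seconds; assumed value, not taken from the director

Credential = Struct.new(:vm_cid, :kind, :not_after, keyword_init: true)
# Stand-in for a vms row; the flag mirrors the new column and its default (false).
VmRecord = Struct.new(:cid, :permanent_nats_credentials)

def issue_bootstrap_credential(vm, now)
  Credential.new(vm_cid: vm.cid, kind: :bootstrap, not_after: now + BOOTSTRAP_TTL)
end

# Issued over a channel that never touches the metadata service; from here on
# the VM row records that rotation has happened.
def issue_permanent_credential(vm)
  vm.permanent_nats_credentials = true
  Credential.new(vm_cid: vm.cid, kind: :permanent, not_after: nil)
end

# The decision a NATS-side authorizer would make: permanent credentials are
# valid for any known VM; bootstrap credentials only inside their window and
# only while that VM has not yet rotated to permanent ones.
def authorized?(vms, cred, now)
  vm = vms[cred.vm_cid]
  return false if vm.nil?
  return true if cred.kind == :permanent
  now < cred.not_after && !vm.permanent_nats_credentials
end

# Walks the flow for one constructed VM. Returns [bootstrap credential accepted
# during bootstrap, bootstrap credential accepted after rotation, bootstrap
# credential accepted after its TTL with no rotation, permanent credential
# accepted long after the TTL].
def bootstrap_flow
  t0 = Time.utc(2023, 1, 3, 14, 32, 46)
  vm = VmRecord.new('fake-vm-cid-1', false) # constructed id
  slow_vm = VmRecord.new('fake-vm-cid-2', false) # never finished rotating
  vms = { vm.cid => vm, slow_vm.cid => slow_vm }
  bootstrap = issue_bootstrap_credential(vm, t0)
  slow_bootstrap = issue_bootstrap_credential(slow_vm, t0)
  during = authorized?(vms, bootstrap, t0 + 60)
  permanent = issue_permanent_credential(vm)
  [during,
   authorized?(vms, bootstrap, t0 + 120),
   authorized?(vms, slow_bootstrap, t0 + BOOTSTRAP_TTL),
   authorized?(vms, permanent, t0 + BOOTSTRAP_TTL + 1)]
end
```

The two rejections are the point of the feature: a bootstrap credential copied from the metadata service stops working as soon as the VM has rotated, and even a VM that never rotates loses it when the TTL runs out.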
1 parent 7a1dd63, commit dec31de
Showing 26 changed files with 354 additions and 47 deletions.
...h-director/db/migrations/director/20230103143246_add_permanent_nats_credentials_to_vms.rb (7 changes: 7 additions & 0 deletions)
@@ -0,0 +1,7 @@ | ||
Sequel.migration do | ||
up do | ||
alter_table(:vms) do | ||
add_column :permanent_nats_credentials, 'boolean', null: false, default: false | ||
end | ||
end | ||
end |
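Review bot: `default: false` is applied to every existing `vms` row as well, so a VM that predates this feature (credentials delivered through the metadata service and never rotated) is indistinguishable in this column from a freshly created VM that is still on its bootstrap credentials; since the commit message says only newly created/recreated VMs are affected, the director code that reads `permanent_nats_credentials` must not treat `false` alone as "rotation still pending", or the migration should backfill existing rows to a value that marks them as out of scope. The migration also has only an `up` block; if this project's migrations are meant to be reversible, add a `down` that drops the column, otherwise a rollback leaves it behind.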
.../unit/db/migrations/director/20230103143246_add_permanent_nats_credentials_to_vms_spec.rb (96 changes: 96 additions & 0 deletions)
@@ -0,0 +1,96 @@ | ||
require 'db_spec_helper' | ||
|
||
module Bosh::Director | ||
describe '20230103143246_add_permanent_nats_credentials_to_vms.rb' do | ||
subject(:migration) { '20230103143246_add_permanent_nats_credentials_to_vms.rb' } | ||
let(:db) { DBSpecHelper.db } | ||
let(:created_at_time) { Time.now } | ||
|
||
before do | ||
DBSpecHelper.migrate_all_before(subject) | ||
db[:deployments] << { id: 1, name: 'fake-deployment-name', manifest: '{}' } | ||
db[:variable_sets] << { deployment_id: db[:deployments].first[:id], created_at: Time.now } | ||
db[:instances] << { | ||
id: 1, | ||
job: 'fake-instance-group', | ||
uuid: 'uuid1', | ||
index: 1, | ||
deployment_id: 1, | ||
state: 'started', | ||
availability_zone: 'az1', | ||
variable_set_id: 1, | ||
spec_json: '{}', | ||
} | ||
attrs = { | ||
id: 1, | ||
instance_id: 1, | ||
agent_id: 'fake-agent-id-1', | ||
cid: 'fake-vm-cid-1', | ||
env_json: 'fake-env-json', | ||
trusted_certs_sha1: 'fake-trusted-certs-sha1', | ||
} | ||
db[:vms] << attrs | ||
|
||
DBSpecHelper.migrate(subject) | ||
end | ||
|
||
it 'should add permanent_nats_credentials to the vms table' do | ||
expect(db[:vms].columns).to include(:permanent_nats_credentials) | ||
end | ||
|
||
it 'should migrate existing vms records to permanent_nats_credentials equals false' do | ||
expect(db[:vms].where(id: 1).first[:permanent_nats_credentials]).to eq(false) | ||
end | ||
|
||
it 'should add new vm records with permanent_nats_credentials equals false' do | ||
db[:instances] << { | ||
id: 2, | ||
job: 'fake-instance-group', | ||
uuid: 'uuid2', | ||
index: 1, | ||
deployment_id: 1, | ||
state: 'started', | ||
availability_zone: 'az1', | ||
variable_set_id: 1, | ||
spec_json: '{}', | ||
} | ||
attrs = { | ||
id: 2, | ||
instance_id: 2, | ||
agent_id: 'fake-agent-id-2', | ||
cid: 'fake-vm-cid-2', | ||
env_json: 'fake-env-json', | ||
trusted_certs_sha1: 'fake-trusted-certs-sha1', | ||
} | ||
db[:vms] << attrs | ||
|
||
expect(db[:vms].where(id: 2).first[:permanent_nats_credentials]).to eq(false) | ||
end | ||
|
||
it 'should add new vm records with permanent_nats_credentials equals true.' do | ||
db[:instances] << { | ||
id: 2, | ||
job: 'fake-instance-group', | ||
uuid: 'uuid2', | ||
index: 1, | ||
deployment_id: 1, | ||
state: 'started', | ||
availability_zone: 'az1', | ||
variable_set_id: 1, | ||
spec_json: '{}', | ||
} | ||
attrs = { | ||
id: 2, | ||
instance_id: 2, | ||
agent_id: 'fake-agent-id-2', | ||
cid: 'fake-vm-cid-2', | ||
env_json: 'fake-env-json', | ||
trusted_certs_sha1: 'fake-trusted-certs-sha1', | ||
permanent_nats_credentials: true, | ||
} | ||
db[:vms] << attrs | ||
|
||
expect(db[:vms].where(id: 2).first[:permanent_nats_credentials]).to eq(true) | ||
end | ||
end | ||
end |
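Review bot: `let(:created_at_time) { Time.now }` is defined but never referenced by any example and should be removed. The last two examples repeat the entire instance and vm fixture from the `before` block (same `id: 2`, same attributes) and differ only in the `permanent_nats_credentials: true` key; a small helper such as `insert_vm(id, **extra_vm_attrs)` would remove that duplication and make the one attribute under test stand out. Minor: the fourth description ends with a trailing period (`'... equals true.'`) while the other three do not.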