The CC blobstore access key is stored as a plain text value to cloud-controller-ng-yaml configmap #227

Syerram · 2020-06-11T17:46:06Z

Summary

The CC blobstore access key is stored as a plain text value to the Cloud Controller config map cloud-controller-ng-yaml

    resource_pool:
      ...
      fog_connection:
        ...
        aws_access_key_id: admin
        aws_secret_access_key: 87scyz57wpwn13g38z6s
        aws_signature_version: "2"

The CC config creates multiple blobstore directories and stores the access key as plain text value for each of the directory configs

Expected behavior

CAPI should use the k8s secret mechanism to consume the secret key. As per Kubernetes docs, the options are to either mount them as files or consume them as environment variables.

The text was updated successfully, but these errors were encountered:

cf-gitbot · 2020-06-11T17:46:08Z

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/173294964

The labels on this github issue will be updated when the story is started.

matt-royal · 2020-08-12T21:57:13Z

We've made this change in capi-k8s-release and cf-for-k8s.

cf-gitbot added the unscheduled label Jun 11, 2020

Syerram added known-issue release-1.0 release-blocker secrets labels Jun 11, 2020

cf-gitbot added scheduled and removed unscheduled labels Jun 11, 2020

cwlbraa mentioned this issue Jul 21, 2020

capi-k8s-release should follow cf-for-k8s best practices for generating, storing, and reading secrets cloudfoundry/capi-k8s-release#56

Closed

cf-gitbot added unscheduled and removed scheduled labels Aug 4, 2020

Syerram added this to v1.0.0 Release in Cloud Foundry for Kubernetes (cf-for-k8s) Aug 4, 2020

Syerram moved this from v1.0.0 Release to v0.6.0 Release in Cloud Foundry for Kubernetes (cf-for-k8s) Aug 5, 2020

Syerram added Type: Refactor Refactor that doesn't impact users directly but improves the project (tests, perf, best practice..) and removed release-1.0 release-blocker labels Aug 5, 2020

Syerram added this to the v0.6.0 milestone Aug 6, 2020

matt-royal closed this as completed Aug 12, 2020

cf-gitbot removed the unscheduled label Aug 12, 2020

cf-gitbot added delivered accepted and removed delivered labels Aug 21, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The CC blobstore access key is stored as a plain text value to cloud-controller-ng-yaml configmap #227

The CC blobstore access key is stored as a plain text value to cloud-controller-ng-yaml configmap #227

Syerram commented Jun 11, 2020

cf-gitbot commented Jun 11, 2020

matt-royal commented Aug 12, 2020

The CC blobstore access key is stored as a plain text value to cloud-controller-ng-yaml configmap #227

The CC blobstore access key is stored as a plain text value to cloud-controller-ng-yaml configmap #227

Comments

Syerram commented Jun 11, 2020

Summary

Expected behavior

cf-gitbot commented Jun 11, 2020

matt-royal commented Aug 12, 2020