HumioAction: How to improve secret handling? #685
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Both issue 636 as well as 479 point out that the current implementation of Humio Action CRs causes secrets to be exposed as plaintext values in the resources.
I had a few hours to look into how this could be improved and I made this PR mostly to spark some discussion. This PR is not meant to be merged as-is. I just wanted to get the maintainer's thoughts on it before going too far in either direction.
My thoughts on the topic
I just spent a little time looking into it, and it seems like the issue comes from the pattern of resolving secrets into the plaintext fields of the
ha
objects as is done here.In my opinion, this can be fixed in a couple of ways:
ha
object down to the point where the HumioClient can reconcile with Humio, such that theha
object only ever has a reference to the secret and the secret is never set on the actualha
resource. This would mean removing the plaintext fields such asha.Spec.SlackPostMessageProperties.ApiToken
from the resources altogether.ha.Spec.SlackPostMessageProperties.ApiToken
never make it into kubernetes, but they can still be used for DTO.In my opinion 1) would be the cleaner solution. However, it would require some changes in how secrets are handled in the Humio Actions and it would be a breaking change 馃檨 It should be noted that this is the recommended way of handling this from a kubernetes point of view.
Option 2) is much less clean, but it would likely be quicker to implement, and it is not a breaking change as it allows people to continue using the plain text versions of the secrets if they so choose.
What I actually implemented
I wanted to get a feel for what option 2) would look like, even though I don't feel like it is the best solution. As such, I added a hack to
ha.Spec.SlackPostMessageProperties.ApiToken
a few places just beforer.Update
is called. It is definitely the ugly way to solve the issue.What do the maintainers think? Should something like 2) be made for backward compatibility, should 1) be considered, or am I just completely off base here? 馃槃