-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix an issue about generation of secret key with invalid key size in gce #67139
Fix an issue about generation of secret key with invalid key size in gce #67139
Conversation
Replace /dev/random to /dev/urandom to avoid generation of secret key with invalid key size.
/cc @kubernetes/sig-gcp-bugs @yogi-sagar please add a release note explaining the change. |
@neolit123 Please review, if the Release Notes comment is sufficient. |
make the note in imperative form and give a location of the change, here is how:
|
Thanks @neolit123 ! Updated the release notes comments. |
@yogi-sagar |
/assign @tallclair |
I think this LGTM. |
@tallclair: GitHub didn't allow me to assign the following users: immutableT. Note that only kubernetes members and repo collaborators can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
LGTM |
/lgtm |
/retest |
1 similar comment
/retest |
What about using the "iflag=fullblock" flag for dd? And adding logic, since this is a shell script, to confirm the requested length was received? Since this is the deprecated cluster/ area, do we not care about security implications to use of urandom? Does GCE make a high entropy device available to guest instances? |
/assign @mwielgus |
/milestone v1.12 |
Remove hold once @destijl approves |
/retest |
@yogi-sagar just waiting on fullblock, can you do that today?
|
/lgtm cancel |
Replace /dev/random to /dev/urandom to avoid generation of secret key with invalid key size.
/retest |
/lgtm |
/retest |
@destijl Uploaded new patch with the suggested change. |
/retest |
1 similar comment
/retest |
Related: #68256 /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: destijl, mikedanese, tallclair, yogi-sagar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
@mikedanese can you remove the merge hold? |
/hold cancel |
Low impact bug fix that reduces flakiness of cluster-up |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. |
Replace /dev/random to /dev/urandom to avoid generation of secret key with invalid key size.
What this PR does / why we need it:
In GCE env, AESGCM encryption of secrets by default generates a secret key with /dev/random which sometime generates a key with invalid size.
This cause the cluster/kube-up.sh to fail in gce environment.
This PR replaces /dev/random with /dev/urandom to have a secret key generated consistently with right size.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #67091
Special notes for your reviewer:
Release note: