Fix an issue about generation of secret key with invalid key size in gce #67139
Conversation
Replace /dev/random to /dev/urandom to avoid generation of secret key with invalid key size.
k8s-ci-robot
added
size/XS
yogi-sagar
changed the title
|
/cc @kubernetes/sig-gcp-bugs @yogi-sagar please add a release note explaining the change. |
k8s-ci-robot
added
sig/gcp
kind/bug
|
@neolit123 Please review, if the Release Notes comment is sufficient. |
make the note in imperative form and give a location of the change, here is how:
|
|
Thanks @neolit123 ! Updated the release notes comments. |
|
@yogi-sagar |
|
/assign @tallclair |
|
I think this LGTM. |
|
@tallclair: GitHub didn't allow me to assign the following users: immutableT. Note that only kubernetes members and repo collaborators can be assigned. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
LGTM |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/retest |
1 similar comment
|
/retest |
|
What about using the "iflag=fullblock" flag for dd? And adding logic, since this is a shell script, to confirm the requested length was received? Since this is the deprecated cluster/ area, do we not care about security implications to use of urandom? Does GCE make a high entropy device available to guest instances? |
|
/assign @mwielgus |
|
/milestone v1.12 |
saad-ali
added
the
do-not-merge/hold
|
Remove hold once @destijl approves |
|
/retest |
|
@yogi-sagar just waiting on fullblock, can you do that today? |
|
/lgtm cancel |
k8s-ci-robot
removed
lgtm
Replace /dev/random to /dev/urandom to avoid generation of secret key with invalid key size.
k8s-ci-robot
added
the
sig/cluster-lifecycle
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/retest |
|
@destijl Uploaded new patch with the suggested change. |
|
/retest |
1 similar comment
|
/retest |
|
Related: #68256 /approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: destijl, mikedanese, tallclair, yogi-sagar The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest |
|
@mikedanese can you remove the merge hold? |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
mikedanese
added
the
priority/critical-urgent
|
Low impact bug fix that reduces flakiness of cluster-up |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. |
Replace /dev/random to /dev/urandom to avoid generation of secret key with invalid key size.
What this PR does / why we need it:
In GCE env, AESGCM encryption of secrets by default generates a secret key with /dev/random which sometime generates a key with invalid size.
This cause the cluster/kube-up.sh to fail in gce environment.
This PR replaces /dev/random with /dev/urandom to have a secret key generated consistently with right size.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #67091
Special notes for your reviewer:
Release note: