
Allow to read OpenStack config from the secret #75062

Merged

Conversation

@Fedosin
Contributor

commented Mar 6, 2019

Currently OpenStack cloud provider reads user credentials from config
file, where data is stored in clear text. This approach is not recommended,
as it is a serious security issue.

This commit adds the ability to read the config from secrets, if necessary.
To do so, two new parameters are added to the config: SecretNamespace and
SecretName. If they are specified, the provider will try to read the config
from the secret.

/kind feature

Allow to read OpenStack user credentials from a secret instead of a local config file.

@k8s-ci-robot k8s-ci-robot requested review from FengyunPan2 and NickrenREN Mar 6, 2019

@Fedosin Fedosin force-pushed the Fedosin:openstack_config_from_secrets branch 2 times, most recently from d600661 to 63a8e38 Mar 6, 2019

@k8s-ci-robot k8s-ci-robot added size/L sig/storage and removed size/M labels Mar 6, 2019

@Fedosin Fedosin force-pushed the Fedosin:openstack_config_from_secrets branch 2 times, most recently from 3c3fd92 to 87ff37f Mar 7, 2019

@Fedosin Fedosin changed the title Allow to read OpenStack user credentials from the secret Allow to read OpenStack config from the secret Mar 7, 2019

return err
}

for credentialKey, credentialValue := range secret.Data {

@flaper87

flaper87 Mar 7, 2019

Member

I think you can simply access the key like this: content, ok := secret.Data["clouds.conf"] which should already decode the value for you or return ok == false if the key doesn't exist.

@Fedosin

Fedosin Mar 7, 2019

Author Contributor

done
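The lookup flow discussed in this thread, as an added example that is not code from the PR or from the Kubernetes cloud provider: a stand-in Secret type mirrors the core/v1 shape (Data as map[string][]byte, which encoding/json base64-decodes on unmarshal, the reason the review comment says the value is already decoded), LoadCloudConfig applies the PR's SecretNamespace/SecretName rule with a fallback to the local file, and the "clouds.conf" key, the namespace/name values and the manifest are all constructed assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Secret is a constructed stand-in for a core/v1 Secret. As in the real type, Data is
// map[string][]byte, and encoding/json base64-decodes []byte fields on unmarshal.
type Secret struct{ Data map[string][]byte `json:"data"` }

// ConfigKey is the assumed key holding the cloud config (the review comment uses "clouds.conf").
const ConfigKey = "clouds.conf"

// SampleManifest is a constructed Secret manifest; "data" carries the base64 of
// "[Global]\nusername = demo\npassword = s3cr3t\n", as kubectl would store it.
const SampleManifest = `{"data":{"clouds.conf":"W0dsb2JhbF0KdXNlcm5hbWUgPSBkZW1vCnBhc3N3b3JkID0gczNjcjN0Cg=="}}`

// LoadCloudConfig implements the PR's rule: when SecretNamespace and SecretName are both
// set, read the config from that Secret via get (a stand-in for a client-go lookup);
// otherwise keep using the bytes of the local config file, the pre-PR behaviour.
func LoadCloudConfig(secretNamespace, secretName string, local []byte, get func(ns, name string) (*Secret, error)) ([]byte, error) {
	if secretNamespace == "" || secretName == "" {
		return local, nil
	}
	s, err := get(secretNamespace, secretName)
	if err != nil {
		return nil, fmt.Errorf("reading secret %s/%s: %w", secretNamespace, secretName, err)
	}
	content, ok := s.Data[ConfigKey] // direct lookup, as suggested in review: !ok means the key is absent
	if !ok {
		return nil, fmt.Errorf("secret %s/%s has no key %q", secretNamespace, secretName, ConfigKey)
	}
	return content, nil
}

// getFromManifest stands in for the API call and returns the decoded sample Secret.
func getFromManifest(ns, name string) (*Secret, error) {
	var s Secret
	if err := json.Unmarshal([]byte(SampleManifest), &s); err != nil {
		return nil, err
	}
	return &s, nil
}

func main() {
	conf, err := LoadCloudConfig("kube-system", "openstack-cloud-config", nil, getFromManifest)
	fmt.Printf("%q %v\n", conf, err)
}
```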

Allow to read OpenStack config from the secret
Currently OpenStack cloud provider reads user credentials from config
file, where data is stored in clear text. This approach is not recommended,
as it is a serious security issue.

This commit adds the ability to read the config from secrets, if necessary.
To do so, two new parameters are added to the config: SecretNamespace and
SecretName. If they are specified, the provider will try to read the config
from the secret.

@Fedosin Fedosin force-pushed the Fedosin:openstack_config_from_secrets branch from 87ff37f to cf8c193 Mar 7, 2019

@flaper87

Member

commented Mar 21, 2019

/approve

@dims @hogepodge u guys cool merging this? I think it's a great security enhancement for the cloud provider. We should prob get it in regardless of the frozen state of the cloud provider.

@flaper87

Member

commented Mar 21, 2019

oh, right. I can't approve patches here 😄

@dims

Member

commented Mar 21, 2019

/approve
/lgtm

@Fedosin please ensure that the same functionality is available in the external cloud provider as well

@k8s-ci-robot

Contributor

commented Mar 21, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, Fedosin, flaper87

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@derekwaynecarr

Member

commented Mar 21, 2019

super happy the community was able to work together to get this change in.

@hogepodge

Member

commented Mar 21, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot merged commit 0550616 into kubernetes:master Mar 25, 2019

17 checks passed