New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consume authorize_url from Secret #288
Conversation
/assign @metalmatze |
Hmm I’m pretty sure I actually remember having had this before and then switching to our current configuration. In any case, the authorization URL is not a secret and putting in there with the actual secret values makes it harder to maintain and debug IMO. Also, once nice thing about having this value outside of a secret is that any time that the argument is changed, the statefulset will be automatically rolled, whereas if the value in the secret changes we have to manually kick the pods. |
thanks for your comments @squat! this is not a secret, but it is non-public information IMO, as it discloses our architecture, even if only a small bit. regarding kicking the pods - we can create an automation to recycle pods after a secret changed if we decide. |
/test e2e-aws |
Adding more automation creates extra complexity rather than using an already simple solution. The information is not “non public”: as long as there is an authorization URL flag at all then it is publicly known that we use an authorization server. The URL says nothing about the architecture other than “this thing that you already know exists is at this URL that you already can not access”. Also, the tollbooth auth flow/protocol is completely reversible from the code contained in this repo. Please help me understand why this is a desired change. |
the url says what is the authorization server. its one thing to know that it exists, and another to know where it is. we just want to add a bit of mystery to the game. another reason for this change is that we want to allow you to deploy additional resources from upstream, such as ConfigMaps. To allow that, we looked at "what is non-public information" and how we can detect it, to prevent such info from residing in public repos. surprisingly, we found that in the majority of cases, a string starting with This is the method that we are using at the moment to detect non-public information in public repos, and we plan to enable this check for this repo as well in the near future (https://gitlab.cee.redhat.com/service/app-interface/merge_requests/2554). This change does not really make a huge difference IMO, so if we can get you on board that would be fantastic. for the record, we will not allow deploying ConfigMaps via this repo unless that app-interface PR is merged, so we have a shared interest here. what do you think? |
:/ it doesn’t sound like this is really a choice
Any publicly accessible endpoint should always be treated as if everyone already knows it and may try to abuse it. Obscuring the URL is not a security measure IMO and should not be considered to make any progress towards protecting the resource. |
@@ -135,6 +135,7 @@ local clusterPort = 8082; | |||
local secret = k.core.v1.secret; | |||
|
|||
secret.new(secretName, { | |||
authorize_url: std.base64($._config.telemeterServer.authorizeUrl), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With these changes Jsonnet will fail build this because there is no field named authorize_url
in the config. How about leaving it as ''
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
/retest |
/test e2e-aws |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: maorfr, squat The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test benchmark |
/test e2e-aws-upgrade |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
9 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/test benchmark |
/retest Please review the full test history for this PR and help us cut down flakes. |
This PR intends to take the authorization URL out of the template and into the telemeter-server Secret.
required for observatorium/observatorium#149
ultimately the purpose of this PR is to allow deploying ConfigMaps via upstream!