Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WINC-632: Secure BYOH username annotation #508

Merged
merged 7 commits into from
Aug 2, 2021
Merged

WINC-632: Secure BYOH username annotation #508

merged 7 commits into from
Aug 2, 2021

Conversation

saifshaikh48
Copy link
Contributor

@saifshaikh48 saifshaikh48 commented Jul 8, 2021
edited

This PR introduces symmetric encryption and decryption into the usage of the instance username annotation to secure potentially sensitive user info. When a user changes the private key used to SSH into the instances, each BYOH node's annotation is updated to be encrypted with the new key.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 8, 2021
@openshift-ci openshift-ci bot requested review from aravindhp and sebsoto July 8, 2021 16:53
@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 11, 2021
@saifshaikh48 saifshaikh48 force-pushed the encrypt-username-annotation branch 2 times, most recently from 34718d7 to 1b6a36b Compare July 14, 2021 15:13
@openshift-ci openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 14, 2021
@saifshaikh48
Copy link
Contributor Author

saifshaikh48 commented Jul 14, 2021
edited by openshift-ci bot

/retitle WINC-632: Secure BYOH username annotation

@openshift-ci openshift-ci bot changed the title WIP: WINC-632: Secure BYOH username annotation WINC-632: Secure BYOH username annotation Jul 14, 2021
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 14, 2021
@saifshaikh48
Copy link
Contributor Author

/hold

Holding until CI (vsphere) is fixed.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 14, 2021
@saifshaikh48
Copy link
Contributor Author

This PR is blocked by #518, which fixes an error when applying node annotations.

@aravindhp
Copy link
Contributor

Why is this PR blocked by #518? Doesn't the Node object get updated on the second try with Update()? At least that is what I have been observing.

@saifshaikh48
Copy link
Contributor Author

Why is this PR blocked by #518? Doesn't the Node object get updated on the second try with Update()? At least that is what I have been observing.

You're right, badly worded on my end -- #518 should ideally merge first.

@openshift-ci openshift-ci bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 18, 2021
@saifshaikh48 saifshaikh48 force-pushed the encrypt-username-annotation branch 2 times, most recently from a938eb5 to a423e5c Compare July 19, 2021 15:33
@openshift-ci openshift-ci bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 19, 2021
@saifshaikh48
Copy link
Contributor Author

/unhold
/test ci/prow/ci-index

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 19, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 19, 2021

@saifshaikh48: The specified target(s) for /test were not found.
The following commands are available to trigger jobs:

  • /test aws-e2e-operator
  • /test aws-e2e-upgrade
  • /test azure-e2e-operator
  • /test build
  • /test ci-index
  • /test images
  • /test lint
  • /test unit
  • /test vsphere-e2e-operator

Use /test all to run all jobs.

In response to this:

/unhold
/test ci/prow/ci-index

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@saifshaikh48
Copy link
Contributor Author

/test ci-index

saifshaikh48
saifshaikh48 commented Jul 19, 2021
View reviewed changes
controllers/secret_controller.go Outdated
Comment on lines 176 to 192
// For BYOH nodes, patch the username annotation, encrpyting with the new private key
username, err := r.usernameFromNode(ctx, &node)
if err != nil {
return reconcile.Result{}, err
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewing the logic here -- could I get another pair of eyes:

If usernameFromNode finds no associated instance then that means its entry has been removed from the ConfigMap, and the instance should be deconfigured (or is currently being deconfigured, since the configmap controller can be running in parallel). Therefore, this isn't an error scenario and should return reconcile.Result{}, nil.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we still want an err check so maybe you could instead add in the empty instance check that returns reconcile.Result{}, nil

@saifshaikh48 saifshaikh48 force-pushed the encrypt-username-annotation branch 3 times, most recently from 811a854 to 4d76992 Compare July 21, 2021 22:29
aravindhp
aravindhp approved these changes Jul 30, 2021
View reviewed changes
Copy link
Contributor

@aravindhp aravindhp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work @saifshaikh48

/approve
/hold

Adding a hold that @sebsoto can remove given I did not review the e2e tests very closely.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 30, 2021
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jul 30, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aravindhp, saifshaikh48

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 30, 2021
sebsoto
sebsoto reviewed Aug 2, 2021
View reviewed changes
test/e2e/secrets_test.go
Comment on lines +152 to +154
// Re-create the known private key so SSH connection can be re-established
// TODO: Remove dependency on this secret by rotating keys as part of https://issues.redhat.com/browse/WINC-655
require.NoError(t, tc.createPrivateKeySecret(true), "error confirming known private key secret exists")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still on the fence about this but it seems to be working...
This operation is going to bleed into the deletion suite as the WMCO will be handling this first and could taint the results that we expect when doing certain deletion actions. But what we are testing for in the BYOH reconfiguration, specifically the removal of binaries and services, shouldnt be triggered by this.

I'm fine with this going in but we need to handle the TODO story ASAP so that we dont open ourselves up to missing certain edge cases

@sebsoto
Copy link
Contributor

sebsoto commented Aug 2, 2021

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 2, 2021
@sebsoto
Copy link
Contributor

sebsoto commented Aug 2, 2021

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 2, 2021
@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

1 similar comment
@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@sebsoto
Copy link
Contributor

sebsoto commented Aug 2, 2021

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 2, 2021
@sebsoto
Copy link
Contributor

sebsoto commented Aug 2, 2021

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 2, 2021
@mansikulkarni96
Copy link
Member

/test vsphere-e2e-operator

@openshift-bot
Copy link

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-ci openshift-ci bot merged commit 445c027 into openshift:master Aug 2, 2021
@mansikulkarni96
Copy link
Member

/cherry-pick community-4.8

@mansikulkarni96
Copy link
Member

/cherry-pick release-4.8

@openshift-cherrypick-robot
Copy link

@mansikulkarni96: #508 failed to apply on top of branch "community-4.8":

Applying: Remove exposing username in logs
Applying: Secure username anno with cloud private key
Using index info to reconstruct a base tree...
M	controllers/configmap_controller.go
M	controllers/controllers.go
Falling back to patching base and 3-way merge...
Auto-merging controllers/controllers.go
Auto-merging controllers/configmap_controller.go
CONFLICT (content): Merge conflict in controllers/configmap_controller.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 Secure username anno with cloud private key
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick community-4.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot
Copy link

@mansikulkarni96: #508 failed to apply on top of branch "release-4.8":

Applying: Remove exposing username in logs
Applying: Secure username anno with cloud private key
Using index info to reconstruct a base tree...
M	controllers/configmap_controller.go
M	controllers/controllers.go
Falling back to patching base and 3-way merge...
Auto-merging controllers/controllers.go
CONFLICT (content): Merge conflict in controllers/controllers.go
Auto-merging controllers/configmap_controller.go
CONFLICT (content): Merge conflict in controllers/configmap_controller.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0002 Secure username anno with cloud private key
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-4.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sebsoto
Copy link
Contributor

sebsoto commented Aug 4, 2021

/cherry-pick community-4.8

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Aug 4, 2021
Merged
@openshift-cherrypick-robot
Copy link

@sebsoto: new pull request created: #560

In response to this:

/cherry-pick community-4.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mansikulkarni96
Copy link
Member

/cherry-pick release-4.8

1 similar comment
@mansikulkarni96
Copy link
Member

/cherry-pick release-4.8

@openshift-cherrypick-robot
Copy link

@mansikulkarni96: new pull request created: #604

In response to this:

/cherry-pick release-4.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Aug 16, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sebsoto sebsoto sebsoto requested changes

@mansikulkarni96 mansikulkarni96 mansikulkarni96 left review comments

@alinaryan alinaryan alinaryan left review comments

@jrvaldes jrvaldes jrvaldes requested changes

@aravindhp aravindhp aravindhp approved these changes

Assignees

@sebsoto sebsoto

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@saifshaikh48 @aravindhp @sebsoto @openshift-bot @mansikulkarni96 @openshift-cherrypick-robot @alinaryan @jrvaldes