WINC-632: Secure BYOH username annotation #508
0a22845
to
f01de8f
Compare
34718d7
to
1b6a36b
Compare
/retitle WINC-632: Secure BYOH username annotation
/hold Holding until CI (vsphere) is fixed.
1b6a36b
to
63b7af4
Compare
This PR is blocked by #518, which fixes an error when applying node annotations. |
Why is this PR blocked by #518? Doesn't the Node object get updated on the second try with |
63b7af4
to
9ba07c2
Compare
a938eb5
to
a423e5c
Compare
/unhold
@saifshaikh48: The specified target(s) for
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/test ci-index |
controllers/secret_controller.go
Outdated
// For BYOH nodes, patch the username annotation, encrpyting with the new private key | ||
username, err := r.usernameFromNode(ctx, &node) | ||
if err != nil { | ||
return reconcile.Result{}, err | ||
} |
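Review bot: at `return reconcile.Result{}, err` the error from usernameFromNode is passed up with no context, so a failed reconcile will not say which BYOH node's annotation could not be patched. Consider wrapping the error with the node's name before returning it. The comment on the first line also has a typo: "encrpyting" should be "encrypting".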
Reviewing the logic here -- could I get another pair of eyes:
If usernameFromNode finds no associated instance then that means its entry has been removed from the ConfigMap, and the instance should be deconfigured (or is currently being deconfigured, since the configmap controller can be running in parallel). Therefore, this isn't an error scenario and should return reconcile.Result{}, nil.
I think we still want an err check so maybe you could instead add in the empty instance check that returns reconcile.Result{}, nil
811a854
to
4d76992
Compare
Nice work @saifshaikh48
/approve
/hold
Adding a hold that @sebsoto can remove given I did not review the e2e tests very closely.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aravindhp, saifshaikh48 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
// Re-create the known private key so SSH connection can be re-established | ||
// TODO: Remove dependency on this secret by rotating keys as part of https://issues.redhat.com/browse/WINC-655 | ||
require.NoError(t, tc.createPrivateKeySecret(true), "error confirming known private key secret exists") |
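Review bot: the failure message on the require.NoError line, "error confirming known private key secret exists", does not match the comment above it, which says the key is re-created. Align the message with what the call does so a failing run points at the right step. The bare `true` passed to createPrivateKeySecret is also opaque at the call site; a short comment stating what the flag selects would help the next reader.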
I'm still on the fence about this but it seems to be working...
This operation is going to bleed into the deletion suite as the WMCO will be handling this first and could taint the results that we expect when doing certain deletion actions. But what we are testing for in the BYOH reconfiguration, specifically the removal of binaries and services, shouldn't be triggered by this.
I'm fine with this going in but we need to handle the TODO story ASAP so that we don't open ourselves up to missing certain edge cases
/lgtm
/hold cancel
/retest-required Please review the full test history for this PR and help us cut down flakes.
/hold
/hold cancel
/test vsphere-e2e-operator
/retest-required Please review the full test history for this PR and help us cut down flakes.
/cherry-pick community-4.8
/cherry-pick release-4.8
@mansikulkarni96: #508 failed to apply on top of branch "community-4.8":
In response to this:
@mansikulkarni96: #508 failed to apply on top of branch "release-4.8":
In response to this:
/cherry-pick community-4.8 |
@sebsoto: new pull request created: #560 In response to this:
/cherry-pick release-4.8 |
@mansikulkarni96: new pull request created: #604 In response to this:
This PR introduces symmetric encryption and decryption into the usage of the instance username annotation to secure potentially sensitive user info. When a user changes the private key used to SSH into the instances, each BYOH node's annotation is updated to be encrypted with the new key.
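
The scheme described above, as an added example that is not the operator's own code: the username is symmetrically encrypted before being stored as an annotation value, and re-encrypted when the SSH private key changes. The choice of AES-256-GCM, the SHA-256 key derivation, and all function names are assumptions made for this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// newAEAD derives AES-256-GCM from the SSH private key (assumed KDF: labelled SHA-256).
func newAEAD(privateKey []byte) cipher.AEAD {
	sum := sha256.Sum256(append([]byte("byoh-username:"), privateKey...))
	block, _ := aes.NewCipher(sum[:]) // a 32-byte key never errors
	aead, _ := cipher.NewGCM(block)   // nor does GCM over an AES block
	return aead
}

// EncryptUsername returns base64(nonce || ciphertext || tag) for use as an annotation value.
func EncryptUsername(username string, privateKey []byte) (string, error) {
	aead := newAEAD(privateKey)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(username), nil)), nil
}

// DecryptUsername fails on a wrong key or a tampered annotation value.
func DecryptUsername(value string, privateKey []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(value)
	aead := newAEAD(privateKey)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", fmt.Errorf("malformed annotation value")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	return string(plain), err
}

// Rotate re-encrypts an annotation after the private key secret changes.
func Rotate(value string, oldKey, newKey []byte) (string, error) {
	username, err := DecryptUsername(value, oldKey)
	if err != nil {
		return "", fmt.Errorf("decrypt with old key: %w", err)
	}
	return EncryptUsername(username, newKey)
}

func main() { fmt.Println(EncryptUsername("Administrator", []byte("constructed-key"))) } // constructed inputs
```

Because GCM is authenticated, an annotation that was edited by hand or encrypted under a different key is rejected at decryption instead of yielding a garbage username.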