[community-4.8] WINC-632: Secure BYOH username annotation #560
Merged: openshift-ci merged 7 commits into openshift:community-4.8 from openshift-cherrypick-robot:cherry-pick-508-to-community-4.8 on Aug 4, 2021
Conversation
This commit removes the username from logging statements when attempting to establish an SSH connection to an instance. Usernames are potentially sensitive data, so it is best to avoid exposing them as plaintext.
This commit introduces the crypto package functions to symmetrically encrypt/decrypt information. This package is used to encrypt instance usernames before adding them as node annotations, no longer exposing usernames as cleartext. This identifier is then decrypted when it is accessed again during the BYOH node deconfigure process. The SSH private key is used as the symmetric passphrase.
This commit reacts to changes to the private key secret used to SSH into Windows instances. A patch is applied to each BYOH node, updating its public key hash and encrypted username annotations using the new private key data.
This commit edits the parsing helpers for the BYOH instances ConfigMap to be decoupled from any single controller. Also now uses the introduced helper to split entries in the instances map.
This commit modifies the existing function that gets the SSH public key in the test suite to also return the associated private key secret, which is already pulled down within the function body.
This commit updates the e2e tests to validate BYOH node annotations. Criteria were added to waitForNodes to ensure that the BYOH annotation and the username annotation are present, decipherable, and correct. Also, a reconfiguration test case was added to ensure nodes are properly updated when the SSH private key is changed to a random key.
`go get golang.org/x/crypto/openpgp` `go mod vendor && go mod tidy`
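An added example (not code from this PR or the WMCO project) of the annotation scheme the commits describe: encrypt the username under key material taken from the SSH private key secret, store the result as a string node annotation, decrypt it on deconfigure, and re-encrypt it when the secret changes. The PR's crypto package uses golang.org/x/crypto/openpgp symmetric encryption with the private key as passphrase; this stand-in uses standard-library AES-256-GCM keyed by SHA-256 of the private key bytes so it runs without vendored modules, and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// aeadForKey: AES-256-GCM keyed by SHA-256 of the SSH private key bytes (a stand-in for the page's openpgp passphrase scheme).
func aeadForKey(privateKey []byte) cipher.AEAD {
	key := sha256.Sum256(privateKey)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)   // AES block cipher: cannot fail
	return aead
}

// EncryptUsername returns a base64 string usable as a node annotation value.
func EncryptUsername(username string, privateKey []byte) (string, error) {
	aead := aeadForKey(privateKey)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Layout: nonce || ciphertext+tag, so decryption can recover the nonce.
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(username), nil)), nil
}

// DecryptUsername fails if the private key changed or the annotation was altered (GCM authenticates the ciphertext).
func DecryptUsername(annotation string, privateKey []byte) (string, error) {
	aead := aeadForKey(privateKey)
	raw, err := base64.StdEncoding.DecodeString(annotation)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("malformed username annotation")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	return string(plain), err // plain is nil on failure, so the username is ""
}

// RotateUsernameAnnotation re-encrypts under a new private key, as the secret-change reconciliation must for each BYOH node.
func RotateUsernameAnnotation(annotation string, oldKey, newKey []byte) (string, error) {
	username, err := DecryptUsername(annotation, oldKey)
	if err != nil {
		return "", err
	}
	return EncryptUsername(username, newKey)
}
```

A node annotated under the old secret cannot be deconfigured with the new one until it is rotated, which is why the reconciliation must patch every BYOH node's annotation.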
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: openshift-cherrypick-robot, sebsoto. The full list of commands accepted by this bot can be found here. The pull request process is described here.
openshift-ci bot added the "approved" label (indicates a PR has been approved by an approver from all required OWNERS files) on Aug 4, 2021.
This is an automated cherry-pick of #508
/assign sebsoto