
[release-4.8] WINC-632: Secure BYOH username annotation #604

openshift-cherrypick-robot

This is an automated cherry-pick of #508

/assign mansikulkarni96

This commit removes the username from logging statements when attempting
to establish an SSH connection to an instance. Usernames are potentially
sensitive data, so it is best to avoid exposing them as plaintext.

This commit introduces the crypto package functions to symmetrically
encrypt/decrypt information. This package is used to encrypt instance
usernames before adding them as node annotations, no longer exposing
usernames as cleartext. This identifier is then decrypted when it is
accessed again during the BYOH node deconfigure process. The SSH private
key is used as the symmetric passphrase.

This commit reacts to changes to the private key secret used to SSH into
Windows instances. A patch is applied to each BYOH node, updating its public
key hash and encrypted username annotations using the new private key data.

This commit edits the parsing helpers for the BYOH instances ConfigMap
to be decoupled from any single controller.
Also now uses the introduced helper to split entries in the instances map.

This commit modifies the existing function that gets the SSH public key in
the test suite to also return the associated private key secret, which
is already pulled down within the function body.

This commit updates the e2e tests to validate BYOH node annotations.
Criteria were added to the waitForNodes to ensure that the BYOH annotation and
the username annotation are present, decipherable, and correct.

Also, a reconfiguration test case was added to ensure nodes are properly
updated when the SSH private key is changed to a random key.
`go get golang.org/x/crypto/openpgp`
`go mod vendor && go mod tidy`
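The description above lays out a three-step annotation workflow: encrypt the instance username under the SSH private key before storing it as a node annotation, decrypt it again at deconfigure time, and re-encrypt it for every BYOH node when the private key secret changes. The following is an added example written for this page; it is not code from this PR or from the windows-machine-config-operator. The PR uses `golang.org/x/crypto/openpgp` symmetric encryption with the private key as passphrase; this example substitutes standard-library AES-GCM with a SHA-256-derived key so it runs without vendored modules, while keeping the same pattern (private key bytes as the passphrase, base64 string in the annotation, authenticated failure on a wrong key). The annotation name `UsernameAnnotation` and the key bytes in `main` are constructed placeholders, not the operator's real values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// UsernameAnnotation is a placeholder annotation key for this example; the
// operator's real annotation names are not shown on this page.
const UsernameAnnotation = "example.invalid/encrypted-username"

// deriveKey turns the SSH private key bytes (the symmetric passphrase) into a
// fixed-size AES-256 key. Stand-in for the PR's openpgp passphrase handling.
func deriveKey(privateKey []byte) []byte {
	sum := sha256.Sum256(privateKey)
	return sum[:]
}

func newAEAD(privateKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(privateKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptUsername returns the value to store in the node annotation: a random
// nonce followed by the AEAD ciphertext, base64-encoded because annotation
// values must be strings. The cleartext username never reaches the node object.
func EncryptUsername(username string, privateKey []byte) (string, error) {
	aead, err := newAEAD(privateKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(username), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptUsername reverses EncryptUsername during deconfigure. A wrong key or a
// tampered annotation fails GCM authentication and yields an error, never a
// garbage username.
func DecryptUsername(annotation string, privateKey []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(annotation)
	if err != nil {
		return "", fmt.Errorf("decoding username annotation: %w", err)
	}
	aead, err := newAEAD(privateKey)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("username annotation too short")
	}
	nonce, ciphertext := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return "", fmt.Errorf("decrypting username annotation: %w", err)
	}
	return string(plaintext), nil
}

// ReencryptOnKeyChange is the per-node patch step for a rotated private key
// secret: decrypt with the old key, re-encrypt with the new one, update the map.
func ReencryptOnKeyChange(annotations map[string]string, oldKey, newKey []byte) error {
	username, err := DecryptUsername(annotations[UsernameAnnotation], oldKey)
	if err != nil {
		return err
	}
	updated, err := EncryptUsername(username, newKey)
	if err != nil {
		return err
	}
	annotations[UsernameAnnotation] = updated
	return nil
}

func main() {
	// Constructed sample inputs, not real key material.
	oldKey := []byte("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-old\n-----END OPENSSH PRIVATE KEY-----\n")
	newKey := []byte("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-new\n-----END OPENSSH PRIVATE KEY-----\n")
	annotations := map[string]string{}
	enc, err := EncryptUsername("Administrator", oldKey)
	if err != nil {
		panic(err)
	}
	annotations[UsernameAnnotation] = enc
	fmt.Println("annotation holds no cleartext:", enc)
	if err := ReencryptOnKeyChange(annotations, oldKey, newKey); err != nil {
		panic(err)
	}
	user, err := DecryptUsername(annotations[UsernameAnnotation], newKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered after rotation:", user)
}
```

The rotation helper is the part worth checking in a reconfiguration test like the one the PR adds: after the secret changes, the old annotation value must no longer decrypt, and the patched value must decrypt under the new key only.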
@mansikulkarni96
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Aug 16, 2021
@aravindhp
Contributor

/approve

@openshift-ci
Contributor

openshift-ci bot commented Aug 16, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aravindhp, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 16, 2021
@openshift-bot

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@mansikulkarni96
Member

/retest

@openshift-bot

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@openshift-ci openshift-ci bot merged commit 0a96544 into openshift:release-4.8 Aug 17, 2021
mansikulkarni96 pushed a commit to mansikulkarni96/windows-machine-config-operator that referenced this pull request Aug 7, 2023
…penshift-cherrypick-robot/cherry-pick-508-to-release-4.8

Updated upstream source commit.
Commit details follow:

Project: https://github.com/openshift/windows-machine-config-operator.git
Branch:  release-4.8
Commit:  0a96544
Author:  openshift-ci[bot]
Date:    Tue, 17 Aug 2021 01:27:53 +0000

    Merge pull request openshift#604 from openshift-cherrypick-robot/cherry-pick-508-to-release-4.8

    [release-4.8] WINC-632: Secure BYOH username annotation

Additional included commits:
  e5e0f2e, 29ba629, a31d8b0, b9a8d81, 793054f, 0762db7, e52da6a

automerge: yes
x-md5: d37dbd38ab0382695d5858edae2a9cbb
Change-Id: Ic951ca73d5e759c9f09268d5b7ab941c6e6e9a0b