-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release-4.8] WINC-632: Secure BYOH username annotation #604
[release-4.8] WINC-632: Secure BYOH username annotation #604
Conversation
This commit removes the username from logging statements when attempting to establish SHH connection to an instance. Usernames are potentially sensitive data, so it is best to avoid exposing them as plaintext.
This commit introduces the crypto package functions to symmetrically encrypt/decrypt information. This package is used to encrypt instance usernames before adding them as node annotations, no longer exposing usernames as cleartext. This identifier is then decrypted when it is accessed again during the BYOH node deconfigure process. The SSH private key is used as the symmetric passphrase.
This commit reacts to changes to the private key secret used to SSH into Windows instances. A patch is applied to each BYOH node, updating its public key hash and encrypted username annotations using the new private key data.
This commit edits the parsing helpers for the BYOH instances ConfigMap to be decoupled from any single controller. Also now uses the introduced helper to split entries in the instances map.
This commit modifies the existing function that gets the SSH public key in the test suite to also return the associated private key secret, which is already pulled down within the function body.
This commit updates the e2e tests to validate BYOH node annotations. Criteria was added to the waitForNodes to ensure that the BYOH annotation and the username annotation are present, decipherable, and correct. Also, a reconfiguration test case was added to ensure nodes are properly updated when the SSH private key is changed to a random key.
`go get golang.org/x/crypto/openpgp` `go mod vendor && go mod tidy`
/lgtm |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aravindhp, openshift-cherrypick-robot The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
2 similar comments
/retest-required Please review the full test history for this PR and help us cut down flakes. |
/retest-required Please review the full test history for this PR and help us cut down flakes. |
…penshift-cherrypick-robot/cherry-pick-508-to-release-4.8 Updated upstream source commit. Commit details follow: Project: https://github.com/openshift/windows-machine-config-operator.git Branch: release-4.8 Commit: 0a96544 Author: openshift-ci[bot] Date: Tue, 17 Aug 2021 01:27:53 +0000 Merge pull request openshift#604 from openshift-cherrypick-robot/cherry-pick-508-to-release-4.8 [release-4.8] WINC-632: Secure BYOH username annotation Additional included commits: e5e0f2e, 29ba629, a31d8b0, b9a8d81, 793054f, 0762db7, e52da6a automerge: yes x-md5: d37dbd38ab0382695d5858edae2a9cbb Change-Id: Ic951ca73d5e759c9f09268d5b7ab941c6e6e9a0b
This is an automated cherry-pick of #508
/assign mansikulkarni96