
Secrets handled incorrectly in helm chart #698

Closed
ncsibra opened this issue Aug 8, 2019 · 4 comments · Fixed by #803
Labels: kind/enhancement (Improvements or new features), kind/question (Questions about existing features)
Milestone: 0.27

Comments

ncsibra commented Aug 8, 2019

I'm trying to use the new secret provider feature introduced in pulumi/pulumi#2994.
Using AWS KMS as the provider.

Sample code:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "rabbitmq-ha.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "rabbitmq-ha.name" . }}
    chart: {{ template "rabbitmq-ha.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
data:
  definitions.json: |
    {
      "users": [
        {
          "name": "admin",
          "password": "{{ .Values.adminPassword }}",
          "tags": "administrator"
        }
      ]
    }
```

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "rabbitmq-ha.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ template "rabbitmq-ha.name" . }}
    chart: {{ template "rabbitmq-ha.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  rabbitmq-admin-password: {{ .Values.adminPassword | b64enc | quote }}
```

```typescript
import * as path from 'path'
import * as pulumi from '@pulumi/pulumi'
import * as k8s from '@pulumi/kubernetes'

// `env` is the environment name, defined elsewhere in the program
const config = new pulumi.Config(pulumi.getProject())
new k8s.helm.v2.Chart(
  `${env}-rabbitmq`,
  {
    path: path.join('helm', 'rabbitmq'),
    values: {
      // a secret Output; the Helm templates above render it into both objects
      adminPassword: config.requireSecret('adminPassword')
    }
  }
)
```

When checking the details view during up, in the ConfigMap it shows as [secret], but in the Secret, it shows the base64 encoded string, a simple decode reveals the plain secret value.
After stack creation, the stack state contains the secret as a plain text, both for the ConfigMap and for Secret.

Versions:

```console
➜  pulumi (28-rabbitmq) ✗ pulumi version
v0.17.28
➜  pulumi (28-rabbitmq) ✗ yarn list --pattern "@pulumi"
yarn list v1.15.2
warning package.json: No license field
warning prmrgt-infra: No license field
├─ @pulumi/aws@0.18.26
├─ @pulumi/cloudflare@0.17.8
├─ @pulumi/kubernetes@0.25.6
├─ @pulumi/pulumi@0.17.28
├─ @pulumi/query@0.3.0
└─ @pulumi/random@0.5.6
Done in 0.18s.
➜  pulumi (28-rabbitmq) ✗ pulumi plugin ls
NAME        KIND      VERSION  SIZE    INSTALLED  LAST USED
aws         resource  0.18.26  209 MB  n/a        1 day ago
aws         resource  0.18.25  209 MB  n/a        1 week ago
aws         resource  0.18.24  209 MB  n/a        1 week ago
aws         resource  0.18.10  204 MB  n/a        1 week ago
cloudflare  resource  0.17.8   41 MB   n/a        1 week ago
cloudflare  resource  0.17.3   40 MB   n/a        1 week ago
kubernetes  resource  0.25.6   51 MB   n/a        26 minutes ago
kubernetes  resource  0.25.5   51 MB   n/a        1 day ago
kubernetes  resource  0.25.4   51 MB   n/a        6 days ago
kubernetes  resource  0.25.3   51 MB   n/a        1 week ago
kubernetes  resource  0.25.2   51 MB   n/a        1 week ago
kubernetes  resource  0.24.0   53 MB   n/a        1 week ago
random      resource  0.5.6    36 MB   n/a        1 week ago
random      resource  0.5.3    36 MB   n/a        1 week ago
random      resource  0.5.1    28 MB   n/a        1 week ago

TOTAL plugin cache size: 1.3 GB
```
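The report above says the plaintext password ends up in the stack state, and in the Secret it is only base64-encoded. A practical check for this class of leak is to scan the JSON produced by `pulumi stack export` for a known secret value, both verbatim and in its base64 form. The following is an added example written for this page, not code from the issue or from Pulumi; the sample state document, its URNs and the password value `hunter2` are constructed for the example and only approximate the real export format.

```typescript
// Added example (not part of the issue or of Pulumi): scan an exported stack
// state for a known secret, both verbatim and in its base64 form.

const B64_ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// UTF-8 encode a string into bytes without relying on Node's Buffer, so the
// example runs under any TypeScript toolchain.
function utf8Bytes(s: string): number[] {
  const out: number[] = [];
  for (let i = 0; i < s.length; i++) {
    let cp = s.charCodeAt(i);
    // combine a UTF-16 surrogate pair into a single code point
    if (cp >= 0xd800 && cp <= 0xdbff && i + 1 < s.length) {
      const lo = s.charCodeAt(i + 1);
      if (lo >= 0xdc00 && lo <= 0xdfff) {
        cp = 0x10000 + ((cp - 0xd800) << 10) + (lo - 0xdc00);
        i++;
      }
    }
    if (cp < 0x80) out.push(cp);
    else if (cp < 0x800) out.push(0xc0 | (cp >> 6), 0x80 | (cp & 0x3f));
    else if (cp < 0x10000)
      out.push(0xe0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
    else
      out.push(0xf0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3f),
               0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
  }
  return out;
}

// Standard base64 with '=' padding, the encoding Kubernetes uses for Secret
// `data`. It is reversible by anyone and hides nothing.
export function base64(s: string): string {
  const b = utf8Bytes(s);
  let out = "";
  for (let i = 0; i < b.length; i += 3) {
    const n = (b[i] << 16) | ((b[i + 1] ?? 0) << 8) | (b[i + 2] ?? 0);
    out += B64_ALPHABET[(n >> 18) & 63] + B64_ALPHABET[(n >> 12) & 63];
    out += b[i + 1] === undefined ? "=" : B64_ALPHABET[(n >> 6) & 63];
    out += b[i + 2] === undefined ? "=" : B64_ALPHABET[n & 63];
  }
  return out;
}

export interface Finding {
  path: string;                 // dotted path into the state document
  form: "plaintext" | "base64"; // how the secret appeared there
}

// Walk the parsed JSON from `pulumi stack export` and record every string
// that contains the secret as-is or as the base64 of the whole value.
// Caveat: a secret embedded inside a larger base64 blob is encoded at a
// different alignment and will not match the base64 form.
export function findLeakedSecret(state: unknown, secret: string): Finding[] {
  const encoded = base64(secret);
  const findings: Finding[] = [];
  const walk = (node: unknown, path: string): void => {
    if (typeof node === "string") {
      if (node.indexOf(secret) !== -1) findings.push({ path, form: "plaintext" });
      else if (node.indexOf(encoded) !== -1) findings.push({ path, form: "base64" });
    } else if (Array.isArray(node)) {
      node.forEach((v, i) => walk(v, `${path}[${i}]`));
    } else if (node !== null && typeof node === "object") {
      const obj = node as { [k: string]: unknown };
      for (const k of Object.keys(obj)) walk(obj[k], path ? `${path}.${k}` : k);
    }
  };
  walk(state, "");
  return findings;
}

// Constructed sample state for this example. The shape approximates a
// `pulumi stack export` document; URNs and values are made up.
export const sampleState = {
  version: 3,
  deployment: {
    resources: [
      {
        urn: "urn:pulumi:dev::infra::kubernetes:core/v1:ConfigMap::dev-rabbitmq",
        type: "kubernetes:core/v1:ConfigMap",
        outputs: {
          data: {
            "definitions.json":
              '{"users":[{"name":"admin","password":"hunter2","tags":"administrator"}]}',
          },
        },
      },
      {
        urn: "urn:pulumi:dev::infra::kubernetes:core/v1:Secret::dev-rabbitmq",
        type: "kubernetes:core/v1:Secret",
        outputs: { data: { "rabbitmq-admin-password": "aHVudGVyMg==" } },
      },
    ],
  },
};

// Run stand-alone: report both places the sample state exposes the password.
for (const f of findLeakedSecret(sampleState, "hunter2")) {
  console.log(`${f.form} ${f.path}`);
}
```

On a real stack, feed `JSON.parse` of the `pulumi stack export` output to `findLeakedSecret` with the value from your secret provider. A clean result only means that particular value is absent in the two forms checked; it says nothing about the copy in etcd.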
@ncsibra ncsibra changed the title Secrets handled incorrectly when using pipelines in helm chart Secrets handled incorrectly in helm chart Aug 8, 2019
@lukehoban lukehoban self-assigned this Aug 8, 2019
@lukehoban lukehoban added the kind/question Questions about existing features label Aug 9, 2019
@lukehoban lukehoban added this to the 0.27 milestone Aug 9, 2019
ncsibra (Author) commented Aug 9, 2019

@lukehoban "kind/question", so it's not a bug?
I thought these secrets should always be removed from diffs/logs and state, or not?

hausdorff (Contributor) commented

We probably should automatically mark the data and stringData fields of Secret as secret by default.

In case you don't know, Secret is not particularly secret, though. :) Kubernetes stores secrets in plain text in etcd, and generally anyone with kubectl access can get at the values. So our solution here would only affect what you can see via Pulumi itself.

ncsibra (Author) commented Aug 9, 2019

Sadly, I know. :)
But the whole point of the mentioned feature, and of handling some Outputs as secret, is to hide sensitive information from state and log files.
Sometimes when reporting an issue internally or to Pulumi, we have to be very careful not to share sensitive data through log or state snippets; that's why I think it's an important feature.

lukehoban (Member) commented

> We probably should automatically mark the data and stringData fields of Secret as secret by default.

Note that you can in the meantime use additionalSecretOutputs to mark any outputs you want to be secret as secret.
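One way to apply the `additionalSecretOutputs` workaround to every Secret a chart renders is a chart transformation. The block below is an added example written for this page, not Pulumi's or the chart's own code. It assumes the `transformations` hook of `k8s.helm.v2.Chart` calls each function with the rendered object and its `CustomResourceOptions`, i.e. `(obj, opts) => void`; the `SecretOutputOptions` interface is a local stand-in for the one field of `pulumi.CustomResourceOptions` the function touches, declared here so the logic runs without the Pulumi SDK installed. It goes beyond the comment above by keying the rule on apiVersion as well as kind, so a custom resource that merely shares the name Secret is not matched, and by letting you add the ConfigMap from the report, whose `definitions.json` also carries the password.

```typescript
// Added example (not Pulumi's own code): a Chart transformation that marks
// the sensitive output fields of rendered resources as Pulumi secrets via
// `additionalSecretOutputs`, so they are encrypted in state and masked in
// `pulumi up` output. Assumption: the `transformations` hook has the shape
// `(obj, opts) => void` with `opts` being the resource's options.

// The only field of pulumi.CustomResourceOptions this transformation touches,
// declared locally so the logic can be exercised without the Pulumi SDK.
// In a real program the actual pulumi.CustomResourceOptions is what arrives.
export interface SecretOutputOptions {
  additionalSecretOutputs?: string[];
}

interface K8sObject {
  apiVersion?: string;
  kind?: string;
}

// Output properties to mark secret, keyed by "<apiVersion>/<kind>". Only the
// core v1 Secret is listed by default, so a CRD that happens to be called
// Secret under another apiVersion is not matched by accident.
export type SecretRules = { [groupKind: string]: string[] };

export const DEFAULT_SECRET_RULES: SecretRules = {
  "v1/Secret": ["data", "stringData"],
};

export function secretOutputsTransformation(
  rules: SecretRules = DEFAULT_SECRET_RULES,
): (obj: K8sObject, opts: SecretOutputOptions) => void {
  return (obj, opts) => {
    if (!obj || !obj.apiVersion || !obj.kind) return;
    const fields = rules[`${obj.apiVersion}/${obj.kind}`];
    if (!fields) return; // nothing sensitive declared for this kind
    // keep whatever the caller already marked, and never add a duplicate,
    // so applying the transformation twice is harmless
    const merged = (opts.additionalSecretOutputs || []).slice();
    for (const f of fields) {
      if (merged.indexOf(f) === -1) merged.push(f);
    }
    opts.additionalSecretOutputs = merged;
  };
}

// Wiring into the chart from the report (values and `env` as in the issue):
//
//   new k8s.helm.v2.Chart(`${env}-rabbitmq`, {
//     path: path.join("helm", "rabbitmq"),
//     values: { adminPassword: config.requireSecret("adminPassword") },
//     transformations: [
//       // also cover the ConfigMap that embeds the password in definitions.json
//       secretOutputsTransformation({
//         ...DEFAULT_SECRET_RULES,
//         "v1/ConfigMap": ["data"],
//       }),
//     ],
//   });

// Stand-alone demonstration on a constructed object.
const demoOpts: SecretOutputOptions = {};
secretOutputsTransformation()({ apiVersion: "v1", kind: "Secret" }, demoOpts);
console.log(demoOpts.additionalSecretOutputs); // [ 'data', 'stringData' ]
```

This only changes what Pulumi records and prints, which is the point hausdorff makes above: the object in the cluster still holds the value base64-encoded, readable by anyone with `get secret` on that namespace.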


5 participants