Bug 2144067: core: Read mon secret from file instead of env var #441
Environment variables are not recommended for secrets in pods since they can be easily leaked if the environment variables are logged. By mounting the mon secret as a file, the mgr and osd prepare pods can read the mon secret from a file for better security. Signed-off-by: Travis Nielsen <tnielsen@redhat.com> (cherry picked from commit 4033351)
The toolbox, toolbox job, and osd prepare jobs need to mount the ceph admin keyring as a file instead of using an env var. The toolbox script will still allow setting of the env var for backward compatibility, though all the examples are now updated to use the keyring as a file. Signed-off-by: Travis Nielsen <tnielsen@redhat.com> (cherry picked from commit 4f77664)
@travisn: An error was encountered searching for bug 2144067 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details. Full error message.
response code 401 not 200
Please contact an administrator to resolve this issue, then request a bug refresh with In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: travisn The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/cherry-pick release-4.11
/cherry-pick release-4.10
@travisn: #441 failed to apply on top of branch "release-4.11": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@travisn: #441 failed to apply on top of branch "release-4.10": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Description of your changes:
Environment variables are not recommended for secrets in pods since they can be easily leaked if the environment variables are logged. By mounting the mon secret as a file, the mgr and osd prepare pods can read the mon secret from a file for better security.
This, in addition to rook#11331, should mean rook is compliant with not using the secrets.
The one exception to this is that the CSI driver and many of the Ceph pods mount the rook-ceph-config secret, but it does not contain confidential information. The secret only contains the mon endpoints, which is necessary to save as a secret for the csi driver.
Which issue is resolved by this Pull Request:
Resolves https://bugzilla.redhat.com/show_bug.cgi?id=2144067
Checklist:
skip-ci on the PR.
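The env-var-versus-file pattern the description refers to, shown side by side as an added illustration; this is not a manifest from this PR or from Rook, and the secret name `rook-ceph-mon`, the key name `mon-secret`, the env var name, the image and the mount path are assumptions:

```yaml
# Weak: the secret value is injected into the process environment, where it is
# inherited by every child process and is easily dumped or logged by the app.
apiVersion: v1
kind: Pod
metadata:
  name: mgr-env-example            # constructed example, not a Rook manifest
spec:
  containers:
    - name: mgr
      image: example/ceph:placeholder   # placeholder image
      env:
        - name: MON_SECRET            # illustrative env var name
          valueFrom:
            secretKeyRef:
              name: rook-ceph-mon     # assumed secret name
              key: mon-secret         # assumed key name
---
# Preferred: project the same key as a read-only file; the process reads it
# from disk and the value never appears in the environment.
apiVersion: v1
kind: Pod
metadata:
  name: mgr-file-example
spec:
  containers:
    - name: mgr
      image: example/ceph:placeholder
      volumeMounts:
        - name: mon-secret
          mountPath: /var/lib/rook/secrets   # assumed mount path
          readOnly: true
  volumes:
    - name: mon-secret
      secret:
        secretName: rook-ceph-mon
        defaultMode: 0400             # owner-readable only
        items:
          - key: mon-secret
            path: mon-secret          # becomes /var/lib/rook/secrets/mon-secret
```

A quick check after the change is that `env` run inside the container no longer lists the secret, while the mounted file exists with mode 0400.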