
Bug 2144067: core: Read mon secret from file instead of env var #441

Merged
merged 3 commits into from Dec 15, 2022

Conversation

travisn

@travisn travisn commented Dec 15, 2022

Description of your changes:
Environment variables are not recommended for secrets in pods since they can be easily leaked if the environment variables are logged. By mounting the mon secret as a file, the mgr and osd prepare pods can read the mon secret from a file for better security.

This in addition to rook#11331 should mean rook is compliant with not using the secrets.

The one exception to this is that the CSI driver and many of the Ceph pods mount the rook-ceph-config secret, but it does not contain confidential information. The secret only contains the mon endpoints, which is necessary to save as a secret for the csi driver.

Which issue is resolved by this Pull Request:
Resolves #https://bugzilla.redhat.com/show_bug.cgi?id=2144067

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Skip Tests for Docs: If this is only a documentation change, add the label skip-ci on the PR.
  • Reviewed the developer guide on Submitting a Pull Request
  • Pending release notes updated with breaking and/or notable changes for the next minor release.
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.

Environment variables are not recommended for secrets in pods since
they can be easily leaked if the environment variables are logged.
By mounting the mon secret as a file, the mgr and osd prepare pods
can read the mon secret from a file for better security.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
(cherry picked from commit 4033351)
The toolbox, toolbox job, and osd prepare jobs need to mount the
ceph admin keyring as a file instead of using an env var.
The toolbox script will still allow setting of the env var
for backward compatibility, though all the examples are now
updated to use the keyring as a file.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
(cherry picked from commit 4f77664)
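The file-first, env-var-fallback behaviour the commits describe (the mon secret or admin keyring mounted as a file, with the env var kept only for backward compatibility), as an added Go example that is not Rook's own code; the mount path and env var name are placeholders, and the function reports which source was used so a caller can log the source without ever logging the secret value:

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Hypothetical names, not taken from the Rook code base.
const (
	monSecretFile = "/var/lib/rook/mon-secret/secret" // assumed secret volume mount path
	monSecretEnv  = "ROOK_MON_SECRET"                 // assumed legacy env var name
)

var errNoMonSecret = errors.New("mon secret not found in mounted file or env var")

// readSecretFrom prefers the mounted file and falls back to the env var only
// when the file is absent or empty. It returns the source ("file" or "env")
// so callers can log where the secret came from, never the secret itself.
func readSecretFrom(path, envVar string) (secret, source string, err error) {
	b, rerr := os.ReadFile(path)
	switch {
	case rerr == nil:
		if s := strings.TrimSpace(string(b)); s != "" {
			return s, "file", nil
		}
	case !errors.Is(rerr, os.ErrNotExist):
		// A present but unreadable file is a real error, not a reason to fall back.
		return "", "", fmt.Errorf("read %s: %w", path, rerr)
	}
	if v := strings.TrimSpace(os.Getenv(envVar)); v != "" {
		return v, "env", nil
	}
	return "", "", errNoMonSecret
}

func main() {
	secret, source, err := readSecretFrom(monSecretFile, monSecretEnv)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Log only the source and length; the value stays out of the logs.
	fmt.Printf("mon secret loaded from %s (%d bytes)\n", source, len(secret))
}
```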
@openshift-ci

openshift-ci bot commented Dec 15, 2022

@travisn: An error was encountered searching for bug 2144067 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details.

Full error message. response code 401 not 200

Please contact an administrator to resolve this issue, then request a bug refresh with /bugzilla refresh.

In response to this:

Bug 2144067: core: Read mon secret from file instead of env var

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci

openshift-ci bot commented Dec 15, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: travisn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 15, 2022
upgrading minikube action to latest version which has
the fix of crictl, currently CI is failing due to this.

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit a877771)
(cherry picked from commit eb48660)
@travisn travisn merged commit ab3046b into red-hat-storage:release-4.12 Dec 15, 2022
43 of 47 checks passed
@openshift-ci

openshift-ci bot commented Dec 15, 2022

@travisn: An error was encountered searching for bug 2144067 on the Bugzilla server at https://bugzilla.redhat.com. No known errors were detected, please see the full error message for details.

Full error message. response code 401 not 200

Please contact an administrator to resolve this issue, then request a bug refresh with /bugzilla refresh.

In response to this:

Bug 2144067: core: Read mon secret from file instead of env var

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@travisn travisn deleted the backport-secret-as-file branch December 15, 2022 18:51
@travisn
Author

travisn commented Mar 16, 2023

/cherry-pick release-4.11

@travisn
Author

travisn commented Mar 16, 2023

/cherry-pick release-4.10

@openshift-cherrypick-robot

@travisn: #441 failed to apply on top of branch "release-4.11":

Applying: core: read mon secret from file instead of env var
Using index info to reconstruct a base tree...
M	cmd/rook/ceph/osd.go
M	pkg/operator/ceph/cluster/mgr/spec.go
M	pkg/operator/ceph/cluster/mon/env.go
M	pkg/operator/ceph/cluster/osd/envs.go
M	pkg/operator/ceph/cluster/osd/provision_spec.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/operator/ceph/cluster/osd/provision_spec.go
Auto-merging pkg/operator/ceph/cluster/osd/envs.go
CONFLICT (content): Merge conflict in pkg/operator/ceph/cluster/osd/envs.go
Auto-merging pkg/operator/ceph/cluster/mon/env.go
Auto-merging pkg/operator/ceph/cluster/mgr/spec.go
Auto-merging cmd/rook/ceph/osd.go
CONFLICT (content): Merge conflict in cmd/rook/ceph/osd.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 core: read mon secret from file instead of env var
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-4.11

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-cherrypick-robot

@travisn: #441 failed to apply on top of branch "release-4.10":

Applying: core: read mon secret from file instead of env var
Using index info to reconstruct a base tree...
M	cmd/rook/ceph/osd.go
M	pkg/operator/ceph/cluster/mgr/spec.go
M	pkg/operator/ceph/cluster/mon/config.go
M	pkg/operator/ceph/cluster/mon/env.go
M	pkg/operator/ceph/cluster/osd/envs.go
M	pkg/operator/ceph/cluster/osd/provision_spec.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/operator/ceph/cluster/osd/provision_spec.go
Auto-merging pkg/operator/ceph/cluster/osd/envs.go
CONFLICT (content): Merge conflict in pkg/operator/ceph/cluster/osd/envs.go
Auto-merging pkg/operator/ceph/cluster/mon/env.go
CONFLICT (content): Merge conflict in pkg/operator/ceph/cluster/mon/env.go
Auto-merging pkg/operator/ceph/cluster/mon/config.go
CONFLICT (content): Merge conflict in pkg/operator/ceph/cluster/mon/config.go
Auto-merging pkg/operator/ceph/cluster/mgr/spec.go
Auto-merging cmd/rook/ceph/osd.go
CONFLICT (content): Merge conflict in cmd/rook/ceph/osd.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 core: read mon secret from file instead of env var
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-4.10

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
