core: Read mon secret from file instead of env var #11434
Environment variables are not recommended for secrets in pods since they can be easily leaked if the environment variables are logged. By mounting the mon secret as a file, the mgr and osd prepare pods can read the mon secret from a file for better security. Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
The toolbox, toolbox job, and osd prepare jobs need to mount the ceph admin keyring as a file instead of using an env var. The toolbox script will still allow setting of the env var for backward compatibility, though all the examples are now updated to use the keyring as a file. Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
if err := readCephSecret(path.Join(mon.CephSecretMountPath, mon.CephSecretFilename)); err != nil { | ||
rook.TerminateFatal(err) | ||
} | ||
|
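Review bot: rook.TerminateFatal(err) at this call site makes any error from readCephSecret fatal, so the env-var fallback the author describes for the osd purge job has to live inside readCephSecret itself; a one-line comment on this call (file tried first, env var second, only for older pod specs) would keep a future cleanup from removing the fallback by accident. Also confirm the error returned by readCephSecret carries only the path built from mon.CephSecretMountPath and mon.CephSecretFilename and never the file content, since TerminateFatal will log it.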
Do we really need these? If the deployment defines an env var, then that version will reference the env var, and if it defines the file, then it will use the file, right? Is there some other behavior I've forgotten where Rook needs to read that info?
For the mgr sidecar and the osd prepare job, their pod specs are controlled by the operator of the same version, so we know that those will be using the secret file. But the osd purge job could have a spec with the env vars, or it could have the secret mounted, depending on the version. So this helper will use the fallback to the env var, really just to cover that osd purge job case.
Looks good with just a clarifying question. I have the sense that I'm forgetting some behavior and that it's probably good.
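The file-first, env-var-second loading pattern described in the thread above, written out as an added Go example. This is not code from the Rook PR: the real helper readCephSecret and the constants mon.CephSecretMountPath and mon.CephSecretFilename are not shown on this page, so the mount path, filename and env var name below are assumed placeholders. The example also shows the two details a reviewer would check: an absent file falls back to the env var, but a present-yet-empty or unreadable file fails closed, and the value itself is never written to a log.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Assumed mount path, filename and env var name for illustration only; the
// real Rook constants and helper are not on this page.
const (
	cephSecretMountPath = "/var/lib/rook/ceph-secret"
	cephSecretFilename  = "ceph-secret"
	cephSecretEnvVar    = "ROOK_CEPH_SECRET"
)

var errNoSecret = errors.New("ceph secret not available from mounted file or environment")

// readSecretFile loads one key projected by a Kubernetes Secret volume.
// It strips surrounding whitespace (a trailing newline is common when the
// Secret was created from a file) and rejects empty content so a badly
// mounted volume fails closed instead of authenticating with "".
func readSecretFile(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	secret := strings.TrimSpace(string(data))
	if secret == "" {
		return "", fmt.Errorf("secret file %s is empty", path)
	}
	return secret, nil
}

// loadCephSecret prefers the mounted file and falls back to the env var only
// when the file is absent, mirroring the compatibility path the discussion
// describes for the osd purge job. It returns where the secret came from so
// callers can log the source without ever logging the value.
func loadCephSecret(mountPath, filename, envVar string) (secret, source string, err error) {
	filePath := filepath.Join(mountPath, filename)
	secret, err = readSecretFile(filePath)
	switch {
	case err == nil:
		return secret, "file", nil
	case !errors.Is(err, os.ErrNotExist):
		// A present-but-unreadable or empty file is a misconfiguration; do not
		// mask it by silently falling back to the environment.
		return "", "", err
	}
	if v := strings.TrimSpace(os.Getenv(envVar)); v != "" {
		return v, "env", nil
	}
	return "", "", errNoSecret
}

func main() {
	_, source, err := loadCephSecret(cephSecretMountPath, cephSecretFilename, cephSecretEnvVar)
	if err != nil {
		// The error carries only the path, never the secret content.
		fmt.Fprintln(os.Stderr, "failed to load ceph secret:", err)
		os.Exit(1)
	}
	// Log only the provenance; the secret value itself never reaches stdout/stderr.
	fmt.Println("ceph secret loaded from", source)
}
```

Failing closed on an empty or unreadable file, rather than falling through to the env var, matters because the whole point of the change is that a pod built by the current operator should only ever have the file; a fallback that triggers on every error would hide a broken mount behind a stale env var.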
core: Read mon secret from file instead of env var (backport #11434)
Description of your changes:
Environment variables are not recommended for secrets in pods since they can be easily leaked if the environment variables are logged. By mounting the mon secret as a file, the mgr and osd prepare pods can read the mon secret from a file for better security.
This, in addition to #11331, should mean Rook is compliant with not using the secrets.
The one exception to this is that the CSI driver and many of the Ceph pods mount the rook-ceph-config secret, but it does not contain confidential information. The secret only contains the mon endpoints, which is necessary to save as a secret for the CSI driver. And the decoded secret:
Which issue is resolved by this Pull Request:
Resolves #10994