
core: Read mon secret from file instead of env var #11434

Merged (2 commits) on Dec 15, 2022

Conversation

@travisn travisn (Member) commented Dec 13, 2022

Description of your changes:
Environment variables are not recommended for secrets in pods since they can be easily leaked if the environment variables are logged. By mounting the mon secret as a file, the mgr and osd prepare pods can read the mon secret from a file for better security.

This, in addition to #11331, should mean Rook is compliant with not using the secrets.

The one exception to this is that the CSI driver and many of the Ceph pods mount the rook-ceph-config secret, but it does not contain confidential information. The secret only contains the mon endpoints, which is necessary to save as a secret for the csi driver.

$ kubectl -n rook-ceph get secret rook-ceph-config -o yaml
apiVersion: v1
data:
  mon_host: W3YyOjEwLjEwNi4zMC4yMTQ6MzMwMCx2MToxMC4xMDYuMzAuMjE0OjY3ODld
  mon_initial_members: YQ==
kind: Secret

And the decoded secret:

- mon_host: [v2:10.106.30.214:3300,v1:10.106.30.214:6789]
- mon_initial_members: a

Which issue is resolved by this Pull Request:
Resolves #10994

Checklist:

  • Commit Message Formatting: Commit titles and messages follow guidelines in the developer guide.
  • Skip Tests for Docs: If this is only a documentation change, add the label skip-ci on the PR.
  • Reviewed the developer guide on Submitting a Pull Request
  • Pending release notes updated with breaking and/or notable changes for the next minor release.
  • Documentation has been updated, if necessary.
  • Unit tests have been added, if necessary.
  • Integration tests have been added, if necessary.

Environment variables are not recommended for secrets in pods since
they can be easily leaked if the environment variables are logged.
By mounting the mon secret as a file, the mgr and osd prepare pods
can read the mon secret from a file for better security.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
The toolbox, toolbox job, and osd prepare jobs need to mount the
ceph admin keyring as a file instead of using an env var.
The toolbox script will still allow setting of the env var
for backward compatibility, though all the examples are now
updated to use the keyring as a file.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
Comment on lines +201 to +204:

    if err := readCephSecret(path.Join(mon.CephSecretMountPath, mon.CephSecretFilename)); err != nil {
        rook.TerminateFatal(err)
    }

Member commented:

Do we really need these? If the deployment defines an env var, then that version will reference the env var, and if it defines the file, then it will use the file, right? Is there some other behavior I've forgotten where Rook needs to read that info?

Member Author (travisn) commented:

For the mgr side car and the osd prepare job, their pod specs are controlled by the operator of the same version, so we know that those will be using the secret file. But the osd purge job could have a spec with the env vars, or it could have the secret mounted, depending on the version. So this helper will use the fallback to the env var, really just to cover that osd purge job case.
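One way to implement the file-first, env-var-fallback helper described in this reply, written as an added example in Go that is not Rook's own code: the mount path, filename and legacy env-var name are assumptions, and only a missing file triggers the fallback so that permission errors or an empty secret file are not silently masked.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Assumed names for this example (not Rook's real constants): the operator
// mounts the mon secret at a fixed path; older pod specs may still inject it
// as an env var.
const (
	DefaultSecretMountPath = "/var/lib/rook-ceph-mon" // assumption
	DefaultSecretFilename  = "mon-secret"             // assumption
	LegacySecretEnvVar     = "ROOK_CEPH_MON_SECRET"   // hypothetical legacy env var
)

// readSecretFile reads the mounted secret, trimming the trailing newline a
// Secret volume or kubectl commonly adds; an empty file is treated as an error.
func readSecretFile(p string) (string, error) {
	b, err := os.ReadFile(p)
	if err != nil {
		return "", err
	}
	s := strings.TrimSpace(string(b))
	if s == "" {
		return "", fmt.Errorf("secret file %q is empty", p)
	}
	return s, nil
}

// LoadMonSecret prefers the file and falls back to the env var only when the
// file is absent (the osd purge job case above). Other file errors, such as
// permissions or an empty file, are returned rather than silently masked.
func LoadMonSecret(secretPath, envName string) (string, error) {
	s, err := readSecretFile(secretPath)
	if err == nil {
		return s, nil
	}
	if !os.IsNotExist(err) {
		return "", err
	}
	if v := strings.TrimSpace(os.Getenv(envName)); v != "" {
		return v, nil
	}
	return "", fmt.Errorf("mon secret not found: no file at %q and %s is unset", secretPath, envName)
}
```

A caller would pass `DefaultSecretMountPath + "/" + DefaultSecretFilename` and `LegacySecretEnvVar`, and should log only that a secret was loaded, never its value.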

@BlaineEXE BlaineEXE (Member) left a comment:

Looks good with just a clarifying question. I have the sense that I'm forgetting some behavior and that it's probably good.

Successfully merging this pull request may close these issues.

Make rook helm chart CIS compliant