ROX-12569 Change local-sensor cluster id #3127
| GitGuardian id | Secret | Commit | Filename |
|---|---|---|---|
| 3485722 | RSA Private Key | 44ac2bd | tools/local-sensor/certs/caKey.pem |
| 4494364 | Generic Private Key | 44ac2bd | tools/local-sensor/certs/caKey.pem |
| 4494365 | Generic Private Key | 44ac2bd | tools/local-sensor/certs/key.pem |
| 4515690 | Generic Private Key | 9045ed8 | tools/local-sensor/certs/caKey.pem |
| 4515691 | Generic Private Key | 9045ed8 | tools/local-sensor/certs/key.pem |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Our GitHub checks need improvements? Share your feedback!
Images are ready for the commit at 9045ed8. To use with deploy scripts, first
The change looks ok.
You may want to calm down GitGuardian that complains about finding secrets in .pem files, not sure how it's done.
Also, I have no clue how to capture data for safety-net-* files and I wasn't able to spot instructions. Could you please link it somewhere visibly or write it down if it is not yet written?
sensor/tests/replay/replay_test.go
Outdated
@@ -57,7 +57,7 @@ func (suite *ReplayEventsSuite) SetupSuite() { | |||
panic(err) | |||
} | |||
suite.fakeCentral = centralDebug.MakeFakeCentralWithInitialMessages( | |||
message.SensorHello("1234"), | |||
message.SensorHello("12345678-1234-1234-1234-123456789abc"), |
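Review bot: the replacement literal `12345678-1234-1234-1234-123456789abc` is laid out as 8-4-4-4-12 hex but is not a version 4 UUID: the first digit of its third group (the version nibble) is 1, and the first digit of its fourth group (the variant nibble) is 1 rather than 8, 9, a or b, so any check that looks at the version or variant will still reject it. Since the same id is used in more than one place in the file, define it once as a named constant in the test package and use a value that satisfies both checks, for example `00000000-0000-4000-A000-000000000000` as suggested below, so all three occurrences change together.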
This is not valid UUIDv4. Here is the validation rule that I found after quick googling: https://stackoverflow.com/a/19989922
Maybe let's use something like this?
message.SensorHello("12345678-1234-1234-1234-123456789abc"), | |
message.SensorHello("00000000-0000-4000-A000-000000000000"), |
... and apply to all 3 occurrences
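To make the distinction in this thread concrete: "looks like a UUID" and "is a version 4 UUID" are two different checks, and a string can pass the first while failing the second. The Go program below is an added example written for this review; it is not code from the stackrox repository or from pkg/uuid.go. It implements the RFC 4122 layout rule the reviewer linked (version nibble at the first position of the third group, variant nibble at the first position of the fourth) using only the standard library, and inspects the three ids discussed here: the old fixture `1234`, the literal from this PR, and the suggested replacement. The `UUIDCheck` type and `InspectUUID` function are constructed for the example.

```go
package main

import "fmt"

// UUIDCheck is the result of a purely syntactic inspection of a UUID string.
// Constructed for this example; it is not a type from pkg/uuid.go.
type UUIDCheck struct {
	WellFormed bool // 36 characters laid out as 8-4-4-4-12 hex groups
	Version    int  // version nibble (first hex digit of the third group); -1 if not well formed
	RFC4122    bool // variant nibble (first hex digit of the fourth group) is 8, 9, a or b
	IsV4       bool // WellFormed && Version == 4 && RFC4122
}

// hexVal returns the value of a hex digit, or -1 for any other byte.
func hexVal(c byte) int {
	switch {
	case c >= '0' && c <= '9':
		return int(c - '0')
	case c >= 'a' && c <= 'f':
		return int(c-'a') + 10
	case c >= 'A' && c <= 'F':
		return int(c-'A') + 10
	}
	return -1
}

// InspectUUID checks the canonical textual form and then reads the version
// and variant nibbles defined by RFC 4122. It deliberately separates
// "well-formed" from "is a v4 UUID" so the caller can see which check a
// fixture value fails.
func InspectUUID(s string) UUIDCheck {
	res := UUIDCheck{Version: -1}
	if len(s) != 36 {
		return res
	}
	for i := 0; i < len(s); i++ {
		switch i {
		case 8, 13, 18, 23: // hyphen positions in the 8-4-4-4-12 layout
			if s[i] != '-' {
				return res
			}
		default:
			if hexVal(s[i]) < 0 {
				return res
			}
		}
	}
	res.WellFormed = true
	res.Version = hexVal(s[14]) // first digit of the third group
	variant := hexVal(s[19])   // first digit of the fourth group
	res.RFC4122 = variant >= 0x8 && variant <= 0xb
	res.IsV4 = res.Version == 4 && res.RFC4122
	return res
}

func main() {
	// Constructed inputs: the old fixture, the literal from this PR, and the reviewer's suggestion.
	for _, id := range []string{
		"1234",
		"12345678-1234-1234-1234-123456789abc",
		"00000000-0000-4000-A000-000000000000",
	} {
		fmt.Printf("%-38s %+v\n", id, InspectUUID(id))
	}
}
```

Running it shows the three outcomes side by side: the old value fails the layout check outright, the PR's literal is well-formed but declares version 1 with a non-RFC 4122 variant, and only the suggested literal comes back as v4. A validator that checks layout alone therefore accepts the PR's value while one that reads the version nibble does not, which is the difference to keep in mind when choosing a test fixture.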
Fair. I'll change it. It's interesting though, pkg/uuid.go is not complaining with 12345678-1234-1234-1234-123456789abc (haven't looked at the code).
@gavin-stackrox Do you know how to do this? We use these secrets for test purposes only.
@msugakov The instructions are in this PR #2473. I think it's a good idea to have them written down somewhere else. Maybe in a comment in the tests code?
I think a README.md in
I'm fine with this change. But for the record, I think a better way of addressing this is to mock the TLS configuration for local-sensor, as described here: https://issues.redhat.com/browse/ROX-11015
The only reason local-sensor needs these files is to extract the ID from the cert CN. The gRPC connection is being mocked anyway so the contents of the certificate are irrelevant.
I agree with you, ROX-11015 should be the way to go to fix this properly. However, ROX-11015 might end up being a rabbit hole and this PR gives a quick patch to keep the log from spamming those uuid errors 🙂
1759114 to 9045ed8
Description
sensor-integration-test were tracing the following due to invalid cluster_id:
Checklist
- [ ] Unit test and regression tests added
- [ ] Evaluated and added CHANGELOG entry if required
- [ ] Determined and documented upgrade steps
- [ ] Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)
If any of these don't apply, please comment below.
Testing Performed
Manual testing and CI: