-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
secretKeys documentation and fixes #513
Conversation
The main point of this PR is to add a doc about "secret keys" that can be referenced from the CRD wiki pages. I've also bundled a fix for an upgrade case: make sure that the master key default is generated if there was a pre-existing kdconfig when KD was upgraded. I think it's quite likely that we'll want to include some immediate fixes for issue bluek8s#512 in here as well, along with the necessary doc updates to reflect that.
...rather than bailing out on the whole configmeta generation.
(including indirectly by kdconfig deletion) Some big-hammer preventive measures for things described in issue bluek8s#512.
The last two commits are proposed near-term fixes for the changes described in issue #512, so everyone can see what code changes would be involved. If they're acceptable I'll keep them in here and update the doc accordingly. |
ngID = namespace.getWithTokens(["node", "nodegroup_id"]) | ||
roleID = namespace.getWithTokens(["node", "role_id"]) | ||
secretKeyName = "some-key-name" | ||
secretKeyValue = namespace.getWithTokens(["distros", distroID, ngID, "roles", roleID, "secret_keys", secretKeyName]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aleshchynskyi @joel-bluedata If I remember this correctly, this still gives encrypted value?
Can we clarify this in the doc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, this will give unencrypted... only the unencrypted value is stored in the configmeta.
Elaborating a bit: this is the value that was originally passed in as the "value" in a secretKeys element. Now it may be the case that this value is ITSELF a decryption key that will be used to decrypt other things (e.g. from a Secret or Configmap), but whatever that usage is, it's application-specific.
The main point of this PR is to add a doc about "secret keys" that can be referenced from the CRD wiki pages.
I've also bundled a fix for an upgrade case: make sure that the master key default is generated if there was a pre-existing kdconfig when KD was upgraded.
I think it's quite likely that we'll want to include some immediate fixes for issue #512 in here as well, along with the necessary doc updates to reflect that.