Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

secretKeys documentation and fixes #513

Merged
merged 4 commits into from
Sep 27, 2021
Merged

secretKeys documentation and fixes #513

merged 4 commits into from
Sep 27, 2021

Conversation

joel-bluedata
Copy link
Member

The main point of this PR is to add a doc about "secret keys" that can be referenced from the CRD wiki pages.

I've also bundled a fix for an upgrade case: make sure that the master key default is generated if there was a pre-existing kdconfig when KD was upgraded.

I think it's quite likely that we'll want to include some immediate fixes for issue #512 in here as well, along with the necessary doc updates to reflect that.

@joel-bluedata
secretKeys documentation and fixes
ce60330 
The main point of this PR is to add a doc about "secret keys" that can be referenced from the CRD wiki pages.

I've also bundled a fix for an upgrade case: make sure that the master key default is generated if there was a pre-existing kdconfig when KD was upgraded.

I think it's quite likely that we'll want to include some immediate fixes for issue bluek8s#512 in here as well, along with the necessary doc updates to reflect that.
@joel-bluedata
if we can't decrypt a secret key, just drop it
3c5b17e 
...rather than bailing out on the whole configmeta generation.
@joel-bluedata
prevent changing master encryption key while kdclusters exist
d12c4c9 
(including indirectly by kdconfig deletion)

Some big-hammer preventive measures for things described in issue bluek8s#512.
@joel-bluedata
Copy link
Member Author

The last two commits are proposed near-term fixes for the changes described in issue #512, so everyone can see what code changes would be involved. If they're acceptable I'll keep them in here and update the doc accordingly.

@joel-bluedata joel-bluedata mentioned this pull request Sep 24, 2021
Open
kmathur2
kmathur2 reviewed Sep 24, 2021
View reviewed changes
doc/secret-keys.md
ngID = namespace.getWithTokens(["node", "nodegroup_id"])
roleID = namespace.getWithTokens(["node", "role_id"])
secretKeyName = "some-key-name"
secretKeyValue = namespace.getWithTokens(["distros", distroID, ngID, "roles", roleID, "secret_keys", secretKeyName])
Copy link
Member

@kmathur2 kmathur2 Sep 24, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aleshchynskyi @joel-bluedata If I remember this correctly, this still gives encrypted value?

Can we clarify this in the doc.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope, this will give unencrypted... only the unencrypted value is stored in the configmeta.

Elaborating a bit: this is the value that was originally passed in as the "value" in a secretKeys element. Now it may be the case that this value is ITSELF a decryption key that will be used to decrypt other things (e.g. from a Secret or Configmap), but whatever that usage is, it's application-specific.

@joel-bluedata joel-bluedata merged commit 077a097 into bluek8s:master Sep 27, 2021
@joel-bluedata joel-bluedata deleted the secretkeys branch September 27, 2021 23:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kmathur2 kmathur2 kmathur2 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@joel-bluedata @kmathur2