fix some issues around secrets handling (PROJQUAY-6787) #142
Conversation
Signed-off-by: badgerops <github@badgerops.net>
Signed-off-by: badgerops <github@badgerops.net>
|
added commit |
HammerMeetNail
added
the
ok-to-test
|
Thanks Sol, we'll take a look at this week and follow up soon. |
|
@dmage @jonathankingfc Anything you want to adjust before we stamp? Seems like a reasonable ask and passes existing tests. |
|
FWIW I've tested a bunch of different scenarios on a vagrant & physical install, upgrade, re-install over existing install. All worked as expected. |
| @@ -0,0 +1,6 @@ | |||
| - name: Generate secrets for Quay config.yaml | |||
There was a problem hiding this comment.
I'm not very familiar with the community.general.random_string. A quick google search yields its powered by the https://docs.python.org/3/library/random.html#random.SystemRandom lib. It looks like it will use a unique seed on each invocation unless specified specific seed (for testing purposes).
However, it does mention limitations of not being available on some OS, though it doesn't call out any. Do we know what the limitations of this role and underlying libraries are?
There was a problem hiding this comment.
Yeah, I'm not sure exactly why that doc mentions it not being available - my guess is maybe a *BSD? Looks like even windows can deal with os.urandom properly.
Given that it is highly unlikely this tool will be installed on a non RHEL OS, I don't think we'll see an issue. The primary reason I went this path was that community.general was already installed, and I didn't want to add any more imports/complexity than necessary to accomplish the goal.
Good question, the passwords are generated and written to the ~/.containers path for the given user: $ echo "bar" | podman secret create foo -
f46441aa419510b9f5303e52e
$ podman secret ls
ID NAME DRIVER CREATED UPDATED
f46441aa419510b9f5303e52e foo file 7 seconds ago 7 seconds ago
$ podman secret inspect foo
[
{
"ID": "f46441aa419510b9f5303e52e",
"CreatedAt": "2024-03-04T14:00:21.239208863Z",
"UpdatedAt": "2024-03-04T14:00:21.239208863Z",
"Spec": {
"Name": "foo",
"Driver": {
"Name": "file",
"Options": {
"path": "/home/<username>/.local/share/containers/storage/secrets/filedriver"
}
},
"Labels": {}
}
}
]
$ cat /home/<username>/.local/share/containers/storage/secrets/filedriver/secretsdata.json
{
"f46441aa419510b9f5303e52e": "YmFyCg=="
$ cat /home/<username>/.local/share/containers/storage/secrets/filedriver/secretsdata.json | jq -r '.[]' | base64 -d -
barI considered adding an update to the readme pointing this out, but thought maybe it would add more confusion than it was worth? I definitely don't mind adding a section discussing how to identify the passwords. They're not really ever needed for customers to use, since they're internal services that aren't exposed outside of the pod, but for troubleshooting purposes I could see wanting to know how to identify them. |
HammerMeetNail
changed the title
Hi team,
What
I noticed that the current
config.yaml.j2contains some hard-coded secrets, and confirmed in an internal environment that they were unchanged as part of themirror-registrydeployment process.Why
I believe users of mirror-registry will want unique passwords & secrets, most importantly the CSRF
SECRET_KEYsince that has significant implications on session hijacking.How
secret-vars.yamlthat will generate random strings using the already importedcommunity.general.random_stringlibrary.config.yaml.j2to use those facts as part of deploymentinstall-postgres-service.yamlandinstall-redis-service.yamlto create podman secrets using the factspostgres.service.j2andredis.service.j2to utilize the secrets createdThis will not impact upgrades, only initial deployments.
I've done the DCO sign-off, and believe this PR is ready to merge, however I'm happy to update/modify based on feedback from this team.
Cheers,
-BadgerOps