-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix some issues around secrets handling (PROJQUAY-6787) #142
Conversation
Signed-off-by: badgerops <github@badgerops.net>
Signed-off-by: badgerops <github@badgerops.net>
added commit |
Thanks Sol, we'll take a look at this week and follow up soon. |
@dmage @jonathankingfc Anything you want to adjust before we stamp? Seems like a reasonable ask and passes existing tests. |
FWIW I've tested a bunch of different scenarios on a vagrant & physical install, upgrade, re-install over existing install. All worked as expected. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
makes sense to me, but just curious about limitations or drawbacks of implementing this.
do we also lose ability to recover initial passwords since they are generated in memory and no longer persisted to disk anywhere?
@@ -0,0 +1,6 @@ | |||
- name: Generate secrets for Quay config.yaml |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not very familiar with the community.general.random_string
. A quick google search yields its powered by the https://docs.python.org/3/library/random.html#random.SystemRandom lib. It looks like it will use a unique seed on each invocation unless specified specific seed (for testing purposes).
However, it does mention limitations of not being available on some OS, though it doesn't call out any. Do we know what the limitations of this role and underlying libraries are?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I'm not sure exactly why that doc mentions it not being available - my guess is maybe a *BSD? Looks like even windows can deal with os.urandom
properly.
Given that it is highly unlikely this tool will be installed on a non RHEL OS, I don't think we'll see an issue. The primary reason I went this path was that community.general
was already installed, and I didn't want to add any more imports/complexity than necessary to accomplish the goal.
Good question, the passwords are generated and written to the ~/.containers path for the given user: $ echo "bar" | podman secret create foo -
f46441aa419510b9f5303e52e
$ podman secret ls
ID NAME DRIVER CREATED UPDATED
f46441aa419510b9f5303e52e foo file 7 seconds ago 7 seconds ago
$ podman secret inspect foo
[
{
"ID": "f46441aa419510b9f5303e52e",
"CreatedAt": "2024-03-04T14:00:21.239208863Z",
"UpdatedAt": "2024-03-04T14:00:21.239208863Z",
"Spec": {
"Name": "foo",
"Driver": {
"Name": "file",
"Options": {
"path": "/home/<username>/.local/share/containers/storage/secrets/filedriver"
}
},
"Labels": {}
}
}
]
$ cat /home/<username>/.local/share/containers/storage/secrets/filedriver/secretsdata.json
{
"f46441aa419510b9f5303e52e": "YmFyCg=="
$ cat /home/<username>/.local/share/containers/storage/secrets/filedriver/secretsdata.json | jq -r '.[]' | base64 -d -
bar I considered adding an update to the readme pointing this out, but thought maybe it would add more confusion than it was worth? I definitely don't mind adding a section discussing how to identify the passwords. They're not really ever needed for customers to use, since they're internal services that aren't exposed outside of the pod, but for troubleshooting purposes I could see wanting to know how to identify them. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Hi team,
What
I noticed that the current
config.yaml.j2
contains some hard-coded secrets, and confirmed in an internal environment that they were unchanged as part of themirror-registry
deployment process.Why
I believe users of mirror-registry will want unique passwords & secrets, most importantly the CSRF
SECRET_KEY
since that has significant implications on session hijacking.How
secret-vars.yaml
that will generate random strings using the already importedcommunity.general.random_string
library.config.yaml.j2
to use those facts as part of deploymentinstall-postgres-service.yaml
andinstall-redis-service.yaml
to create podman secrets using the factspostgres.service.j2
andredis.service.j2
to utilize the secrets createdThis will not impact upgrades, only initial deployments.
I've done the DCO sign-off, and believe this PR is ready to merge, however I'm happy to update/modify based on feedback from this team.
Cheers,
-BadgerOps