Skip to content

Generate an ignition-auth key and provide it to the MCS #1740

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
cgwalters wants to merge 1 commit into from
Closed

Generate an ignition-auth key and provide it to the MCS #1740

cgwalters wants to merge 1 commit into from

Conversation

@cgwalters
Copy link
Member

@cgwalters cgwalters commented May 12, 2019

This is an optional hardening for access to Ignition; the installer
generates a random key (separately for master/worker pool) and installs
it into the openshift-machine-config-operator namespace. If the MCS
finds an ignition-auth secret with the master/worker keys, it will use it:
openshift/machine-config-operator#736

This PR just generates those secrets, so we can land it before the
MCO PR as well.

@cgwalters
Generate an ignition-auth key and provide it to the MCS
1ff2f25 
This is an optional hardening for access to Ignition; the installer
generates a random key (separately for master/worker pool) and installs
it into the `openshift-machine-config-operator` namespace.  If the MCS
finds an `ignition-auth` secret with the `master/worker` keys, it will use it:
openshift/machine-config-operator#736

This PR just generates those secrets, so we can land it before the
MCO PR as well.
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented May 12, 2019

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: cgwalters
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: crawford

If they are not already assigned, you can assign the PR to them by writing /assign @crawford in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label May 12, 2019
@cgwalters cgwalters mentioned this pull request May 12, 2019
Closed
ashcrow
ashcrow reviewed May 13, 2019
View reviewed changes
pkg/asset/installconfig/ignitionauth.go

// Generate generates a new IgnitionAuth
func (a *IgnitionAuth) Generate(dep asset.Parents) error {
a.Master = utilrand.String(64)
Copy link
Member

@ashcrow ashcrow May 13, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to double check, is there any need to utilrand.Seed before or between generations?

@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented May 13, 2019

/hold

We will evaluate this for 4.2
Installer treats the master and worker ign configs as "not a secret" and changing that needs more thought.

@openshift-ci-robot openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 13, 2019
@ashcrow
Copy link
Member

ashcrow commented May 13, 2019

Unit failure:

--- FAIL: TestMasterGenerate (0.89s)
panic: reflect: call of reflect.Value.Elem on zero Value [recovered]
	panic: reflect: call of reflect.Value.Elem on zero Value

goroutine 30 [running]:
testing.tRunner.func1(0xc4202221e0)
	/usr/local/go/src/testing/testing.go:742 +0x29d
panic(0x1291de0, 0xc420160a20)
	/usr/local/go/src/runtime/panic.go:502 +0x229
reflect.Value.Elem(0x0, 0x0, 0x0, 0x0, 0x0, 0x199)
	/usr/local/go/src/reflect/value.go:775 +0x1b7
github.com/openshift/installer/pkg/asset.Parents.Get(0xc420501e58, 0xc420501cd8, 0x3, 0x3)
	/go/src/github.com/openshift/installer/pkg/asset/parents.go:22 +0x73
github.com/openshift/installer/pkg/asset/ignition/machine.(*Master).Generate(0xc420501dc8, 0xc420501e58, 0x2, 0x2)
	/go/src/github.com/openshift/installer/pkg/asset/ignition/machine/master.go:41 +0x10e
github.com/openshift/installer/pkg/asset/ignition/machine.TestMasterGenerate(0xc4202221e0)
	/go/src/github.com/openshift/installer/pkg/asset/ignition/machine/master_test.go:49 +0x410
testing.tRunner(0xc4202221e0, 0x14d85f8)
	/usr/local/go/src/testing/testing.go:777 +0xd0
created by testing.(*T).Run
	/usr/local/go/src/testing/testing.go:824 +0x2e0
FAIL	github.com/openshift/installer/pkg/asset/ignition/machine	1.144s

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented May 15, 2019

@cgwalters: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
ci/prow/unit 1ff2f25 link /test unit
ci/prow/e2e-aws 1ff2f25 link /test e2e-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@abhinavdahiya
Copy link
Contributor

abhinavdahiya commented Jun 4, 2019

I would love to see a overall design doc where this fits in. Otherwise this is no being actively worked on... Feel free to reopen.

/close

@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Jun 4, 2019

@abhinavdahiya: Closed this PR.

Details

In response to this:

I would love to see a overall design doc where this fits in. Otherwise this is no being actively worked on... Feel free to reopen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@cgwalters
Copy link
Member Author

cgwalters commented Jun 4, 2019

Yep that's fine - see openshift/machine-config-operator#784 for a new approach that while not quite as strong, it also doesn't have the ergonomic hit for UPI scenarios that would be required with this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ashcrow ashcrow ashcrow left review comments

@jcpowermac jcpowermac Awaiting requested review from jcpowermac

@mtnbikenc mtnbikenc Awaiting requested review from mtnbikenc

Assignees

No one assigned

Labels

do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cgwalters @openshift-ci-robot @abhinavdahiya @ashcrow