Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Readonly access keys #870

Merged
merged 5 commits into from
Feb 2, 2022
Merged

Readonly access keys #870

merged 5 commits into from
Feb 2, 2022

Conversation

mxyng
Copy link
Collaborator

@mxyng mxyng commented Feb 2, 2022
edited
Loading

Revert parts of #860 which moved access key creation to inside infra. This change made it impossible for users to back up and restore keys or migrate tokens between installs.

  • root|engine access key, restore to original creation process
    1. if keys already exist in their respective kubernetes secrets, reuse those values
    2. if keys are provided through helm values, template those values into kubernetes secrets
    3. otherwise generate a value through helm
  • encryption key was originally written to a kubernetes secret. the default behaviour now is to write it to a file. default path is alongside the db file.
    • this tries to strike a balance between portability since the database is already stored on disk, and usability since it will be transparent to the user
    • in production, users should use an external database. as a result, this encryption key should ideally also be external. this can take the form of a kubernetes secret created out of band and injected into the pod through Upgrade Helm chart #848's envFrom or volumes and volumeMounts options or through integrations like vault
  • Wrote appropriate unit tests
  • Considered security implications of the change
  • Updated associated docs where necessary
  • Updated associated configuration where necessary
  • Change is backwards compatible if it needs to be (user can upgrade without manual steps?)
  • Nothing sensitive logged

Resolves #

@mxyng mxyng force-pushed the readonly-access-keys branch 3 times, most recently from c22a79e to 4f9773a Compare February 2, 2022 03:08
mxyng
mxyng commented Feb 2, 2022
View reviewed changes
internal/registry/config.go
Permissions: strings.Join(v.Permissions, " "),
ExpiresAt: time.Now().Add(time.Hour * 876000),
ExpiresAt: time.Now().Add(math.MaxInt64),
Copy link
Collaborator Author

@mxyng mxyng Feb 2, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

root tokens shouldn't expire since it's a last resort. it'll be devastating if the backup access method fails because it expired. leaving ExpiresAt empty will cause it to expire very quickly so setting this to the max allowed value for time.Add()

mxyng
mxyng commented Feb 2, 2022
View reviewed changes
internal/registry/config.go
@@ -487,42 +488,48 @@ func (r *Registry) importAPITokens() error {
}

for k, v := range keys {
if v.Secret == "" {
logging.S.Debugf("%s: unset secret", k)
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if either reference or value is empty, the token won't be created

mxyng
mxyng commented Feb 2, 2022
View reviewed changes
internal/registry/models/api_token.go Outdated
@@ -17,6 +20,7 @@ type APIToken struct {
// TODO: remove me with machine identities
Permissions string

Key string
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is necessary otherwise deleting and recreating API tokens will fail since the ID is the primary key

@mxyng mxyng requested a review from ssoroka February 2, 2022 03:14
jmorganca
jmorganca reviewed Feb 2, 2022
View reviewed changes
internal/registry/data/group_test.go Outdated
var (
everyone = models.Group{Name: "Everyone", ProviderID: providerID}
)
everyone := models.Group{Name: "Everyone", ProviderID: providerID}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for cleaning this up

BruceMacD
BruceMacD reviewed Feb 2, 2022
View reviewed changes
Copy link
Collaborator

@BruceMacD BruceMacD left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, my only concern is around the case of changing a specified token secret.

From the rename PR (to simplify find and replace in your change):

  • rootAPIToken -> systemAccessKey
  • root-api-token -> system-access-key
  • engineAPIToken -> engineAccessKey
  • api-token -> access-key

internal/registry/config.go Outdated Show resolved Hide resolved
@mxyng mxyng force-pushed the readonly-access-keys branch 2 times, most recently from 6de0511 to ccc9dd6 Compare February 2, 2022 17:43
ssoroka
ssoroka reviewed Feb 2, 2022
View reviewed changes
helm/charts/infra/templates/secret.yaml Show resolved Hide resolved
internal/registry/config.go Outdated Show resolved Hide resolved
internal/registry/config.go
if err != nil {
return fmt.Errorf("import access keys: %w", err)
}
parts := strings.Split(raw, ".")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be ":" ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the value of the key which is <id>.<secret>

internal/registry/config.go Outdated Show resolved Hide resolved
internal/registry/models/access_key.go Outdated Show resolved Hide resolved
@mxyng
AccessKey.Key unqiue index
1225cb7
@mxyng
aggregate errors
aa90494 
- check error instead of check non-error
@mxyng mxyng merged commit b757256 into main Feb 2, 2022
@mxyng mxyng deleted the readonly-access-keys branch February 2, 2022 21:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BruceMacD BruceMacD BruceMacD left review comments

@ssoroka ssoroka ssoroka left review comments

@jmorganca jmorganca jmorganca approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mxyng @ssoroka @jmorganca @BruceMacD