🌱 Mount ironic credentials as plain-text volumes instead of the ironic htpasswd environment variable #1685

Merged
merged 1 commit into from
Jun 10, 2024


MahnoorAsghar
Contributor

@MahnoorAsghar MahnoorAsghar commented Apr 18, 2024

Security baselines do not recommend using secrets as environment variables but using files instead. Therefore, the Ironic and Inspector usernames and passwords will now be mounted as plain-text volumes into the ironic-image pod, instead of the IRONIC_HTPASSWD and INSPECTOR_HTPASSWD environment variables.
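
An added example, not part of this PR or the project's code: a small audit that separates the pattern the description above moves away from (credentials injected through environment variables such as IRONIC_HTPASSWD) from the one it adopts (Secrets mounted as files). The Deployment, the Secret names and the mount path are constructed for illustration.

```python
import json

# Constructed sample: a trimmed Deployment with one container using the old
# pattern (secret in env) and one using the new pattern (secret as a file).
# Secret names and the mount path are hypothetical, not the project's own.
DEPLOYMENT = json.loads("""
{"spec": {"template": {"spec": {
  "volumes": [{"name": "ironic-auth", "secret": {"secretName": "example-ironic-credentials"}}],
  "containers": [
    {"name": "before",
     "env": [
       {"name": "IRONIC_HTPASSWD", "valueFrom": {"secretKeyRef":
          {"name": "example-ironic-htpasswd", "key": "IRONIC_HTPASSWD"}}},
       {"name": "LOG_LEVEL", "value": "debug"}],
     "envFrom": [{"secretRef": {"name": "example-inspector-htpasswd"}}]},
    {"name": "after",
     "volumeMounts": [{"name": "ironic-auth", "mountPath": "/example/auth/ironic",
                       "readOnly": true}]}
  ]
}}}}
""")

def audit_pod_spec(pod_spec):
    """Return (findings, file_mounts): secrets exposed via env vs mounted as files."""
    secret_volumes = {v["name"]: v["secret"]["secretName"]
                      for v in pod_spec.get("volumes", []) if "secret" in v}
    findings, file_mounts = [], []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:  # single key of a Secret copied into the process environment
                findings.append((c["name"], env["name"], ref["name"]))
        for src in c.get("envFrom", []):
            if "secretRef" in src:  # every key of the Secret becomes an env var
                findings.append((c["name"], "*", src["secretRef"]["name"]))
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_volumes:
                file_mounts.append((c["name"], secret_volumes[m["name"]],
                                    m["mountPath"], m.get("readOnly", False)))
    return findings, file_mounts

if __name__ == "__main__":
    findings, mounts = audit_pod_spec(DEPLOYMENT["spec"]["template"]["spec"])
    for container, var, secret in findings:
        print(f"FAIL {container}: env {var} sourced from Secret {secret}")
    for container, secret, path, ro in mounts:
        print(f"OK   {container}: Secret {secret} mounted at {path} (readOnly={ro})")
```

The check reads only references in the pod spec, never Secret values, so it can run against rendered manifests in CI.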

@metal3-io-bot metal3-io-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 18, 2024
@MahnoorAsghar MahnoorAsghar changed the title Mount ironic HTPASSWD as volume instead of environment variable 🌱 Mount ironic HTPASSWD as volume instead of environment variable Apr 18, 2024
@MahnoorAsghar
Contributor Author

(This PR is work continued from #1616)

@MahnoorAsghar
Contributor Author

/test-centos-e2e-integration-main

1 similar comment
@tuminoid
Member

/test-centos-e2e-integration-main

Member

@lentzi90 lentzi90 left a comment

This looks good, but there are a few more places that need changes to get this in the e2e tests. Can you check the e2e* folders here? For example this should change. The secrets for the e2e tests are generated here which may also need some changes.

@MahnoorAsghar MahnoorAsghar force-pushed the remove-cis-error branch 2 times, most recently from 70ce5dc to e0b507b Compare April 19, 2024 11:08
@metal3-io-bot metal3-io-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 19, 2024
@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-pull
/test-centos-e2e-integration-main

@MahnoorAsghar
Contributor Author

/retest

@mboukhalfa
Member

/test ?

@metal3-io-bot
Contributor

@mboukhalfa: The following commands are available to trigger required jobs:

  • /test generate
  • /test gomod
  • /test manifestlint
  • /test markdownlint
  • /test metal3-bmo-e2e-test-pull
  • /test metal3-centos-e2e-integration-test-main
  • /test metal3-ubuntu-e2e-integration-test-main
  • /test shellcheck
  • /test test
  • /test unit

The following commands are available to trigger optional jobs:

  • /test dev-env-integration-test-centos-main
  • /test dev-env-integration-test-centos-release-1-4
  • /test dev-env-integration-test-centos-release-1-5
  • /test dev-env-integration-test-centos-release-1-6
  • /test dev-env-integration-test-ubuntu-main
  • /test dev-env-integration-test-ubuntu-release-1-4
  • /test dev-env-integration-test-ubuntu-release-1-5
  • /test dev-env-integration-test-ubuntu-release-1-6
  • /test metal3-bmo-e2e-test-optional-pull
  • /test metal3-centos-e2e-basic-test-main
  • /test metal3-centos-e2e-feature-test-main
  • /test metal3-e2e-1-26-1-27-upgrade-test-main
  • /test metal3-e2e-1-27-1-28-upgrade-test-main
  • /test metal3-e2e-1-28-1-29-upgrade-test-main
  • /test metal3-e2e-clusterctl-upgrade-test-main
  • /test metal3-ubuntu-e2e-basic-test-main
  • /test metal3-ubuntu-e2e-feature-test-main

Use /test all to run the following jobs that were automatically triggered:

  • generate
  • gomod
  • manifestlint
  • shellcheck
  • test
  • unit

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@mboukhalfa
Member

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main
/override test-centos-e2e-integration-main

@metal3-io-bot
Contributor

@mboukhalfa: mboukhalfa unauthorized: /override is restricted to Repo administrators, approvers in top level OWNERS file.

In response to this:

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main
/override test-centos-e2e-integration-main


@mboukhalfa
Member

mboukhalfa commented Apr 19, 2024

I think the GitHub branch protection here is not yet updated.
The test triggers now are:

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

The approver can skip the old check with:
/override test-centos-e2e-integration-main
You do not need to consider this test! We will update it soon.

@dtantsur
Member

/override test-centos-e2e-integration-main

@metal3-io-bot
Contributor

@dtantsur: Overrode contexts on behalf of dtantsur: test-centos-e2e-integration-main

In response to this:

/override test-centos-e2e-integration-main


@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-pull

@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-pull
/test metal3-centos-e2e-integration-test-main

Member

@lentzi90 lentzi90 left a comment

/hold
I don't think we should change from htpasswd to plaintext passwords!
/cc @tuminoid

hack/ci-e2e.sh Outdated
@metal3-io-bot metal3-io-bot requested a review from tuminoid April 26, 2024 05:27
@metal3-io-bot metal3-io-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 26, 2024
@MahnoorAsghar MahnoorAsghar changed the title 🌱 Mount ironic HTPASSWD as volume instead of environment variable 🌱 Mount ironic credentials as plain-text volumes instead of the ironic htpasswd environment variable Apr 26, 2024
@MahnoorAsghar MahnoorAsghar force-pushed the remove-cis-error branch 2 times, most recently from 9b62461 to d62f720 Compare April 26, 2024 14:30
@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-pull
/test metal3-centos-e2e-integration-test-main

@lentzi90
Member

/test metal3-bmo-e2e-test-optional-pull

Member

@tuminoid tuminoid left a comment

Some nits.

tools/run_local_ironic.sh Outdated
hack/ci-e2e.sh Outdated
tools/run_local_ironic.sh Outdated
@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-optional-pull
/test metal3-bmo-e2e-test-pull
/test metal3-centos-e2e-integration-test-main

1 similar comment
@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-optional-pull
/test metal3-bmo-e2e-test-pull
/test metal3-centos-e2e-integration-test-main

@tuminoid
Member

/retest

@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-optional-pull
/test metal3-bmo-e2e-test-pull
/test metal3-centos-e2e-integration-test-main

@tuminoid
Member

/test metal3-centos-e2e-integration-test-main metal3-bmo-e2e-test-optional-pull

@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-optional-pull

@tuminoid
Member

/retest
CI should be better.

@tuminoid
Member

Seems like an actual issue with the PR, unless it is timing out due to CI slowness in the background.

@tuminoid
Member

/retest

@MahnoorAsghar
Contributor Author

/retest

@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-optional-pull

@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-pull
/test metal3-centos-e2e-integration-test-main

@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-optional-pull
/test metal3-bmo-e2e-test-pull
/test metal3-centos-e2e-integration-test-main

tools/run_local_ironic.sh Outdated
tools/run_local_ironic.sh Outdated
@metal3-io-bot
Contributor

metal3-io-bot commented Jun 10, 2024

@MahnoorAsghar: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| metal3-centos-e2e-integration-test-main | 75d13de | link | false | /test metal3-centos-e2e-integration-test-main |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Mount the ironic and inspector htpasswds as volumes into the
ironic-image pod, instead of the IRONIC_HTPASSWD and
INSPECTOR_HTPASSWD environment variables.

Signed-off-by: Mahnoor Asghar <masghar@redhat.com>
@elfosardo
Member

/lgtm

@metal3-io-bot metal3-io-bot added the lgtm Indicates that a PR is ready to be merged. label Jun 10, 2024
@MahnoorAsghar
Contributor Author

/test metal3-bmo-e2e-test-optional-pull
/test metal3-bmo-e2e-test-pull
/test metal3-centos-e2e-integration-test-main

@metal3-io-bot metal3-io-bot merged commit 2775f5f into metal3-io:main Jun 10, 2024
19 of 22 checks passed
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
8 participants