-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: secret copy #741 #948
base: main
Are you sure you want to change the base?
Conversation
This appears to be unprivileged and effectively allows cluster-wide read of any Secrets if you have RBAC permissions of read/write to a Secret in a single namespace. Also, because the name is customizable, this is a bypass of It's reasonable for an app to have runtime read/write secrets in it's own namespace (possibly restricted by There's a few different ways you could address this, but I'd suggest driving it via a CR instead of the Secret resources alone. For example, editing Package resources is privileged (things shouldn't be giving away RBAC to this resource kind), which drives most of this operator and solves the permissions issue. This is isn't a comment on the feature itself, I have no opinion on it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the delayed review on this - happy to have further convo on my comments. If you want to think through and propose other options here it might be good to write up a design doc for the team + security to review before we dive into another implementation.
# Workaround for https://github.com/zarf-dev/zarf/issues/2713 | ||
- description: "Modify Istio values w/ upstream registry" | ||
cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" | ||
|
||
- description: "Deploy the Istio source package with Zarf Dev" | ||
cmd: "uds zarf dev deploy src/istio --flavor upstream --no-progress" | ||
|
||
# Undo previous registry workaround | ||
- description: "Restore Istio registry values" | ||
cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\") | .global.proxy.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\")' src/istio/values/upstream-values.yaml" | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Zarf 0.42.1 included this fix/feature to allow us to pass in --registry-url
during the dev deploy
(set to docker.io
). Once uds-cli consumes that zarf version this should be switched to use that flag instead of yq.
.Mutate(request => copySecret(request)) | ||
.Validate(request => validateSecret(request)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would be curious to get your thoughts on this design approach of mutating the "destination" secret. Initially I thought this was a mistake because I didn't read far enough in the PR 😅.
My inclination would be that it makes more sense to Watch
(or Reconcile
) secrets that have a label like uds.dev/copyMe
(i.e. the "source" secret). That way you can guarantee you know when the secrets update at the source and ensure they are kept up to date in the destination. This current pattern would only watch changes/creations on the destination side, meaning you might miss changes if the source updates I think? There may be a few more design implementations to think through here, but overall I think it would make a bit more sense? (a few of those design decisions: do you need an overwrite: true/false
annotation, do you support mutliple destinations and how, etc)
I think this might also resolve most of @bburky's security concerns since the only secret being read would be one that has been explicitly labelled to be copied. The only caveat would be on that overwrite
piece - we would want to be careful implementing this to not overprivilege that label to write to any secret without some safeguards (maybe we only allow overwriting if pepr is already controlling the secret, use ownership metadata, etc).
The one obvious downside I could see to this is that you would need to have access to label/annotate the source secret which might be an issue with some upstream charts/operators? If that is a major sticking point we could move to a custom resource as @bburky recommended. If we want to go that route I think I'd lean slightly towards a new custom resource rather than using the Package
CR.
Description
dev deploy
with###ZARF_REGISTRY###
values in helm chart zarf-dev/zarf#2713Related Issue
Fixes #741
Type of change
Checklist before merging