Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: secret copy #741 #948

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: secret copy #741 #948

wants to merge 4 commits into from

Conversation

docandrew
Copy link
Contributor

Description

Related Issue

Fixes #741

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

@docandrew docandrew requested a review from a team as a code owner October 21, 2024 17:06
@bburky
Copy link
Member

bburky commented Oct 21, 2024

This appears to be unprivileged and effectively allows cluster-wide read of any Secrets if you have RBAC permissions of read/write to a Secret in a single namespace. Also, because the name is customizable, this is a bypass of resourceNames RBAC too.

It's reasonable for an app to have runtime read/write secrets in it's own namespace (possibly restricted by resourceNames) , but this would allow reading any secret in the cluster.

There's a few different ways you could address this, but I'd suggest driving it via a CR instead of the Secret resources alone. For example, editing Package resources is privileged (things shouldn't be giving away RBAC to this resource kind), which drives most of this operator and solves the permissions issue.

This is isn't a comment on the feature itself, I have no opinion on it.

Copy link
Contributor

@mjnagel mjnagel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delayed review on this - happy to have further convo on my comments. If you want to think through and propose other options here it might be good to write up a design doc for the team + security to review before we dive into another implementation.

Comment on lines +29 to +39
# Workaround for https://github.com/zarf-dev/zarf/issues/2713
- description: "Modify Istio values w/ upstream registry"
cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml"

- description: "Deploy the Istio source package with Zarf Dev"
cmd: "uds zarf dev deploy src/istio --flavor upstream --no-progress"

# Undo previous registry workaround
- description: "Restore Istio registry values"
cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\") | .global.proxy.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\")' src/istio/values/upstream-values.yaml"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Zarf 0.42.1 included this fix/feature to allow us to pass in --registry-url during the dev deploy (set to docker.io). Once uds-cli consumes that zarf version this should be switched to use that flag instead of yq.

Comment on lines +102 to +103
.Mutate(request => copySecret(request))
.Validate(request => validateSecret(request));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be curious to get your thoughts on this design approach of mutating the "destination" secret. Initially I thought this was a mistake because I didn't read far enough in the PR 😅.

My inclination would be that it makes more sense to Watch (or Reconcile) secrets that have a label like uds.dev/copyMe (i.e. the "source" secret). That way you can guarantee you know when the secrets update at the source and ensure they are kept up to date in the destination. This current pattern would only watch changes/creations on the destination side, meaning you might miss changes if the source updates I think? There may be a few more design implementations to think through here, but overall I think it would make a bit more sense? (a few of those design decisions: do you need an overwrite: true/false annotation, do you support mutliple destinations and how, etc)

I think this might also resolve most of @bburky's security concerns since the only secret being read would be one that has been explicitly labelled to be copied. The only caveat would be on that overwrite piece - we would want to be careful implementing this to not overprivilege that label to write to any secret without some safeguards (maybe we only allow overwriting if pepr is already controlling the secret, use ownership metadata, etc).

The one obvious downside I could see to this is that you would need to have access to label/annotate the source secret which might be an issue with some upstream charts/operators? If that is a major sticking point we could move to a custom resource as @bburky recommended. If we want to go that route I think I'd lean slightly towards a new custom resource rather than using the Package CR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Secrets manipulation using the UDS Operator
3 participants