Controller create ReplicationController with objectstore creds mount

[rvadim]

I was deploy application, deis create namespace for application and puth objectsotrage-keyfile secret to it:

kubectl --namespace io-forecast get secrets
NAME                    TYPE                                  DATA      AGE
default-token-46ntm     kubernetes.io/service-account-token   3         1d
io-forecast-v5-env      Opaque                                7         9m
objectstorage-keyfile   Opaque

Also deis create next RC for application:

kubectl --namespace io-forecast get rc -o yaml
apiVersion: v1                                                                                                                                      
items:                                                                                                                                              
- apiVersion: v1                                                                                                                                    
  kind: ReplicationController                                                                                                                       
  metadata:                                                                                                                                         
    creationTimestamp: 2016-07-22T08:57:56Z                                                                                                         
    generation: 2                                                                                                                                   
    labels:                                                                                                                                         
      app: io-forecast                                                                                                                              
      heritage: deis                                                                                                                                
      type: web                                                                                                                                     
      version: v5                                                                                                                                   
    name: io-forecast-v5-web                                                                                                                        
    namespace: io-forecast                                                                                                                          
    resourceVersion: "840744"                                                                                                                       
    selfLink: /api/v1/namespaces/io-forecast/replicationcontrollers/io-forecast-v5-web                                                              
    uid: 61f523f5-4fea-11e6-86c7-0ed1ab11a603                                                                                                       
  spec:                                                                                                                                             
    replicas: 1                                                                                                                                     
    selector:                                                                                                                                       
      app: io-forecast                                                                                                                              
      heritage: deis                                                                                                                                
      type: web                                                                                                                                     
      version: v5                                                                                                                                   
    template:                                                                                                                                       
      metadata:                                                                                                                                     
        creationTimestamp: null                                                                                                                     
        labels:                                                                                                                                     
          app: io-forecast                                                                                                                          
          heritage: deis                                                                                                                            
          type: web                                                                                                                                 
          version: v5                                                                                                                               
        name: io-forecast-v5-web                                                                                                                    
      spec:                                                                                                                                         
        containers:                                                                                                                                 
        - args:                                                                                                                                     
          - start                                                                                                                                   
          - web                                                                                                                                     
          env:                                                                                                                                      
          - name: BUILDER_STORAGE                                                                                                                   
            valueFrom:                                                                                                                              
              secretKeyRef:                                                                                                                         
                key: builder-storage                                                                                                                
                name: io-forecast-v5-env                                                                                                            
          - name: DEIS_MINIO_SERVICE_PORT                                                                                                           
            valueFrom:                                                                                                                              
              secretKeyRef:                                                                                                                         
                key: deis-minio-service-port                                                                                                        
                name: io-forecast-v5-env                                                                                                            
          - name: DEIS_APP                                                                                                                          
            valueFrom:                                                                                                                              
              secretKeyRef:                                                                                                                         
                key: deis-app                                                                                                                       
                name: io-forecast-v5-env                                                                                                            
          - name: DEIS_MINIO_SERVICE_HOST                                                                                                           
            valueFrom:
              secretKeyRef:
                key: deis-minio-service-host
                name: io-forecast-v5-env
          - name: PORT
            valueFrom:
              secretKeyRef:
                key: port
                name: io-forecast-v5-env
          - name: WORKFLOW_RELEASE
            valueFrom:
              secretKeyRef:
                key: workflow-release
                name: io-forecast-v5-env
          - name: SLUG_URL
            valueFrom:
              secretKeyRef:
                key: slug-url
                name: io-forecast-v5-env
          image: quay.io/deis/slugrunner:v2.1.0
          imagePullPolicy: Always
          name: io-forecast-web
          readinessProbe:
            exec:
              command:
              - bash
              - -c
              - '[[ ''$(ps -p 1 -o args)'' != *''bash /runner/init''* ]]'
            failureThreshold: 1
            initialDelaySeconds: 30
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 5
          resources: {}
          terminationMessagePath: /dev/termination-log
          volumeMounts:
          - mountPath: /var/run/secrets/deis/objectstore/creds
            name: objectstorage-keyfile
            readOnly: true
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        securityContext: {}
        terminationGracePeriodSeconds: 30
        volumes:
        - name: objectstorage-keyfile
          secret:
            secretName: objectstorage-keyfile
  status:
    fullyLabeledReplicas: 1
    observedGeneration: 2
    replicas: 1
kind: List
metadata: {}

So cluster swift credentials is open for any application? Is it a bug?

[kmala]

The credentials are open only for slug build apps. The slugbuilder builds a slug from the git source and pushes into storage bucket which the slugrunner(app contianer) pull and runs it.So, the slugrunner needs to to know the creds of the storage for downloading the slug.

[bacongobbler]

Labeling as security as I know most administrators don't want their S3 credentials exposed to users.

[kmala]

i think this deis/builder#138 should fix the issue.

[bacongobbler]

I don't think that's going to resolve the issue. The point being made here is that any buildpack application has direct access to the object store. That should not happen.

I've also mentioned this previously in another issue: deis/controller#140 (comment)

[kmala]

What i meant is we should have presigned urls so that the slug runner uses it to download and it need not have access to the creds.I have checked and currently s3, gcs and azure all support pre-signed urls.

[bacongobbler]

Ah I see what you mean. Apologies for the confusion. "Sign tarballs and compile slugs" doesn't exactly explain anything about migrating slugrunner to use presigned URLs for fetching slugs.

[pixeleet]

+1 on pre-signed urls as currently I'm running into signature incompatibilities with boto as eu-central-1 uses v4 signature and boto seems to only understand up to v3

The issue seems to be a long standing one:
boto/boto#2741

http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html

[bacongobbler]

this will be fixed with deis/controller#1179.

[bacongobbler]

closing as a duplicate of deis/slugrunner#58 which will be closed when deis/slugrunner#59 is merged.