Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 Stop reading ironic and inspector HTPASSWD from environment variables #482

Merged
merged 1 commit into from
Apr 18, 2024

Conversation

MahnoorAsghar
Copy link
Contributor

Security baselines such as CIS do not recommend using secrets as environment variables, but using files instead. Therefore, the IRONIC_HTPASSWD and INSPECTOR_HTPASSWD will now be populated from files instead of environment variables.

@metal3-io-bot metal3-io-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 5, 2024
@metal3-io-bot metal3-io-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 5, 2024
scripts/auth-common.sh Outdated Show resolved Hide resolved
scripts/auth-common.sh Outdated Show resolved Hide resolved
Copy link
Member

@tuminoid tuminoid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not following: who and where are the files populated now?

Some nits too.

scripts/auth-common.sh Outdated Show resolved Hide resolved
scripts/auth-common.sh Outdated Show resolved Hide resolved
scripts/auth-common.sh Outdated Show resolved Hide resolved
@MahnoorAsghar
Copy link
Contributor Author

I'm not following: who and where are the files populated now?

Some nits too.

The files are populated by cluster-baremetal-operator. I have a PR there which I will test alongside this one: openshift/cluster-baremetal-operator#408

@tuminoid
Copy link
Member

tuminoid commented Mar 5, 2024

I'm not following: who and where are the files populated now?
Some nits too.

The files are populated by cluster-baremetal-operator. I have a PR there which I will test alongside this one: openshift/cluster-baremetal-operator#408

That is not part of Metal3. Who is populating/creating files in Metal3?

@MahnoorAsghar
Copy link
Contributor Author

I'm not following: who and where are the files populated now?
Some nits too.

The files are populated by cluster-baremetal-operator. I have a PR there which I will test alongside this one: openshift/cluster-baremetal-operator#408

That is not part of Metal3. Who is populating/creating files in Metal3?

Good point. I will come up with a change for metal3 as well.

@dtantsur
Copy link
Member

dtantsur commented Mar 7, 2024

This is going to break virtually all consumers: the files are not there when the container starts, we populate them.

My earlier plan was to eventually start accepting a mounted secret instead of HTPASSWD variables. Then the consumers, such as CBO, will be able to fix the problem for themselves. Maybe you could go down the same path? It's harder to backport, of course, but nor is this change really backportable.

It's also not the worst vulnerability you can imagine (the password is hashed), so I'm fine if we only fix it on the main branch and only for consumers that switch to mounting the secret.

@metal3-io-bot metal3-io-bot added the needs-rebase Indicates that a PR cannot be merged because it has merge conflicts with HEAD. label Mar 21, 2024
@metal3-io-bot metal3-io-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed needs-rebase Indicates that a PR cannot be merged because it has merge conflicts with HEAD. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 25, 2024
scripts/auth-common.sh Outdated Show resolved Hide resolved
scripts/auth-common.sh Outdated Show resolved Hide resolved
scripts/runhttpd Outdated Show resolved Hide resolved
@MahnoorAsghar MahnoorAsghar force-pushed the fix-cis-issue branch 2 times, most recently from 1ccc193 to 1466ea4 Compare March 27, 2024 15:21
scripts/auth-common.sh Outdated Show resolved Hide resolved
@MahnoorAsghar
Copy link
Contributor Author

/hold

@metal3-io-bot metal3-io-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 9, 2024
@MahnoorAsghar MahnoorAsghar changed the title 🐛 Fix CIS vulnerability: Stop reading ironic API passwords from env vars 🐛 Stop reading ironic and inspector HTPASSWD from environment variables Apr 10, 2024
@dtantsur
Copy link
Member

/approve

@metal3-io-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dtantsur

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@metal3-io-bot metal3-io-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 17, 2024
Copy link
Member

@tuminoid tuminoid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A tiny nit left.

scripts/auth-common.sh Outdated Show resolved Hide resolved
@metal3-io-bot metal3-io-bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 17, 2024
@MahnoorAsghar
Copy link
Contributor Author

/unhold

@metal3-io-bot metal3-io-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 18, 2024
@dtantsur
Copy link
Member

/hold

Has any integration jobs run here? I don't see any results, let me check with the folks.

@metal3-io-bot metal3-io-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 18, 2024
@mboukhalfa
Copy link
Member

/test ?

@metal3-io-bot
Copy link
Contributor

@mboukhalfa: The following commands are available to trigger required jobs:

  • /test markdownlint
  • /test metal3-centos-e2e-integration-test-main
  • /test metal3-ubuntu-e2e-integration-test-main
  • /test shellcheck

Use /test all to run the following jobs that were automatically triggered:

  • shellcheck

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dtantsur
Copy link
Member

/test metal3-centos-e2e-integration-test-main
/test metal3-ubuntu-e2e-integration-test-main

@dtantsur
Copy link
Member

/hold cancel

Looking good, please proceed with reviews.

@metal3-io-bot metal3-io-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 18, 2024
Copy link
Member

@tuminoid tuminoid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

/cc @Rozzii
PTAL

@metal3-io-bot metal3-io-bot requested a review from Rozzii April 18, 2024 13:10
@elfosardo
Copy link
Member

/lgtm

@metal3-io-bot metal3-io-bot added the lgtm Indicates that a PR is ready to be merged. label Apr 18, 2024
@metal3-io-bot metal3-io-bot merged commit 4d70427 into metal3-io:main Apr 18, 2024
8 checks passed
elfosardo pushed a commit to elfosardo/ironic-image that referenced this pull request Apr 29, 2024
OCPBUGS-32169: [4.14] Add hybrid configuration for cachito
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants