Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automatically mark Secret data and stringData as secret #803

Merged
merged 2 commits into from
Sep 19, 2019
Merged

Automatically mark Secret data and stringData as secret #803

merged 2 commits into from
Sep 19, 2019

Conversation

lblackstone
Copy link
Member

Proposed changes

Pulumi can make fields in the state as secret to encrypt them
in the checkpoint, and prevent them from appearing in plaintext.
Kubernetes Secret resources are used to store secrets, so
mark the relevant data and stringData fields as secret in
Pulumi by default.

Related issues (optional)

Fixes #698

@lblackstone lblackstone marked this pull request as ready for review September 17, 2019 14:50
metral
metral approved these changes Sep 17, 2019
View reviewed changes
Copy link
Contributor

@metral metral left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM.

I'd love to see a way for us in the future to make repetitive changes like the ones in this PR take place in a single file that gets inherited by the resource classes in TS and Python, versus having to touch individual files. I've noticed we've had to do this a couple of times recently. Food for thought 🙂

CHANGELOG.md
@@ -6,6 +6,10 @@
- v1.14.x
- v1.13.x

### Improvements

- Automatically mark Secret data and stringData as secret. (https://github.com/pulumi/pulumi-kubernetes/pull/803).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add clarifying docs that this secret encoding only applies to the statefile, as the secret will still be stored in plaintext or b64 in k8s and etcd by default.

As of 1.13 there is a beta feature for encryption at rest for etcd, assuming the user can enable this feature. This would also be a good time to remind folks to lock down etcd and control plane access to admins only if possible - see risks.

IMO we should present both links ^ in the docs.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@metral Which docs were you thinking? The SDK docs for the Secret class?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was leaning towards the ones linked in my prior comment. Figured this would be a good opportunity to nudge the user to consider reading both links and applying them if possible

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a comment to the SDK docs for the Secret classes.

@lblackstone
Automatically mark Secret data and stringData as secret
d1c2272 
Pulumi can make fields in the state as secret to encrypt them
in the checkpoint, and prevent them from appearing in plaintext.
Kubernetes Secret resources are used to store secrets, so
mark the relevant `data` and `stringData` fields as secret in
Pulumi by default.
@lblackstone
Add comment about k8s Secret security
daf7e27
@lblackstone lblackstone force-pushed the lblackstone/secret-fields branch from 1b3f01a to daf7e27 Compare September 19, 2019 20:07
@lblackstone lblackstone requested a review from metral September 19, 2019 20:21
@lblackstone lblackstone merged commit c9feaab into master Sep 19, 2019
@pulumi-bot pulumi-bot deleted the lblackstone/secret-fields branch September 19, 2019 22:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@metral metral metral approved these changes

@hausdorff hausdorff Awaiting requested review from hausdorff

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secrets handled incorrectly in helm chart
2 participants
@lblackstone @metral