feat: PUC-752: reading OIDCCryptoPassphrase from a file #650
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cardoe
reviewed
Feb 5, 2025
There was a problem hiding this comment.
Can you write a description of why the change is needed to leave us some bread crumbs for future logic. I've recently found myself needing to refer to our commits in upstream OpenStack projects and our commits have been lacking in explanation which would be helpful.
haseebsyed12
force-pushed
the
puc-752_oidccryptopassphrase
branch
3 times, most recently
from
323ef12 to
19b5006
Compare
haseebsyed12
force-pushed
the
puc-752_oidccryptopassphrase
branch
from
52478cb to
2a78532
Compare
skrobul
approved these changes
Feb 7, 2025
haseebsyed12
force-pushed
the
puc-752_oidccryptopassphrase
branch
from
2a78532 to
8b9d3fc
Compare
cardoe
requested changes
Feb 7, 2025
scripts/gitops-secrets-gen.sh
Outdated
Comment on lines
266
to
274
| default_pwgen() { | ||
| "${SCRIPTS_DIR}/pwgen.sh" 2>/dev/null | ||
| } | ||
|
|
||
| # Custom password generator with only alphabets | ||
| # shellcheck disable=SC2317 | ||
| alpha_only_pwgen() { | ||
| head /dev/urandom | tr -dc A-Za-z | head -c 32 | ||
| } |
There was a problem hiding this comment.
Suggested change
| default_pwgen() { | |
| "${SCRIPTS_DIR}/pwgen.sh" 2>/dev/null | |
| } | |
| # Custom password generator with only alphabets | |
| # shellcheck disable=SC2317 | |
| alpha_only_pwgen() { | |
| head /dev/urandom | tr -dc A-Za-z | head -c 32 | |
| } | |
| default_pwgen() { | |
| "${SCRIPTS_DIR}/pwgen.sh" 2>/dev/null | |
| } | |
| # Custom password generator with only alphabets | |
| # shellcheck disable=SC2317 | |
| alpha_only_pwgen() { | |
| head /dev/urandom | tr -dc A-Za-z | head -c 32 | |
| } |
So we're not setting LC_ALL to C like the pwgen.sh script does. Let's instead add another parameter to pwgen.sh and let you specify the range.
So in that script do tr -dc ${2:-_A-Z-a-z-0-9}
scripts/gitops-secrets-gen.sh
Outdated
| @@ -274,7 +286,7 @@ load_or_gen_os_secret() { | |||
| return 1 | |||
| else | |||
| echo "Generating ${secret_var}" | |||
| data="$("${SCRIPTS_DIR}/pwgen.sh" 2>/dev/null)" | |||
| data="$(${gen_func})" | |||
There was a problem hiding this comment.
Suggested change
| data="$(${gen_func})" | |
| data="$("${SCRIPTS_DIR}/pwgen.sh" 32 "A-Za-z" 2>/dev/null)" |
haseebsyed12
force-pushed
the
puc-752_oidccryptopassphrase
branch
from
1e56cc6 to
b29edcd
Compare
cardoe
approved these changes
Feb 10, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem:
Unable to authenticate when the user receives the initial state, it is encrypted with a key from pod A, then user is redirected to the identity provided and finally when they get back through redirect, they may land on pod B which is no longer able to decrypt the state.
Solution:
OIDCCryptoPassphrase is a password used for encryption of the state cookie and cache entries and it must be the same on all replicas.
Previously we were setting the OIDCCryptoPassphrase to a random value that is generated on pod startup and multiple pods have different value.