SSE-C secret not mounted #9867

Closed
3 tasks done
michal-raska opened this issue Oct 20, 2022 · 2 comments · Fixed by #9870
Labels
P3 Low priority type/bug

Comments

@michal-raska
Contributor

Pre-requisites

  • I have double-checked my configuration
  • I can confirm the issue exists when I tested with :latest
  • I'd like to contribute the fix myself (see contributing guide)

What happened/what you expected to happen?

In our project we use Argo in the following way:

  • our component uploads an object to S3, with SSE-C
  • Argo Workflow is supposed to get the object with S3 during init

We encountered two issues:

  1. The wrong secret key is read
    • serverSideCustomerKeyBytes, err := ri.GetSecret(ctx, art.S3.EncryptionOptions.ServerSideCustomerKeySecret.Name, art.S3.SecretKeySecret.Key)
      reads the wrong secret key; I believe it should be
    • ri.GetSecret(ctx, art.S3.EncryptionOptions.ServerSideCustomerKeySecret.Name, art.S3.EncryptionOptions.ServerSideCustomerKeySecret.Key)
  2. The secret with the server-side-customer key is not mounted

Logs from the init container

time="2022-10-20T09:02:22.558Z" level=info msg="Start loading input artifacts..."
time="2022-10-20T09:02:22.558Z" level=info msg="Downloading artifact: raw-document-set"
time="2022-10-20T09:02:22.558Z" level=error msg="executor error: open /argo/secret/h2oai-api-sse-c-key/secretkey: no such file or directory"
time="2022-10-20T09:02:22.559Z" level=info msg="Alloc=7039 TotalAlloc=12092 Sys=18898 NumGC=3 Goroutines=2"
time="2022-10-20T09:02:22.559Z" level=fatal msg="open /argo/secret/h2oai-api-sse-c-key/secretkey: no such file or directory"

Version

latest

Paste a small workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflow that uses private images.

Any workflow using SSE-C where the secret name and secret key containing the SSE-C key differ from the secret name and keys containing the AWS Access Key ID and AWS Secret Access Key.

Logs from the workflow controller

N/A for this issue

Logs from your workflow's wait container

N/A for this issue
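
The two problems reported above, as an added Go example that is not part of the issue and not Argo's own code: it reproduces the path from the init-container log by pairing the SSE-C secret name with the credential secret's key, shows the corrected lookup, and lists the secret files that are needed but not mounted. The types are simplified stand-ins (EncryptionOptions is flattened), `missingMounts` and `sampleArtifact` are hypothetical helpers, and the names `s3-credentials`, `accesskey` and `sse-c-key` are constructed.

```go
package main

import (
	"fmt"
	"path"
)

// Simplified stand-ins for the fields named in the issue; not Argo's own types.
type SecretKeySelector struct{ Name, Key string }
type S3Artifact struct {
	AccessKeySecret, SecretKeySecret *SecretKeySelector
	ServerSideCustomerKeySecret      *SecretKeySelector // EncryptionOptions flattened
}

const secretBase = "/argo/secret" // path prefix seen in the init-container log

// buggyKeyPath pairs the SSE-C secret's name with the credential secret's key.
func buggyKeyPath(a S3Artifact) string {
	return path.Join(secretBase, a.ServerSideCustomerKeySecret.Name, a.SecretKeySecret.Key)
}

// fixedKeyPath takes both name and key from the SSE-C selector.
func fixedKeyPath(a S3Artifact) string {
	return path.Join(secretBase, a.ServerSideCustomerKeySecret.Name, a.ServerSideCustomerKeySecret.Key)
}

// missingMounts lists the needed secret files whose secret name is not mounted.
func missingMounts(a S3Artifact, mounted map[string]bool) []string {
	var missing []string
	for _, s := range []*SecretKeySelector{a.AccessKeySecret, a.SecretKeySecret, a.ServerSideCustomerKeySecret} {
		if s != nil && !mounted[s.Name] {
			missing = append(missing, path.Join(secretBase, s.Name, s.Key))
		}
	}
	return missing
}

// sampleArtifact is constructed; only the SSE-C secret name comes from the log.
func sampleArtifact() S3Artifact {
	return S3Artifact{
		AccessKeySecret:             &SecretKeySelector{"s3-credentials", "accesskey"},
		SecretKeySecret:             &SecretKeySelector{"s3-credentials", "secretkey"},
		ServerSideCustomerKeySecret: &SecretKeySelector{"h2oai-api-sse-c-key", "sse-c-key"},
	}
}

func main() {
	a := sampleArtifact()
	fmt.Println(buggyKeyPath(a), fixedKeyPath(a), missingMounts(a, map[string]bool{"s3-credentials": true}))
}
```

With the credential and SSE-C secrets stored under different names and keys, the buggy lookup yields the exact path the executor failed to open in the log, and the SSE-C file stays in the missing list until its secret is mounted as well.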

@michal-raska
Contributor Author

https://github.com/argoproj/pkg/blob/v0.13.6/s3/s3.go#L322

does not set the minio.GetObjectOptions{ServerSideEncryption: encOpts}

@michal-raska
Contributor Author

Please advise who I should ask for reviews regarding this, thank you!

@sarabala1979 sarabala1979 added the P3 Low priority label Oct 31, 2022
terrytangyuan pushed a commit that referenced this issue Nov 3, 2022
…#9867 (#9870)

Signed-off-by: Michal Raška <michal.raska@h2o.ai>
Co-authored-by: Michal Raška <michal.raska@h2o.ai>