Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oAuthSecret stored in plain text #22950

Closed
guydog28 opened this issue May 2, 2024 · 11 comments
Closed

oAuthSecret stored in plain text #22950

guydog28 opened this issue May 2, 2024 · 11 comments
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator help wanted Community, we are fully engaged on other issues. Feel free to take this one. We'll help you! kind/bug Outline of a bug - must adhere to the bug report template. new&noteworthy/che-only Like 'new&noteworthy' but which do not apply to downstream (eg., plugins or devfiles) severity/P1 Has a major impact to usage or development of the system. team/A This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che

Comments

@guydog28
Copy link

guydog28 commented May 2, 2024
edited

Describe the bug

oAuthClientSecret is being stored in plain text in the CheCluster resource. We deploy Che via helm and GitOps with ArgoCD. This means cluster state is stored in Git. We used ExternalSecrets to keep all sensitive data out of the code base, but this does not seem to be possible with Che.

Suggestion:
Modify networking.auth.oAuthSecret to first check in the namespace for a secret with the provided name, and a key of 'secret', and if it does not exist, assume the value is the plaintext secret. This keeps things working with backward compatibility but allows us to keep sensitive oauth client secrets out of our git repo.

Che version

7.85@latest

Steps to reproduce

No steps required.

Expected behavior

Provide a kubernetes secret name in place of a plaintext oauth client secret.

Runtime

Kubernetes (vanilla)

Screenshots

No response

Installation method

other (please specify in additional context)

Environment

Amazon

Eclipse Che Logs

No response

Additional context

We store the CheCluster resource and supporting resources in git, and use ArgoCD to keep them in sync with the cluster.
@guydog28 guydog28 added the kind/bug Outline of a bug - must adhere to the bug report template. label May 2, 2024
@akurinnoy akurinnoy added area/install Issues related to installation, including offline/air gap and initial setup team/A This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che severity/P1 Has a major impact to usage or development of the system. area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator and removed area/install Issues related to installation, including offline/air gap and initial setup labels May 3, 2024
@tolusha
Copy link
Contributor

tolusha commented May 6, 2024

Hello @guydog28
Make sense for me.

Suggestion:
Modify networking.auth.oAuthSecret to first check in the namespace for a secret with the provided name, and a key of 'secret', and if it does not exist, assume the value is the plaintext secret. This keeps things working with backward compatibility but allows us to keep sensitive oauth client secrets out of our git repo.

@ibuziuk ibuziuk added the help wanted Community, we are fully engaged on other issues. Feel free to take this one. We'll help you! label May 6, 2024
@ibuziuk
Copy link
Member

ibuziuk commented May 6, 2024

Adding help-wanted label. @guydog28 Would you be interested in contributing this functionality to Eclipse Che?

@guydog28
Copy link
Author

guydog28 commented May 6, 2024
edited

Adding help-wanted label. @guydog28 Would you be interested in contributing this functionality to Eclipse Che?

Possibly. If someone wants to point me in the right direction for eclipse's requirements for contributing and the section of the architecture to look at for this, I can possibly dig in a bit.

@tolusha
Copy link
Contributor

tolusha commented May 6, 2024
edited

I think we can read the secret here [1] like this:

secret := &corev1.Secret{}
exists, err := deploy.GetNamespacedObject(ctx, ctx.CheCluster.Spec.Networking.Auth.OAuthSecret, secret)

If secret exists, then read some key from it, otherwise use ctx.CheCluster.Spec.Networking.Auth.OAuthSecret as plain text

[1] https://github.com/eclipse-che/che-operator/blob/32974f029ee66275cf1fa4c49cc6e7ae2c621f23/pkg/deploy/gateway/oauth_proxy.go#L103

@guydog28
Copy link
Author

guydog28 commented May 7, 2024
edited

I think we can read the secret here [1] like this:

secret := &corev1.Secret{}
exists, err := deploy.GetNamespacedObject(ctx, ctx.CheCluster.Spec.Networking.Auth.OAuthSecret, secret)

If secret exists, then read some key from it, otherwise use ctx.CheCluster.Spec.Networking.Auth.OAuthSecret as plain text

[1] https://github.com/eclipse-che/che-operator/blob/32974f029ee66275cf1fa4c49cc6e7ae2c621f23/pkg/deploy/gateway/oauth_proxy.go#L103

I agree that is probably the right spot since it isn't done the same way in openshift. Is this something your team would do or is it still preferred that I do it? I've only written minimal Go, so it might take me a bit to get a working environment going and wrap my head around it and add tests and such.

@guydog28
Copy link
Author

guydog28 commented May 7, 2024
edited

I created this:

eclipse-che/che-operator@main...guydog28:che-operator:main

But I lack the background to create proper unit tests that test the cases where:

  1. The secret exists and the key oAuthSecret does not exist on the secret, and
  2. The secret exists and the key oAuthSecret does exist on the secret

Mainly - how to mock the calls to get the secret and the key in the cluster for the tests.

Any help on that would be appreciated and then I can submit a PR.

@tolusha
Copy link
Contributor

tolusha commented May 9, 2024

@guydog28
Sounds good, could you create a PR ?
I will provide comments there.

@guydog28
Copy link
Author

guydog28 commented May 9, 2024

@tolusha eclipse-che/che-operator#1836 Created there.

@guydog28 guydog28 mentioned this issue May 9, 2024
Merged
10 tasks
@tolusha tolusha mentioned this issue May 14, 2024
Merged
10 tasks
@tolusha
Copy link
Contributor

tolusha commented May 14, 2024

@guydog28
Thank you for contribution.

@tolusha tolusha closed this as completed May 14, 2024
@guydog28
Copy link
Author

guydog28 commented May 14, 2024
edited

@guydog28 Thank you for contribution.

You are very welcome. Thanks for the help!

@ibuziuk ibuziuk added the new&noteworthy/che-only Like 'new&noteworthy' but which do not apply to downstream (eg., plugins or devfiles) label May 16, 2024
@ibuziuk
Copy link
Member

ibuziuk commented May 16, 2024
edited

@guydog28 thank you for the contribution \o/
Adding the issue to the upstream Release Notes:

Previously, when deployed on Kubernetes, `oAuthClientSecret` was stored in plain text in the CheCluster resource.   That was not convenient for the GitOps approach when the cluster state is stored in Git and managed by ArgoCD. Starting from this release the values for oAuthSecret can be configured using ExternalSecrets to keep all sensitive data out of the code base.

will you be able to contribute additional docs to https://github.com/eclipse-che/che-docs?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/che-operator Issues and PRs related to Eclipse Che Kubernetes Operator help wanted Community, we are fully engaged on other issues. Feel free to take this one. We'll help you! kind/bug Outline of a bug - must adhere to the bug report template. new&noteworthy/che-only Like 'new&noteworthy' but which do not apply to downstream (eg., plugins or devfiles) severity/P1 Has a major impact to usage or development of the system. team/A This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che
Projects
Eclipse Che Team A Backlog
Status: No status
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ibuziuk @tolusha @guydog28 @akurinnoy