fix: decryption before every substitution disabled #733
Conversation
Calling ansible-vault as a separate process is a huge overhead and takes upto 2 seconds per variable. Doing this over and over before every substitution slows doen the entire processing. Now we decrypt once at startup and keep the decrypted values in memory and reuse them during substitution. https://issues.redhat.com/browse/AAP-40490
|
|
@Alex-Izquierdo currently we dont store anything in files locally when doing the decryption we pass in the fields via pexpect one at a time. |
@mkanoor That's my point. Through a file would be even more performant since we call the cli only once. |
|
@Alex-Izquierdo that might require some re-write and testing. @bzwei did we try this earlier I remember we had some solution using python packages not sure if we decrypted all variables in a single file. Not sure how that works. If there are embedded multi lines in the data. Is there a marker of when the clear text starts and when it ends. |
|
If we want to call the decrypt cli only once, we may assemble all secret variables into a json string and encrypt it at eda-server side and decrypt and parse json at the engine side. |
# [ AAP-40490] increase activation readiness timeout ## Description We have detected that ansible-rulebook might be slow at starting when decrypting vaulted variables. After #1088 we have received several reports for activations being restarted as unresponsive after not receive the heartbeat in time. In combination with ansible/ansible-rulebook#733 we agreed to increase the default value of RULEBOOK_READINESS_TIMEOUT_SECONDS for safeness. Jira: https://issues.redhat.com/browse/AAP-40490 ## Type of Change <!-- Mandatory: Check one or more boxes that apply --> - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected) - [ ] Documentation update - [ ] Test update - [ ] Refactoring (no functional changes) - [ ] Development environment change - [ ] Configuration change - [ ] CI change ## Self-Review Checklist <!-- These items help ensure quality - they complement our automated CI checks --> - [X] I have performed a self-review of my code - [ ] I have added relevant comments to complex code sections - [ ] I have updated documentation where needed - [ ] I have considered the security impact of these changes - [ ] I have considered performance implications - [ ] I have thought about error handling and edge cases - [ ] I have tested the changes in my local environment - [ ] I have run the linters and test suite locally - [ ] I have tested the changes on integration environment ## Testing Instructions Create an activation with multiple credentials. ### Prerequisites None ### Expected Results The activation is not set as unresponsive and it is set as running by the system ## Additional Context None ### Required Actions None Signed-off-by: Alex <[email protected]>
@bzwei The problem with that is "Data in Transit" is not encrypted |
why not encrypted? I am proposing the server encrypts the json string and sends to client. So data in transit is encrypted. Then client decrypts, parses the decrypted json, and inserts sensitive variables in memory. |
|
@Alex-Izquierdo @bzwei We have to fix this in a separate PR I am thinking we take all the extra vars that we get from the controller put into a temporary yaml file and then decrypt the whole yaml file using ansible vault and keep those decrypted values in memory and delete the temporary yaml file. |
Calling ansible-vault as a separate process is a huge overhead and takes upto 2 seconds per variable. Doing this over and over before every substitution slows doen the entire processing. Now we decrypt once at startup and keep the decrypted values in memory and reuse them during substitution.
https://issues.redhat.com/browse/AAP-40490