PB-6687 :: Placing PX secret in nfsrestore job spec #360
Conversation
vikasit12
requested review from
lalat-das,
diptiranjanpx,
prashanthpx,
siva-portworx,
px-kesavan and
vsundarraj-px
pkg/drivers/nfsrestore/nfsrestore.go
Outdated
| @@ -248,6 +248,11 @@ func jobForRestoreResource( | |||
| logrus.Infof("failed to get the px service name and namespace: %v", err) | |||
| return nil, fmt.Errorf("failed to get the px service name and namespace: %v", err) | |||
| } | |||
| // | |||
There was a problem hiding this comment.
nit: remove this blank comment line.. or add some story here describing what scenario we need this secret fetching
pkg/drivers/nfsrestore/nfsrestore.go
Outdated
| Value: pxSecretIssuer, | ||
| }) | ||
| } | ||
| if len(pxSecretKey) != 0{ |
There was a problem hiding this comment.
By setting the secretKey as ENV would make this visible to every one who has even pod view. If I understand from stork. The stork deployment only references the k8s secret reference name but the secretKey is embedded in the k8s secret. But here we are passing as job pod env. I am not sure if this becomes a security vulnerability.
There was a problem hiding this comment.
By setting the secretKey as ENV would make this visible to every one who has even pod view. If I understand from stork. The stork deployment only references the k8s secret reference name but the secretKey is embedded in the k8s secret. But here we are passing as job pod env. I am not sure if this becomes a security vulnerability.
This is a nfs restore job so once completed it gets deleted. Also stork can use that in such a manner because it resides in same namespace as of portworx but nfs restore will start in some other ns where that secret will not be present hence passing that as ENV.
Also anyone having job pod view right now can view these access keys from stork too as in pod it is an ENV variable only
There was a problem hiding this comment.
@vikasit12 As discussed, let us please create the secret in the stork code ( Resourceexport reconciler code) and pass only the secret name and namespace similar to other secret like cred/cert/image registry secret.
…Enabled Signed-off-by: Vikas Kumar <[email protected]>
What this PR does / why we need it:
This PR gets secret env from stork deploy used in nfs restore of secured portworx volumes. The access key retrieved is passed as env variable in nfs restore job to complete nfs restore
Which issue(s) this PR fixes (optional)
Closes #PB-6687
Special notes for your reviewer:
Test Cases combination performed:
Backup and restore