Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle empty Kubernetes auth tokens during server initialisation #763

Merged
merged 1 commit into from
Aug 9, 2023
Merged

Handle empty Kubernetes auth tokens during server initialisation #763

merged 1 commit into from
Aug 9, 2023

Conversation

sysvinit
Copy link
Member

@sysvinit sysvinit commented Aug 7, 2023

The k3s-server role bundles some vendor manifests to set up authentication to allow Sensu and Telegraf to access the Kubernetes API server. However, there is a failure case which is not handled correctly, where the token loader services attempt to read the content of the corresponding Secret resource after it has been loaded from the vendor manifests, but before the control plane has added the secret token. This will result in the loader script writing an empty access token to the token file, which will cause Telegraf to fail to start.

This PR fixes this issue by adding a check in the token loader script to ensure that the token is non-empty, and amends the execution condition in the systemd unit template so that the loader script gets executed both when the token file does not exist and when it exists but is empty.

PL-131681

@flyingcircusio/release-managers

Release process

Impact: internal.

Changelog:

Security implications

  • Security requirements defined? (WHERE)
    • Handle failure cases in Kubernetes initialisation to avoid generating invalid configuration and preventing Telegraf from starting.
  • Security requirements tested? (EVIDENCE)
    • Manually verified in a test VM that applying this change to a system which is in a stuck state with invalid empty token files recovers from this state and starts Telegraf properly when switching to the new configuration.

@sysvinit
k3s: handle empty authentication tokens
6c0f4b9 
If the control plane has not yet populated the Secrets with access
tokens for the Telegraf and Sensu ServiceAccounts, then the reported
token will be an empty string, which is not a valid access token.

PL-131681
osnyx
osnyx approved these changes Aug 8, 2023
View reviewed changes
Copy link
Member

@osnyx osnyx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dpausp dpausp merged commit 83357a8 into fc-23.05-dev Aug 9, 2023
1 check passed
@dpausp dpausp deleted the PL-131681-k3s-empty-secrets branch August 9, 2023 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@osnyx osnyx osnyx approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sysvinit @osnyx @dpausp