Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support kubernetes secret for providing user-data to cloud-init #31

Open
umangachapagain opened this issue Oct 4, 2023 · 1 comment
Open

Support kubernetes secret for providing user-data to cloud-init #31

umangachapagain opened this issue Oct 4, 2023 · 1 comment

Comments

@umangachapagain
Copy link

Context

When using Hegel, currently, if we want to provide user-data to cloud-init, we need to pass it via Hardware spec.
For example:

apiVersion: tinkerbell.org/v1alpha1
kind: Hardware
metadata:
  name: hw1
  namespace: tink-system
spec:
  userData: |
    #cloud-config
    ---
    user: <USERNAME>
    password: <PLAINTEXT_PASSWORD>
    chpasswd: {expire: False}
    ssh_pwauth: True

Hegel then serves the user-data on HEGEL_IP:HEGEL_PORT/2009-04-04/user-data and
meta-data on HEGEL_IP:HEGEL_PORT/2009-04-04/meta-data/

cloud-init can read these user-data and meta-data when datasource is configured correctly.

This behavior works ok as long as user-data does not contain any sensitive information. However, it could still cause formatting issues with user-data.

Proposal

If user-data contains sensitive data like passwords, license keys etc it might not be desirable to put these in Hardware spec in plaintext format which can be read by anyone with read access to Hardware CR.

To help with this, we could move the user-data to a kubernetes secret object and reference that object in Hardware spec.
This secret object reference can be used by Hegel to pull user-data.
New spec example:

apiVersion: tinkerbell.org/v1alpha1
kind: Hardware
metadata:
  name: hw1
  namespace: tink-system
spec:
  userDataRef:
     name: <SECRET_NAME>
     namespace: <SECRET_NAMESPACE>

This approach has a few benefits,

  • We can avoid sensitive user-data information in Hardware spec.
  • Access to this Secret can be restricted to only required users i.e. cluster-admin and hegel serviceaccount.
  • Secret stores data in base64 encoded form. This helps preserve formatting of user-data by creating a secret directly from the user-data file.
@displague
Copy link
Member

This brings crossplane-contrib/provider-cloudinit#8 to mind.

I don't know that Hardware should be concerned with CloudInit directly, but a CloudInit controller could piece together secrets, configmaps, and plain text blobs into a secret that userdata could consume.

This is just food for thought.

In the "New spec example" snippet, userDataRef should be userDataSecretRef.
The namespace would be omitted as it should need to match the Hardware resource.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@displague @umangachapagain