[installer]: deprecate static message bus password and replace with secret #15905
Conversation
started the job as gitpod-build-sje-deprecate-messagebus-pass.8 because the annotations in the pull request description changed
started the job as gitpod-build-sje-deprecate-messagebus-pass.9 because the annotations in the pull request description changed
started the job as gitpod-build-sje-deprecate-messagebus-pass.10 because the annotations in the pull request description changed
started the job as gitpod-build-sje-deprecate-messagebus-pass.11 because the annotations in the pull request description changed
/hold so I can rebase the golden files before final merge
/werft run 👍 started the job as gitpod-build-sje-deprecate-messagebus-pass.13
LGTM apart from the above comment! Init container does seem to be a bit complicated but seems to be the only way without changing too much logic. Hoping we can move to using the extraConfiguration option in the future so that we don't have to pass the password at two different places 🤔
/hold Just in case
I tried to review the code, but it was a bit too large for me to judge with confidence.
@geropl yes, it's bigger than I'd have hoped. Happy to sync with you if you need it
Reviewed the diff, and chatted with Simon.
LGTM!
Previously, this was defined as a Helm secret inline. Now, this uses the way that the Installer supports by default.
/unhold Rebased from
/hold
/unhold
Description
The experimental config had a `staticMessagebusPassword` key which violates our rules on configuration, namely "sensitive data must be stored in a secret". To that end, this deprecates the old behaviour and replaces it with a new `messageBus` object in the config. I took the decision to put it in a new object because, as a dependency, it's plausible that we'll need to have additional configuration options in the future (similar to registry/db/storage).

The complexity with this ticket is the RabbitMQ load definitions secret, which requires the password. As there's no documentation on how to achieve that, the load definition secret stores the password as `%PASSWORD%`, and I've created an init container which reads the load definition and password secrets, replaces `%PASSWORD%` with the actual password and then saves it to the `emptyDir`, which is what's actually used by the RabbitMQ resource. If no password is given or the old `experimental` config is used, this stores the given password in a secret so RabbitMQ can read it.

There is no `MapValue` for the experimental config that can be done because it's too complex to create a secret for a time-limited deprecated function. The deprecated message doesn't display the password because I don't want to write credentials into logs, even if the password is easily readable.

Related Issue(s)
Fixes #15899
How to test
Install a cluster with the following config. To check that the new secret has been promulgated, run
`kubectl exec -it -n gitpod deployments/server -- env | grep MESSAGEBUS_PASSWORD`
1. No password specified (default): no special config required
2. Deprecated `experimental` config
3. New password secret
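The placeholder substitution the PR body describes (init container reads the load-definitions Secret and the password Secret, swaps `%PASSWORD%` for the real value, writes the result to the emptyDir) has one pitfall worth showing: a plain text replacement of a secret into a JSON document is only safe if the secret is escaped for the surrounding JSON string. The following is an added example in Go, the installer's own language, and is not code from this PR or from the Gitpod project. The template content, the function names, the first-user shape of the definitions document and the file paths in `main` are all assumptions made for the example. `NaiveRender` is the weak form (what a `sed`-style substitution does); `RenderLoadDefinitions` is the hardened form, which JSON-escapes the password, refuses a template that does not contain the placeholder so RabbitMQ never starts with the literal `%PASSWORD%` as its credential, and validates the output.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Placeholder is the literal the installer writes into the load-definitions
// Secret instead of the real password (name taken from the PR description).
const Placeholder = "%PASSWORD%"

// NaiveRender is the weak form: byte-for-byte substitution with no escaping,
// which is what a `sed s/%PASSWORD%/.../` in an init container would do.
// A password containing `"` or `\` breaks out of the JSON string.
func NaiveRender(template []byte, password string) []byte {
	return bytes.ReplaceAll(template, []byte(Placeholder), []byte(password))
}

// RenderLoadDefinitions is the hardened form. The password is JSON-escaped
// before substitution, the template must actually contain the placeholder,
// and the rendered document must still parse as JSON.
func RenderLoadDefinitions(template []byte, password string) ([]byte, error) {
	if password == "" {
		return nil, errors.New("message bus password is empty")
	}
	if !bytes.Contains(template, []byte(Placeholder)) {
		return nil, fmt.Errorf("template does not contain %q; refusing to start RabbitMQ with a literal placeholder as credential", Placeholder)
	}
	quoted, err := json.Marshal(password) // produces "..." with JSON escaping applied
	if err != nil {
		return nil, err
	}
	escaped := quoted[1 : len(quoted)-1] // drop the quotes; the template supplies them
	out := bytes.ReplaceAll(template, []byte(Placeholder), escaped)
	if !json.Valid(out) {
		return nil, errors.New("rendered load definitions are not valid JSON")
	}
	return out, nil
}

// RenderedPassword parses a rendered definitions document (assumed shape:
// a top-level "users" array whose entries carry a "password" field) and
// returns the first user's password, so a round-trip can be checked.
func RenderedPassword(rendered []byte) (string, error) {
	var doc struct {
		Users []struct {
			Password string `json:"password"`
		} `json:"users"`
	}
	if err := json.Unmarshal(rendered, &doc); err != nil {
		return "", err
	}
	if len(doc.Users) == 0 {
		return "", errors.New("no users in definitions")
	}
	return doc.Users[0].Password, nil
}

// main mirrors the init container: the template and the password come from
// mounted Secret files, the output goes to the emptyDir shared with the
// RabbitMQ container. The argument paths are assumptions, not the
// project's real mount points.
func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: render <template-file> <password-file> <output-file>")
		os.Exit(2)
	}
	tmpl, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "read template:", err)
		os.Exit(1)
	}
	pw, err := os.ReadFile(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, "read password:", err)
		os.Exit(1)
	}
	rendered, err := RenderLoadDefinitions(tmpl, string(bytes.TrimRight(pw, "\r\n")))
	if err != nil {
		fmt.Fprintln(os.Stderr, "render:", err)
		os.Exit(1)
	}
	// 0600: the rendered file now holds the cleartext password.
	if err := os.WriteFile(os.Args[3], rendered, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, "write:", err)
		os.Exit(1)
	}
}
```

The same point applies to any secret spliced into YAML or JSON by `sed`, `envsubst` or a template engine: escape for the target format, fail when the placeholder is missing, and keep the rendered file's permissions tight, since the emptyDir copy is the one place the cleartext password exists on disk.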