Password field should be hidden in the SMB NewSmbGlobalMappingRequest Proto

[mauriciopoppe]

This field should be hidden

csi-proxy/client/api/smb/v1beta2/api.proto

Line 34 in c249530

string password = 4;

• Investigate how to update csi-proxy's build process to include additional proto plugins like in https://github.com/container-storage-interface/spec/blob/da58351ba3d7baf850877be3425e76ff30645d33/lib/go/Makefile#L134-L144
• Extend the FieldOptions field like https://github.com/container-storage-interface/spec/blob/da58351ba3d7baf850877be3425e76ff30645d33/csi.proto#L23-L32
• Use the field option in the password field

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[Kartik494]

/remove-lifecycle stale

[Kartik494]

Hi @mauriciopoppe As far as i get it here you are asking for updating password field in as a secret? or we can make a new function that would call the encrypted password?

[mauriciopoppe]

hey @Kartik494, this to hide the password field while the gRPC request is in transit, it's about adding an annotation in the proto file to the password field like

https://github.com/container-storage-interface/spec/blob/da58351ba3d7baf850877be3425e76ff30645d33/csi.proto#L686-L695

map<string, string> secrets = 2 [(csi_secret) = true];

I've updated the top description with a tasklist of the things that we need

[Kartik494]

I would like to work on this
/assign

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[Kartik494]

/remove-lifecycle stale

[Kartik494]

• Investigate how to update csi-proxy's build process to include additional proto plugins like in https://github.com/container-storage-interface/spec/blob/da58351ba3d7baf850877be3425e76ff30645d33/lib/go/Makefile#L134-L144

I have tried to compile api.proto with protoc installed by apt.But this is not generating api.pb.go file , then I looked into comment and tried for protoc 3.19.3 and working without including in makefile

[mauriciopoppe]

hey @Kartik494, there's a test here that installs a version of protobuf that works, locally I used:

protoc --version
libprotoc 3.12.4

[Kartik494]

Sure i will give a try on this again and i will let you know if that works.
Thanks

[mauriciopoppe]

In one of the CSI Windows meetings we saw that the secret annotation is used by csi-lib-utils when logging a request, in CSI Proxy we aren't using this library and we don't log the requests by default.

We agreed that if we make sure that we don't have log statements in the codebase that are logging the requests (and their secrets if they have them) then we don't need to add that annotation to the field, I apologize for not finding out this before.

/close