✨ Improve session handling with a secure session key

[zhanggbj]

What this PR does / why we need it:
Improve session handling with a secure session key to avoid hijack.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

[zhanggbj]

Thanks for your review, and all comments are addressed, including

• Only hashed password, so the sessionKey itself should be still human readable
• For logging, just log server, datacenter and username which is in plain text for debugging, but won't log sessionKey with the key structure and an hashed password
• Also adjust function parameters

[sbueringer]

Just nits

[zhanggbj]

/test pull-cluster-api-provider-vsphere-e2e-main

[zhanggbj]

/retest

[chrischdi]

/test pull-cluster-api-provider-vsphere-e2e-main

[laozc]

I think #2171 is going to add the SAML login which may impact the userinfo used here.
There are more fields to be added in the SAML case.

[zhanggbj]

@laozc thanks for the highlight, checking...

[sbueringer]

I think #2171 is going to add the SAML login which may impact the userinfo used here. There are more fields to be added in the SAML case.

Thx, but let's tackle this one at a time.

I think the current PR is fine as is and I also would like to get this into v1.8.0 and backport it into all branches. We can then discuss in the other PR how to build on top

/lgtm
/assign @chrischdi

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 9c7813c99e1691714625c5d2041816c5dc3eb899

[zhanggbj]

/test pull-cluster-api-provider-vsphere-e2e-main

[chrischdi]

/retest

[sbueringer]

/approve

pending CI/Prow

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sbueringer]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sbueringer]

/retest

[sbueringer]

/cherry-pick release-1.7

[k8s-infra-cherrypick-robot]

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.7 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

/cherry-pick release-1.6

[k8s-infra-cherrypick-robot]

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.6 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

/cherry-pick release-1.5

[k8s-infra-cherrypick-robot]

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.5 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-infra-cherrypick-robot]

@sbueringer: new pull request created: #2190

In response to this:

/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-infra-cherrypick-robot]

@sbueringer: #2154 failed to apply on top of branch "release-1.6":

Applying: Improve session handling with a secure session key
Using index info to reconstruct a base tree...
M	pkg/session/session.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/session/session.go
CONFLICT (content): Merge conflict in pkg/session/session.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Improve session handling with a secure session key
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-infra-cherrypick-robot]

@sbueringer: #2154 failed to apply on top of branch "release-1.5":

Applying: Improve session handling with a secure session key
Using index info to reconstruct a base tree...
M	pkg/session/session.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/session/session.go
CONFLICT (content): Merge conflict in pkg/session/session.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Improve session handling with a secure session key
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sbueringer]

@zhanggbj if you have some time, can you please open cherry-picks for 1.5 and 1.6?

[zhanggbj]

@sbueringer Sure, will open cherry-picks today