Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

base64 encoding #6

Merged
merged 4 commits into from
Apr 2, 2019
Merged

base64 encoding #6

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
d3bdfd6
generate password using base64
hensur Aug 17, 2018
e887ea1
correct unsecure versions
hensur Aug 17, 2018
3c45662
Merge branch 'master' into feature/base64
martin-helmich Apr 2, 2019
54bd713
Update main.go
martin-helmich Apr 2, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ applications run on Kubernetes.

## Security note

Older versions (actually, just 0.0.1) of this controller used the `math/rand` package for generating secrets, which is deterministic and not cryptographically secure (see #1 for more information). If you're already running this controller and want to regenerate all potentially compromised secrets, start the controller with the `-regenerate-insecure` flag (note that you will need to manually re-create any Pods using these secrets, though). When using the `kubectl apply` command from below, the new flag will be added to your Deployment automatically.
Older versions (>= 1.0.0) of this controller used the `math/rand` package for generating secrets, which is deterministic and not cryptographically secure (see #1 for more information). If you're already running this controller and want to regenerate all potentially compromised secrets, start the controller with the `-regenerate-insecure` flag (note that you will need to manually re-create any Pods using these secrets, though). When using the `kubectl apply` command from below, the new flag will be added to your Deployment automatically.

## Deployment

Expand Down Expand Up @@ -41,7 +41,9 @@ data:

```
$ kubectl annotate secrets --all secret-generator.v1.mittwald.de/regenerate=true
```

- Regenerate only certain fields
```
$ kubectl annotate secrets --all secret-generator.v1.mittwald.de/regenerate=password1.password2
$ kubectl annotate secrets --all secret-generator.v1.mittwald.de/regenerate=password1.password2
```
23 changes: 8 additions & 15 deletions main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,11 @@ package main

import (
"crypto/rand"
"encoding/base64"
"flag"
"strings"
"time"

"github.com/golang/glog"
"github.com/mittwald/kubernetes-secret-generator/util"
"k8s.io/client-go/kubernetes"
Expand All @@ -31,9 +35,6 @@ import (
"k8s.io/client-go/rest"
"k8s.io/client-go/tools/cache"
"k8s.io/client-go/tools/clientcmd"
"math/big"
"strings"
"time"
)

const (
Expand All @@ -43,9 +44,6 @@ const (
SecretSecureAnnotation = "secret-generator.v1.mittwald.de/secure"
)

var runes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
var runesLen = big.NewInt(int64(len(runes)))

var namespace string
var allNamespaces bool
var kubecfg string
Expand Down Expand Up @@ -191,15 +189,10 @@ func (c *GeneratorController) SecretAdded(obj interface{}) {
}

func generateSecret(length int) (string, error) {
b := make([]rune, length)
for i := range b {
n, err := rand.Int(rand.Reader, runesLen)
if err != nil {
return "", err
}
b[i] = runes[n.Int64()]
}
return string(b), nil
b := make([]byte, length)
rand.Read(b)

return base64.StdEncoding.EncodeToString(b)[0:length], nil
}

func contains(s []string, e string) bool {
Expand Down