Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bootstrap token is sensitive, node_token is not #51

Closed
rwaffen opened this issue Apr 28, 2023 · 3 comments · Fixed by #52
Closed

bootstrap token is sensitive, node_token is not #51

rwaffen opened this issue Apr 28, 2023 · 3 comments · Fixed by #52
Labels
bug Something isn't working

Comments

@rwaffen
Copy link
Member

rwaffen commented Apr 28, 2023
edited by kenyon
Loading

when defining a bootstrap_token and handing it over to a node like this:

lookup_options:
  k8s::server::resources::bootstrap::secret:
    convert_to: Sensitive

k8s::server::resources::bootstrap::secret:  foo4567890foobar
k8s::node::node_token: "puppet.%{lookup('k8s::server::resources::bootstrap::secret')}"

you end up with a /srv/kubernetes/bootstrap-kubelet.kubeconf on the node like this:

...
users:
- name: default
  user:
    token: puppet.Sensitive [value redacted]
@rwaffen rwaffen added the bug Something isn't working label Apr 28, 2023
@ananace ananace mentioned this issue Apr 28, 2023
Merged
@ananace
Copy link
Member

ananace commented Apr 28, 2023

The PR in question will of course only match the token itself, a Hiera-based lookup like you've posted might not result in the wanted result - since you're string-concatenating inside Hiera itself.

@rwaffen
Copy link
Member Author

rwaffen commented Apr 28, 2023

yes i came up to this conclusion myself 🤦 .one cannot string interpolate with sensitive strings 🤔

@ananace
Copy link
Member

ananace commented May 10, 2023

I've had a thought on this, expanding the token to allow passing it either as a sensitive string or as a struct - with an ID and a secret that's sensitive.

Your example config should then be possible, just in the form of;

lookup_options:
  k8s::server::resources::bootstrap::secret:
    convert_to: Sensitive

k8s::server::resources::bootstrap::secret:  foo4567890foobar
k8s::node::node_token:
  id: puppet
  secret: "%{alias('k8s::server::resources::bootstrap::secret')}"

@GMZwinge GMZwinge mentioned this issue Sep 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@ananace @rwaffen