Project

General

Profile

Actions

Feature #20665

closed

Installer handles secrets separately from local.params

Added by Lucas Di Pentima over 1 year ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Deployment
Story points:
-
Release relationship:
Auto

Description

The local.params & arvados.sls files store some secret information that site admins might want to keep off a git repository for better security.
Create a separate local.params.secrets file with those environment variables that will get read from installer.sh and provision.sh scripts to make the above easier. Also, update the documentation reflecting these changes.


Subtasks 1 (0 open1 closed)

Task #20677: Review 20665-installer-secrets-handlingResolvedBrett Smith06/21/2023Actions
Actions #1

Updated by Peter Amstutz over 1 year ago

  • Target version changed from Development 2023-06-21 sprint to Development 2023-07-05 sprint
Actions #2

Updated by Lucas Di Pentima over 1 year ago

Updates at db3234c - branch 20665-installer-secrets-handling
Doc tests run: developer-run-tests-doc-and-sdk-R: #1867
Manually tested by creating a new cluster.

  • Separates all security-sensitive data to a new local.params.secrets file, including a-d-c's SSH private key.
  • Updates documentation.
Actions #3

Updated by Brett Smith over 1 year ago

Lucas Di Pentima wrote in #note-2:

Updates at db3234c - branch 20665-installer-secrets-handling

This is great, thank you for the documentation updates especially. Just a couple of style suggestions.

-    if [[ ! -s $CONFIG_FILE ]] ; then
+    if [ ! -s ${CONFIG_FILE} -o ! -s ${CONFIG_FILE}.secrets ]; then

As long as we're committed to using bash, my understanding is [[ ]] provides better style because it has richer operators and less surprising precedence rules. So this version would both match the rest of the script better and also be preferred bash style as I understand it:

    if ! [[ -s "${CONFIG_FILE}" && -s "${CONFIG_FILE}.secrets" ]]; then

If we're trying to work towards POSIX compatibility, then ignore my comment.

In the documentation:

this file may need to be handled differently from the others.

When I read this I feel like I don't understand what this is alluding to. Can we make this a little more concrete with an example? e.g., "you may wish to store this file in a secrets store like [name an example or two]."

Thanks.

Actions #4

Updated by Lucas Di Pentima over 1 year ago

Updates at 73a972b5a

Addressed above suggestions:

  • Improves bash code styling.
  • Provides examples on how to securely handle the secrets file.
Actions #5

Updated by Brett Smith over 1 year ago

Lucas Di Pentima wrote in #note-4:

  • Improves bash code styling.
-    if [ ! -s ${CONFIG_FILE} -o ! -s ${CONFIG_FILE}.secrets ]; then
+    if [[ -s ${CONFIG_FILE} && -s ${CONFIG_FILE}.secrets ]]; then

This new version needs a negation ! in front of the test condition. As written this version would error out on a good checkout.

  • Provides examples on how to securely handle the secrets file.

"AWS Secrets Manager" should be titlecased since it's the name of a specific service.

Go ahead and merge with those changes. Thanks.

Actions #6

Updated by Lucas Di Pentima over 1 year ago

Brett Smith wrote in #note-5:

This new version needs a negation ! in front of the test condition. As written this version would error out on a good checkout.

  • Provides examples on how to securely handle the secrets file.

"AWS Secrets Manager" should be titlecased since it's the name of a specific service.

Whoops! Thanks for spotting that error. Fixes at 81e02a8fc -- will merge, thanks!

Actions #7

Updated by Lucas Di Pentima over 1 year ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Resolved
Actions #8

Updated by Peter Amstutz over 1 year ago

  • Release set to 66
Actions

Also available in: Atom PDF