[ws-manager-mk2] Protect tokens #16806
Conversation
Furisto
added
team: workspace
|
started the job as gitpod-build-fo-protected-tokens-4.1 because the annotations in the pull request description changed |
| @@ -52,7 +52,7 @@ MATCHES="$(grep -c -- --- k8s.yaml)" | |||
| # get the read number of K8s manifest docs | |||
| # K8s object names and kinds are duplicated in a config map to faciliate deletion | |||
| # subtract one (the config map) and then divide by 2 to get the actual # of docs we'll loop through | |||
| DOCS="$((((MATCHES - 1) / 2) + 1))" | |||
There was a problem hiding this comment.
Had an out of bounds error without it.
| err = r.deleteSecret(ctx, fmt.Sprintf("%s-%s", ws.Name, "tokens"), r.Config.SecretsNamespace) | ||
| if err != nil { | ||
| log.Error(err, "could not delete token secret", "workspace", ws.Name) | ||
| } |
There was a problem hiding this comment.
still think we should return an error when we fail to delete the secret, and not remove the finalizer if there's an error, so we try again until all secrets have been cleaned up
There was a problem hiding this comment.
We retry the deletion of the secret now and will not delete the workspace CR until the deletion of the secret suceeds.
Furisto
force-pushed
the
fo/protected-tokens-4
branch
from
529036d to
ef697aa
Compare
|
/werft run with-preview 👍 started the job as gitpod-build-fo-protected-tokens-4.4 |
|
/werft run with-preview recreate-vm 👍 started the job as gitpod-build-fo-protected-tokens-4.5 |
|
/werft run with-preview recreate-vm 👍 started the job as gitpod-build-fo-protected-tokens-4.7 |
Furisto
force-pushed
the
fo/protected-tokens-4
branch
from
0fe78e2 to
8a5d725
Compare
roboquat
added
deployed: workspace
Description
Store sensitive workspace data (tokens) in short lived Kubernetes secrets. When a workspace start is requested we create a secret (named [workspaceid]-tokens) that contains the tokens extracted from the content initializer. The tokens will be removed from the content initializer.
The secret itself will live in a separate namespace so that we can narrow down the scope of permissions we need to give to ws-daemon so that it can access the secrets. When the content init happens in ws-daemon the secrets will be injected into the initializer again and the secret will be deleted once the workspace reaches the
runningphase but latest when it reaches thestoppedphase.Related Issue(s)
n.a.
How to test
Release Notes
Build Options:
Run the build with werft instead of GHA
leeway-target=components:all
Run Leeway with
--dont-testPublish Options
Installer Options
Add desired feature flags to the end of the line above, space separated
Preview Environment Options:
If enabled this will build
install/previewIf enabled this will create the environment on GCE infra
Valid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh