This repository was archived by the owner on Oct 11, 2024. It is now read-only.

Remove secrets from Docker Images#1191

Merged: gdbelvin merged 9 commits into google:master from gdbelvin:genkeys on Jul 19, 2019

Conversation

gdbelvin (Contributor) commented Feb 7, 2019

Private keys should not be part of the docker images.
This was an old hack that predated docker's secrets feature.

TODO / Help wanted: add a kubernetes configmap that does the same thing.
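As an added example (not code from this PR or the keytransparency repository), a pre-build lint in POSIX shell that catches the pattern this PR removes: a Dockerfile COPY/ADD that bakes key files into an image layer. The Dockerfile it scans is constructed inline, and its file paths and the compose service names in the closing comment are assumptions, not the project's real files.

```shell
#!/bin/sh
# Added example, not code from the keytransparency repository: a pre-build
# lint that flags Dockerfile instructions which copy private-key material
# into an image layer. The Dockerfile content below is constructed for the
# demo; its paths are assumptions, not the project's real files.
set -eu

# Source paths that look like key or secret material. Extend to taste.
KEY_PATTERN='^[[:space:]]*(COPY|ADD)[[:space:]].*(\.pem|\.key|\.p12|\.pfx|id_rsa|id_ed25519|secret)'
# COPY of the whole build context: any key in the tree comes along unless
# .dockerignore excludes it.
WHOLE_CONTEXT_PATTERN='^[[:space:]]*(COPY|ADD)[[:space:]]+(\.|\./)[[:space:]]'

# count_baked_secrets DOCKERFILE: number of instructions matching KEY_PATTERN.
count_baked_secrets() {
    grep -icE "$KEY_PATTERN" "$1" || true
}

# copies_whole_context DOCKERFILE: exit 0 if the file copies "." into the image.
copies_whole_context() {
    grep -iqE "$WHOLE_CONTEXT_PATTERN" "$1"
}

# lint_dockerfile DOCKERFILE: print findings with line numbers; exit 1 if any
# key-like file is copied into the image, 0 otherwise.
lint_dockerfile() {
    status=0
    if grep -inE "$KEY_PATTERN" "$1"; then
        echo "FAIL: $1 bakes key material into an image layer; supply it at run time (docker secrets or a mounted volume)" >&2
        status=1
    fi
    if copies_whole_context "$1"; then
        echo "WARN: $1 copies the whole build context; make sure .dockerignore excludes key files" >&2
    fi
    return $status
}

# make_demo_dockerfile: write a constructed Dockerfile to a temp file and print its path.
make_demo_dockerfile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
FROM golang:1.12 AS build
WORKDIR /go/src/github.com/google/keytransparency
COPY . .
RUN go install ./cmd/keytransparency-server

FROM gcr.io/distroless/base
COPY --from=build /go/bin/keytransparency-server /
# The pre-#1191 hack: private keys copied into the image (constructed paths).
COPY genfiles/server.key /kt/server.key
ADD genfiles/vrf-key.pem /kt/vrf-key.pem
ENTRYPOINT ["/keytransparency-server"]
EOF
    echo "$f"
}

# With the secrets feature the image holds no keys; docker-compose supplies
# them at run time. Compose syntax, service names assumed for illustration:
#   secrets:
#     server_key: { file: ./genfiles/server.key }
#   services:
#     server:    { secrets: [server_key] }
#     sequencer: { secrets: [server_key] }   # the sequencer needs them too

demo=$(make_demo_dockerfile)
lint_dockerfile "$demo" || echo "lint exit status: $?"
rm -f "$demo"
```

Run it against the real Dockerfile in CI before `docker build`; a non-zero exit blocks the build. The whole-context warning is deliberately not fatal, because `COPY . .` is legitimate when `.dockerignore` lists the key directory.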

@gdbelvin gdbelvin requested a review from RJPercival February 7, 2019 14:19
@gdbelvin gdbelvin force-pushed the genkeys branch 2 times, most recently from 8f01e17 to 52b9c84 Compare February 7, 2019 14:24
gdbelvin (Contributor, Author) commented Feb 7, 2019

@DazWilkin I also verified that in this configuration, docker-compose up works successfully. Can you verify with respect to #1190 ?

@gdbelvin gdbelvin requested a review from DazWilkin February 7, 2019 14:26
codecov bot commented Feb 7, 2019

Codecov Report

Merging #1191 into master will decrease coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff            @@
##           master   #1191      +/-   ##
=========================================
- Coverage   30.33%   30.3%   -0.03%     
=========================================
  Files          48      48              
  Lines        3867    3867              
=========================================
- Hits         1173    1172       -1     
- Misses       2512    2513       +1     
  Partials      182     182
Impacted Files Coverage Δ
core/client/client.go 28.28% <0%> (-0.66%) ⬇️

Powered by Codecov. Last update 3c05089...1e210f7.

DazWilkin (Contributor):

Checking it now.

DazWilkin (Contributor):

sequencer service needs the secret references too.

DazWilkin (Contributor):

Otherwise, it appears to work. I continue to have issues with context deadline exceeded

gdbelvin (Contributor, Author) commented Feb 7, 2019

Just added the keys to the sequencer. See if that doesn't solve the context deadline exceeded issue...
If the sequencer isn't starting because it doesn't have access to those keys, it would prevent sequencing progress from happening, which would cause a context exceeded error.

DazWilkin (Contributor):

I'd added the keys myself to get it to work but it doesn't address my issue :-(

gdbelvin (Contributor, Author) commented Feb 7, 2019

The other place to look for these context deadline errors is the trillian log sequencer. If either the KT sequencer or the log sequencer are having issues clients will see deadline exceeded.

DazWilkin (Contributor):

checking

DazWilkin (Contributor) commented Feb 7, 2019

Everything else appears (!?) to be OK.

The only other recurring log entry that I see across the services is in server and it's:
interceptor.go:38] auth interceptor: no hander for /google.keytransparency.v1.KeyTransparency/GetRevision

NB Typo in hander sb handler

But, otherwise, everything appears OK. Should I publish my logs?

DazWilkin (Contributor):

I have been unclear as to whether I should use 0.0.0.0:8080 (sequencer) or 0.0.0.0:443 (server).

Trying again using :443 for both authorized-keys create-keyset and then...

keytransparency-client post dazwilkin@google.com \
--client-secret=./client_secret.190205.json \
--insecure \
--data='dGVzdA==' \
--password=${PASSWORD} \
--kt-url=0.0.0.0:443 \
--verbose \
--logtostderr
Go to the following link in your browser then type the authorization code: 
https://accounts.google.com/o/oauth2/auth?access_type=online&client_id=[[REDACTED]]
[[REDACTED]]
2019/02/07 10:59:56 ✓ Signed Map Head signature verified.
2019/02/07 10:59:56 ✓ Log inclusion proof verified.
I0207 10:59:56.987019  158923 client.go:145] Trusted root updated to TreeSize 1
2019/02/07 10:59:56 ✓ Log root updated.
2019/02/07 10:59:56 ✓ Commitment verified.
2019/02/07 10:59:57 ✓ VRF verified.
2019/02/07 10:59:57 ✓ map inclusion proof verified.
2019/02/07 10:59:57 Got current entry...
2019/02/07 10:59:57 Sending Update request...
2019/02/07 10:59:58 ✓ Signed Map Head signature verified.
2019/02/07 10:59:58 ✓ Log inclusion proof verified.
Error: update failed: context deadline exceeded

gdbelvin (Contributor, Author) commented Feb 7, 2019

That timeout error is happening really quickly. I think the client is picking up an odd default timeout value of 0s for some reason.

gdbelvin (Contributor, Author) commented Feb 7, 2019

The other thing that is happening is that we're starting the timeout counter before the user goes through the OAuth flow.

DazWilkin (Contributor):

So, you're telling me that my 'open link', allow, copy-paste then enter is too slow? ;-)

gdbelvin (Contributor, Author) commented Feb 7, 2019

It's embarrassing :-) Fix: #1195

RJPercival (Contributor):

This isn't an issue introduced by this PR, but shouldn't the key generation scripts create and chmod the files before writing the keys to them?
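The create-then-chmod ordering RJPercival asks about, shown as an added shell example that is not part of this PR or the keytransparency key-generation scripts. The function names, the temporary demo directory and the placeholder key text are assumptions; the point is that the file must carry owner-only permissions before the first key byte lands in it.

```shell
#!/bin/sh
# Added example, not code from the keytransparency key-generation scripts.
# The file is created with mode 0600 *before* any key material is written,
# so there is no interval in which a world-readable file holds a private key.
set -eu

# write_secret_file FILE: create FILE fresh with mode 0600, then copy stdin into it.
write_secret_file() {
    file=$1
    # Remove any pre-existing file: merely truncating an existing 0644 file
    # would keep its old, too permissive mode.
    rm -f -- "$file"
    # umask in a subshell so the caller's umask is untouched; the redirection
    # creates the file, and 077 makes it 0600 from the first byte.
    (umask 077 && : > "$file")
    cat > "$file"
}

# The pattern to avoid, kept only for comparison: data first, permissions later.
# Between `cat` and `chmod` the key is readable by every local user (with the
# usual umask of 022 the file is created 0644).
write_secret_file_then_chmod() {
    file=$1
    cat > "$file"
    chmod 600 "$file"
}

# file_mode FILE: print the octal permission bits; works with GNU and BSD stat.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# demo: store a constructed placeholder (not a real key) and report the
# resulting file mode. Prints "600".
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CONSTRUCTED PLACEHOLDER, NOT A KEY-----' \
        | write_secret_file "$dir/server.key"
    file_mode "$dir/server.key"
    rm -rf -- "$dir"
}

demo
```

In a generator script the same effect comes from setting `umask 077` once at the top before any `openssl` or `keytool` invocation writes its output; the per-file subshell above is only needed when the script must keep producing world-readable artifacts (certificates, public keys) alongside the private ones.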

NeverTestGitHub left a comment:

google vrp test

mkdir -p "${GOPATH}/src/github.com/google/keytransparency/genfiles"
cd "${GOPATH}/src/github.com/google/keytransparency/genfiles"
mkdir -p "$(go env GOPATH)/src/github.com/google/keytransparency/genfiles"
cd "$(go env GOPATH)/src/github.com/google/keytransparency/genfiles"
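Review bot: the `cd` on the last line is unguarded; if the `mkdir` or the `cd` fails (for instance because `go env GOPATH` prints nothing in a stripped-down CI shell), the script carries on in whatever directory it started from and writes the generated keys there. Suggest `cd "$(go env GOPATH)/src/github.com/google/keytransparency/genfiles" || exit 1`, or `set -e` at the top of the script so every failed step aborts.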
A contributor commented on these lines:

super-nit: Won't work as expected if $GOPATH contains more than one path

a) ADDRESS=${OPTARG};;
s) SAN_DNS=${OPTARG};;
*) echo "usage: ./generate.sh -d <domain> -a <ip_address> -s <san_extension_DNS>"; exit 1;;
*) echo "usage: ./gen_server_keys.sh -d <domain> -a <ip_address> -s <san_extension_DNS>"; exit 1;;
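Review bot: the usage message on the last line goes to stdout while the script exits 1; a usage error is diagnostic output and belongs on stderr, otherwise a caller that captures the script's stdout swallows it. Suggest `*) echo "usage: $0 -d <domain> -a <ip_address> -s <san_extension_DNS>" >&2; exit 1;;`, which also stops the text drifting when the script is renamed again.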
A contributor commented on these lines:

nit: Can use $0 or $(basename $0) instead of the filename here.

* master: (106 commits)
  Remove unused logVerifier (google#1324)
  Verify Revisions in StreamRevisions (google#1323)
  Pair verifier functions (google#1322)
  Split VerifyRevision into Verify{LogRoot,MapRevision (google#1318)
  Make Previous hash check optional (google#1307)
  Remove VerifySignedMapRoot from VerifierInterface (google#1320)
  Remove trailing whitespace (google#1321)
  Encapsulate Client Verifier State in test vectors (google#1316)
  Pass along err message (google#1314)
  Remove unnessesary func() (google#1319)
  New test vector transcript format (google#1315)
  Track map revision inside mutation (google#1310)
  Move verifier to its own package (google#1312)
  go generate ./... (google#1306)
  Fix proto copying in revisions and paginator tests. (google#1309)
  Fix proto copying in server_test. (google#1308)
  go mod tidy (google#1305)
  Use new TrillianMapWrite API (google#1304)
  Configurable maximum queue depth for metric reporting. (google#1303)
  Proposal to refine docker deployment (google#1302)
  ...
@gdbelvin gdbelvin requested a review from a team as a code owner July 18, 2019 10:51
@gdbelvin gdbelvin merged commit 2aa29cd into google:master Jul 19, 2019
@gdbelvin gdbelvin deleted the genkeys branch July 19, 2019 12:03