Bug 1701408

Summary: [DOCS] Certificate Authority x.509 certificate is stored unencrypted and available to all IAM users in the account including AWS support
Product: OpenShift Container Platform
Reporter: Chris Callegari <ccallega>
Component: Documentation
Assignee: Kathryn Alexander <kalexand>
Status: CLOSED CURRENTRELEASE
QA Contact: Johnny Liu <jialiu>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: medium
Version: 4.1.0
CC: aos-bugs, jokerman, mmccomas, scuppett, wking
Target Milestone: ---   
Target Release: 4.1.0   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2019-05-09 14:13:30 UTC
Type: Bug

Description Chris Callegari 2019-04-18 21:31:45 UTC
Description of problem:
Certificate Authority x.509 certificate is stored unencrypted and available to all IAM users in the account including AWS support in the form of an AWS CloudFormation stack.  Stack info is not private.

Version-Release number of selected component (if applicable):
4.1 Beta

How reproducible:
Always

Steps to Reproduce:
1. Follow the procedure
http://file.rdu.redhat.com/kalexand/041719/osdocs323/installing/installing_aws_upi/installing-aws-upi.html#installation-creating-aws-dns-install-aws-upi

Actual results:
OpenShift internal certificate authority is exposed to all IAM users of an AWS account as well as AWS support.  The cert is basically in the wild.

Expected results:
OpenShift internal data is not exposed inadvertently

Additional info:
Further discussion is within the pull request...
https://github.com/openshift/openshift-docs/pull/14241

Comment 5 W. Trevor King 2019-05-06 21:55:07 UTC
Some discussion in [1], but basically:

1. There's no security concern about leaking *certificates*, as long as you don't leak the keys.  Certificates get served to anyone who sends an HTTPS request to the encrypted endpoint anyway, they aren't private.  I'm not aware of any leak concerns with information that goes into the CloudFormation templates.
2. The bootstrap Ignition config does contain secrets like X.509 keys.  But you can serve it from any location you like, it doesn't have to be S3.  For example, in CI we serve it to the cluster under test from a Service in the CI cluster [2].  At some point, discussion about locking down an S3 bucket is going to distract from the point of getting your cluster up.  As long as we don't pitch it as "this is the 100% safe and secure method for putting the bootstrap Ignition config on S3", I'm fine with cutting corners.  Would wiggle wording to that effect around [3] be satisfactory?

[1]: https://github.com/openshift/openshift-docs/pull/14241#discussion_r276795529
[2]: https://github.com/openshift/release/pull/3440/commits/7d4e4349bed16d03a199518e87d30daafdc26b76#diff-2b1b845b92f8062711789a2bfdb27290R403
[3]: https://github.com/openshift/openshift-docs/pull/14241/files#diff-027942c942df17c3eb23ffd1cbb35e6dR30
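
The certificate-versus-key distinction from comment 5, as an added example that is not part of the bug report or of any OpenShift code: a check that decodes the files embedded in an Ignition config and reports which ones carry PEM private keys (secret) and which carry only certificates or other public PEM data. It assumes the Ignition spec 2.x layout, where file bodies are `data:` URLs under `storage.files[].contents.source`; the sample config, its paths and its PEM bodies are constructed.

```python
import base64
import json
import re
from urllib.parse import unquote_to_bytes

# Matches the label of every PEM block header, e.g. "CERTIFICATE", "RSA PRIVATE KEY".
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def decode_data_url(url):
    """Decode an RFC 2397 data: URL to bytes; other schemes yield b''."""
    if not url.startswith("data:"):
        return b""
    header, _, payload = url[5:].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)

def classify(ignition):
    """Map each PEM-bearing file path to 'secret' (private key) or 'public'."""
    report = {}
    for entry in ignition.get("storage", {}).get("files", []):
        body = decode_data_url(entry.get("contents", {}).get("source", ""))
        labels = [m.decode() for m in PEM_BEGIN.findall(body)]
        if labels:
            has_key = any(l.endswith("PRIVATE KEY") for l in labels)
            report[entry["path"]] = "secret" if has_key else "public"
    return report

def _data_url(text):
    """Helper for the constructed sample: wrap text as a base64 data: URL."""
    return "data:text/plain;base64," + base64.b64encode(text.encode()).decode()

def _pem(label):
    """Constructed PEM block; the body is the word CONSTRUCTED, not key material."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed sample config; paths are illustrative, not the installer's own.
SAMPLE = {
    "ignition": {"version": "2.2.0"},
    "storage": {"files": [
        {"path": "/opt/example/tls/root-ca.crt", "contents": {"source": _data_url(_pem("CERTIFICATE"))}},
        {"path": "/opt/example/tls/root-ca.key", "contents": {"source": _data_url(_pem("RSA PRIVATE KEY"))}},
        {"path": "/etc/motd", "contents": {"source": "data:,hello%20world"}},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE), indent=2))
```

Any path reported as `secret` is a reason to treat the whole config as sensitive wherever it is served from; a config reporting only `public` entries may still hold non-PEM secrets that this check does not look for.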

Comment 6 Kathryn Alexander 2019-05-07 18:15:37 UTC
I added some notes around here: https://github.com/openshift/openshift-docs/pull/14241/files#diff-027942c942df17c3eb23ffd1cbb35e6dR30

Trevor, Chris, will you PTAL?

Comment 7 Kathryn Alexander 2019-05-08 13:52:29 UTC
Trevor approved the text in the PR.

Jianlin, will you PTAL and let me know if you agree that this issue is addressed? If not, I'll open a follow-up PR.

The change is around here: https://github.com/openshift/openshift-docs/pull/14241/files#diff-027942c942df17c3eb23ffd1cbb35e6dR30

Comment 8 Johnny Liu 2019-05-09 11:13:11 UTC
LGTM.

Comment 10 W. Trevor King 2020-05-18 04:28:59 UTC
CLOSED for a long time, so nobody needs info anymore.