Bug 2063697
| Summary: | Observability - MCOCR reports object-storage secret without AWS access_key in STS enabled env | | |
|---|---|---|---|
| Product: | Red Hat Advanced Cluster Management for Kubernetes | Reporter: | cqu |
| Component: | Core Services / Observability | Assignee: | Chunlin Yang <chuyang> |
| Status: | CLOSED ERRATA | QA Contact: | Xiang Yin <xiyin> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | rhacm-2.5 | CC: | cqu, jwakely, smeduri |
| Target Milestone: | --- | Flags: | bot-tracker-sync: rhacm-2.5+ |
| Target Release: | rhacm-2.5 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-06-09 02:09:30 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
cqu
2022-03-14 07:35:33 UTC
Verified by 2.5.0-DOWNSTREAM-2022-04-20-06-50-05, issue is fixed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat Advanced Cluster Management 2.5 security updates, images, and bug fixes), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:4956

RFE Copy secret with specific secret namespace, name for source and ...

MCOCR reports object-storage secret without AWS access_key in STS.

Bug 2063697 is related to the observability of object storage secrets in a Secure Token Service (STS) enabled environment. In this bug report, it is highlighted that MCOCR (Managed Cloud Object Storage Configuration Reports) is reporting object storage secrets without AWS access_key in such an environment. This can potentially expose sensitive information, making it a security risk. To provide more context, STS is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users. In such an environment, MCOCR should not report the AWS access_key in the object storage secrets, as it is unnecessary and can pose a security risk. The bug report suggests that the issue could be resolved by modifying MCOCR to exclude the access_key from the object storage secrets when STS is enabled. By doing so, the security of the system could be improved by reducing the potential exposure of sensitive information. Overall, Bug 2063697 highlights the importance of observability in ensuring the security of sensitive information, particularly in STS enabled environments.

This is an interesting situation where the MultiClusterObservability (MCO) CR reports a failure due to a missing AWS access key, even though metrics data are being successfully forwarded to the S3 bucket in an STS-enabled ROSA environment. This suggests that while the standard configuration check might be failing, the underlying STS mechanism for accessing the S3 bucket is likely working. This error occurs because the ACM 2.5 MCO operator performs a strict validation check that expects the access_key and secret_key fields to be present in the configuration, even when using STS/IRSA. To resolve the "ObjectStorageConfInvalid" status while maintaining your security posture, simply add "dummy" values to those fields in your thanos.yaml secret. Because Thanos prioritizes the OIDC/STS token provided by the service account at runtime, it will bypass the dummy keys and successfully authenticate with AWS, while the MCO operator will finally see the config as "complete" and transition to a Ready status.
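The following is an added example, not code from the bug thread or from the ACM operator. It reproduces the validation situation the last comment describes from the defender's side: given a Kubernetes Secret that carries the Thanos object-store config under the key `thanos.yaml`, it reports which fields the ACM 2.5 check would find missing (and so flag as `ObjectStorageConfInvalid`), and it separately flags when `access_key`/`secret_key` hold obvious placeholder values, so a reviewer can see that the STS workaround from the thread is in use rather than real static credentials. The secret name `thanos-object-storage`, the namespace, the required-field list beyond `access_key`/`secret_key`, the placeholder markers and the sample configs are all assumptions or constructed values.

```python
"""Audit an ACM observability object-storage secret for the condition in this bug.

Added example, not code from the bug thread or from the ACM operator. Assumes the
Secret keeps its Thanos object-store config under the key "thanos.yaml"
(base64-encoded, as in any Kubernetes Secret) in the flat "type: s3 / config:" form.
"""
import base64
import json

# Fields the ACM 2.5 check insists on: access_key/secret_key per the thread;
# bucket/endpoint are an assumption (Thanos needs them for S3 in any case).
REQUIRED_FIELDS = ("bucket", "endpoint", "access_key", "secret_key")

# Values that are obviously placeholders rather than real static credentials.
PLACEHOLDER_MARKERS = ("dummy", "placeholder", "xxx", "changeme")


def parse_thanos_yaml(text):
    """Minimal parser for the two-level thanos.yaml layout (type + config block).

    Deliberately not a general YAML parser: it reads 'key: value' lines, treats the
    indented lines under 'config:' as the object-store settings, and strips quotes.
    """
    top, config = {}, {}
    in_config = False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indented = raw.startswith((" ", "\t"))
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip("\"'")
        if not indented:
            in_config = key == "config"
            if not in_config:
                top[key] = value
        elif in_config:
            config[key] = value
    top["config"] = config
    return top


def audit_secret(secret_manifest):
    """Return a report dict for a Secret manifest given as a Python dict."""
    data = secret_manifest.get("data", {})
    if "thanos.yaml" not in data:
        return {"type": None, "valid": False, "missing": ["thanos.yaml"],
                "placeholder_creds": False}
    text = base64.b64decode(data["thanos.yaml"]).decode()
    conf = parse_thanos_yaml(text)
    cfg = conf.get("config", {})
    missing = [f for f in REQUIRED_FIELDS if not cfg.get(f)]
    creds = (cfg.get("access_key", "") + cfg.get("secret_key", "")).lower()
    placeholder = any(m in creds for m in PLACEHOLDER_MARKERS)
    return {
        "type": conf.get("type"),
        "valid": not missing,              # what the ACM 2.5 check would conclude
        "missing": missing,                # fields that trigger ObjectStorageConfInvalid
        "placeholder_creds": placeholder,  # thread's STS workaround in use, keys not real
    }


def make_secret(thanos_yaml):
    """Build a Secret manifest (constructed sample) around a thanos.yaml string."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "thanos-object-storage",  # assumed name
                     "namespace": "open-cluster-management-observability"},
        "type": "Opaque",
        "data": {"thanos.yaml": base64.b64encode(thanos_yaml.encode()).decode()},
    }


# Constructed sample: an STS/IRSA-style config with no static keys. Thanos can use
# the service-account token, but the ACM 2.5 check reports it as invalid.
STS_CONFIG = """\
type: s3
config:
  bucket: acm-metrics-example
  endpoint: s3.us-east-1.amazonaws.com
  insecure: false
"""

# The same config after the thread's workaround: placeholder static keys.
STS_WORKAROUND_CONFIG = STS_CONFIG + "  access_key: dummy\n  secret_key: dummy\n"

if __name__ == "__main__":
    for label, conf in (("sts", STS_CONFIG), ("sts+dummy", STS_WORKAROUND_CONFIG)):
        print(label, json.dumps(audit_secret(make_secret(conf))))
```

Running it on a live cluster would mean feeding `kubectl get secret ... -o json` into `audit_secret`; the `placeholder_creds` flag is the part worth keeping after the fix lands, since a secret that still carries dummy keys once a version with proper STS support is in use is a leftover worth cleaning up.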