- What is the nature and description of the request?
As an admin I require the ability to have my keys for my environment be private.
- Why does the customer need this? (List the business requirements here)
Security reasons require private keys for the environment.
- Is there already an existing RFE upstream or in Red Hat Bugzilla?
Not that I could find
The private keys need to be protected, but in a way that maintains OpenShift's ability to bootstrap.
The following files are unencrypted private keys I was able to find:
# grep -lr PRIVATE /etc/origin/
Also, there is the private key for the master, base64 encoded in all kubeconfig files.
The key is for the master and is found in:
Affected kubeconfig files are:
/etc/origin/generated-configs/node-<router FQDN>/system:node:<router FQDN>.kubeconfig
Command to find the private keys in kubeconfig files:
# for i in $(find /etc/origin -iname '*kubeconfig'); do echo "File Name: "$i; grep data: "$i" | tr -s " " | while read a; do name=$(echo $a | cut -d " " -f 1) ; key=$(echo $a | cut -d " " -f 2| base64 -d); if [ -n "$key" -a PRIVATE = "$(echo $key | grep -o PRIVATE | head -1)" ]; then echo -e "$name" ; echo "$key" ; /bin/echo -e "\n" ;fi ; done; done
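An audit variant of the command above, added here as an example (it is not part of the original report or of OpenShift): it reports which kubeconfig fields decode to a PEM private key, together with the file mode, without writing the key material to the terminal or scrollback. The function names `audit_kubeconfig_keys` and `make_sample` are hypothetical, the sample kubeconfig is constructed with placeholder PEM bodies, and GNU find, stat and base64 are assumed.

```shell
#!/bin/sh
# Added example: list kubeconfig fields that hold PEM private keys without
# echoing the key itself. Assumes GNU find, stat and base64 (as on RHEL).

# audit_kubeconfig_keys DIR
# Prints one tab-separated line per finding: file, field, PEM label, file mode.
audit_kubeconfig_keys() {
    find "$1" -type f -iname '*kubeconfig' | while IFS= read -r file; do
        mode=$(stat -c '%a' "$file")
        # Only the "*-data:" fields carry inline base64 blobs.
        grep -E '^[[:space:]]*[A-Za-z-]+-data:' "$file" | while read -r field value; do
            # Keep only the first decoded line (the PEM header); drop the rest.
            header=$(printf '%s' "$value" | base64 -d 2>/dev/null | head -n 1)
            case $header in
                "-----BEGIN "*"PRIVATE KEY-----")
                    label=${header#"-----BEGIN "}
                    label=${label%"-----"}
                    printf '%s\t%s\t%s\t%s\n' "$file" "${field%:}" "$label" "$mode"
                    ;;
            esac
        done
    done
}

# make_sample DIR: write a constructed kubeconfig (placeholder PEM bodies, no real key).
make_sample() {
    key=$(printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' | base64 -w0)
    crt=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' | base64 -w0)
    printf 'users:\n- name: sample\n  user:\n    client-certificate-data: %s\n    client-key-data: %s\n' \
        "$crt" "$key" > "$1/sample.kubeconfig"
    chmod 644 "$1/sample.kubeconfig"
}

# Run against a directory given on the command line, e.g. /etc/origin.
if [ "$#" -gt 0 ]; then audit_kubeconfig_keys "$1"; fi
```

A mode column wider than 600 on a file that appears in the output means the embedded key is readable by accounts other than the owner.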
This bug has been identified as a dated (created more than 3 months ago) bug.
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog,
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year.
As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred,
as it is currently not part of the product's immediate priorities.
Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.