Bug 1574562 - Posibility to specify a field passphrase (or refer to a secret) for a Secured Route
Summary: Posibility to specify a field passphrase (or refer to a secret) for a Secured...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.7.1
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
: ---
Assignee: Eric Paris
QA Contact: Xiaoli Tian
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-03 14:42 UTC by Gonzalo Marcote
Modified: 2019-08-08 02:54 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-12 11:58:02 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Gonzalo Marcote 2018-05-03 14:42:41 UTC
1. Proposed title of this feature request
Routes should have the posibility to specify a field passphrase (or refer to a secret) for other router implementations that support this, for example Avi Networks.

3. What is the nature and description of the request?
Currently, password protected key files are not supported. HAProxy prompts for a password upon starting and does not have a way to automate this process:
https://docs.openshift.com/container-platform/3.7/dev_guide/routes.html#creating-routes

Routes should have the posibility to specify a field passphrase (or refer to a secret) for other router implementations that support this, for example Avi Networks. 

4. Why does the customer need this? (List the business requirements here)
They are using one Avi Network downstream implementation that support this feature.  While Avi Networks can re-validate Route configuration and reject bad objects, OpenShift should perform input validation and check that key and cert fields are correct, rejection object creation if not valid.

5. How would the customer like to achieve this? (List the functional requirements here)
To HAProxy and hence routes to support password protected key files

6. For each functional requirement listed in question 5, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.
Checking if HAProxy support password protected key files and check that key and cert fields are correct, rejection object route creation if not valid.

10. List any affected packages or components.
OCP 3.7
HA-Proxy version 1.5

Comment 4 Ben Bennett 2018-10-26 14:11:13 UTC
haproxy doesn't support this well (or really, at all)... you'll get a prompt asking for the key passphrase on the controlling terminal.  And that will be incredibly difficult to control.

Also, how will they expect this to work?  Where will the passphrase be stored?  Alongside the key in the route?  It will then be written to the storage in the pod just like the keys are, so if someone compromises the pod, they can read the key and the corresponding passphrase.

If you can clarify what the attack that they are concerned about is, that might help.

Comment 6 Kirsten Newcomer 2019-06-12 11:58:02 UTC
With the introduction of OpenShift 4, Red Hat has delivered or roadmapped a substantial number of features based on feedback by our customers.  Many of the enhancements encompass specific RFEs which have been requested, or deliver a comparable solution to a customer problem, rendering an RFE redundant.

This bz (RFE) has been identified as a feature request not yet planned or scheduled for an OpenShift release and is being closed. 

If this feature is still an active request that needs to be tracked, Red Hat Support can assist in filing a request in the new JIRA RFE system, as well as provide you with updates as the RFE progress within our planning processes. Please open a new support case: https://access.redhat.com/support/cases/#/case/new 

Opening a New Support Case: https://access.redhat.com/support/cases/#/case/new 

As the new Jira RFE system is not yet public, Red Hat Support can help answer your questions about your RFEs via the same support case system.


Note You need to log in before you can comment on or make changes to this bug.