TsuyoshiUshio / KubernetesTask

Kubernetes Task for Visual Studio Team Services

Encrypt/Remove kubeconfig secrets from build output #15

Open dtzar opened 7 years ago

dtzar commented 7 years ago

When you use the general 2.x task it outputs the entire contents of the kubeconfig file to the build log/output in VSTS. We should not have this for security reasons.

TsuyoshiUshio commented 7 years ago

1.x is the same. Let's encode the kubeconfig file into Base64. Then it will be solved. See "5.1. Create an endpoint" in the README. :)

TsuyoshiUshio commented 7 years ago

Can I close this issue?

dtzar commented 7 years ago

I imagine there is a way to either:

  1. Encrypt the contents of kube config since Base64 can easily be decoded: http://www.hashemian.com/tools/base64-encode-decode.php --> "Base64 decoding employs a reverse algorithm to yield the original content. While Base64 encoding alters the original content, it is not suitable as an encryption mechanism as it can be easily decoded to reveal the original content." or
  2. Remove the output of the kube config from the build log.

rakelkar commented 7 years ago

Do you know which line is causing the output to get written?

-- Rakesh Kelkar

dtzar commented 7 years ago

Not sure - somewhere here https://github.com/TsuyoshiUshio/KubernetesTask/blob/master/kubectl.ts I imagine with the kubeconfig.

rakelkar commented 7 years ago

Yeah it's strange.. I think the agent framework is printing it.. I've started a thread with them to figure it out.

TsuyoshiUshio commented 7 years ago

I don't know why. But I realised that if you have multiple lines of the parameter, VSTS prints from the second line. VSTS doesn't print the first line. I should report to the VSTS production team about it.

The log is output automatically. https://github.com/TsuyoshiUshio/KubernetesTask/blob/master/kubectl.ts#L31

TsuyoshiUshio commented 7 years ago

@dtzar It seems to be printed out automatically when I use this:

```ts
this.kubeconfig = tl.getEndpointAuthorizationParameter(this.endpoint, 'kubeconfig', true);
```

I can't avoid it. However, this line smells. I'll investigate it.

https://github.com/Microsoft/vsts-task-lib/blob/master/node/task.ts#L364
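
An added example for option 2 in the thread (keeping the kubeconfig out of the build log), not code from this thread, the task, or vsts-task-lib: a log scrubber that masks each line of a multi-line secret as well as its Base64 form, since a masker that only matches the whole value misses output written one line at a time. The sample kubeconfig, the log lines and all function names are constructed for illustration.

```javascript
// Constructed sample value, not a real kubeconfig or token.
const SAMPLE_KUBECONFIG = [
  'apiVersion: v1',
  'kind: Config',
  'users:',
  '- name: demo',
  '  user:',
  '    token: CONSTRUCTED-TOKEN-0123456789',
].join('\n');

// Strings to mask: the whole value, its Base64 form (reversible, so just as
// sensitive), and every trimmed line of at least minLen characters.
function buildMaskList(secret, minLen = 8) {
  const base64 = Buffer.from(secret, 'utf8').toString('base64');
  const lines = secret
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length >= minLen);
  // Longest first, so a short fragment never breaks up a longer match.
  return [...new Set([secret, base64, ...lines])].sort((a, b) => b.length - a.length);
}

// Replace every occurrence of every masked string in one log line.
function scrubLine(logLine, maskList) {
  return maskList.reduce((out, secret) => out.split(secret).join('***'), logLine);
}

// Scrub a whole log (array of lines) against one multi-line secret.
function scrubLog(logLines, secret) {
  const maskList = buildMaskList(secret);
  return logLines.map((line) => scrubLine(line, maskList));
}

// Constructed log: the value echoed one line per entry, then its Base64 form.
const SAMPLE_LOG = [
  'starting kubectl task',
  ...SAMPLE_KUBECONFIG.split('\n').map((line) => '[debug] ' + line),
  '[debug] kubeconfig(base64)=' + Buffer.from(SAMPLE_KUBECONFIG, 'utf8').toString('base64'),
];

console.log(scrubLog(SAMPLE_LOG, SAMPLE_KUBECONFIG).join('\n'));
```

Short structural lines such as `users:` fall below `minLen` and stay visible; lowering the threshold masks more of the file at the cost of hiding unrelated log text that happens to match.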