cloudfoundry / cf-for-k8s

The open source deployment manifest for Cloud Foundry on Kubernetes
Apache License 2.0

Support rotation of `blobstore.secret_access_key` #527

Open ericpromislow opened 3 years ago

ericpromislow commented 3 years ago

Describe the bug

This is in the category of supporting rotation of all credentials (https://www.pivotaltracker.com/story/show/175210100)

To Reproduce

Steps to reproduce the behavior:

  1. Deploy cf-for-k8s
  2. Verify it works by pushing an app or running smoke tests
  3. Change the value of `blobstore.secret_access_key` in a values file.
  4. Redeploy should fail.
  5. `kubectl logs -n cf-system cf-api-server-SUFFIX -c cf-api-server`

We see this text in the logs:

```
… "message":"Error with blobstore: Excon::Error::Forbidden - Expected(200) <=> Actual(403 Forbidden)
excon.error.response\n  :body          => 
…<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message> 
```

That's because the cloud-controller is using the new provided value but minio hasn't been updated.

This happens only when using the internal minio blobstore, under the assumption that if you're updating this field, it's because the password for your external blobstore has changed and you're giving cf-for-k8s the new credential.

Expected behavior

The deploy should succeed.
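An added example, not part of the original issue and not cf-for-k8s code: a minimal model of why a secret rotated on only one side surfaces as a signature mismatch rather than a "wrong password" error. It assumes the blobstore client signs requests with AWS Signature Version 4; the host, path, timestamp, region and secret values are constructed placeholders.

```ruby
require 'openssl'
require 'digest'

REGION  = 'us-east-1' # assumed region (constructed)
SERVICE = 's3'

# SigV4 signature for a bodyless GET that signs host, x-amz-content-sha256
# and x-amz-date. The secret itself is never sent, only this HMAC.
def sigv4_signature(secret, host:, path:, amz_date:)
  date       = amz_date[0, 8]
  empty_hash = Digest::SHA256.hexdigest('')
  headers    = "host:#{host}\nx-amz-content-sha256:#{empty_hash}\n" \
               "x-amz-date:#{amz_date}\n"
  canonical  = ['GET', path, '', headers,
                'host;x-amz-content-sha256;x-amz-date', empty_hash].join("\n")
  scope      = "#{date}/#{REGION}/#{SERVICE}/aws4_request"
  to_sign    = ['AWS4-HMAC-SHA256', amz_date, scope,
                Digest::SHA256.hexdigest(canonical)].join("\n")
  # Signing key: chained HMACs seeded with "AWS4" + secret.
  key = [date, REGION, SERVICE, 'aws4_request'].reduce("AWS4#{secret}") do |k, part|
    OpenSSL::HMAC.digest('sha256', k, part)
  end
  OpenSSL::HMAC.hexdigest('sha256', key, to_sign)
end

# Server side: recompute the signature from the secret the server has stored
# and compare in constant time. A mismatch is all the server can observe.
def blobstore_status(stored_secret, presented_signature, request)
  expected = sigv4_signature(stored_secret, **request)
  OpenSSL.secure_compare(expected, presented_signature) ? 200 : 403
end

# Hypothetical helper: one request from the API server to the blobstore.
def rotation_outcome(blobstore_secret:, client_secret:)
  request = { host: 'blobstore.example.internal',   # constructed
              path: '/example-bucket/example-key',  # constructed
              amz_date: '20200101T000000Z' }        # constructed
  blobstore_status(blobstore_secret, sigv4_signature(client_secret, **request), request)
end

puts rotation_outcome(blobstore_secret: 'old-secret', client_secret: 'old-secret')
puts rotation_outcome(blobstore_secret: 'old-secret', client_secret: 'new-secret')
puts rotation_outcome(blobstore_secret: 'new-secret', client_secret: 'new-secret')
```

Only the middle case, where the client has the new secret and the blobstore still holds the old one, returns 403; rotating both sides together restores 200.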

cf-gitbot commented 3 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/175278389

The labels on this GitHub issue will be updated when the story is started.