crossplane-contrib / provider-upjet-aws

Official AWS Provider for Crossplane by Upbound.
https://marketplace.upbound.io/providers/upbound/provider-aws
Apache License 2.0

ESS Vault - Fails to publish AWS RDS Connection Details containing autogenerated RDS Master DB Password to Vault #1297

Open shuknk8s opened 2 months ago

shuknk8s commented 2 months ago

Is there an existing issue for this?

Affected Resource(s)

rds.aws.upbound.io/v1beta2 in conjunction with ESS Vault

Resource MRs required to reproduce the bug

Hasan has both versions of the composition, with and without WriteSecretTo namespace.

Steps to Reproduce

  1. Follow the Crossplane ESS Vault doc to set up Vault integration with Crossplane.
  2. Create an AWS RDS PostgreSQL DB instance with autogenerate master password set to true in the composition.
  3. Try to publish connection details, including the master password, to Vault either directly using the MR or through a claim without writing the connection details to a namespaced secret (the ESS Vault doc does not specify the need to write the connection details to a secret, and doing so defeats the purpose of ESS Vault).
  4. Connection details such as host, address, port, username etc. get published to Vault, but the autogenerated master password gets excluded.
  5. If we write the connection details using write secret to namespace in the composition, then the master password gets included in the published connection details in Vault. This is contrary to the design of ESS Vault and poses a security risk, since a Kubernetes secret is inherently insecure. To honor the design of ESS Vault, Crossplane must ensure that connection details, including the auto-generated DB master password, are published directly to Vault without needing to write the connection secret in the k8s cluster.

What happened?

Per the ESS Vault document, the connection details of an MR should get published directly to Vault, but in reality they do not without first writing the connection details to the k8s cluster, especially when the connection details include an auto-generated DB master password.

Relevant Error Output Snippet

This issue has been discussed with Jared and Hasan at length in the slack.

Crossplane Version

1.15.2

Provider Version

latest upbound aws provider

Kubernetes Version

Client Version: v1.28.5 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: v1.28.8+k3s1

Kubernetes Distribution

k3s and openshift

Additional Info

https://crossplane.slack.com/archives/CEFQCGW1H/p1714675654509779?thread_ts=1714061533.429319&cid=CEFQCGW1H
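A minimal manifest for the setup described in steps 2 and 3, added here as an illustration and not taken from the reporter or the provider repository: an RDS Instance managed resource with the provider's autoGeneratePassword flag and Crossplane's publishConnectionDetailsTo pointing at an external store instead of writeConnectionSecretToRef. The region, sizing values, secret names and the StoreConfig name `vault` are placeholders, and the passwordSecretRef target is assumed from the provider's schema rather than stated on this page.

```yaml
apiVersion: rds.aws.upbound.io/v1beta2
kind: Instance
metadata:
  name: example-postgres
spec:
  forProvider:
    region: us-east-1                  # placeholder
    engine: postgres
    engineVersion: "15"
    instanceClass: db.t3.micro          # placeholder sizing
    allocatedStorage: 20
    username: masteruser
    # Step 2: let the provider generate the master password instead of
    # supplying one in a user-created secret.
    autoGeneratePassword: true
    # Secret the provider writes the generated password into
    # (assumed field usage; name and namespace are placeholders).
    passwordSecretRef:
      namespace: crossplane-system
      name: example-postgres-master
      key: password
    skipFinalSnapshot: true
  # Step 3: publish connection details straight to the external secret
  # store; deliberately no writeConnectionSecretToRef on this resource.
  publishConnectionDetailsTo:
    name: example-postgres-conn
    configRef:
      name: vault                       # StoreConfig of type Vault (placeholder name)
```

With this shape the report states that host, address, port and username reach Vault while the generated master password does not, and that it only appears once writeConnectionSecretToRef is added.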

shuknk8s commented 1 month ago

This defect has been proven genuine and has been accepted. Why do we need to use the deprecated writeconnectionsecrettoref and publishconnectiondetailsto to publish connection secret details to Vault? It appears that the feature has been rolled out without proper testing.