cyberark / cloudfoundry-conjur-buildpack

Buildpack for the Conjur / Cloud Foundry integration
Apache License 2.0

Conjur Buildpack doesn't fail when retrieval of secrets fails #81

Closed TheSecMaven closed 4 years ago

TheSecMaven commented 4 years ago

Summary

Deployed an app that had Conjur secrets, saw in logs it said it was injecting the vars, then failed due to Conjur being down. Since the app certainly relies on Conjur for environment variables, we need the push to fail with an error or the app needs to fail to start up so that we are aware of this issue and don't have to dig in logs to find out.

Steps to Reproduce

Steps to reproduce the behavior:

  1. push an app with conjur secrets.yml and buildpack
  2. check logs that it failed to retrieve creds due to conjur connectivity/down issue
  3. see that app reports as up and started (no visible errors other than in logs)

Expected Results

app would fail to start/fail to push because it couldn't contact conjur

Actual Results (including error logs, if applicable)

app starts up without env vars that are required.

Reproducible

Version/Tag number

conjur_buildpack 1 true false conjur_buildpack-2.1.4.zip and a java app running springboot

Environment setup

PCF on premise

izgeri commented 4 years ago

@mkkeffeler thanks for filing this. I'm checking with our contacts at VMware to see if they have any insight into why the cf push process continues after a non-final buildpack specified in the app manifest or with the -b flag of the cf push command exits on a non-zero code.

From reviewing the app manifest and cf push documentation, it does not appear that you can indicate in your app manifest or with the cf push command that you want the push to fail if any specified buildpacks exit on an error code.

One way to manage this that occurs to me is to have your app startup process fail if the required secrets are not present in the app env - I'm not sure whether that's workable for your org, but I have low confidence that CF provides a solution for critical non-final buildpacks. I'll update this issue when I hear more on this.

TheSecMaven commented 4 years ago

Yeah, had considered that as well. We need something that doesn't require a developer know what to do, and rather they just push with their manifest and that manifest will fail it. Whatever that looks like.

izgeri commented 4 years ago

@mkkeffeler we've explored a few options with VMware and there doesn't seem to be a mechanism to force cf push to fail unless it fails in the compile phase of the language buildpack (e.g. not this buildpack). I don't know of another way to enforce this without application changes, unfortunately - it's a limitation of the system that this buildpack is running in.

We could explore options for providing other tooling that would verify that the buildpack completed its run and/or that secrets were appropriately injected. If you're interested in pursuing this route, I'd suggest working with your account executive to file an official enhancement request.

Since at this time I'm not aware of any changes we could make to the buildpack itself that would change this behavior, I'm going to close this issue for now.
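
The workaround raised in the thread, failing app startup when the required secrets are not in the environment, can be sketched as a small guard script. This is an added example, not code from the buildpack or from anyone in the thread; it assumes a flat `secrets.yml` with `NAME: !var path` entries, and the function names and secret paths are hypothetical.

```shell
#!/bin/sh
# Startup guard (added example): refuse to start when a secret declared in
# secrets.yml was not injected into the environment.

# Print the variable names declared as secrets (lines "NAME: !var path").
# Assumption: flat file, no environment sections.
required_secret_names() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\):[[:space:]]*!var.*/\1/p' "$1"
}

# Return 0 if every declared name is set and non-empty, 1 if any is missing,
# 2 if the file cannot be read. Only names are logged, never values.
check_required_secrets() {
    file=$1
    missing=""
    [ -r "$file" ] || { echo "FATAL: cannot read $file" >&2; return 2; }
    for name in $(required_secret_names "$file"); do
        # eval is safe here: the sed pattern only emits identifier characters.
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    value=""
    if [ -n "$missing" ]; then
        echo "FATAL: secrets not injected:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: two declared secrets, only one present in the env.
demo() {
    f=$(mktemp)
    printf '%s\n' 'DB_USER: !var app/db/username' \
                  'DB_PASS: !var app/db/password' > "$f"
    DB_USER=constructed-user; export DB_USER; unset DB_PASS
    check_required_secrets "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# Usage: guard.sh secrets.yml   (exit non-zero so the start command aborts)
#        guard.sh --demo        (run the constructed sample)
case "${1:-}" in
    "")     ;;
    --demo) demo || exit $? ;;
    *)      check_required_secrets "$1" || exit $? ;;
esac
```

Run ahead of the real process in the app's start command, a non-zero exit makes the instance crash at startup, so the missing secrets show up as a failed start instead of only in the logs.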