Uploaded image for project: 'OpenShift Cloud'
  1. OpenShift Cloud
  2. OCPCLOUD-2433

[upstream] CAPA: Ignition: add option to store User Data in plain text


    • Icon: Story Story
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • None
    • None
    • 3
    • False
    • None
    • False
    • CLOUD Sprint 247, CLOUD Sprint 248, CLOUD Sprint 249

      User Story

      As a user I want the ability to store AWS CAPI Ignition data in EC2 Instance User Data.


      For Machine bootstrapping CAPA supports one main method: CloudInit and one experimental method: Ignition.

      For the former, CAPA used to store the User Data that the bootstrapper would use to fulfill its job in the EC2 Instance User Data in plain text.

      This was not considered the most secure way to provide this configuration to a machine as a process/subject with the power to query the instance metadata could be able to read this config, which may contain certs, keys and other forms of secrets.

      As such to minimize this issue, a new default method was added, where the controller would now leverage AWS SSM to encrypt the user data before storing it in the EC2 Instance User Data. The previous method of storing User Data in plain text was kept available as an alternative option to users, which would be able to access it by providing the InsecureSkipSecretsManager option in the AWSMachine spec.

      Later on, when the new Ignition bootstrapping support was added, the creators, already aware of the security implications of storing User Data in plain text,
      decided to opt for a more secure default. After briefly looking at using AWS SSM encryption also for Ignition, they acknowledged that it wasn't possible due to Ignition's lack of support for multi mime types. Hence they went for using S3 Buckets to store the config in objects, and have ignition fetch it at bootstrap time from there, and this did the trick.

      Up until now this has been the only option to achieve Ignition bootstrapping.
      However even if this is a better option from a security standpoint than storing User Data in plain text, and as such the preferred option for a good default,
      it requires the ability to provision/access S3 Buckets, which is not always possible/desirable in specific scenarios, as well as not suitable for certain type of bespoke CAPI bootstrap providers.

      As such we would like to introduce for Ignition, similarly to what is available for CloudInit, the ability to store User Data in the EC2 Instance in plain text.
      Of course we know this is not the best option from a security standpoint, and as such we want to make it a fallback option that users can leverage if their use case does not allow the use of S3 buckets. We mentioned in the docs, and in the API that this option is discouraged and we trust CAPA users will use this with care.


      • Merge upstream PR


      • Cloud team

      Definition of Done

      • Merge upstream PR

            ddonati@redhat.com Damiano Donati
            ddonati@redhat.com Damiano Donati
            0 Vote for this issue
            1 Start watching this issue