[ws-manager-mk2] Protect tokens #16763
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Furisto
added
team: workspace
|
started the job as gitpod-build-fo-protected-tokens-3.3 because the annotations in the pull request description changed |
|
started the job as gitpod-build-fo-protected-tokens-3.5 because the annotations in the pull request description changed |
|
started the job as gitpod-build-fo-protected-tokens-3.7 because the annotations in the pull request description changed |
|
started the job as gitpod-build-fo-protected-tokens-3.8 because the annotations in the pull request description changed |
Furisto
force-pushed
the
fo/protected-tokens-3
branch
from
67cc554 to
dcb21e0
Compare
Furisto
force-pushed
the
fo/protected-tokens-3
branch
from
207271c to
ae62756
Compare
Furisto
force-pushed
the
fo/protected-tokens-3
branch
from
ae62756 to
8389e32
Compare
roboquat
added
release-note-none
and removed
do-not-merge/release-note-label-needed
labels
|
Closed in favor of #16806 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Store sensitive workspace data (tokens) in short lived Kubernetes secrets. When a workspace start is requested we create a secret (named workspaceid-tokens) that contains the tokens extracted from the content initializer. The tokens will be removed from the content initializer.
The secret itself will live in a separate namespace so that we can narrow down the scope of permissions we need to give to ws-daemon so that it can access the secrets. When the content init happens in ws-daemon the secrets will be injected into the initializer again and the secret will be deleted once the workspace reaches the
runningphase but latest when it reaches thestoppedphase.Related Issue(s)
n.a.
How to test
Release Notes
Build Options:
Run the build with werft instead of GHA
leeway-target=components:all
Run Leeway with
--dont-testPublish Options
Installer Options
Add desired feature flags to the end of the line above, space separated
Preview Environment Options:
If enabled this will build
install/previewIf enabled this will create the environment on GCE infra
Valid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh