From b9e2d0a40089a7db7d573985c87ef8e08ed29a7b Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Tue, 27 Feb 2024 16:33:32 +0000
Subject: [PATCH] fix(coderd): mark provisioner daemon psk as secret (#12322)

* fix(coderd): mark provisioner daemon psk as secret

Marks provisioner daemon PSK with the secret annotation. This ensures it will be scrubbed from API requests to /api/v2/deployment/config.

* make gen
---
 cli/testdata/server-config.yaml.golden | 3 ---
 coderd/deployment_test.go | 2 ++
 codersdk/deployment.go | 2 +-
 codersdk/deployment_test.go | 3 +++
 docs/cli/server.md | 1 -
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/cli/testdata/server-config.yaml.golden b/cli/testdata/server-config.yaml.golden
index dfc1d0ca15..8996387ff4 100644
--- a/cli/testdata/server-config.yaml.golden
+++ b/cli/testdata/server-config.yaml.golden
@@ -383,9 +383,6 @@ provisioning:
 # Time to force cancel provisioning tasks that are stuck.
 # (default: 10m0s, type: duration)
 forceCancelInterval: 10m0s
- # Pre-shared key to authenticate external provisioner daemons to Coder server.
- # (default: , type: string)
- daemonPSK: ""
 # Enable one or more experiments. These are not ready for production. Separate
 # multiple experiments with commas, or enter '*' to opt-in to all available
 # experiments.
diff --git a/coderd/deployment_test.go b/coderd/deployment_test.go
index 66e3990e25..c087526ed0 100644
--- a/coderd/deployment_test.go
+++ b/coderd/deployment_test.go
@@ -27,6 +27,7 @@ func TestDeploymentValues(t *testing.T) {
 cfg.PostgresURL.Set(hi)
 cfg.SCIMAPIKey.Set(hi)
 cfg.ExternalTokenEncryptionKeys.Set("the_random_key_we_never_expected,an_other_key_we_never_unexpected")
+ cfg.Provisioner.DaemonPSK = "provisionersftw"
 client := coderdtest.New(t, &coderdtest.Options{
 DeploymentValues: cfg,
@@ -46,6 +47,7 @@ func TestDeploymentValues(t *testing.T) {
 require.Empty(t, scrubbed.Values.PostgresURL.Value())
 require.Empty(t, scrubbed.Values.SCIMAPIKey.Value())
 require.Empty(t, scrubbed.Values.ExternalTokenEncryptionKeys.Value())
+ require.Empty(t, scrubbed.Values.Provisioner.DaemonPSK.Value())
 }

 func TestDeploymentStats(t *testing.T) {
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
index 4c1acb143d..fc13d53c26 100644
--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -1408,7 +1408,7 @@ when required by your organization's security policy.`,
 Env: "CODER_PROVISIONER_DAEMON_PSK",
 Value: &c.Provisioner.DaemonPSK,
 Group: &deploymentGroupProvisioning,
- YAML: "daemonPSK",
+ Annotations: clibase.Annotations{}.Mark(annotationSecretKey, "true"),
 },
 // RateLimit settings
 {
diff --git a/codersdk/deployment_test.go b/codersdk/deployment_test.go
index 250be46461..b3f4bc83e2 100644
--- a/codersdk/deployment_test.go
+++ b/codersdk/deployment_test.go
@@ -71,6 +71,9 @@ func TestDeploymentValues_HighlyConfigurable(t *testing.T) {
 flag: true,
 env: true,
 },
+ "Provisioner Daemon Pre-shared Key (PSK)": {
+ yaml: true,
+ },
 }

 set := (&codersdk.DeploymentValues{}).Options()
diff --git a/docs/cli/server.md b/docs/cli/server.md
index f678041901..5a32845378 100644
--- a/docs/cli/server.md
+++ b/docs/cli/server.md
@@ -779,7 +779,6 @@ Serve prometheus metrics on the address defined by prometheus address.
 | ----------- | ------------------------------------------ |
 | Type | string |
 | Environment | $CODER_PROVISIONER_DAEMON_PSK |
-| YAML | provisioning.daemonPSK |

 Pre-shared key to authenticate external provisioner daemons to Coder server.
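Review bot: Replacing `YAML: "daemonPSK",` with the `Annotations:` line in codersdk/deployment.go does more than mark the value secret: it removes the option's YAML key altogether, which the golden-file and docs hunks in this same patch confirm, so a deployment that sets `provisioning.daemonPSK` in its server config file silently stops supplying the PSK (and, depending on how clibase treats unknown YAML keys, may fail to start). Dropping the YAML surface for a secret may well be the project's convention, but the commit message describes only the API-response scrubbing, so the removal should be stated there and in release notes as a breaking change for file-based configuration, with `CODER_PROVISIONER_DAEMON_PSK` named as the replacement. If scrubbing was the only intent, `YAML: "daemonPSK",` and `Annotations: clibase.Annotations{}.Mark(annotationSecretKey, "true"),` can coexist, unless the project forbids YAML on secret-annotated options — not visible from this patch. The enclosing Option literal begins before the hunk.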
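Review bot: The new exception entry `"Provisioner Daemon Pre-shared Key (PSK)": { yaml: true }` in codersdk/deployment_test.go carries no explanation, and in a list that reads as "options permitted to lack a configuration surface" a bare entry looks like an oversight rather than a deliberate policy. A comment on the entry, `// Secret (annotationSecretKey): intentionally not settable from YAML config; use the flag or env var.`, records the reason next to the exemption. The map key must match the option's Name string exactly and that definition is not in this patch, so it is worth confirming that the test would fail rather than pass vacuously if the name drifts. The enclosing test function and the map literal begin outside the hunk.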