
Epic: Get rid of OTS (One-Time Secret)

Open csweichel opened this issue 2 years ago • 6 comments

Summary

The one-time secret (OTS) mechanism is used to deliver secrets to the workspace cluster. It's not location-aware, which breaks workspace startup across regions.

Context

The one-time secret (OTS) mechanism is used to deliver secrets to the workspace cluster. During workspace startup, server will create up to three OTS:

  • one for the SCM token
  • one for the Gitpod token
  • potentially one for environment variables

A one-time secret is stored in the database and identified by a UUID. Using this UUID it can be downloaded once, after which it's removed from the database. When the OTS is created, server produces a URL from which the OTS can be downloaded. This URL is not location-specific, but uses the load balancer (i.e. gitpod.io/...).

Because the different regions use different databases which are synchronised using db-sync, and because the OTS URL is not region-aware, a workspace created in another region will race db-sync. This can lead to workspace startup failure.

Value

Removing OTS will

  • reduce failure modes (see https://github.com/gitpod-io/gitpod/issues/8096)
  • enable cross-region prebuilds (see https://github.com/gitpod-io/gitpod/issues/6650)
  • reduce complexity in webapp

Acceptance Criteria

This work is complete when

  • there's a secure way to keep secrets on the workspace side (Kubernetes secrets qualify here)
  • the OTS mechanism is no longer in use for shipping secrets
  • the OTS mechanism has been removed from the code-base

Measurement

We are successful here when there's no loss of functionality, and no more need for the OTS mechanism.

Tasks

  • [x] Add "secret" support to ws-manager, where a StartWorkspace request can carry named secrets
  • [x] Ship the SCM token as named secret and pass it to ws-daemon during InitWorkspace
  • [x] Ship the Gitpod token as named secret and pass it as environment variable to supervisor
  • [x] Ship the user's environment variables as named secrets and pass as environment variables to the workspace
  • [x] https://github.com/gitpod-io/gitpod/issues/12554
  • [ ] https://github.com/gitpod-io/gitpod/issues/11318
  • [ ] Load testing
  • [ ] Remove old OTS code

csweichel avatar May 19 '22 17:05 csweichel
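
The race described under "Context" in the issue above, as an added Go model that is not Gitpod's code: each region is an in-memory map, `Sync` stands in for db-sync, and the download is answered by the workspace region's database because the URL carries no region. The type and function names, the UUID and the secret value are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrNotFound = errors.New("ots: no such secret in this region")

// Region is one regional database: OTS UUID -> secret (constructed model).
type Region map[string]string

// Fetch is the one-time download: return the secret, then delete the row.
func (r Region) Fetch(id string) (string, error) {
	secret, ok := r[id]
	if !ok {
		return "", ErrNotFound
	}
	delete(r, id)
	return secret, nil
}

// Sync stands in for db-sync: copy rows the destination does not have yet.
func Sync(src, dst Region) {
	for id, secret := range src {
		if _, ok := dst[id]; !ok {
			dst[id] = secret
		}
	}
}

// Startup creates an OTS in the server's region, then downloads it from the
// workspace's region, because the URL carries no region and the load
// balancer answers from whichever database is local to the caller.
func Startup(dbs map[string]Region, serverRegion, wsRegion string, synced bool) (string, error) {
	const id = "00000000-0000-4000-8000-000000000001" // constructed UUID
	dbs[serverRegion][id] = "scm-token-example"       // constructed secret
	if synced {
		Sync(dbs[serverRegion], dbs[wsRegion])
	}
	return dbs[wsRegion].Fetch(id)
}

func main() {
	for _, synced := range []bool{true, false} {
		dbs := map[string]Region{"eu": {}, "us": {}}
		_, err := Startup(dbs, "eu", "us", synced)
		fmt.Printf("db-sync finished first=%v -> err=%v\n", synced, err)
	}
}
```

When the download wins the race against `Sync`, the workspace region returns `ErrNotFound`, which corresponds to the startup failure the issue describes.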

Added to workspace teams' project, even though it's shared work between WebApp and Workspace, to avoid this being forgotten.

atduarte avatar May 23 '22 18:05 atduarte

@atduarte Added for Team WebApp as well! Please notify when you have the interface changes (w/o impl, maybe). Happy to jump on the changes on our end.

geropl avatar Jun 02 '22 12:06 geropl

@kylos101 Should we sync on the current status here? I feel we're pretty close. :+1:

geropl avatar Jul 19 '22 08:07 geropl

Next step IMHO is to connect the protected_secrets workspace feature flag to ConfigCat and roll this out slowly.

csweichel avatar Aug 01 '22 10:08 csweichel

@csweichel what about the integration test?

atduarte avatar Aug 01 '22 21:08 atduarte

Added: https://github.com/gitpod-io/gitpod/issues/12554 to the epic

kylos101 avatar Sep 08 '22 18:09 kylos101

@atduarte this is In-Validation now.

@Furisto I see that the protected_secrets flag still exists in ConfigCat. Can we remove now?

kylos101 avatar Nov 10 '22 00:11 kylos101

There still seems to be an OTS implementation on Server, and it's also being called/used - metrics

easyCZ avatar Nov 10 '22 08:11 easyCZ

@easyCZ @kylos101 I believe @geropl wanted to remove it.

Furisto avatar Nov 10 '22 16:11 Furisto

From an internal conversation it looks like the other client which is generating traffic against the OTS endpoints are Desktop IDEs.

@loujaybee @akosyakov Would you be able to validate if this is indeed the case and the Desktop IDEs use the OTS? What would be the effort to remove OTS from them so that we can remove the endpoints entirely?

easyCZ avatar Nov 24 '22 08:11 easyCZ

@kylos101 @csweichel Does it mean we can remove SUPERVISOR_ENVVAR_OTS now?

Also https://github.com/gitpod-io/gitpod/blob/09642abbc398c43b91aa305295460fdf3cf942a9/components/supervisor/pkg/supervisor/config.go#L348-L365 is not used anymore? i.e https://github.com/gitpod-io/gitpod/commit/34e5648ace77d4d89ad97b50a471e58124b9020f seems to remove it

akosyakov avatar Nov 28 '22 09:11 akosyakov

@akosyakov maybe? I added a conversation here, socializing that it would help to get more data about the client.

kylos101 avatar Nov 28 '22 23:11 kylos101

@akosyakov @easyCZ inboxed this epic to IDE and WebApp, as there appears to be some additional cleanup needed to fully remove OTS, and set the status for workspace back to In-Validation.

kylos101 avatar Nov 28 '22 23:11 kylos101

@akosyakov @kylos101 @atduarte FYI: I thought we can close this issue, but it turns out there is one thing left: AdditionalContentContext. :grimacing:

@kylos101 Let's sync how we want to go about this one.

geropl avatar Feb 15 '23 11:02 geropl

After discussing with @kylos101: Let's close this one and continue the tiny bit left here: https://github.com/gitpod-io/gitpod/issues/16481.

geropl avatar Feb 20 '23 17:02 geropl