karmada icon indicating copy to clipboard operation
karmada copied to clipboard
verified publisher icon karmada-io

Redact sensitive information from the karmadactl init command output

Open zhzhuang-zju opened this issue 1 year ago • 2 comments

What type of PR is this? /kind feature

What this PR does / why we need it: The karmadactl init command, at the end of the initializtaion, writes some sensitive information in the stdout, like token, in its karmadactl register example. This will bring up two issues:

  • data leak, for instance in CI/CD logs image

  • The token's validity period is one day. Users may not join the pull mode member clusters immediately after installing Karmada, causing the secret to expire.

I hope the command output to be how to do rather than what to do. Users can follow the steps in the command output as needed.

Which issue(s) this PR fixes: Fixes #

Special notes for your reviewer: Modified command output:

Register cluster with 'Pull' mode

Step 1: Create bootstrap tokens and get the full 'karmadactl register' flag needed to register the member cluster using the token.
(In karmada)~# karmadactl token create --print-register-command --kubeconfig /etc/init/members/karmada-apiserver.config
karmadactl register [karmada-apiserver-endpoint] --token [token] --discovery-token-ca-cert-hash [ca-cert-hash]

Step 2: Use the output result from step 1 to register the cluster to Karmada control plane. "--cluster-name" is set to cluster of current-context by default.
(In member cluster)~# karmadactl register [karmada-apiserver-endpoint] --token [token] --discovery-token-ca-cert-hash [ca-cert-hash]

Step 3: Show members of karmada
(In karmada)~# karmadactl --kubeconfig /etc/init/members/karmada-apiserver.config get clusters

Does this PR introduce a user-facing change?:

zhzhuang-zju avatar Oct 19 '24 09:10 zhzhuang-zju

:warning: Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 94.44444% with 1 line in your changes missing coverage. Please review.

Project coverage is 46.24%. Comparing base (72cfef5) to head (429f2d3). Report is 2 commits behind head on master.

Files with missing lines Patch % Lines
pkg/karmadactl/cmdinit/kubernetes/deploy.go 0.00% 1 Missing :warning:

:exclamation: Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #5714      +/-   ##
==========================================
+ Coverage   46.18%   46.24%   +0.05%     
==========================================
  Files         663      663              
  Lines       54592    54575      -17     
==========================================
+ Hits        25215    25236      +21     
+ Misses      27752    27717      -35     
+ Partials     1625     1622       -3
Flag Coverage Δ
unittests 46.24% <94.44%> (+0.05%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov-commenter avatar Oct 19 '24 09:10 codecov-commenter

/assign @RainbowMango

zhzhuang-zju avatar Nov 25 '24 11:11 zhzhuang-zju

OK. Please rebase the code to make the new tests happy.

RainbowMango avatar Nov 25 '24 12:11 RainbowMango

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

karmada-bot avatar Nov 26 '24 03:11 karmada-bot