
Hardcoded secrets' names

Open astorath opened this issue 6 years ago • 12 comments

What should be cleaned up or changed

The following secrets' names are hardcoded and should be configurable through command line:

  • kubernetes-dashboard-key-holder
  • kubernetes-dashboard-certs
  • kubernetes-dashboard-csrf

Provide any links for context
  • https://github.com/kubernetes/dashboard/blob/a98910f62b9c88277cbb95c761125b21ae3311cd/src/app/backend/auth/api/types.go#L25
  • https://github.com/kubernetes/dashboard/blob/a98910f62b9c88277cbb95c761125b21ae3311cd/src/app/backend/auth/api/types.go#L28
  • https://github.com/kubernetes/dashboard/blob/79e490c7759d27dd67cbceaa28bc91e719149e6d/src/app/backend/client/api/types.go#L32

astorath avatar Jul 29 '19 09:07 astorath

We could do that, but it's not really critical or very useful for users. I'd say that this has a very low priority.

floreks avatar Jul 29 '19 09:07 floreks

@floreks this breaks helm charts naming design... Would you accept a PR?

astorath avatar Jul 29 '19 09:07 astorath

How does it break its naming design?

floreks avatar Jul 29 '19 10:07 floreks

Most (if not all) helm charts can override the names of all their resources with values (like nameOverride or fullnameOverride). Hardcoding resource names makes this impossible - you have to use the dashboard naming convention for secrets/configs.

Best practice: https://helm.sh/docs/chart_best_practices/#resource-naming-in-templates

E.g.:

  • https://github.com/helm/charts/blob/5928c0625b7604c191e3deac4a43885c82145aaa/stable/kubernetes-dashboard/templates/secret.yaml#L9
  • https://github.com/helm/charts/blob/5928c0625b7604c191e3deac4a43885c82145aaa/stable/prometheus/templates/server-configmap.yaml#L7
  • https://github.com/helm/charts/blob/5928c0625b7604c191e3deac4a43885c82145aaa/stable/postgresql/templates/secrets.yaml#L5

astorath avatar Jul 29 '19 11:07 astorath

Hmm... that's fine. If you are willing to create a PR to support that, I am fine with it.

floreks avatar Jul 29 '19 12:07 floreks

This makes it impossible to change the names of objects:

$ kubectl logs -f pod/kube-dashboard-68656f95c9-8t7vw
2019/09/14 13:18:52 Starting overwatch
2019/09/14 13:18:52 Using namespace: kube-dashboard
2019/09/14 13:18:52 Using in-cluster config to connect to apiserver
2019/09/14 13:18:52 Using secret token for csrf signing
2019/09/14 13:18:52 Initializing csrf token from kubernetes-dashboard-csrf secret
panic: secrets "kubernetes-dashboard-csrf" is forbidden: User "system:serviceaccount:kube-dashboard:kube-dashboard" cannot get resource "secrets" in API group "" in the namespace "kube-dashboard"

goroutine 1 [running]:
github.com/kubernetes/dashboard/src/app/backend/client/csrf.(*csrfTokenManager).init(0xc0003e8820)
	/home/travis/build/kubernetes/dashboard/src/app/backend/client/csrf/manager.go:40 +0x3b4
github.com/kubernetes/dashboard/src/app/backend/client/csrf.NewCsrfTokenManager(...)
	/home/travis/build/kubernetes/dashboard/src/app/backend/client/csrf/manager.go:65
github.com/kubernetes/dashboard/src/app/backend/client.(*clientManager).initCSRFKey(0xc0004f4280)
	/home/travis/build/kubernetes/dashboard/src/app/backend/client/manager.go:479 +0xc7
github.com/kubernetes/dashboard/src/app/backend/client.(*clientManager).init(0xc0004f4280)
	/home/travis/build/kubernetes/dashboard/src/app/backend/client/manager.go:447 +0x47
github.com/kubernetes/dashboard/src/app/backend/client.NewClientManager(...)
	/home/travis/build/kubernetes/dashboard/src/app/backend/client/manager.go:528
main.main()
	/home/travis/build/kubernetes/dashboard/src/app/backend/dashboard.go:105 +0x212

kissgyorgy avatar Sep 14 '19 13:09 kissgyorgy
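
Added example (not part of the thread and not Dashboard code): a minimal Go model of RBAC `resourceNames` matching, showing one way a `forbidden` error like the one in the log above can arise when a name-scoped Role follows renamed Secrets while the backend still requests the hardcoded names. The Role contents, the `prod-` prefix and all type and function names are assumptions constructed for illustration.

```go
package main

import "fmt"

// PolicyRule holds the RBAC rule fields relevant to this check.
type PolicyRule struct{ Verbs, Resources, ResourceNames []string }
// HardcodedSecrets are the three names listed in the issue.
var HardcodedSecrets = []string{"kubernetes-dashboard-key-holder",
	"kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"}
// has is an exact-match lookup (wildcards are left out of this sketch).
func has(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// Allowed mimics RBAC matching: an empty ResourceNames covers every name.
func Allowed(rules []PolicyRule, verb, resource, name string) bool {
	for _, r := range rules {
		nameOK := len(r.ResourceNames) == 0 || has(r.ResourceNames, name)
		if nameOK && has(r.Verbs, verb) && has(r.Resources, resource) {
			return true
		}
	}
	return false
}
// SecretRules builds a constructed name-scoped Role for prefixed Secrets.
func SecretRules(prefix string) []PolicyRule {
	var names []string
	for _, n := range HardcodedSecrets {
		names = append(names, prefix+n)
	}
	return []PolicyRule{{[]string{"get", "update"}, []string{"secrets"}, names}}
}
// Denied lists the hardcoded names a "get" would be refused for under rules.
func Denied(rules []PolicyRule) (out []string) {
	for _, n := range HardcodedSecrets {
		if !Allowed(rules, "get", "secrets", n) {
			out = append(out, n)
		}
	}
	return out
}
func main() {
	fmt.Println("original names:", Denied(SecretRules("")))
	fmt.Println("prefixed names:", Denied(SecretRules("prod-")))
}
```

With the prefixed Role, all three hardcoded names are refused even though the renamed Secrets themselves are readable, so the name-scoped grant stays intact but no longer covers what the backend asks for.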

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot avatar Dec 13 '19 14:12 fejta-bot

/lifecycle frozen

maciaszczykm avatar Dec 16 '19 07:12 maciaszczykm

There's an argument for --namespace. There should be an argument to configure these as well.

I exposed this bug today when learning Kustomize. I was setting up a "Production" overlay to learn how to use the software and the existence of this bug means that the Dashboard can never be deployed using Kustomize with an overlay that modifies the name via a prefix or suffix.

+1 from me. As a user this would be very useful.

zimmertr avatar Jan 06 '20 18:01 zimmertr

Raising the prio as it would allow dashboard to work in more setups.

maciaszczykm avatar Sep 02 '20 13:09 maciaszczykm

Hi guys, Is the same topic as https://github.com/kubernetes/dashboard/issues/7330 Can I work on this? Thanks in advance

JJotah avatar Sep 30 '22 15:09 JJotah

Go ahead, create a draft PR sooner rather than later to discuss the solution.

maciaszczykm avatar Sep 30 '22 18:09 maciaszczykm

Dashboard no longer uses these secrets. There is a settings config map whose name can be configured via args.

maciaszczykm avatar Mar 04 '24 14:03 maciaszczykm