hcloud-cloud-controller-manager icon indicating copy to clipboard operation
hcloud-cloud-controller-manager copied to clipboard
verified publisher icon hetznercloud

feat: allow arbitrary length API tokens

Open kamushadenes opened this issue 1 year ago • 5 comments

Context

We have developed a soon-to-be-open-source proxy that forces specific labels in order to provide scoped API access, and that doesn't expose the real API token. This was created to have better control of resources inside the same project (as API tokens currently lack granularity), and to be able to use a single project securely, given that it isn't possible to create a project via the API.

One of it's operating modes is using JWT as a virtual self-validating token, which can't have a fixed size.

This support is required to make full use of it inside a Kubernetes cluster.

The feature is behind a default-false flag so it shouldn't interfere with current behavior.

Related

https://github.com/kubernetes/autoscaler/pull/7285 https://github.com/hetznercloud/csi-driver/pull/724

kamushadenes avatar Sep 28 '24 01:09 kamushadenes

Hey @kamushadenes,

I will respond here, but the same applies to the other two PRs:

This sounds very interesting. I am not sure if a flag is necessary, or if we just want to the whole validation. I will talk to the team responsible for tokens next week and will report back afterwards.

apricote avatar Sep 30 '24 14:09 apricote

Hey @kamushadenes,

we talked about this today internally. We would prefer not to add any additional flags or environment variables to disable the check.

We also do not think that the check is strictly necessary. Instead we would prefer to change the errors when len(token) != 64 to a warning message but allow the token. This would also help us in the future if we ever change the format of our API tokens.

Do you want to update your PRs to log warnings or should we do work on that?

apricote avatar Oct 07 '24 08:10 apricote

Hey @apricote, thanks for getting back!

Makes total sense, I'll update the PRs in a couple hours when my day starts.

kamushadenes avatar Oct 07 '24 08:10 kamushadenes

Done!

kamushadenes avatar Oct 07 '24 09:10 kamushadenes

Codecov Report

Attention: Patch coverage is 0% with 1 line in your changes missing coverage. Please review.

Project coverage is 70.59%. Comparing base (6b132c1) to head (74703d3). Report is 60 commits behind head on main.

Files with missing lines Patch % Lines
internal/config/config.go 0.00% 1 Missing :warning:
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #752      +/-   ##
==========================================
- Coverage   72.00%   70.59%   -1.41%     
==========================================
  Files          31       31              
  Lines        2650     3299     +649     
==========================================
+ Hits         1908     2329     +421     
- Misses        553      795     +242     
+ Partials      189      175      -14

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Oct 07 '24 11:10 codecov[bot]

This PR has been marked as stale because it has not had recent activity. The bot will close the PR if no further action occurs.

github-actions[bot] avatar Jan 05 '25 12:01 github-actions[bot]

Hey,

I checkout out the branch and there is only a small linting error with respect to import sorting. This can be fixed with golangci-lint run --fix. Otherwise, looks good :+1:

lukasmetzner avatar Jan 07 '25 15:01 lukasmetzner

Oops, thanks for noticing, fixed!

kamushadenes avatar Jan 07 '25 15:01 kamushadenes