Skip to content

chore: Use internal secret for JWT key #686

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

chore: Use internal secret for JWT key #686

wants to merge 6 commits into from

Conversation

adwk67
Copy link
Member

@adwk67 adwk67 commented Sep 10, 2025
edited
Loading

Description

Fixes #639

This change is non-breaking as the secret is created and used only "internally". The user does not have to create a secret themselves. The sample applies for the connections.secretKey that is part of the credentials secret used for DB connection information: this has been removed from all code (incl. examples, tests) and replaced with an internal secret. If the field is still provided it will be ignored.

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes

Author

  • Changes are OpenShift compatible 🟢 tests
  • CRD changes approved
  • CRD documentation for all fields, following the style guide.
  • Helm chart can be installed and deployed operator works
  • Integration tests passed (for non trivial changes)
  • Changes need to be "offline" compatible
  • Links to generated (nightly) docs added
  • Release note snippet added

Reviewer

  • Code contains useful comments
  • Code contains useful logging statements
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Links to generated (nightly) docs added
  • Release note snippet added
  • Add type/deprecation label & add to the deprecation schedule
  • Add type/experimental label & add to the experimental features tracker

@adwk67 adwk67 moved this to Development: In Progress in Stackable Engineering Sep 10, 2025
@adwk67 adwk67 self-assigned this Sep 10, 2025
@adwk67 adwk67 marked this pull request as ready for review September 10, 2025 15:41
@adwk67 adwk67 moved this from Development: In Progress to Development: Waiting for Review in Stackable Engineering Sep 10, 2025
@adwk67 adwk67 requested a review from a team September 10, 2025 16:13
@maltesander maltesander self-requested a review September 15, 2025 07:15
@maltesander maltesander moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Sep 15, 2025
maltesander
maltesander requested changes Sep 15, 2025
View reviewed changes
rust/operator-binary/src/airflow_controller.rs Outdated
Comment on lines 1495 to 1499
fn get_random_base64(byte_size: usize) -> String {
let mut buf: Vec<u8> = vec![0; byte_size];
openssl::rand::rand_bytes(&mut buf).unwrap();
openssl::base64::encode_block(&buf)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need openssl for that?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is consistent with what we have done for Trino.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm with Malte here. Is there no easier way to generate random bytes without using openssl? Especially if we only need openssl for this? (I haven't checked)

Copy link
Member

@razvan razvan Sep 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nevermind. It's also openssl

Alternative (also from Trino): https://github.com/stackabletech/trino-operator/blob/d6943fcca7fc6f08ad08a4fbe20eb555db948455/rust/operator-binary/src/controller.rs#L1502

Copy link
Member

@sbernauer sbernauer Sep 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current PR state:

    let serial_number = rand::random::<u64>();
    let bytes = serial_number.to_le_bytes();
    general_purpose::STANDARD.encode(bytes)

I'm all in not using openssl!
I think a likely reason we went with openssl is cryptographics. One could unintentional hurt the security by using non-crypto rand function.

So I'm fine with rand, but we should only use the OsRng generator and document why and that we think this is sufficient. See https://github.com/rust-random/rand/blob/master/SECURITY.md#specific-generators

Also, can we increase the 64 bit to 256 bit or would we run into problems?
If we end up with a nice "secure" function we could also throw that in op-rs so we improve this in a central place.

@adwk67 adwk67 enabled auto-merge September 15, 2025 14:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@razvan razvan razvan left review comments

@lfrancke lfrancke lfrancke left review comments

@sbernauer sbernauer sbernauer left review comments

@maltesander maltesander maltesander requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@adwk67 adwk67

Labels
None yet
Projects
Stackable Engineering
Status: Development: In Review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Airflow 3.x: replace hard-coded JWT secret key with one read from a secret (or auto-generated)
5 participants
@adwk67 @razvan @lfrancke @maltesander @sbernauer