fix: Write sensitive cloud-init user-data into /etc/cloud/cloud.cfg.d

This allows cloud-init to read the user-data without using an #include, which always fails when cloud-init first runs.
kubernetes-sigs · Mar 8, 2024 · b21896e · b21896e
1 parent 5aa9d22
commit b21896e
Show file tree

Hide file tree

Showing 4 changed files with 2 additions and 25 deletions.
diff --git a/docs/book/src/topics/userdata-privacy.md b/docs/book/src/topics/userdata-privacy.md
@@ -46,11 +46,6 @@ cloudInit:
 cloud-init does not print boothook script errors to the systemd journal. Logs for the script, if it errored can be found in
 `/var/log/cloud-init-output.log`
 
-### Warning messages
-
-Because cloud-init will attempt to read the final file at start, cloud-init will always print a `/etc/secret-userdata.txt cannot be found`
-message. This can be safely ignored.
-
 ### Secrets manager console
 
 The AWS secrets manager console should show secrets being created and deleted, with a lifetime of around a minute. No plaintext secret

diff --git a/pkg/cloud/services/secretsmanager/secret_fetch_script.go b/pkg/cloud/services/secretsmanager/secret_fetch_script.go
@@ -46,7 +46,7 @@ if [ "{{.Endpoint}}" != "" ]; then
 fi
 SECRET_PREFIX="{{.SecretPrefix}}"
 CHUNKS="{{.Chunks}}"
-FILE="/etc/secret-userdata.txt"
+FILE="/etc/cloud/cloud.cfg.d/99_kubeadm_bootstrap.cfg"
 FINAL_INDEX=$((CHUNKS - 1))
 
 # Log an error and exit.

diff --git a/pkg/cloud/services/ssm/secret_fetch_script.go b/pkg/cloud/services/ssm/secret_fetch_script.go
@@ -46,7 +46,7 @@ if [ "{{.Endpoint}}" != "" ]; then
 fi
 SECRET_PREFIX="{{.SecretPrefix}}"
 CHUNKS="{{.Chunks}}"
-FILE="/etc/secret-userdata.txt"
+FILE="/etc/cloud/cloud.cfg.d/99_kubeadm_bootstrap.cfg"
 FINAL_INDEX=$((CHUNKS - 1))
 
 # Log an error and exit.

diff --git a/pkg/internal/mime/mime.go b/pkg/internal/mime/mime.go
@@ -26,15 +26,7 @@ import (
 	"strings"
 )
 
-const (
-	includePart = "file:///etc/secret-userdata.txt\n"
-)
-
 var (
-	includeType = textproto.MIMEHeader{
-		"content-type": {"text/x-include-url"},
-	}
-
 	boothookType = textproto.MIMEHeader{
 		"content-type": {"text/cloud-boothook"},
 	}
@@ -83,16 +75,6 @@ func GenerateInitDocument(secretPrefix string, chunks int32, region string, endp
 		return []byte{}, err
 	}
 
-	includeWriter, err := mpWriter.CreatePart(includeType)
-	if err != nil {
-		return []byte{}, err
-	}
-
-	_, err = includeWriter.Write([]byte(includePart))
-	if err != nil {
-		return []byte{}, err
-	}
-
 	if err := mpWriter.Close(); err != nil {
 		return []byte{}, err
 	}