From b21896ef7187dd087af60bbd46c19fdcc26e6284 Mon Sep 17 00:00:00 2001
From: Daniel Lipovetsky
Date: Thu, 18 Jan 2024 09:56:46 -0800
Subject: [PATCH] fix: Write sensitive cloud-init user-data into /etc/cloud/cloud.cfg.d

This allows cloud-init to read the user-data without using an #include, which always fails when cloud-init first runs.
---
 docs/book/src/topics/userdata-privacy.md | 5 -----
 .../secretsmanager/secret_fetch_script.go | 2 +-
 pkg/cloud/services/ssm/secret_fetch_script.go | 2 +-
 pkg/internal/mime/mime.go | 18 ------------------
 4 files changed, 2 insertions(+), 25 deletions(-)

diff --git a/docs/book/src/topics/userdata-privacy.md b/docs/book/src/topics/userdata-privacy.md
index 6bae238c39..7466a555a0 100644
--- a/docs/book/src/topics/userdata-privacy.md
+++ b/docs/book/src/topics/userdata-privacy.md
@@ -46,11 +46,6 @@ cloudInit:
 cloud-init does not print boothook script errors to the systemd journal. Logs for the script, if it errored can be found in `/var/log/cloud-init-output.log`
 
-### Warning messages
-
-Because cloud-init will attempt to read the final file at start, cloud-init will always print a `/etc/secret-userdata.txt cannot be found`
-message. This can be safely ignored.
-
 ### Secrets manager console
 
 The AWS secrets manager console should show secrets being created and deleted, with a lifetime of around a minute. No plaintext secret
diff --git a/pkg/cloud/services/secretsmanager/secret_fetch_script.go b/pkg/cloud/services/secretsmanager/secret_fetch_script.go
index d7d4accbe7..f31f3d5d1d 100644
--- a/pkg/cloud/services/secretsmanager/secret_fetch_script.go
+++ b/pkg/cloud/services/secretsmanager/secret_fetch_script.go
@@ -46,7 +46,7 @@ if [ "{{.Endpoint}}" != "" ]; then
 fi
 SECRET_PREFIX="{{.SecretPrefix}}"
 CHUNKS="{{.Chunks}}"
-FILE="/etc/secret-userdata.txt"
+FILE="/etc/cloud/cloud.cfg.d/99_kubeadm_bootstrap.cfg"
 FINAL_INDEX=$((CHUNKS - 1))
 
 # Log an error and exit.
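Review bot: The new `FILE` target receives the whole bootstrap user-data the commit itself calls sensitive (for kubeadm this typically includes join tokens and certificate keys), but the hunk changes only the path — the write to `$FILE` is outside the hunk, so please confirm it runs under `umask 077` or is followed by `chmod 0600 "$FILE"`, because drop-ins in `/etc/cloud/cloud.cfg.d/` are conventionally 0644 and readable by every local user. The old `/etc/secret-userdata.txt` was pulled in once through the `text/x-include-url` part this patch deletes, whereas anything left in `cloud.cfg.d` is merged into cloud-init's system config on every subsequent boot and survives in any image captured from the node; unless the script or the bootstrap config already deletes it (I cannot tell from here), the generated user-data should end with something like `runcmd: [ "rm -f /etc/cloud/cloud.cfg.d/99_kubeadm_bootstrap.cfg" ]` once kubeadm has finished. The `99_` prefix also sorts this file after every distro-supplied drop-in, so any `users`/`disable_root`-style keys in the bootstrap config silently override them; a comment next to the assignment would save the next reader the archaeology: `# 99_ sorts last so this config overrides distro drop-ins; it holds bootstrap secrets and must stay 0600`. The enclosing script template starts and ends outside this hunk.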
diff --git a/pkg/cloud/services/ssm/secret_fetch_script.go b/pkg/cloud/services/ssm/secret_fetch_script.go
index cc370ad01a..229e54247d 100644
--- a/pkg/cloud/services/ssm/secret_fetch_script.go
+++ b/pkg/cloud/services/ssm/secret_fetch_script.go
@@ -46,7 +46,7 @@ if [ "{{.Endpoint}}" != "" ]; then
 fi
 SECRET_PREFIX="{{.SecretPrefix}}"
 CHUNKS="{{.Chunks}}"
-FILE="/etc/secret-userdata.txt"
+FILE="/etc/cloud/cloud.cfg.d/99_kubeadm_bootstrap.cfg"
 FINAL_INDEX=$((CHUNKS - 1))
 
 # Log an error and exit.
diff --git a/pkg/internal/mime/mime.go b/pkg/internal/mime/mime.go
index 7f7b23aa8b..9344e51a2c 100644
--- a/pkg/internal/mime/mime.go
+++ b/pkg/internal/mime/mime.go
@@ -26,15 +26,7 @@ import (
 	"strings"
 )
 
-const (
-	includePart = "file:///etc/secret-userdata.txt\n"
-)
-
 var (
-	includeType = textproto.MIMEHeader{
-		"content-type": {"text/x-include-url"},
-	}
-
 	boothookType = textproto.MIMEHeader{
 		"content-type": {"text/cloud-boothook"},
 	}
@@ -83,16 +75,6 @@ func GenerateInitDocument(secretPrefix string, chunks int32, region string, endp
 		return []byte{}, err
 	}
 
-	includeWriter, err := mpWriter.CreatePart(includeType)
-	if err != nil {
-		return []byte{}, err
-	}
-
-	_, err = includeWriter.Write([]byte(includePart))
-	if err != nil {
-		return []byte{}, err
-	}
-
 	if err := mpWriter.Close(); err != nil {
 		return []byte{}, err
 	}
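Review bot: The path `/etc/cloud/cloud.cfg.d/99_kubeadm_bootstrap.cfg` is now hard-coded in this template exactly as in the secretsmanager one, and the previous location was additionally spelled out in `pkg/internal/mime/mime.go` — three copies is how the two fetchers and the docs drifted apart before; since the scripts are already Go templates (`{{.SecretPrefix}}`, `{{.Chunks}}`), a single shared constant rendered into both, e.g. `FILE="{{.OutputFile}}"` fed from `const BootstrapConfigPath = "/etc/cloud/cloud.cfg.d/99_kubeadm_bootstrap.cfg"`, would leave one place to change. The new location also depends on `/etc/cloud/cloud.cfg.d/` existing where `/etc` always did; if the write site (outside this hunk) does not already create it, `mkdir -p -m 0755 "$(dirname "$FILE")"` before the write turns a cryptic "No such file or directory" on a trimmed image into a non-issue, and the file itself should be created 0600 given that it carries the bootstrap secrets. The enclosing script template starts and ends outside this hunk.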