Do not render templates when decrypting neededForUsers secrets
#664
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This fixes Mic92#659 In Mic92#649, we started rendering templates twice: 1. When rendering `neededForUsers` secrets (if there are any `neededForUsers` secrets). 2. When decrypting "regular" secrets. This alone was weird and wrong, but didn't cause issues for people until Mic92#655, which triggered Mic92#659. The cause is not super obvious: 1. When rendering `neededForUsers` secrets, we'd generate templates in `/run/secrets-for-users/rendered`. 2. However, the `path` for these templates is in `/run/secrets/rendered`, which is not inside of the `/run/secrets-for-users` directory we're dealing with, so we'd generate a symlink from `/run/secrets/rendered/<foo>` to `/run/secrets-for-users/rendered/<foo>`, which required making the parent directory of the symlink (`/run/secrets/rendered/`). 3. This breaks sops-nix's assumption that `/run/secrets` either doesn't exist, or is a symlink, and you get the symptoms described in <Mic92#659>. Reproducing this in a test was straightforward: just expand our existing template test to also have a `neededForUsers` secret. Fixing this was also straightforward: don't render templates during the `neededForUsers` phase (if we want to add support for `neededForUsers` templates in the future, that would be straightforward to do, but I opted not do that here).
|
@mergify queue |
✅ The pull request has been merged automaticallyThe pull request has been merged automatically at eee831a |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes #659
In #649, we started rendering templates twice:
neededForUserssecrets (if there are anyneededForUserssecrets).This alone was weird and wrong, but didn't cause issues for people until #655, which triggered #659. The cause is not super obvious:
neededForUserssecrets, we'd generate templates in/run/secrets-for-users/rendered.pathfor these templates is in/run/secrets/rendered, which is not inside of the/run/secrets-for-usersdirectory we're dealing with, so we'd generate a symlink from/run/secrets/rendered/<foo>to/run/secrets-for-users/rendered/<foo>, which required making the parent directory of the symlink (/run/secrets/rendered/)./run/secretseither doesn't exist, or is a symlink, and you get the symptoms described in I'm running into a super strange issue with /run/secrets not working #659.Reproducing this in a test was straightforward: just expand our existing template test to also have a
neededForUserssecret.Fixing this was also straightforward: don't render templates during the
neededForUsersphase (if we want to add support forneededForUserstemplates in the future, that would be straightforward to do, but I opted not do that here).