
Tumblr Opensources Kubernetes Utilities - byxorna
https://engineering.tumblr.com/post/182013497734/open-sourcing-our-kubernetes-tools
======
p1necone
My tinfoil hat is telling me that the engineers are pushing to open source as
much as possible before the company inevitably goes under due to the recent
banning of NSFW content.

~~~
excalibur
That's actually not coming from the hat, you're receiving signals of the
site's impending collapse _through_ the foil. You way want to consider adding
a few more layers.

------
throwaway_129
Not a cryptographer, but a few things irked me about the secret projector
encryption features:

1\. Calls it AES-CBC, but it's using AES-GCM
[https://github.com/tumblr/k8s-secret-
projector/blob/master/p...](https://github.com/tumblr/k8s-secret-
projector/blob/master/pkg/encryption/cbc/block.go#L88)

2\. Encryption key generation (edited: from a password) uses a hash function
rather than using a KDF. Short hashes are padded (takes first N bytes required
to hit max length, appends to end) or trimmed to the appropriate length.
[https://github.com/tumblr/k8s-secret-
projector/blob/master/p...](https://github.com/tumblr/k8s-secret-
projector/blob/master/pkg/encryption/cbc/key.go#L43)

~~~
byxorna
Fair points :)

Do you have any examples of using a KDF that jives with the bitlength
requirements of a given cipher?

~~~
leetbulb
There's an RFC for that:
[https://tools.ietf.org/html/rfc5869](https://tools.ietf.org/html/rfc5869)

Doesn't look like the Go API[1] allows you to specify an output key material
length, so you'd just truncate or iterate until you get however much material
you need (The HKDF Wiki implementation does this[2]).

1:
[https://godoc.org/golang.org/x/crypto/hkdf](https://godoc.org/golang.org/x/crypto/hkdf)

2:
[https://en.wikipedia.org/wiki/HKDF#Example:_Python_implement...](https://en.wikipedia.org/wiki/HKDF#Example:_Python_implementation)

~~~
throwaway_129
You don't want to generate key material from a password with hkdf. From the
RFC:

 _On the other hand, it is anticipated that some applications will not be able
to use HKDF "as-is" due to specific operational requirements, or will be able
to use it but without the full benefits of the scheme. One significant example
is the derivation of cryptographic keys from a source of low entropy, such as
a user's password. The extract step in HKDF can concentrate existing entropy
but cannot amplify entropy. In the case of password-based KDFs, a main goal is
to slow down dictionary attacks using two ingredients: a salt value,and the
intentional slowing of the key derivation computation. HKDF naturally
accommodates the use of salt; however, a slowing down mechanism is not part of
this specification. Applications interested in a password-based KDF should
consider whether, for example, [PKCS5] meets their needs better than HKDF._

~~~
leetbulb
Ah, excuse my skimming. I wasn't aware it was being generated from a password.
:x

------
AndyNemmity
That config injector seems super useful. I immediately start to wonder what
subset of config options I can inject, and actually get the application to
update.

~~~
byxorna
K8s will update mounted ConfigMaps "live" in your pod, by updating a symlink.
If your application is using inotify or file polling to watch the ConfigMap as
a volume, you can reconfigure your app when changes happen (or signal your
liveness probe you should be terminated to reload latest config).

~~~
wetpaste
This partly solves a big problem for me, which was how do I keep those
configmaps up to date for a bunch of customers with a legacy application that
writes UI config updates to a local xml config file. I wanted that file to
live inside of configmaps but I have this problem. I already found a bash
script that does inotify pushes to git (called git-watch), but I didn't have
the other half of this equation. The missing half was getting those new config
changes applied back into the configmap.

------
mikesun
I hope Regulator has been decommissioned ;)

~~~
byxorna
How did you see my Q1 TODO list?

~~~
heinstrom
;)

------
solarkraft
I miss Tumblr.

