Encrypt the token cache #952

Open
rucciva opened this issue Jun 25, 2023 · 1 comment · May be fixed by #973
Labels
enhancement New feature or request

Comments

rucciva commented Jun 25, 2023

Purpose of the feature (why)

To minimize what confidential data gets stored on the local machine.

Your idea (how)

options:

  1. add a flag that specifies environment variables that should contain the secret to encrypt/decrypt the token cache.
    • If the specified environment is empty, fail and show a message to instruct the user to set the env variables.
    • If not empty but wrong secret, do not use the cache and start the authentication over.
  2. integrate with OS secrets management, e.g. Mac's keychain or Windows Credential Manager (I don't know whether it's possible or not; what comes to mind is the way git stores credentials to connect to a remote server)
@rucciva rucciva added the enhancement New feature or request label Jun 25, 2023
@applejag

Suggest relying on the OS keyring. Environment variables aren't that safe. At least on Linux you can read environment variables from /proc/$PID/environ, which just uses file permissions. Not any safer than storing the credentials in ~/.kube directory.

Zalando has a great cross-platform implementation: https://github.com/zalando/go-keyring

@applejag applejag linked a pull request Aug 24, 2023 that will close this issue
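
A sketch of option 1 from the issue, covering both failure cases it lists (empty variable, wrong secret); this is an added example, not code from the project or from either commenter. The variable name `TOKEN_CACHE_SECRET`, the function names and the `nonce || ciphertext` layout are assumptions, and the secret is assumed to be a high-entropy random value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
)

var ErrNoSecret = errors.New("token cache secret is not set") // fail and instruct the user
var ErrCacheMiss = errors.New("token cache is unusable")      // start authentication over

// cacheAEAD keys AES-256-GCM from env var envName (assumed high-entropy, so SHA-256, no slow KDF).
func cacheAEAD(envName string) (cipher.AEAD, error) {
	secret := os.Getenv(envName)
	if secret == "" {
		return nil, fmt.Errorf("%w: export %s and retry", ErrNoSecret, envName)
	}
	key := sha256.Sum256([]byte(secret))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag for the cache bytes.
func Seal(a cipher.AEAD, plain []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plain, nil), nil
}

func Open(a cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := a.NonceSize(); len(sealed) >= n {
		if plain, err := a.Open(nil, sealed[:n], sealed[n:], nil); err == nil {
			return plain, nil
		}
	}
	return nil, ErrCacheMiss // wrong secret, truncated or tampered file
}

func main() {
	_, err := cacheAEAD("TOKEN_CACHE_SECRET") // hypothetical variable name
	fmt.Println("key source check:", err)
}
```

The key still lives in the process environment, so the `/proc/$PID/environ` exposure described in the reply above applies to it unchanged.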