[3006.x] Document gpg_decrypt_must_succeed opt-in and upcoming default flip#69597
Open
dwoz wants to merge 1 commit into
Conversation
Contributor:
This is a breaking change. Isn't the point of the .x release branches to be stable? Why is salt even still supporting 3 concurrent releases?
Branch force-pushed from e051403 to 1be5ff7.
Commit message:

3006.x is LTS; we cannot change the default of gpg_decrypt_must_succeed here. Instead, document the risk of silent GPG decryption failures (issue saltstack#41846), how to opt in for fail-loud behavior, and announce the upcoming default flip.

Silent decrypt failures allow the raw GPG-armored ciphertext to pass through pillar rendering unchanged; consumers such as file.managed's contents_pillar then write the ciphertext to disk in place of the decrypted secret, exposing encrypted-at-rest data. Users should set "gpg_decrypt_must_succeed: True" in their minion or master config now to get a SaltRenderError on failure instead of silent corruption.

The default was flipped to True in Potassium (3009.0) and will flip in a future 3006.x release.

Also drops the now-stale warn_until("Chlorine") block in the gpg renderer -- the deprecation notice pointed at a Chlorine (3007) default flip that never happened on 3006.x, and the docstring warning is a more accurate replacement.

Adds two unit tests pinning the 3006.x contract:
- default config returns ciphertext silently on decrypt failure (guards against an inadvertent flip)
- explicit gpg_decrypt_must_succeed: True raises SaltRenderError

Refs saltstack#41846
Branch force-pushed from 1be5ff7 to f1809ce.
What does this PR do?
Documents the risk of silent GPG decryption failures on 3006.x, how to opt in for fail-loud behavior, and announces the upcoming default flip of gpg_decrypt_must_succeed. Does not change the default on 3006.x (LTS compatibility).

Why
Silent decrypt failures allow the raw GPG-armored ciphertext to pass through pillar rendering unchanged. Consumers such as file.managed's contents_pillar then write the ciphertext to disk in place of the decrypted secret, exposing encrypted-at-rest data. See #41846.

Since 3006.x is an LTS release we cannot flip the default here (same principle as #69443). Instead, this PR:
- expands the salt.renderers.gpg module docstring
- drops the warn_until("Chlorine", ...) block whose deprecation-target release (Chlorine == 3007) never triggered a flip on 3006.x

Prior art
- gpg_decrypt_must_succeed option, defaulted False. Present on 3006.x.
- Defaulted True. Present on 3007.x, 3008.x, master.

What issues does this PR fix or reference?
Refs #41846

Changes
- salt/renderers/gpg.py: expand module docstring with a warning:: block explaining the risk, the recommended opt-in (gpg_decrypt_must_succeed: True), and the upcoming default change; drop the stale warn_until("Chlorine", ...) fall-through.
- tests/pytests/unit/renderers/test_gpg.py: add two regression tests — one pinning the silent-default contract on 3006.x, one verifying the opt-in path raises.
- changelog/41846.deprecated.md.

Recommended user action on 3006.x
Merge requirements satisfied?
Commits signed with GPG?
Yes
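The following is an added example, not Salt's code and not part of this PR. It models the two behaviours the description contrasts (silent ciphertext pass-through under the 3006.x default versus a SaltRenderError under the opt-in) and adds the check an operator would want while the default is still False: a scan of rendered pillar data for PGP armor that survived rendering. `fake_gpg_decrypt`, the local `SaltRenderError`, `SAMPLE_PILLAR` and `KEYRING` are constructed stand-ins; the real renderer lives in salt.renderers.gpg and calls the gpg binary.

```python
"""Stand-in for the pillar GPG renderer's two failure modes, plus a leak check.
Not Salt's code: a simplified model of what this PR documents for 3006.x."""
import re

# Armor markers of a PGP message; the regex itself is this example's own.
GPG_BLOCK = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL
)


class SaltRenderError(Exception):
    """Local stand-in for salt.exceptions.SaltRenderError."""


class DecryptError(Exception):
    """Raised by the hypothetical gpg backend when decryption fails."""


def fake_gpg_decrypt(ciphertext, keyring):
    """Hypothetical backend: the armor body carries a fake key id so the
    example needs no real gpg. Decrypts only if that key id is in `keyring`."""
    m = re.search(r"key=(\w+)\s+secret=(\S+)", ciphertext)
    if not m or m.group(1) not in keyring:
        raise DecryptError("gpg: decryption failed: No secret key")
    return m.group(2)


def render_value(value, keyring, must_succeed=False):
    """Render one string pillar value.

    must_succeed=False (3006.x default): a failed decrypt leaves the armored
    ciphertext in place, which is the silent failure the PR warns about.
    must_succeed=True (the documented opt-in): raise SaltRenderError instead.
    """
    def _sub(match):
        try:
            return fake_gpg_decrypt(match.group(0), keyring)
        except DecryptError as exc:
            if must_succeed:
                raise SaltRenderError(f"Could not decrypt cipher: {exc}") from exc
            return match.group(0)  # silent pass-through of the ciphertext
    return GPG_BLOCK.sub(_sub, value)


def render_pillar(pillar, keyring, must_succeed=False):
    """Walk a nested pillar structure and render every string leaf."""
    if isinstance(pillar, dict):
        return {k: render_pillar(v, keyring, must_succeed) for k, v in pillar.items()}
    if isinstance(pillar, list):
        return [render_pillar(v, keyring, must_succeed) for v in pillar]
    if isinstance(pillar, str):
        return render_value(pillar, keyring, must_succeed)
    return pillar


def find_armor_leaks(rendered):
    """Post-render check: key paths whose value still contains PGP armor,
    i.e. ciphertext that consumers such as file.managed's contents_pillar
    would write to disk in place of the secret."""
    leaks = []

    def _walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                _walk(v, path + (k,))
        elif isinstance(node, list):
            for i, v in enumerate(node):
                _walk(v, path + (i,))
        elif isinstance(node, str) and GPG_BLOCK.search(node):
            leaks.append(":".join(str(p) for p in path))

    _walk(rendered, ())
    return leaks


# Constructed sample pillar: one block the minion's key can open, one it cannot.
SAMPLE_PILLAR = {
    "db": {
        "password": "-----BEGIN PGP MESSAGE-----\nkey=MINION1 secret=s3cr3t\n"
                    "-----END PGP MESSAGE-----",
        "api_token": "-----BEGIN PGP MESSAGE-----\nkey=MASTERONLY secret=tok\n"
                     "-----END PGP MESSAGE-----",
    },
    "plain": "not encrypted",
}
KEYRING = {"MINION1"}  # constructed: the only key this "minion" holds


if __name__ == "__main__":
    silent = render_pillar(SAMPLE_PILLAR, KEYRING)          # 3006.x default
    print("leaked ciphertext at:", find_armor_leaks(silent))  # ['db:api_token']
    try:
        render_pillar(SAMPLE_PILLAR, KEYRING, must_succeed=True)
    except SaltRenderError as exc:
        print("opt-in mode failed loudly:", exc)
```

The leak check is the part worth keeping: until the default flips, running `find_armor_leaks` over the JSON that `salt-call --out=json pillar.items` returns on a minion (or over rendered file contents) catches the exact condition the PR describes, a secret that rendered as its own ciphertext, before a file.managed state writes it to disk.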