Allow ability to verify host key for git clone of datadir using SSH protocol #36

Open
edevosc2c opened this issue Jun 7, 2023 · 0 comments
Labels: enhancement (New feature or request)

edevosc2c commented Jun 7, 2023

Cause

Currently, we do not verify the host key when doing a git clone of datadir using the SSH protocol: https://github.com/georchestra/helm-georchestra/blob/main/templates/_bootstrap-georchestra-datadir.tpl#L18
HTTPS (the default protocol when simply deploying the helm chart) is not affected, as it verifies the TLS certificate.

If someone manages to perform a man-in-the-middle attack between the Kubernetes cluster and the final git repository, then an attacker could provide malicious configurations to the pods.

Some possibilities by providing malicious configurations:

  • allow some remote execution in some affected programs
  • deface the website
  • show different data, like their own metadata and so on

Solution

We should allow the ability to provide a host key in the values.yaml file so that git verifies the git server.
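
One way a bootstrap script could pin the git server's SSH host key, shown as an added example that is not part of the issue or of the chart's code. The function names, the key line and `git.example.org` are constructed for illustration; in the chart, the key line would come from a hypothetical values.yaml entry.

```shell
#!/bin/sh
# Added example, not the chart's code. The pinned key line would come from
# a hypothetical values.yaml entry, in known_hosts format:
#   "<host> <keytype> <base64-key>"

# Write a known_hosts file holding only the pinned key line.
# Fails (and writes nothing) on empty input or an unknown key type.
write_known_hosts() {
    key_line=$1
    out=$2
    # Split into fields with globbing disabled so the key is never expanded.
    set -f; set -- $key_line; set +f
    [ $# -ge 3 ] || return 1
    case $2 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # Subshell keeps the restrictive umask local to this write.
    ( umask 077; printf '%s\n' "$key_line" > "$out" )
}

# Build an ssh command that trusts only the pinned file:
# StrictHostKeyChecking=yes refuses unknown or changed host keys, and the
# global known_hosts file is disabled so nothing else can vouch for the host.
pinned_ssh_command() {
    printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -o GlobalKnownHostsFile=/dev/null' "$1"
}

# Clone the datadir over SSH; the clone is not attempted without a valid key.
clone_datadir() {
    repo=$1
    dest=$2
    key_line=$3
    kh=$(mktemp) || return 1
    if ! write_known_hosts "$key_line" "$kh"; then
        rm -f "$kh"
        echo "refusing to clone: missing or malformed host key" >&2
        return 1
    fi
    rc=0
    GIT_SSH_COMMAND=$(pinned_ssh_command "$kh") git clone "$repo" "$dest" || rc=$?
    rm -f "$kh"
    return $rc
}
```

With this in place, a server presenting a different key makes `ssh` abort before any repository data is transferred, so the clone fails instead of delivering attacker-controlled configuration.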
