Add ability to use existing PSK secrets

[pranavgaikwad]

Signed-off-by: Pranav Gaikwad pgaikwad@redhat.com

Describe what this PR does

• Introduces new field in Transport Options to specify existing secrets:
  • Secrets may either contain TLS certs or a Pre-Shared Key
  • New secret is not created if existing secret is valid
• Updates rsync termination logic:
  • Rsync client will now send a file to a known location on the server to indicate transfer completion, server will exit when the file is present in destination. Previously, _exit message was read from server logs to exit
  • Transport container will exit when underlying Transfer is gone

Is there anything that requires special attention?
~This PR does NOT add support for creating a new PSK when existing is invalid. Creating PSK is not supported in go currently [1]. Users will need to provide their existing PSK in a secret. If not provided, library will default to creating new TLS certs instead. ~

Updated to create a 32 byte long PSK key. Stunnel requires key to be base64 encoded.

Related issues:
[1] golang/go#6379

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pranavgaikwad

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pranavgaikwad]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[pranavgaikwad]

/cc @JohnStrunk

[JohnStrunk]

For generating the PSK, we should be able to just use:

pvc-transfer/transfer/transfer.go

Lines 182 to 194 in 2171849

	func GeneratePassword() (string, error) {
	var letters = []byte("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
	password := make([]byte, 24)
	for i := 0; i < 24; i++ {
	num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
	if err != nil {
	return "", err
	}
	password = append(password, letters[num.Int64()])
	}
	return string(password), nil
	}

This creates a ~128bit key:

• Each character provides: ln(26*2)/ln(2) bits of entropy = 5.7
• 5.7 * 24 characters = 136 bits

... looking at the rest of the PR now

[JohnStrunk]

It looks like [transfer] got moved to below the key specification... was this intentional (and ok?)

[pranavgaikwad]

@JohnStrunk Yes, the settings will apply to all subsections including the one used for termination. Its kind of a global setting across mutliple transfers

[JohnStrunk]

Maybe call this UsePSK or something? It's still TLS, even w/ the PSK, it's just TLS-PSK instead of using public-key crypto.

[JohnStrunk]

I'm not following the flow...
I assume this goes with the change to foreground = no. Is the logic here:

• we're putting stunnel in the bg and having the script (main entrypoint) probe the connection's availability
• When it's no longer available, the entrypoint terminates, bringing the container down and killing the background stunnel process since the container terminates?

[pranavgaikwad]

@JohnStrunk That's correct.

[JohnStrunk]

24 --> 32 bytes?

[pranavgaikwad]

@JohnStrunk yeah as per Stunnel documentation, stunnel allows either 16 or 32 bytes PSK. I didn't really try giving a 24 bytes value, I can check if its something we want to do.

[JohnStrunk]

No problem. The comment just says 24, but the implementation is 32.

[pranavgaikwad]

ahh okay.

[JohnStrunk]

/lgtm