Disabled the CrateDB parameter node.attr.zone due to security concerns

Update CHANGES.rst Co-authored-by: Georg Traar <[email protected]> Update crate/operator/create.py Co-authored-by: Georg Traar <[email protected]>
crate · Jul 10, 2024 · d7f62a6 · d7f62a6
1 parent b6b631a
commit d7f62a6
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 10 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,8 +4,11 @@ Changelog
 
 Unreleased
 ----------
+
 * Increase memory for grand central, reduce CPU limit.
 
+* Changed the ``node.attr.zone`` parameter for AWS to use IMDSv2.
+
 2.39.0 (2024-05-22)
 -------------------
 

diff --git a/crate/operator/create.py b/crate/operator/create.py
@@ -453,9 +453,16 @@ def get_statefulset_crate_command(
             }
         )
 
+    # Availability zone retrieval at pod launch time
     if config.CLOUD_PROVIDER == CloudProvider.AWS:
-        url = "http://169.254.169.254/latest/meta-data/placement/availability-zone"
-        settings["-Cnode.attr.zone"] = f"$(curl -s '{url}')"
+        aws_cmd = (
+            "curl -s -X PUT 'http://169.254.169.254/latest/api/token' "
+            "-H 'X-aws-ec2-metadata-token-ttl-seconds: 120' | "
+            "xargs -I {} curl -s "
+            "'http://169.254.169.254/latest/meta-data/placement/availability-zone'"
+            " -H 'X-aws-ec2-metadata-token: {}'"
+        )
+        settings["-Cnode.attr.zone"] = f"$({aws_cmd})"
     elif config.CLOUD_PROVIDER == CloudProvider.AZURE:
         url = "http://169.254.169.254/metadata/instance/compute/zone?api-version=2020-06-01&format=text"  # noqa
         settings["-Cnode.attr.zone"] = f"$(curl -s '{url}' -H 'Metadata: true')"

diff --git a/tests/test_create.py b/tests/test_create.py
@@ -634,19 +634,26 @@ def test_node_and_cluster_settings_may_override(self):
         assert "-Cnode.attr.some_cluster_setting=cluster" in cmd
 
     @pytest.mark.parametrize(
-        "provider, url",
+        "provider, url, header",
         [
             (
                 CloudProvider.AWS,
-                "http://169.254.169.254/latest/meta-data/placement/availability-zone",
+                "-X PUT 'http://169.254.169.254/latest/api/token'",
+                " -H 'X-aws-ec2-metadata-token-ttl-seconds: 120' | xargs -I {} curl -s 'http://169.254.169.254/latest/meta-data/placement/availability-zone' -H 'X-aws-ec2-metadata-token: {}'",  # noqa
             ),
             (
                 CloudProvider.AZURE,
-                "http://169.254.169.254/metadata/instance/compute/zone?api-version=2020-06-01&format=text",  # noqa
+                "'http://169.254.169.254/metadata/instance/compute/zone?api-version=2020-06-01&format=text'",  # noqa
+                " -H 'Metadata: true'",
+            ),
+            (
+                CloudProvider.GCP,
+                "'http://169.254.169.254/computeMetadata/v1/instance/zone'",
+                " -H 'Metadata-Flavor: Google' | rev | cut -d '/' -f 1 | rev",
             ),
         ],
     )
-    def test_zone_attr(self, provider, url):
+    def test_zone_attr(self, provider, url, header):
         with mock.patch("crate.operator.create.config.CLOUD_PROVIDER", provider):
             cmd = get_statefulset_crate_command(
                 namespace="some-namespace",
@@ -670,10 +677,7 @@ def test_zone_attr(self, provider, url):
                 is_data=True,
                 crate_version="4.6.3",
             )
-        additional_args = ""
-        if provider == CloudProvider.AZURE:
-            additional_args = " -H 'Metadata: true'"
-        assert f"-Cnode.attr.zone=$(curl -s '{url}'{additional_args})" in cmd
+        assert f"-Cnode.attr.zone=$(curl -s {url}{header})" in cmd
 
     @pytest.mark.parametrize(
         "node_settings, cluster_settings",