v3.0.1
2024-07-30
What's Changed
Breaking Changes 🛠
feat: Inject git provider SSH key using K8s secret
New Features 🎉
feat: Release self-hosted pipekit Helm Chart
feat: Add yaml tab to Pipe run page
feat: Automatically link URLs in logs
feat: Add rotate deploy key endpoint and UI support
Bug Fixes and Dependency Updates 🐞
Security Advisory: Rotate Pipe SSH Deploy Keys for Enhanced Security
Summary
Users within your Pipekit Organization can view the YAML configuration for completed workflows via the Pipekit web interface and API. Historically, Pipekit included the private SSH key for your Git provider within the Workflow YAML. This allowed users to interact with your Git provider, potentially with elevated permissions.
Issue
The private SSH key is no longer included in the YAML for new Pipe Runs. However, it is possible that users can still copy the key from runs executed before this change was implemented.
Recommendation
To mitigate this risk, we strongly recommend rotating your private SSH key to invalidate the old key. Follow these steps to rotate the SSH key:
Navigate to the "Pipes" section and locate an affected Pipe.
Click on "Settings".
Select "Rotate Pipe SSH Deploy Key".
Repeat these steps for all affected Pipes.
Impact
Please note that you may not be able to successfully resubmit previous runs for the affected Pipes, as the old SSH key may have a different name to the new one.
By taking these actions, you will protect your Git provider from unauthorized access.
About Pipekit
Pipekit is the control plane for Argo Workflows. Platform teams use Pipekit to manage data & CI pipelines at scale, while giving developers self-serve access to Argo. Pipekit's unified logging view, Workflow Metrics dashboards, enterprise-grade RBAC and multi-cluster management capabilities lower maintenance costs for platform teams while delivering a superior devex for Argo users. Sign up for a 30-day free trial at pipekit.io/signup.
Last updated