fix(security): harden transit unseal credential handling (#473)

Signed-off-by: Roel de Cort <roel.decort@adfinis.com>

Author: dc-tec

api/v1alpha1/openbaocluster_types.go

@@ -1217,7 +1217,7 @@ type GatewayReference struct {
 // TransitSealConfig configures the Transit seal type.
 // See: https://openbao.org/docs/configuration/seal/transit/
 type TransitSealConfig struct {
-	// Address is the full address to the OpenBao cluster.
+	// Address is the full HTTPS address to the OpenBao cluster providing the Transit seal.
 	// +kubebuilder:validation:MinLength=1
 	Address string `json:"address"`
 

charts/openbao-operator/crds/openbao.org_openbaoclusters.yaml

@@ -4314,7 +4314,8 @@ spec:
                       Required when Type is "transit".
                     properties:
                       address:
-                        description: Address is the full address to the OpenBao cluster.
+                        description: Address is the full HTTPS address to the OpenBao
+                          cluster providing the Transit seal.
                         minLength: 1
                         type: string
                       disableRenewal:

charts/openbao-operator/templates/admission/validate-openbaocluster.yaml

@@ -157,13 +157,27 @@ spec:
         size(object.spec.unseal.transit.token) == 0
       message: Hardened profile does not allow spec.unseal.transit.token; use spec.unseal.credentialsSecretRef instead.
     - expression: >-
-        !has(object.spec.profile) ||
-        object.spec.profile != "Hardened" ||
         !has(object.spec.unseal) ||
         !has(object.spec.unseal.transit) ||
         !has(object.spec.unseal.transit.address) ||
         object.spec.unseal.transit.address.startsWith("https://")
-      message: Hardened profile requires spec.unseal.transit.address to use HTTPS.
+      message: Transit unseal address must use HTTPS.
+    - expression: >-
+        !has(object.spec.unseal) ||
+        !has(object.spec.unseal.transit) ||
+        !has(object.spec.unseal.transit.address) ||
+        !(
+          object.spec.unseal.transit.address.contains("@") ||
+          object.spec.unseal.transit.address.contains("?") ||
+          object.spec.unseal.transit.address.contains("#") ||
+          object.spec.unseal.transit.address.matches("^https://([^/?#@]*\\.)?localhost([:/?#].*)?$") ||
+          object.spec.unseal.transit.address.matches("^https://127\\.0\\.0\\.1([:/?#].*)?$") ||
+          object.spec.unseal.transit.address.contains("[::1]") ||
+          object.spec.unseal.transit.address.matches("^https://169\\.254\\..*") ||
+          object.spec.unseal.transit.address.contains("[fe80:") ||
+          object.spec.unseal.transit.address.matches("^https://[0-9]+([:/?#].*)?$")
+        )
+      message: Transit unseal address must not include userinfo, query, fragment, localhost, loopback, link-local, or numeric host forms.
     - expression: >-
         !has(object.spec.unseal) ||
         !has(object.spec.unseal.transit) ||
@@ -333,13 +347,21 @@ spec:
         object.spec.profile != "Hardened" ||
         object.spec.replicas >= 3
       message: "Hardened profile requires at least 3 replicas for Raft quorum HA. Use Profile=Development for non-HA deployments."
-    # Block references to system secrets in backup/upgrade
+    # Confused-deputy protection: users configuring unseal Secret credentials must be able to read that Secret.
+    - expression: >-
+        !has(object.spec.unseal) ||
+        !has(object.spec.unseal.credentialsSecretRef) ||
+        authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.unseal.credentialsSecretRef.name).check("get").allowed()
+      message: "Users configuring unseal credentials must be authorized to get spec.unseal.credentialsSecretRef."
+    # Block references to system secrets in unseal/backup/upgrade
     - expression: >-
+        (!has(object.spec.unseal) || !has(object.spec.unseal.credentialsSecretRef) ||
+          !object.spec.unseal.credentialsSecretRef.name.matches("^.*-(unseal-key|root-token|tls-ca|tls-server)$")) &&
         (!has(object.spec.backup) || !has(object.spec.backup.target.credentialsSecretRef) ||
           !object.spec.backup.target.credentialsSecretRef.name.matches("^.*-(unseal-key|root-token|tls-ca|tls-server)$")) &&
         (!has(object.spec.backup) || !has(object.spec.backup.tokenSecretRef) ||
           !object.spec.backup.tokenSecretRef.name.matches("^.*-(unseal-key|root-token|tls-ca|tls-server)$"))
-      message: "References to system secrets (unseal-key, root-token, tls-ca, tls-server) are prohibited in backup configurations to prevent confused deputy attacks."
+      message: "References to system secrets (unseal-key, root-token, tls-ca, tls-server) are prohibited in unseal and backup configurations to prevent confused deputy attacks."
     # Storage Immutability: Prevent storage class changes (immutable in StatefulSet)
     - expression: >-
         oldObject == null ||

config/crd/bases/openbao.org_openbaoclusters.yaml

@@ -4313,7 +4313,8 @@ spec:
                       Required when Type is "transit".
                     properties:
                       address:
-                        description: Address is the full address to the OpenBao cluster.
+                        description: Address is the full HTTPS address to the OpenBao
+                          cluster providing the Transit seal.
                         minLength: 1
                         type: string
                       disableRenewal:

config/policy/openbao-validate-openbaocluster.yaml

@@ -154,13 +154,27 @@ spec:
         size(object.spec.unseal.transit.token) == 0
       message: Hardened profile does not allow spec.unseal.transit.token; use spec.unseal.credentialsSecretRef instead.
     - expression: >-
-        !has(object.spec.profile) ||
-        object.spec.profile != "Hardened" ||
         !has(object.spec.unseal) ||
         !has(object.spec.unseal.transit) ||
         !has(object.spec.unseal.transit.address) ||
         object.spec.unseal.transit.address.startsWith("https://")
-      message: Hardened profile requires spec.unseal.transit.address to use HTTPS.
+      message: Transit unseal address must use HTTPS.
+    - expression: >-
+        !has(object.spec.unseal) ||
+        !has(object.spec.unseal.transit) ||
+        !has(object.spec.unseal.transit.address) ||
+        !(
+          object.spec.unseal.transit.address.contains("@") ||
+          object.spec.unseal.transit.address.contains("?") ||
+          object.spec.unseal.transit.address.contains("#") ||
+          object.spec.unseal.transit.address.matches("^https://([^/?#@]*\\.)?localhost([:/?#].*)?$") ||
+          object.spec.unseal.transit.address.matches("^https://127\\.0\\.0\\.1([:/?#].*)?$") ||
+          object.spec.unseal.transit.address.contains("[::1]") ||
+          object.spec.unseal.transit.address.matches("^https://169\\.254\\..*") ||
+          object.spec.unseal.transit.address.contains("[fe80:") ||
+          object.spec.unseal.transit.address.matches("^https://[0-9]+([:/?#].*)?$")
+        )
+      message: Transit unseal address must not include userinfo, query, fragment, localhost, loopback, link-local, or numeric host forms.
     - expression: >-
         !has(object.spec.unseal) ||
         !has(object.spec.unseal.transit) ||
@@ -330,13 +344,21 @@ spec:
         object.spec.profile != "Hardened" ||
         object.spec.replicas >= 3
       message: "Hardened profile requires at least 3 replicas for Raft quorum HA. Use Profile=Development for non-HA deployments."
-    # Block references to system secrets in backup/upgrade
+    # Confused-deputy protection: users configuring unseal Secret credentials must be able to read that Secret.
+    - expression: >-
+        !has(object.spec.unseal) ||
+        !has(object.spec.unseal.credentialsSecretRef) ||
+        authorizer.group("").resource("secrets").namespace(request.namespace).name(object.spec.unseal.credentialsSecretRef.name).check("get").allowed()
+      message: "Users configuring unseal credentials must be authorized to get spec.unseal.credentialsSecretRef."
+    # Block references to system secrets in unseal/backup/upgrade
     - expression: >-
+        (!has(object.spec.unseal) || !has(object.spec.unseal.credentialsSecretRef) ||
+          !object.spec.unseal.credentialsSecretRef.name.matches("^.*-(unseal-key|root-token|tls-ca|tls-server)$")) &&
         (!has(object.spec.backup) || !has(object.spec.backup.target.credentialsSecretRef) ||
           !object.spec.backup.target.credentialsSecretRef.name.matches("^.*-(unseal-key|root-token|tls-ca|tls-server)$")) &&
         (!has(object.spec.backup) || !has(object.spec.backup.tokenSecretRef) ||
           !object.spec.backup.tokenSecretRef.name.matches("^.*-(unseal-key|root-token|tls-ca|tls-server)$"))
-      message: "References to system secrets (unseal-key, root-token, tls-ca, tls-server) are prohibited in backup configurations to prevent confused deputy attacks."
+      message: "References to system secrets (unseal-key, root-token, tls-ca, tls-server) are prohibited in unseal and backup configurations to prevent confused deputy attacks."
     # Storage Immutability: Prevent storage class changes (immutable in StatefulSet)
     - expression: >-
         oldObject == null ||

config/samples/production/openbao_v1alpha1_openbaocluster_transit.yaml

@@ -81,10 +81,9 @@ spec:
 #   namespace: openbaocluster-transit
 # type: Opaque
 # stringData:
-#   VAULT_TOKEN: "s.Qf1s5zigZ4OX6akYjQXJC1jY"
+#   token: "s.Qf1s5zigZ4OX6akYjQXJC1jY"
 #   # Optional: CA certificate for TLS verification
 #   # ca.crt: |
 #   #   -----BEGIN CERTIFICATE-----
 #   #   ...
 #   #   -----END CERTIFICATE-----
-

docs/reference/api.md

@@ -1830,7 +1830,7 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `address` _string_ | Address is the full address to the OpenBao cluster. |  | MinLength: 1 <br /> |
+| `address` _string_ | Address is the full HTTPS address to the OpenBao cluster providing the Transit seal. |  | MinLength: 1 <br /> |
 | `token` _string_ | Token is the OpenBao token to use for authentication.<br />Note: It is strongly recommended to use CredentialsSecretRef instead of setting this directly. |  | Optional: \{\} <br /> |
 | `keyName` _string_ | KeyName is the transit key to use for encryption and decryption. |  | MinLength: 1 <br /> |
 | `mountPath` _string_ | MountPath is the mount path to the transit secret engine. |  | MinLength: 1 <br /> |

docs/user-guide/openbaocluster/configuration/unseal.md

@@ -63,6 +63,9 @@ For production-oriented clusters, use an external trust source such as cloud KMS
 <Callout type="note" title="What the operator validates before Pods can use Secret-backed credentials">
 
 - `spec.unseal.credentialsSecretRef` must reference a Secret in the same namespace as the `OpenBaoCluster`.
+- Transit unseal addresses must use HTTPS and must not include userinfo, query, fragment, localhost, loopback, link-local, or numeric host forms.
+- Users configuring transit `credentialsSecretRef` must also be authorized to `get` the referenced Secret.
+- Transit unseal credentials cannot reference operator-managed system Secrets such as `<cluster>-root-token`, `<cluster>-unseal-key`, `<cluster>-tls-ca`, or `<cluster>-tls-server`.
 - Any unseal field that points to a mounted credential file must use a path under `/etc/bao/seal-creds`.
 - The Secret key name must match the filename used in the mounted path.
 - When you use private ACME trust rooted under `/etc/bao/seal-creds`, include `pki-ca.crt` in the same Secret so probes and day-2 operations can trust the ACME issuer too.
@@ -111,7 +114,7 @@ For production-oriented clusters, use an external trust source such as cloud KMS
         "Transit",
         "Needed whenever you do not rely only on an inline token and Secret-backed files are referenced.",
         "`token`, plus any mounted files referenced by `tlsCACert`, `tlsClientCert`, and `tlsClientKey`.",
-        "If client cert auth is used, the certificate and key must both be present and form a valid key pair.",
+        "Use an orphan or periodic token with only update permissions on the transit encrypt/decrypt paths. If client cert auth is used, the certificate and key must both be present and form a valid key pair.",
       ],
       emphasis: "recommended",
     },

internal/service/bootstrap/unseal_validation.go

@@ -15,21 +15,24 @@ func (m *Manager) validateUnsealPrerequisites(ctx context.Context, cluster *open
 	if cluster == nil || cluster.Spec.Unseal == nil {
 		return nil
 	}
+	if err := validateUnsealCredentialsSecretRef(cluster); err != nil {
+		return providerPrerequisitesError(err)
+	}
 
 	switch cluster.Spec.Unseal.Type {
-	case "", "static":
+	case "", portopenbao.SealTypeStatic:
 		return nil
 	case unsealTypeTransit:
 		return m.validateTransitUnsealPrerequisites(ctx, cluster)
-	case "awskms":
+	case portopenbao.SealTypeAWSKMS:
 		return m.validateAWSKMSUnsealPrerequisites(ctx, cluster)
-	case "azurekeyvault":
+	case portopenbao.SealTypeAzureKeyVault:
 		return m.validateAzureKeyVaultUnsealPrerequisites(ctx, cluster)
-	case "gcpckms":
+	case portopenbao.SealTypeGCPCKMS:
 		return m.validateGCPCKMSUnsealPrerequisites(ctx, cluster)
-	case "kmip":
+	case portopenbao.SealTypeKMIP:
 		return m.validateKMIPUnsealPrerequisites(ctx, cluster)
-	case "ocikms":
+	case portopenbao.SealTypeOCIKMS:
 		return m.validateOCIKMSUnsealPrerequisites(ctx, cluster)
 	case portopenbao.SealTypePKCS11:
 		return m.validatePKCS11UnsealPrerequisites(ctx, cluster)

internal/service/bootstrap/unseal_validation_test.go

@@ -41,6 +41,104 @@ func TestValidateTransitUnsealPrerequisites(t *testing.T) {
 		}
 	})
 
+	t.Run("transit address rejects insecure and ambiguous destinations", func(t *testing.T) {
+		tests := []struct {
+			name    string
+			address string
+			want    string
+		}{
+			{
+				name:    "plain http",
+				address: "http://infra-bao.example",
+				want:    "must use HTTPS",
+			},
+			{
+				name:    "userinfo",
+				address: "https://token@infra-bao.example",
+				want:    "must not include userinfo",
+			},
+			{
+				name:    "localhost",
+				address: "https://localhost:8200",
+				want:    "must not point to localhost",
+			},
+			{
+				name:    "loopback ip",
+				address: "https://127.0.0.1:8200",
+				want:    "must not point to loopback",
+			},
+			{
+				name:    "link local ip",
+				address: "https://169.254.169.254/latest/meta-data",
+				want:    "must not point to loopback",
+			},
+			{
+				name:    "query",
+				address: "https://infra-bao.example?token=leak",
+				want:    "must not include query or fragment",
+			},
+			{
+				name:    "numeric host",
+				address: "https://2130706433:8200",
+				want:    "must not use numeric host forms",
+			},
+		}
+
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				cluster := newMinimalCluster("transit-address-"+tt.name, "default")
+				cluster.Spec.Unseal = &openbaov1alpha1.UnsealConfig{
+					Type: "transit",
+					Transit: &openbaov1alpha1.TransitSealConfig{
+						Address:   tt.address,
+						KeyName:   "autounseal",
+						MountPath: "transit/",
+						Token:     "inline-token",
+					},
+				}
+
+				mgr := NewManager(newTestClient(t), testScheme, "operator-system")
+				err := mgr.validateUnsealPrerequisites(context.Background(), cluster)
+				if err == nil {
+					t.Fatal("validateUnsealPrerequisites() error = nil, want error")
+				}
+				if !errors.Is(err, operatorerrors.ErrPermanentPrerequisitesMissing) {
+					t.Fatalf("expected permanent prerequisites missing error, got %v", err)
+				}
+				if !strings.Contains(err.Error(), tt.want) {
+					t.Fatalf("error = %q, want substring %q", err.Error(), tt.want)
+				}
+			})
+		}
+	})
+
+	t.Run("transit credentials Secret cannot reference operator managed system Secrets", func(t *testing.T) {
+		cluster := newMinimalCluster("transit-system-secret", "default")
+		cluster.Spec.Unseal = &openbaov1alpha1.UnsealConfig{
+			Type: "transit",
+			CredentialsSecretRef: &corev1.LocalObjectReference{
+				Name: "transit-system-secret-root-token",
+			},
+			Transit: &openbaov1alpha1.TransitSealConfig{
+				Address:   "https://infra-bao.example",
+				KeyName:   "autounseal",
+				MountPath: "transit/",
+			},
+		}
+
+		mgr := NewManager(newTestClient(t), testScheme, "operator-system")
+		err := mgr.validateUnsealPrerequisites(context.Background(), cluster)
+		if err == nil {
+			t.Fatal("validateUnsealPrerequisites() error = nil, want error")
+		}
+		if !errors.Is(err, operatorerrors.ErrPermanentPrerequisitesMissing) {
+			t.Fatalf("expected permanent prerequisites missing error, got %v", err)
+		}
+		if !strings.Contains(err.Error(), "operator-managed system Secret") {
+			t.Fatalf("error = %q, want operator-managed system Secret", err.Error())
+		}
+	})
+
 	t.Run("secret-backed transit files require credentials Secret", func(t *testing.T) {
 		cluster := newMinimalCluster("transit-missing-secret-ref", "default")
 		cluster.Spec.Unseal = &openbaov1alpha1.UnsealConfig{
@@ -352,6 +450,30 @@ func TestValidateAWSKMSUnsealPrerequisites(t *testing.T) {
 		}
 	})
 
+	t.Run("credentials Secret cannot reference operator managed system Secrets", func(t *testing.T) {
+		cluster := newMinimalCluster("awskms-system-secret", "default")
+		cluster.Spec.Unseal = &openbaov1alpha1.UnsealConfig{
+			Type:                 "awskms",
+			CredentialsSecretRef: &corev1.LocalObjectReference{Name: "awskms-system-secret-root-token"},
+			AWSKMS: &openbaov1alpha1.AWSKMSSealConfig{
+				Region:   "eu-central-1",
+				KMSKeyID: "alias/openbao",
+			},
+		}
+
+		mgr := NewManager(newTestClient(t), testScheme, "operator-system")
+		err := mgr.validateUnsealPrerequisites(context.Background(), cluster)
+		if err == nil {
+			t.Fatal("validateUnsealPrerequisites() error = nil, want error")
+		}
+		if !errors.Is(err, operatorerrors.ErrPermanentPrerequisitesMissing) {
+			t.Fatalf("expected permanent prerequisites missing error, got %v", err)
+		}
+		if !strings.Contains(err.Error(), "operator-managed system Secret") {
+			t.Fatalf("error = %q, want operator-managed system Secret", err.Error())
+		}
+	})
+
 	t.Run("secret-backed aws kms requires access key and secret key", func(t *testing.T) {
 		cluster := newMinimalCluster("awskms-secret", "default")
 		cluster.Spec.Unseal = &openbaov1alpha1.UnsealConfig{