Prevent ACR refresh token exposure in EXECVE audit logs

[ehvs]

Which issue this PR addresses:

Replace az acr login --name with az acr login --expose-token + podman login --password-stdin in pull_container_images() to prevent the ACR refresh token from appearing as a command-line argument in auditd EXECVE records.

https://issues.redhat.com/browse/ARO-24815

why we need it:

During RP/Gateway VMSS bootstrap, pull_container_images() calls az acr login --name $registry. The Azure CLI internally spawns a docker login --password $token subprocess, which exposes the ACR refresh token as a plaintext command-line argument. This is captured by auditd EXECVE syscall logging.

podman --password-stdin should be used rather than az acr log to prevent the secret variable from being shown in shell output.

What is PR does

Tip

Files that directly fix ARO-24815 are (to assist reviewing changes):

1. pkg/deploy/generator/scripts/rpVMSS.sh
2. pkg/deploy/generator/scripts/util-common.sh

1. Unsets xtrace shell option while working with sensitive information. Variables containing sensitive information are written to output when xtrace is set.
   • While logging into Azure acr via podman
   • While updating system TLS certificates
2. Addresses shellcheck warnings
   • The warnings that can be safely disregarded have been disabled
   • Some warnings were valid, that code has been refactored

General improvements to improve readability

1. All function and variable descriptions have been refactored to have a uniform style.
2. Command/function calls with more than three options have been broken up into multiple lines.

Test plan for issue:

Deploying to INT to

• Ensure the problem is resolved
• Ensure no new errors/failures were introduced

Successfully deployed in pipelines:

1. INT
2. Canary
   • The script succeeds until the aro image pull is attempted. It tries to pull an image based on the tag, which apparently is no longer created.
3. Re-releasing to INT to confirm no regression after rebasing from master
   • Pipeline run

[Copilot]

Pull request overview

This PR updates the VMSS bootstrapping image-pull flow to avoid exposing ACR credentials in process arguments by switching from az acr login to token-based login and podman login --password-stdin.

Changes:

• Replace az acr login --name <registry> with az acr login --expose-token + podman login --password-stdin in pull_container_images().
• Derive ACR registry hostname from ACRRESOURCEID for use with podman login.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

[swiencki]

The new xtrace helpers can abort bootstrap under set -e. xtrace_unset() returns non-zero when tracing is already off, and xtrace_set() returns non-zero when tracing was previously on. Because both VMSS bootstrap scripts run with errexit, the new wrapper around the ACR login path can terminate the script instead of just suppressing tracing.

ARO-RP/pkg/deploy/generator/scripts/util-common.sh

Lines 54 to 71 in 467e224

	# * Sets XTRACE_IS_SET=XTRACE_SET (if true) or XTRACE_IS_SET=XTRACE_UNSET (if false).
	xtrace_set_capture() {
	[[ $- =~ "x" ]] && XTRACE_IS_SET=$XTRACE_SET || XTRACE_IS_SET=$XTRACE_UNSET
	}
	# xtrace_unset()
	#
	# Un-sets xtrace (if set)
	xtrace_unset() {
	(( XTRACE_IS_SET == XTRACE_SET )) && set +x
	}
	# xtrace_set()
	#
	# Sets xtrace (if unset)
	xtrace_set() {
	(( XTRACE_IS_SET == XTRACE_UNSET )) && set -x
	}

[hlipsig]

@copilot please review

[Copilot]

@hlipsig I've opened a new pull request, #4692, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

[s-fairchild]

The new xtrace helpers can abort bootstrap under set -e. xtrace_unset() returns non-zero when tracing is already off, and xtrace_set() returns non-zero when tracing was previously on. Because both VMSS bootstrap scripts run with errexit, the new wrapper around the ACR login path can terminate the script instead of just suppressing tracing.

ARO-RP/pkg/deploy/generator/scripts/util-common.sh

Lines 54 to 71 in 467e224

	# * Sets XTRACE_IS_SET=XTRACE_SET (if true) or XTRACE_IS_SET=XTRACE_UNSET (if false).
	xtrace_set_capture() {
	[[ $- =~ "x" ]] && XTRACE_IS_SET=$XTRACE_SET || XTRACE_IS_SET=$XTRACE_UNSET
	}
	# xtrace_unset()
	#
	# Un-sets xtrace (if set)
	xtrace_unset() {
	(( XTRACE_IS_SET == XTRACE_SET )) && set +x
	}
	# xtrace_set()
	#
	# Sets xtrace (if unset)
	xtrace_set() {
	(( XTRACE_IS_SET == XTRACE_UNSET )) && set -x
	}

@swiencki This is true. I've tested locally with a short script sourcing util-common.sh and running xtrace_set and xtrace_unset. Not super relevant, but running xtrace_set in succession does not cause failure (return non zero). However running xtrace_set in succession does cause failure (return non zero). Not sure why.

Anyways I've pushed an update that returns 0 if the conditional test for XTRACE_IS_SET is false.

[s-fairchild]

@copilot please review

[github-actions]

Please rebase pull request.

[Copilot]

Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

[github-actions]

Please rebase pull request.

[cadenmarchese]

/azp run ci

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).