Inconsistency handling passwords with special characters

[bertinatto]

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:

In OpenShift, we use a credentials minter to generate the vSphere password used by the CSI driver. The minter may generate passwords containing special characters that are not escaped. These passwords are then stored in a secret.

We observed that the CSI driver operates correctly when the password is provided via environment variables. However, it fails when the same password is supplied through an .INI file.

What you expected to happen:

The CSI driver should handle passwords consistently regardless of whether they are provided via environment variables or an .INI file. Specifically, it should successfully authenticate using the password in both scenarios.

How to reproduce it (as minimally and precisely as possible):

Try this unit test:

diff --git a/pkg/common/config/config_test.go b/pkg/common/config/config_test.go
index 23e23c77..0e7ca159 100644
--- a/pkg/common/config/config_test.go
+++ b/pkg/common/config/config_test.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"os"
 	"reflect"
+	"strings"
 	"testing"
 )
 
@@ -261,3 +262,41 @@ func isConfigEqual(actual *Config, expected *Config) bool {
 	}
 	return true
 }
+
+func TestReadCreadentialsFromConfig(t *testing.T) {
+	configStr := `
+[Global]
+user = "[email protected]"
+password = "password\"
+insecure-flag = "1"
+`
+
+	cfg, err := ReadConfig(ctx, strings.NewReader(configStr)) // <----- THIS FAILS
+	if err != nil {
+		t.Fatalf("Error reading config: %v", err)
+	}
+
+	err = validateConfig(ctx, cfg)
+	if err != nil {
+		t.Fatalf("Error validating config: %v", err)
+	}
+}
+
+func TestReadCredentialsFromEnv(t *testing.T) {
+	cfg := &Config{
+		VirtualCenter: idealVCConfig,
+	}
+
+	os.Setenv("VSPHERE_USER", `[email protected]`)
+	os.Setenv("VSPHERE_PASSWORD", `password\`)
+
+	err := FromEnv(ctx, cfg)
+	if err != nil {
+		t.Fatalf("Error reading config from env: %v", err)
+	}
+
+	err = validateConfig(ctx, cfg)
+	if err != nil {
+		t.Fatalf("Error validating config: %v", err)
+	}
+}

Anything else we need to know?:

I understand that passwords passed via an .INI file must be escaped as noted in this previous issue [1]. However, the fact that passwords work when passed via environment variables but fail when passed via an .INI file creates confusion for users.

If it is not possible to achieve consistent behavior regardless of how passwords are passed to the CSI driver, could you please document which characters need to be escaped? According to this PR [2] in cluster-api-provider-vsphere, it appears that only \ and " need to be escaped. Can you confirm if escaping just these characters is sufficient?

[1] #121
[2] https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/blob/71c23168794bed7401ba96e6405ffabd4ebab3d1/packaging/flavorgen/flavors/crs/types/cloudprovider_encoding.go#L33

[jsafrane]

According to this PR [2] in cluster-api-provider-vsphere, it appears that only \ and " need to be escaped. Can you confirm if escaping just these characters is sufficient

It would be much better to document what are the escaping rules in the ini file. Backslash is a popular character in password or even in username.

[bertinatto]

/assign @divyenpatel

[xing-yang]

We added a note for special characters here: https://github.com/vmware-tanzu/velero-plugin-for-vsphere/blob/main/docs/vanilla.md#create-vc-credential-secret
@divyenpatel Can we add a similar note in the vSphere CSI driver doc?

[divyenpatel]

I have filed internal ticket to get https://docs.vmware.com/en/VMware-vSphere-Container-Storage-Plug-in/3.0/vmware-vsphere-csp-getting-started/GUID-BFF39F1D-F70A-4360-ABC9-85BDAFBE8864.html page updated.

new content will be as below

New content
------------
Password for a vCenter Server user.
If password contains character which needs to be escaped then specify password with escaped character.

Examples:
    vCenter password: pwd\123
        Config file: password = "pwd\\123"
    vCenter password: pwd\nWithNewline
        Config file: password = "pwd\\nWithNewLine""
    vCenter password: Admin!23\'"
        Config file: password = "Admin!23\\\'\""
        

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale