Skip to content

networkPolicy: make blockCloudMetadataEgress opt-out discoverable#347

Merged
JatinNanda merged 2 commits into
mainfrom
jatin/metadata-egress-opt-out-clarity
Jul 6, 2026
Merged

networkPolicy: make blockCloudMetadataEgress opt-out discoverable#347
JatinNanda merged 2 commits into
mainfrom
jatin/metadata-egress-opt-out-clarity

Conversation

@JatinNanda

Copy link
Copy Markdown
Contributor

problem

networkPolicy.blockCloudMetadataEgress (added in 6.11.9) auto-enables whenever blob storage is keyless — detected as "no static credential set." That heuristic is an over-approximation:

  • token-federated identities (EKS IRSA, GKE Workload Identity, Azure Workload Identity) get creds from a projected token + the provider STS/IAM endpoint, never 169.254.169.254 → safe to block ✅
  • metadata-based identities (EC2 instance profile, GCE default service account, Azure IMDS-based managed identity) also have "no static credential," but they fetch creds from 169.254.169.254 → the auto-block silently breaks blob storage

The two helpers even contradict each other: retool.blobStorage.keyless lists "instance profile" as a keyless mode, while retool.networkPolicy.blockMetadata.enabled asserts keyless "never [uses] the metadata service." The values comment only warned about data sources using the metadata endpoint, not blob-storage auth itself — so an instance-profile user gets no signal.

approach

Per discussion, don't try to detect the auth form (fragile). Keep the auto-enable as-is and just make the opt-out impossible to miss:

  • NOTES.txt — print a note on install only (.Release.IsInstall, so it doesn't nag on every helm upgrade) when the block is active: no-op for IRSA/WI, but if blob storage uses instance profile / default SA / IMDS managed identity, set blockCloudMetadataEgress: false.
  • values.yaml — fix the comment (the STS/IAM claim only holds for token-federated auth) and spell out exactly when to set false. Applied to both synced copies.

No behavior change to the auto-enable — discoverability only.

verification

helm install … (keyless)  -> NOTES block shown
helm upgrade … (keyless)  -> silent (install-only gate)
static-credential install -> block + NOTES both absent

NetworkPolicy still renders and denies 169.254.169.254/32 for keyless. helm lint clean; both values.yaml copies in sync.

Chart bumped 6.11.9 -> 6.11.10.

follow-up (not in this PR)

The docs already carry the same opt-out guidance (tryretool/docs#2997). Longer term, the robust fix is to gate auto-enable on a positive federated-identity signal (IRSA annotation / WI label) rather than absence of a static key — but that's a behavior change for a separate discussion.

the metadata-egress block auto-enables whenever blob storage is keyless
(no static credential). that's a heuristic: 'no static credential' covers both
token-federated identities (IRSA / GKE Workload Identity / Azure Workload
Identity), which never touch the metadata service and are safe to block, AND
metadata-based identities (EC2 instance profile, GCE default service account,
Azure IMDS managed identity), which fetch credentials from 169.254.169.254 and
are silently broken by the block.

rather than detect the auth form, surface the opt-out:
- NOTES.txt: on install only (gated on .Release.IsInstall so it doesn't nag on
  every upgrade), when the block is active, point at
  networkPolicy.blockCloudMetadataEgress: false for the metadata-based cases.
- values.yaml: correct the comment (the STS/IAM claim only holds for
  token-federated auth) and spell out when to set false.

no behavior change to the auto-enable; discoverability only. bump chart 6.11.9
-> 6.11.10 (values comment + NOTES change).
@JatinNanda
JatinNanda marked this pull request as ready for review July 6, 2026 18:54
@JatinNanda
JatinNanda requested a review from ryanartecona July 6, 2026 18:54
@greptile-apps

greptile-apps Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR makes the metadata-egress opt-out easier to discover.

  • Bumps the Retool Helm chart from 6.11.9 to 6.11.10.
  • Adds an install-only NOTES warning when metadata egress blocking is active.
  • Clarifies the blockCloudMetadataEgress guidance in both values files.

Confidence Score: 5/5

This looks safe to merge after a small cleanup to the install note wording.

  • The new note uses the same helper as the NetworkPolicy render path.
  • The values comments are synced across both copies.
  • The chart version bump matches the changed chart package.
  • The only issue found is a misleading note for forced-on static-credential installs.

charts/retool/templates/NOTES.txt

Important Files Changed

Filename Overview
charts/retool/Chart.yaml Bumps the chart patch version with no dependency or app version changes.
charts/retool/templates/NOTES.txt Adds an install-only note for active metadata-egress blocking, with one wording issue for forced-on static-credential installs.
charts/retool/values.yaml Updates the blockCloudMetadataEgress comment to distinguish token-federated and metadata-based identities.
values.yaml Mirrors the chart values comment update.

Reviews (1): Last reviewed commit: "networkPolicy: make blockCloudMetadataEg..." | Re-trigger Greptile

Comment thread charts/retool/templates/NOTES.txt Outdated
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@JatinNanda
JatinNanda merged commit f13830c into main Jul 6, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants