
      Description of problem:

      OpenShift Dev Spaces can leak TLS keys through the che ConfigMap by adding CHE_INFRA_KUBERNETES_TLS__KEY (which holds the TLS key) directly to it. This means private data is fully accessible to users with access to ConfigMaps, and the secret is exposed in standard namespace inspections.

      Workaround:

      It should be possible to prevent the Secret key from being leaked by configuring the CheCluster as follows:

       

      spec:
        components:
          cheServer:
            extraProperties:
              CHE_INFRA_KUBERNETES_TLS__KEY: "" 

       

       

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

       1. Install OpenShift Dev Spaces 3.25

       2. Create a matching key in tlsSecretName

       

      Actual results:

      Key is shown in ConfigMap che

      Expected results:

      Key is only kept in Secret, not in ConfigMap

      Reproducibility (Always/Intermittent/Only Once):

      Acceptance criteria: 

       

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

              abazko Anatolii Bazko
              rhn-support-jorbell Jordan Bell
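
To check whether a cluster is affected, or that the workaround took effect, the che ConfigMap can be audited for private key material. The script below is an added example, not part of the original report or of the Dev Spaces code base; it assumes the key may appear either as raw PEM or as base64-encoded PEM, and its sample ConfigMaps (including `EXAMPLE_SETTING` and the placeholder key body) are constructed.

```python
import base64
import json
import re
import sys

# Matches the PEM header of any private key type (PKCS#8, RSA, EC, ...).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
# Property name taken from the workaround on this page.
KNOWN_KEY_PROPERTIES = {"CHE_INFRA_KUBERNETES_TLS__KEY"}

# Constructed sample data: the "key" body is a placeholder, not real key material.
FAKE_PEM = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_LEAKY = {"kind": "ConfigMap", "metadata": {"name": "che"}, "data": {
    "CHE_INFRA_KUBERNETES_TLS__KEY": base64.b64encode(FAKE_PEM.encode()).decode(),
    "EXAMPLE_SETTING": "true"}}
SAMPLE_FIXED = {"kind": "ConfigMap", "metadata": {"name": "che"}, "data": {
    "CHE_INFRA_KUBERNETES_TLS__KEY": "", "EXAMPLE_SETTING": "true"}}


def _b64_text(value):
    """Return value base64-decoded as text, or '' if it is not valid base64."""
    try:
        raw = base64.b64decode("".join(value.split()), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ""
    return raw.decode("utf-8", "ignore")


def find_key_material(configmap):
    """Return {data key: reason} for entries that look like private keys."""
    findings = {}
    for name, value in (configmap.get("data") or {}).items():
        value = value or ""
        if PEM_PRIVATE_KEY.search(value):
            findings[name] = "PEM private key"
        elif PEM_PRIVATE_KEY.search(_b64_text(value)):
            findings[name] = "base64-encoded PEM private key"
        elif name in KNOWN_KEY_PROPERTIES and value.strip():
            findings[name] = "non-empty TLS key property"
    return findings


if __name__ == "__main__":
    # Usage: oc get configmap che -n <namespace> -o json | python3 this_script.py
    found = find_key_material(json.load(sys.stdin))
    for name, reason in found.items():
        print(f"{name}: {reason}")  # report the key name only, never the value
    sys.exit(1 if found else 0)
```

The script exits non-zero when any entry is flagged, so it can gate a post-install or post-upgrade check.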