Bug
Resolution: Done
Blocker
Description of problem:
Sensitive info is exposed in registry deployment
Version-Release number of selected component (if applicable): 0.5.3
How reproducible:
Always
Steps to reproduce:
Create a secret and check the registry deployment YAML with
oc get deployment -n velero -l app.kubernetes.io/component=Registry -o jsonpath='{.items[*].spec.template.spec.containers[0].env}' | jq -r
Actual result:
$ oc get deployment -n velero -l app.kubernetes.io/component=Registry -o jsonpath={.items[*].spec.template.spec.containers[0].env} | jq -r
[
  { "name": "REGISTRY_STORAGE", "value": "s3" },
  { "name": "REGISTRY_STORAGE_S3_ACCESSKEY", "value": "minio" },
  { "name": "REGISTRY_STORAGE_S3_BUCKET", "value": "miniobucket" },
  { "name": "REGISTRY_STORAGE_S3_REGION", "value": "minio" },
  { "name": "REGISTRY_STORAGE_S3_SECRETKEY", "value": "minio123" },
  { "name": "REGISTRY_STORAGE_S3_REGIONENDPOINT", "value": "http://minio-minio.apps.mayap-oadp-123.qe.devcluster.openshift.com" },
  { "name": "REGISTRY_STORAGE_S3_SKIPVERIFY", "value": "true" }
]
Expected results: Sensitive data should not be exposed to the user. It would be better to reference a secret instead.
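The check described in this report can be automated. The following is an added example, not part of the original report or the project's code: it flags environment variables with credential-like names that carry an inline value, and shows the same entries rewritten to use `valueFrom.secretKeyRef`. The name pattern, the Secret name `registry-s3-credentials` and the lower-cased key names are assumptions.

```python
import json
import re

# Name fragments that usually mark a credential (assumed heuristic, tune per environment).
SENSITIVE = re.compile(r"(SECRET|ACCESSKEY|PASSWORD|TOKEN)", re.IGNORECASE)

# Constructed sample: the env array from the report above, trimmed to four entries.
SAMPLE_ENV = json.loads("""
[
  {"name": "REGISTRY_STORAGE", "value": "s3"},
  {"name": "REGISTRY_STORAGE_S3_ACCESSKEY", "value": "minio"},
  {"name": "REGISTRY_STORAGE_S3_BUCKET", "value": "miniobucket"},
  {"name": "REGISTRY_STORAGE_S3_SECRETKEY", "value": "minio123"}
]
""")


def find_literal_secrets(env):
    """Return names of sensitive-looking variables that carry an inline value."""
    return [
        e["name"] for e in env
        if SENSITIVE.search(e["name"]) and "value" in e and "valueFrom" not in e
    ]


def to_secret_refs(env, secret_name):
    """Return a copy of env where flagged entries point at a Secret key instead.

    secret_name and the lower-cased key names are hypothetical choices.
    """
    flagged = set(find_literal_secrets(env))
    fixed = []
    for e in env:
        if e["name"] in flagged:
            ref = {"name": secret_name, "key": e["name"].lower()}
            fixed.append({"name": e["name"], "valueFrom": {"secretKeyRef": ref}})
        else:
            fixed.append(dict(e))
    return fixed


if __name__ == "__main__":
    print(find_literal_secrets(SAMPLE_ENV))
    print(json.dumps(to_secret_refs(SAMPLE_ENV, "registry-s3-credentials"), indent=2))
```

Feeding it the output of the `oc get deployment ... -o jsonpath=...` command from the steps above checks a live deployment the same way.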