• Type: Bug
• Resolution: Done
• Priority: Blocker
• Fix Version: OADP 1.0.0

      Description of problem:
      Sensitive info is exposed in registry deployment

      Version-Release number of selected component (if applicable): 0.5.3

      How reproducible:

      Always

      Steps to reproduce:

      Create a secret and check the registry deployment YAML with

      oc get deployment -n velero -l app.kubernetes.io/component=Registry -o jsonpath='{.items[*].spec.template.spec.containers[0].env}' | jq -r

      Actual result:

      $ oc get deployment -n velero -l app.kubernetes.io/component=Registry -o jsonpath='{.items[*].spec.template.spec.containers[0].env}' | jq -r
      [
        {
          "name": "REGISTRY_STORAGE",
          "value": "s3"
        },
        {
          "name": "REGISTRY_STORAGE_S3_ACCESSKEY",
          "value": "minio"
        },
        {
          "name": "REGISTRY_STORAGE_S3_BUCKET",
          "value": "miniobucket"
        },
        {
          "name": "REGISTRY_STORAGE_S3_REGION",
          "value": "minio"
        },
        {
          "name": "REGISTRY_STORAGE_S3_SECRETKEY",
          "value": "minio123"
        },
        {
          "name": "REGISTRY_STORAGE_S3_REGIONENDPOINT",
          "value": "http://minio-minio.apps.mayap-oadp-123.qe.devcluster.openshift.com"
        },
        {
          "name": "REGISTRY_STORAGE_S3_SKIPVERIFY",
          "value": "true"
        }
      ]

       

      Expected results: Sensitive data should not be exposed to the user. Better to reference a secret instead.
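One way to check a deployment for this class of leak, as an added example that is not part of this issue or of the oadp-operator code: it audits the env list that the jsonpath query above prints and flags credential-like variables set as literal values (or through anything other than valueFrom.secretKeyRef). The sensitive-name pattern is an assumption; the two sample inputs are constructed from the before and after output quoted in this issue.

```python
import json
import re

# Names that should only be populated from a Secret (assumed pattern, chosen
# to cover the registry variables quoted on this page).
SENSITIVE_NAME = re.compile(r"SECRET|ACCESSKEY|ACCESS_KEY|PASSWORD|TOKEN", re.I)


def plaintext_secrets(env):
    """Return credential-like env var names that are not fed by a secretKeyRef.

    A literal "value" exposes the credential to anyone who can read the
    Deployment; a valueFrom other than secretKeyRef (configMapKeyRef, fieldRef)
    does too. A var with neither value nor valueFrom is unset, not a finding.
    """
    findings = []
    for item in env:
        name = item.get("name", "")
        if not SENSITIVE_NAME.search(name):
            continue
        if "value" in item:
            findings.append(name)
        elif "valueFrom" in item and "secretKeyRef" not in item["valueFrom"]:
            findings.append(name)
    return findings


def audit_env_json(text):
    """Parse the JSON array printed by the jsonpath query above and audit it."""
    return plaintext_secrets(json.loads(text))


# Constructed sample: the pre-fix (0.5.3) registry env from the issue.
BEFORE = json.dumps([
    {"name": "REGISTRY_STORAGE", "value": "s3"},
    {"name": "REGISTRY_STORAGE_S3_ACCESSKEY", "value": "minio"},
    {"name": "REGISTRY_STORAGE_S3_SECRETKEY", "value": "minio123"},
    {"name": "REGISTRY_STORAGE_S3_SKIPVERIFY", "value": "true"},
])

# Constructed sample: the post-fix (0.5.5) shape, credentials via secretKeyRef.
SECRET = {"name": "oadp-example-velero-1-aws-registry-secret"}
AFTER = json.dumps([
    {"name": "REGISTRY_STORAGE", "value": "s3"},
    {"name": "REGISTRY_STORAGE_S3_ACCESSKEY",
     "valueFrom": {"secretKeyRef": dict(SECRET, key="access_key")}},
    {"name": "REGISTRY_STORAGE_S3_SECRETKEY",
     "valueFrom": {"secretKeyRef": dict(SECRET, key="secret_key")}},
    {"name": "REGISTRY_STORAGE_S3_REGIONENDPOINT"},
])
```

Piping the real `oc get ... -o jsonpath=... | jq -r` output into `audit_env_json` gives the same check against a live cluster; an empty list means no credential is carried as a literal value.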

            [OADP-176] Sensitive data is exposed in registry deployment

            Errata Tool added a comment -

            This issue has been addressed in the following products:

            OADP-1.0-RHEL-8

            Via RHBA-2022:0455 https://access.redhat.com/errata/RHBA-2022:0455

            Maya Peretz added a comment -

            validated on 0.5.5 downstream:

             oc get deployment -n velero -l app.kubernetes.io/component=Registry -o jsonpath={.items[*].spec.template.spec.containers[0].env} | jq 
            [
              {
                "name": "REGISTRY_STORAGE",
                "value": "s3"
              },
              {
                "name": "REGISTRY_STORAGE_S3_ACCESSKEY",
                "valueFrom": {
                  "secretKeyRef": {
                    "key": "access_key",
                    "name": "oadp-example-velero-1-aws-registry-secret"
                  }
                }
              },
              {
                "name": "REGISTRY_STORAGE_S3_BUCKET",
                "value": "mayapvelerooadp"
              },
              {
                "name": "REGISTRY_STORAGE_S3_REGION",
                "value": "us-east-2"
              },
              {
                "name": "REGISTRY_STORAGE_S3_SECRETKEY",
                "valueFrom": {
                  "secretKeyRef": {
                    "key": "secret_key",
                    "name": "oadp-example-velero-1-aws-registry-secret"
                  }
                }
              },
              {
                "name": "REGISTRY_STORAGE_S3_REGIONENDPOINT"
              },
              {
                "name": "REGISTRY_STORAGE_S3_SKIPVERIFY"
              }
            ]
             

            Maya Peretz added a comment -

            Checked again upstream 0.5.5, seems like fixed:

            (mtc-e2e-venv) [mperetz@mperetz oadp-operator]$ oc get deployment -n velero -l app.kubernetes.io/component=Registry -o jsonpath={.items[*].spec.template.spec.containers[0].env} | jq -r
            [
              {
                "name": "REGISTRY_STORAGE",
                "value": "s3"
              },
              {
                "name": "REGISTRY_STORAGE_S3_ACCESSKEY",
                "valueFrom": {
                  "secretKeyRef": {
                    "key": "access_key",
                    "name": "oadp-example-velero-1-aws-registry-secret"
                  }
                }
              },
              {
                "name": "REGISTRY_STORAGE_S3_BUCKET",
                "value": "mayapvelerooadp"
              },
              {
                "name": "REGISTRY_STORAGE_S3_REGION",
                "value": "us-east-2"
              },
              {
                "name": "REGISTRY_STORAGE_S3_SECRETKEY",
                "valueFrom": {
                  "secretKeyRef": {
                    "key": "secret_key",
                    "name": "oadp-example-velero-1-aws-registry-secret"
                  }
                }
              },
              {
                "name": "REGISTRY_STORAGE_S3_REGIONENDPOINT"
              },
              {
                "name": "REGISTRY_STORAGE_S3_SKIPVERIFY"
              }
            ]
             

            Shubham Pampattiwar added a comment - Fix PR is merged: https://github.com/openshift/oadp-operator/pull/535

            Dylan Murray added a comment -

            spampatt@redhat.com I think the fix here is to read this value from a secret rather than injecting it via env var. Let me know what you think.

              spampatt@redhat.com Shubham Pampattiwar
              mperetz@redhat.com Maya Peretz