Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-6731

Gathered Environment variables (HTTP_PROXY/HTTPS_PROXY) may contain sensible information and should be obfuscated

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • 4.13
    • Insights Operator
    • None
    • None
    • CCXDEV Sprint 84, CCXDEV Sprint 85, CCXDEV Sprint 86
    • 3
    • False
    • Hide

      None

      Show
      None
    • NA
    • Bug Fix
    • Done

      Description of problem:

      On Pod definitions gathering, Operator should obfuscate particular environment variables (HTTP_PROXY and HTTPS_PROXY) from containers by default.
      
      Pods from the control plane can have those variables injected from the cluster-wide proxy, and they may contain values as "user:password@[http://6.6.6.6:1234|http://6.6.6.6:1234/]".
      

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1. In order to change deployments, scale down:
        * cluster-version-operator
        * cluster-monitoring-operator
        * prometheus-operator
      2. Introduce a new environment variable on alertmanager-main statusSet with either or both HTTP_PROXY, HTTPS_PROXY. Any value but void will do.
      4. Run insight-operator to get that pod definitions.
      5. Check in the archive (usually config/pod/openshift-monitoring/alertmanager-main-0.json) that target environment variable(s) value is obfuscated.

      Actual results:

      ...
      "spec": {
          ...
          "containers": {
              ...
              "env": [
                  {
                      "name": "HTTP_PROXY"
                      "value": "jdow:1qa2wd@[http://8.8.8.8:8080|http://8.8.8.8:8080/]"
                  }
              ]
          }
      }
      ...

      Expected results:

      ...
      "spec": {
          ...
          "containers": {
              ...
              "env": [
                  {
                      "name": "HTTP_PROXY"
                      "value": "xxxxxxxxx" // Where x char number is the length of the obfuscated string
                  }
              ]
          }
      }
      ...

      Additional info:

       

            rh-ee-ijimeno Isaac Jimeno
            rh-ee-ijimeno Isaac Jimeno
            Joao Bastos Fula Joao Bastos Fula
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: