-
Bug
-
Resolution: Done
-
Normal
-
4.12
-
None
-
None
-
CCXDEV Sprint 84, CCXDEV Sprint 85
-
2
-
False
-
Description of problem:
On Pod definitions gathering, Operator should obfuscate particular environment variables (HTTP_PROXY and HTTPS_PROXY) from containers by default. Pods from the control plane can have those variables injected from the cluster-wide proxy, and they may contain values as "user:password@[http://6.6.6.6:1234|http://6.6.6.6:1234/]".
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. In order to change deployments, scale down: * cluster-version-operator * cluster-monitoring-operator * prometheus-operator 2. Introduce a new environment variable on alertmanager-main statusSet with either or both HTTP_PROXY, HTTPS_PROXY. Any value but void will do. 4. Run insight-operator to get that pod definitions. 5. Check in the archive (usually config/pod/openshift-monitoring/alertmanager-main-0.json) that target environment variable(s) value is obfuscated.
Actual results:
... "spec": { ... "containers": { ... "env": [ { "name": "HTTP_PROXY" "value": "jdow:1qa2wd@[http://8.8.8.8:8080|http://8.8.8.8:8080/]" } ] } } ...
Expected results:
... "spec": { ... "containers": { ... "env": [ { "name": "HTTP_PROXY" "value": "<obfuscated>" } ] } } ...
Additional info:
- depends on
-
OCPBUGS-6731 Gathered Environment variables (HTTP_PROXY/HTTPS_PROXY) may contain sensible information and should be obfuscated
- Closed
- links to