Uploaded image for project: 'OpenJDK'
  1. OpenJDK
  2. OPENJDK-2833

OpenJDK image should scrub passwords from logs

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False
    • Important

      See attached example - in this case the TRUSTSTORE_PASSWORD environment variable is populated from a secret, and added to JAVA_OPTS_APPEND:

                     "-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)
      

      The password is visible in the application logs during pod start:

      Starting the Java application using /opt/jboss/container/java/run/run-java.sh ...
      INFO exec -a "java" java -XX:MaxRAMPercentage=80.0 -XX:+UseParallelGC -XX:MinHeapFreeRatio=10 -XX:MaxHeapFreeRatio=20 -XX:GCTimeRatio=4 -XX:AdaptiveSizePolicyWeight=90 -XX:+ExitOnOutOfMemoryError -Djavax.net.ssl.trustStorePassword=supersecretpassword -cp "." -jar /deployments/csb-app-1.0-SNAPSHOT.jar
      

              jdowland@redhat.com Jonathan Dowland
              rhn-support-shiggs Stephen Higgs
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: