Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: rhos-18.0.11
Affects Version/s: rhos-18.0.0
Component/s: horizon-operator
Labels:
None

Story Points:
2
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Docs Approval:
?
Fixed in Build:
horizon-operator-container-1.0.13-5
Regression:
None
Intelligence Requested:
Market:
PX Impact Score:
Errata Link:
https://errata.engineering.redhat.com/advisory/153488

Sprint:
Pending Verification, Storage Integration Sprint 5
sprint_count:
2
Severity:
Critical

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The Horizon dashboard is displaying sensitive information including S3 URLs and access keys in Glance image custom properties when using S3 backend storage.

this poses a significant security risk as end users can view internal service credentials through the web interface.

This is due to Horizon using internal endpoints instead of public endpoints to communicate with OpenStack services

Current configuration

OPENSTACK_ENDPOINT_TYPE = "internalURL"

Expected configuration

OPENSTACK_ENDPOINT_TYPE = "publicURL"

links to

https://github.com/openstack-k8s-operators/horizon-operator/pull/482

openstack-k8s-operators/horizon-operator#481: Switch endpoints to publicURL

RHBA-2025:153488 Control plane Operators for RHOSO 18.0.11.

Assignee:: Francesco Pantano

Reporter:: Owen McGonagle

QA Contact:: Jan Jasek

Team:: rhos-dfg-ui

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/07/22 6:48 PM

Updated:: 2025/09/13 6:36 AM

Resolved:: 2025/08/28 2:39 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty