Bug 1571349

Summary: Container ENV proxy vars getting redacted when BUILD_LOGLEVEL=5 used in build
Product: OpenShift Container Platform Reporter: Luke Stanton <lstanton>
Component: BuildAssignee: Adam Kaplan <adam.kaplan>
Status: CLOSED ERRATA QA Contact: wewang <wewang>
Severity: low Docs Contact: Brandi Munilla <bmcelvee>
Priority: unspecified    
Version: 3.6.0CC: aos-bugs, bparees, wzheng
Target Milestone: ---   
Target Release: 3.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: Some build container environment variables were modified when redacted in the container log. Consequence: URL proxy settings (such as HTTP/S proxies) were modified, breaking these settings. Fix: A copy of these environment variables are made prior to redaction in the logs. Result: Proxy URLs with user credentials are redacted in the container log, but are not modified when used in the build.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-30 19:13:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luke Stanton 2018-04-24 14:59:38 UTC 
Description of problem:
User is seeing issue where setting the BUILD_LOGLEVEL=5 env variable in the build-config appears to corrupt the proxy related env variables in the output container. The NO_PROXY, HTTP_PROXY, and HTTPS_PROXY env vars not only get redacted in the build logs (as they should), the final running container also has the redacted env variables. This is causing problems with internal application service calls.

How reproducible:
Consistently

Steps to Reproduce:
1. Add BUILD_LOGLEVEL=5 to the build-config...

  source:
    type: Binary
    binary: {}
  strategy:
    sourceStrategy:
      from:
        kind: ImageStreamTag
        namespace: ${IMAGE_NAMESPACE}
        name: 'system-ocpimage-springboot:1.0.1.14'
      env:
      - name: BUILD_LOGLEVEL
        value: "5"
    type: Source

2. Build and deploy an image based on the config

Actual results:
The container result from the build has redacted env proxy vars...
==========
HTTP_PROXY=http://redacted@proxy.example.com:8080
HTTPS_PROXY=https://redacted@proxy.example.com:8080
NO_PROXY=//redacted@.cluster.local,.svc
==========

Expected results:
==========
HTTP_PROXY=http://svc-satellite:pass1@proxy.example.com:8080
HTTPS_PROXY=https://svc-satellite:pass1@proxy.example.com:8080
NO_PROXY=.cluster.local
==========

Additional info:
From the user...

==============================================================

"I was able to reproduce the behavior in tomcat and springboot image
below is the docker file content for system-ocpimage-springboot.
We are not doing anything else for spring boot."

FROM registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift:1.1-11

USER root

ENV TZ=America/New_York

RUN chmod -R 777 $HOME

USER 1001
---------------------------------------------------------------

the issue is consistent when i add "BUILD_LOGLEVEL" with value "5" like below in the build YAML file.

    source:
      type: Binary
      binary: {}
    strategy:
      sourceStrategy:
        from:
          kind: ImageStreamTag
          namespace: ${IMAGE_NAMESPACE}
          name: 'system-ocpimage-springboot:1.0.1.14'
        env:
        - name: BUILD_LOGLEVEL
          value: "5"
      type: Source

==============================================================

Version info:

openshift-ansible-playbooks-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
tuned-profiles-atomic-openshift-node-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-lookup-plugins-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-docker-excluder-3.6.173.0.83-1.git.0.1f70b16.el7.noarch
atomic-openshift-sdn-ovs-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-docs-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
openshift-ansible-roles-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-excluder-3.6.173.0.83-1.git.0.1f70b16.el7.noarch
atomic-openshift-clients-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-callback-plugins-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-utils-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-node-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-filter-plugins-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-master-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
openshift-ansible-3.6.173.0.83-1.git.0.84c5eff.el7.noarch
atomic-openshift-3.6.173.0.83-1.git.0.1f70b16.el7.x86_64
Comment 1 Luke Stanton 2018-04-24 15:02:42 UTC 
Created attachment 1426104 [details]
Build template
Comment 2 Luke Stanton 2018-04-24 15:03:26 UTC 
Created attachment 1426105 [details]
Master config containing proxy settings
Comment 3 Adam Kaplan 2018-05-01 17:52:38 UTC 
Origin PR: https://github.com/openshift/origin/pull/19532
s2i PR: https://github.com/openshift/source-to-image/pull/874
Comment 4 openshift-github-bot 2018-05-04 00:41:22 UTC 
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/51b3047636ac7bebadd1114bc8a0d1e21d1f1c87
Ensure environment variables and URLs are not modified for safe logging.

Bug 1571349
Comment 5 openshift-github-bot 2018-05-04 21:55:53 UTC 
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/4650086d67bdf4a38213575245a04029a350d2fa
bump(*):

github.com/openshift/source-to-image 27f0729
github.com/emicklei/go-restful-swagger12 5e28dc7
github.com/skynetservices/skydns 775ef406
k8s.io forks

* fixes bug 1571349
* Support for ConfigMap Build Sources
** Trello Card https://trello.com/c/RMKJxJUm/1020-5-allow-using-a-configmap-as-an-input-to-a-build-builds
** RFE/bug 1540978
Comment 7 wewang 2018-05-17 10:03:28 UTC 
verified in openshift v3.10.0-0.47.0
steps:
1. modify master-config.yaml as below,and restart master:
admissionConfig:
  pluginConfig:
    BuildDefaults:
      configuration:
        apiVersion: v1
        env:
        - name: HTTP_PROXY 
          value: http://file.xxx.redhat.com:xxxx
        - name: HTTPS_PROXY 
          value: https://file.xxx.redhat.com:xxx
        - name: CUSTOM_VAR 
          value: custom_value
        kind: BuildDefaultsConfig
        gitHTTPProxy: http://file.xxx.redhat.com:xxx
        gitHTTPSProxy: https://file.xxx.redhat.com:xxx
        gitNoProxy: cluster.local,otherdomain.com

  
2. Create apps 
  $oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json
3. Add BUILD_LOGLEVEL=5 to the build-config
4. Check the env in container
[wewang@wen-local ~]$ oc rsh frontend-2-rzd7s
sh-4.2$ env |grep HTTP
HTTPS_PROXY=https://file.xxx.redhat.com:xxx
HTTP_PROXY=http://file.xxx.redhat.com:xxxx
Comment 9 errata-xmlrpc 2018-07-30 19:13:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816