There is no mechanism to hide passwords passed through environment variables, so you can see the values of all passwords in the web console:
DB_PASSWORD=XO87brdc
EAP_HTTPS_PASSWORD=password
It should be hidden similarly to how it was in OSE2: add a small '(show)' link there that would reveal the password only when clicked.
This is more like a future request. Since the password is only seen by the users who could access the project or the users who could view some specified database resources, the password is not seen by others who do not have the permission to view the password. So I think it's acceptable.
You should use Secrets for passwords, this would prevent exposure of passwords in env vars. Secret values are only visible after the user chooses to reveal the values. Our OOTB templates need to be doing this as well.
https://github.com/openshift/origin/pull/12055
The pre-installed templates below still show the password through environment variables after creation in the web console:
redis-ephemeral
redis-persistent
amq62-basic
amq62-persistent
amq62-persistent-ssl
amq62-ssl
eap64-amq-persistent-s2i
eap64-amq-s2i
eap64-basic-s2i
eap64-https-s2i
eap64-mongodb-persistent-s2i
eap64-mongodb-s2i
eap64-mysql-persistent-s2i
eap64-mysql-s2i
eap64-postgresql-persistent-s2i
eap64-postgresql-s2i
eap64-sso-s2i
eap70-amq-persistent-s2i
eap70-amq-s2i
eap70-basic-s2i
eap70-https-s2i
eap70-mongodb-persistent-s2i
eap70-mongodb-s2i
eap70-mysql-persistent-s2i
eap70-mysql-s2i
eap70-postgresql-persistent-s2i
eap70-postgresql-s2i
eap70-sso-s2i
jws30-tomcat7-basic-s2i
jws30-tomcat7-https-s2i
jws30-tomcat7-mongodb-persistent-s2i
jws30-tomcat7-mongodb-s2i
jws30-tomcat7-mysql-persistent-s2i
jws30-tomcat7-mysql-s2i
jws30-tomcat7-postgresql-persistent-s2i
jws30-tomcat7-postgresql-s2i
jws30-tomcat8-basic-s2i
jws30-tomcat8-https-s2i
jws30-tomcat8-mongodb-persistent-s2i
jws30-tomcat8-mongodb-s2i
jws30-tomcat8-mysql-persistent-s2i
jws30-tomcat8-mysql-s2i
jws30-tomcat8-postgresql-persistent-s2i
jws30-tomcat8-postgresql-s2i
I'll fix the redis template but the other templates are owned by the middleware team, so the bug needs to be filed against them to change the template structure to match our new secret pattern.
fixing redis here: https://github.com/openshift/origin/pull/13528
Rob, heads up about some (suggested) changes for the middleware templates. By using a secret to provide the password env variable, the web console will understand to not display the value. You can see an example of the change here: https://github.com/openshift/origin/pull/13528
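
The change suggested in this comment can be checked mechanically. The following is an added example, not code from the thread or the linked pull request: it scans a template for credential-named environment variables that are set by literal value instead of through a `secretKeyRef`. The template, its object names and the `SENSITIVE` name pattern are constructed assumptions.

```python
import json
import re

# Assumption: env var names containing these words carry credentials.
SENSITIVE = re.compile(r"PASSWORD|SECRET|TOKEN", re.IGNORECASE)

# Constructed template: the "legacy" container still receives the password as
# a literal (parameter-substituted) value, the "fixed" one reads it from a Secret.
TEMPLATE_JSON = """
{
  "kind": "Template",
  "objects": [
    {"kind": "Secret", "metadata": {"name": "db"},
     "stringData": {"database-password": "${DB_PASSWORD}"}},
    {"kind": "DeploymentConfig", "metadata": {"name": "app"},
     "spec": {"template": {"spec": {"containers": [
       {"name": "legacy", "env": [
         {"name": "DB_PASSWORD", "value": "${DB_PASSWORD}"},
         {"name": "DB_HOST", "value": "db"}]},
       {"name": "fixed", "env": [
         {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef":
           {"name": "db", "key": "database-password"}}}]}
     ]}}}}
  ]
}
"""

def holders(node):
    """Yield every dict that carries an env list (containers, build strategies)."""
    if isinstance(node, dict):
        if isinstance(node.get("env"), list):
            yield node
        for child in node.values():
            yield from holders(child)
    elif isinstance(node, list):
        for child in node:
            yield from holders(child)

def exposed_env(template_text):
    """Return (object, holder name, env name) for credentials not read from a Secret."""
    findings = []
    for obj in json.loads(template_text).get("objects", []):
        owner = "%s/%s" % (obj.get("kind"), obj.get("metadata", {}).get("name"))
        for holder in holders(obj):
            for env in holder["env"]:
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if SENSITIVE.search(env.get("name", "")) and ref is None:
                    findings.append((owner, holder.get("name"), env["name"]))
    return findings

if __name__ == "__main__":
    for finding in exposed_env(TEMPLATE_JSON):
        print("literal credential in env: %s container=%s var=%s" % finding)
```
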
Commit pushed to master at https://github.com/openshift/origin
https://github.com/openshift/origin/commit/cbe2807ef2d831e67fb9b4e4df1def619ebdf22a
use secret refs for redis password value so it is not exposed on the console
bug 1233513
This has been merged into ocp and is in OCP v3.6.27 or newer.
Since the xpaas templates already have issue 'JBoss Issue Tracker CLOUD-1511' to track, I will ignore them from this bug. There is a new template, dotnet-pgsql-persistent [1], added recently; we should also cover this template.
[1] https://raw.githubusercontent.com/openshift/openshift-ansible/master/roles/openshift_examples/files/examples/v1.6/quickstart-templates/dotnet-pgsql-persistent.json
Scott, I see you added the template mentioned in comment 13. Do you know who the actual owner of the template is so we can assign a bug to them?
Severin Gehwolf owns the dotnet templates.
https://github.com/redhat-developer/s2i-dotnetcore is the upstream repo
Yes, we'll look to get this fixed. Thanks.
Upstream PR: https://github.com/redhat-developer/s2i-dotnetcore/pull/69
Assigning back to Scott. .NET templates are fixed upstream.
https://github.com/openshift/openshift-ansible/pull/3963
Password is still shown in webconsole when create app with [1] template
[1] https://raw.githubusercontent.com/openshift/openshift-ansible/master/roles/openshift_examples/files/examples/v1.5/quickstart-templates/dotnet-pgsql-persistent.json
(In reply to XiuJuan Wang from comment #26)
> Password is still shown in webconsole when create app with [1] template
>
> [1] https://raw.githubusercontent.com/openshift/openshift-ansible/master/roles/openshift_examples/files/examples/v1.5/quickstart-templates/dotnet-pgsql-persistent.json
Seems the wrong template to test. PR above merged it into the release-1.5 branch *not* master. Looks like master does not have it yet. Scott, thoughts? Anyway, the template to test is here: https://raw.githubusercontent.com/openshift/openshift-ansible/release-1.5/roles/openshift_examples/files/examples/v1.5/quickstart-templates/dotnet-pgsql-persistent.json
@Severin, my mistake. Checked the template under branch release-1.5, password is hidden in webconsole. Move bug to verified.
Master branch PR is here, I'll get it merged today. The CI jobs were busted for a while. https://github.com/openshift/openshift-ansible/pull/3962
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1140