Bug 1509082 - Installer should not put registry credentials in plain text in configmap for ASB deployment
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.9.0
Assignee: Fabian von Feilitzsch
QA Contact: Weihua Meng
URL:
Whiteboard:
Depends On: 1533208
Blocks:
Reported: 2017-11-02 22:27 UTC by Weihua Meng
Modified: 2018-03-28 14:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Registry credentials for the broker were stored in a configmap.
Consequence: Sensitive credentials could be exposed in plain text.
Fix: A secret is now created to store the credentials.
Result: Registry credentials are no longer visible in plaintext.
Clone Of:
Environment:
Last Closed: 2018-03-28 14:09:47 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2018:0489 (last updated 2018-03-28 14:10:51 UTC)

Description Weihua Meng 2017-11-02 22:27:13 UTC
Description of problem:
Installer should not put registry credentials in plain text in configmap for ASB deployment.
The credentials should be put in secret.
https://bugzilla.redhat.com/show_bug.cgi?id=1503289

Version-Release number of the following components:
openshift-ansible-3.7.0-0.189.0.git.0.d497c5e.el7.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. Install OCP with Ansible Service Broker (ASB) enabled with vars such as 
  openshift_enable_service_catalog: true
  ansible_service_broker_install: true
  ansible_service_broker_registry_type: dockerhub
  ansible_service_broker_registry_url: https://registry.hub.docker.com
  ansible_service_broker_registry_organization: ansibleplaybookbundle
  ansible_service_broker_registry_user: "changeme"
  ansible_service_broker_registry_password: "changeme"
2. Check ASB configmap when installation finished.
$ oc get configmap broker-config -o yaml -n openshift-ansible-service-broker

Actual results:

    broker-config: |
      registry:
        - type: dockerhub
          name: rh
          url:  https://registry.hub.docker.com
          user: changeme
          pass: changeme
          org:  ansibleplaybookbundle
          tag:  latest
          white_list: [u'.*-apb$']

Expected results:
No pass item
The credentials should be put in secret.

Additional info:

Comment 2 Fabian von Feilitzsch 2018-01-16 20:17:04 UTC
https://github.com/openshift/openshift-ansible/pull/6745/files

Comment 3 openshift-github-bot 2018-01-18 19:44:59 UTC
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/1a2a895356df638756d2117e3d324710167737db
Merge pull request #6745 from shawn-hurley/secret-reg-auth

Automatic merge from submit-queue.

Bug 1509082 - Adding auth as a secret

If username and password are defined we should use a secret for the credentials.

Comment 5 Weihua Meng 2018-01-23 04:22:46 UTC
Fixed.
openshift-ansible-3.9.0-0.22.0.git.0.0e9d896.el7.noarch.rpm

$ oc get configmap broker-config -o yaml -n openshift-ansible-service-broker

apiVersion: v1
data:
  broker-config: |
    registry:
      - type: dockerhub
        name: rh
        url:  https://registry.hub.docker.com
        org:  ansibleplaybookbundle
        tag:  v3.7
        white_list: [.*-apb$]

        auth_type: "secret"
        auth_name: "asb-registry-auth"
      - type: local_openshift
        name: localregistry
        namespaces: ['openshift']
        white_list: []

Comment 8 errata-xmlrpc 2018-03-28 14:09:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489

