Bug 1509082 - Installer should not put registry credentials in plain text in configmap for ASB deployment
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.9.0
Assigned To: Fabian von Feilitzsch
QA Contact: Weihua Meng
Docs Contact:
Depends On: 1533208
Blocks:
Reported: 2017-11-02 18:27 EDT by Weihua Meng
Modified: 2018-03-28 10:10 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Registry credentials for the broker were stored in a configmap.
Consequence: Sensitive credentials could be exposed in plain text.
Fix: A secret is now created to store the credentials.
Result: Registry credentials are no longer visible in plaintext.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-28 10:09:47 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID: Red Hat Product Errata RHBA-2018:0489 (Priority: None, Status: None, Summary: None, Last Updated: 2018-03-28 10:10 EDT)

Description Weihua Meng 2017-11-02 18:27:13 EDT
Description of problem:
Installer should not put registry credentials in plain text in configmap for ASB deployment.
The credentials should be put in secret.
https://bugzilla.redhat.com/show_bug.cgi?id=1503289

Version-Release number of the following components:
openshift-ansible-3.7.0-0.189.0.git.0.d497c5e.el7.noarch.rpm

How reproducible:
Always

Steps to Reproduce:
1. Install OCP with Ansible Service Broker (ASB) enabled, with vars such as:
  openshift_enable_service_catalog: true
  ansible_service_broker_install: true
  ansible_service_broker_registry_type: dockerhub
  ansible_service_broker_registry_url: https://registry.hub.docker.com
  ansible_service_broker_registry_organization: ansibleplaybookbundle
  ansible_service_broker_registry_user: "changeme"
  ansible_service_broker_registry_password: "changeme"
2. Check the ASB configmap when the installation has finished.
$ oc get configmap broker-config -o yaml -n openshift-ansible-service-broker

Actual results:

    broker-config: |
      registry:
        - type: dockerhub
          name: rh
          url:  https://registry.hub.docker.com
          user: changeme
          pass: changeme
          org:  ansibleplaybookbundle
          tag:  latest
          white_list: [u'.*-apb$']

Expected results:
No pass item
The credentials should be put in secret.

Additional info:
Comment 2 Fabian von Feilitzsch 2018-01-16 15:17:04 EST
https://github.com/openshift/openshift-ansible/pull/6745/files
Comment 3 openshift-github-bot 2018-01-18 14:44:59 EST
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/1a2a895356df638756d2117e3d324710167737db
Merge pull request #6745 from shawn-hurley/secret-reg-auth

Automatic merge from submit-queue.

Bug 1509082 - Adding auth as a secret

If username and password are defined we should use a secret for the credentials.
Comment 5 Weihua Meng 2018-01-22 23:22:46 EST
Fixed.
openshift-ansible-3.9.0-0.22.0.git.0.0e9d896.el7.noarch.rpm

$ oc get configmap broker-config -o yaml -n openshift-ansible-service-broker

apiVersion: v1
data:
  broker-config: |
    registry:
      - type: dockerhub
        name: rh
        url:  https://registry.hub.docker.com
        org:  ansibleplaybookbundle
        tag:  v3.7
        white_list: [.*-apb$]

        auth_type: "secret"
        auth_name: "asb-registry-auth"
      - type: local_openshift
        name: localregistry
        namespaces: ['openshift']
        white_list: []
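The verification above shows the two shapes of `broker-config` side by side: the pre-fix form with a plaintext `pass` item, and the fixed form that only names a Secret via `auth_type: "secret"` / `auth_name`. The following script is an added example (not from the bug report or from openshift-ansible) of how a cluster auditor could check for this regression mechanically: it takes the JSON produced by `oc get configmap <name> -o json`, line-scans every `data` value (here, embedded YAML) for password-like keys, and lists the Secrets the config points to instead. The two sample manifests are constructed to mirror the "Actual results" and the verified output quoted in this bug; the key list `CREDENTIAL_KEYS` is an assumption and can be extended for other brokers.

```python
"""Audit a dumped ConfigMap for plaintext registry credentials (added example)."""
import json
import re

# Keys whose value should never live in a ConfigMap; "pass" is the item this bug
# is about. This list is an assumption of the example, not part of the broker.
CREDENTIAL_KEYS = {"pass", "password", "passwd", "token", "api_key", "secret"}

# One YAML mapping line, e.g. "    pass: changeme" or "  - type: dockerhub".
_KV_LINE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][\w.-]*)\s*:\s*(.*?)\s*$")

# Constructed sample: shape of `oc get configmap broker-config -o json` before the fix.
VULNERABLE_CONFIGMAP_JSON = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "broker-config",
                 "namespace": "openshift-ansible-service-broker"},
    "data": {"broker-config":
             "registry:\n"
             "  - type: dockerhub\n"
             "    name: rh\n"
             "    url:  https://registry.hub.docker.com\n"
             "    user: changeme\n"
             "    pass: changeme\n"
             "    org:  ansibleplaybookbundle\n"
             "    tag:  latest\n"
             "    white_list: [u'.*-apb$']\n"},
})

# Constructed sample: the same ConfigMap after the fix, credentials moved to a Secret.
FIXED_CONFIGMAP_JSON = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "broker-config",
                 "namespace": "openshift-ansible-service-broker"},
    "data": {"broker-config":
             "registry:\n"
             "  - type: dockerhub\n"
             "    name: rh\n"
             "    url:  https://registry.hub.docker.com\n"
             "    org:  ansibleplaybookbundle\n"
             "    tag:  v3.7\n"
             "    white_list: [.*-apb$]\n"
             "\n"
             "    auth_type: \"secret\"\n"
             "    auth_name: \"asb-registry-auth\"\n"
             "  - type: local_openshift\n"
             "    name: localregistry\n"
             "    namespaces: ['openshift']\n"
             "    white_list: []\n"},
})


def _data_lines(configmap_json):
    """Yield (data_key, line_number, yaml_key, value) for every mapping line."""
    cm = json.loads(configmap_json)
    for data_key, text in (cm.get("data") or {}).items():
        for lineno, line in enumerate(str(text).splitlines(), start=1):
            m = _KV_LINE.match(line)
            if m:
                yield data_key, lineno, m.group(1), m.group(2).strip("\"'")


def find_plaintext_credentials(configmap_json):
    """Return one finding per credential-looking key that carries a non-empty value."""
    namespace = json.loads(configmap_json).get("metadata", {}).get("namespace")
    return [
        {"namespace": namespace, "data_key": data_key, "line": lineno, "key": key}
        for data_key, lineno, key, value in _data_lines(configmap_json)
        if key.lower() in CREDENTIAL_KEYS and value
    ]


def referenced_secrets(configmap_json):
    """Names of Secrets the config defers to via `auth_type: secret` + `auth_name`."""
    names, pending = [], False
    for _, _, key, value in _data_lines(configmap_json):
        if key == "auth_type":
            pending = value == "secret"
        elif key == "auth_name" and pending:
            names.append(value)
            pending = False
    return names


if __name__ == "__main__":
    for label, doc in (("before fix", VULNERABLE_CONFIGMAP_JSON),
                       ("after fix", FIXED_CONFIGMAP_JSON)):
        print(label, "findings:", find_plaintext_credentials(doc),
              "secrets referenced:", referenced_secrets(doc))
```

Run against a live cluster by piping `oc get configmap broker-config -o json -n openshift-ansible-service-broker` into `json.loads` and calling `find_plaintext_credentials`; an empty result plus a non-empty `referenced_secrets` list is the state the verification in Comment 5 shows. Because the scan is line-based it deliberately does not depend on a YAML library, so it also works on values that are not strictly valid YAML.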
Comment 8 errata-xmlrpc 2018-03-28 10:09:47 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489
