Description of problem: Installer should not put registry credentials in plain text in configmap for ASB deployment. The credentials should be put in secret. https://bugzilla.redhat.com/show_bug.cgi?id=1503289 Version-Release number of the following components: openshift-ansible-3.7.0-0.189.0.git.0.d497c5e.el7.noarch.rpm How reproducible: Always Steps to Reproduce: 1. Install OCP with Ansible Service Broker (ASB) enabled with vars such as openshift_enable_service_catalog: true ansible_service_broker_install: true ansible_service_broker_registry_type: dockerhub ansible_service_broker_registry_url: https://registry.hub.docker.com ansible_service_broker_registry_organization: ansibleplaybookbundle ansible_service_broker_registry_user: "changeme" ansible_service_broker_registry_password: "changeme" 2. Check ASB configmap when installation finished. $ oc get configmap broker-config -o yaml -n openshift-ansible-service-broker Actual results: broker-config: | registry: - type: dockerhub name: rh url: https://registry.hub.docker.com user: changeme pass: changeme org: ansibleplaybookbundle tag: latest white_list: [u'.*-apb$'] Expected results: No pass item The credentials should be put in secret. Additional info:
https://github.com/openshift/openshift-ansible/pull/6745/files
Commit pushed to master at https://github.com/openshift/openshift-ansible https://github.com/openshift/openshift-ansible/commit/1a2a895356df638756d2117e3d324710167737db Merge pull request #6745 from shawn-hurley/secret-reg-auth Automatic merge from submit-queue. Bug 1509082 - Adding auth as a secret If username and password are defined we should use a secret for the credentials.
Fixed. openshift-ansible-3.9.0-0.22.0.git.0.0e9d896.el7.noarch.rpm $ oc get configmap broker-config -o yaml -n openshift-ansible-service-broker apiVersion: v1 data: broker-config: | registry: - type: dockerhub name: rh url: https://registry.hub.docker.com org: ansibleplaybookbundle tag: v3.7 white_list: [.*-apb$] auth_type: "secret" auth_name: "asb-registry-auth" - type: local_openshift name: localregistry namespaces: ['openshift'] white_list: []
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0489