Bug 1533208 - Regression: Registry credentials are displayed in plain text in configmap for ASB
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
3.9.0
Unspecified Unspecified
unspecified Severity unspecified
: ---
: 3.9.0
Assigned To: Shawn Hurley
Zhang Cheng
Blocks: 1509082
Reported: 2018-01-10 13:08 EST by Fabian von Feilitzsch
Modified: 2018-03-28 10:19 EDT
Doc Type: No Doc Update
Last Closed: 2018-03-28 10:19:05 EDT
Type: Bug
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0489 None None None 2018-03-28 10:19 EDT

Description Fabian von Feilitzsch 2018-01-10 13:08:49 EST
Description of problem:
The configmap for ASB includes registry credentials in plaintext. We should break out the credentials into a separate secret.

Version-Release number of selected component (if applicable):
3.9.0

How reproducible:
100%

Steps to Reproduce:
1. Deploy Ansible service broker with registry credentials set
2. Look at the ASB configmap

Actual results:
Password in plain text

Expected results:
Password is not stored there and kept in a secret
Comment 1 Shawn Hurley 2018-01-11 09:55:31 EST
This should be fixed with PR https://github.com/openshift/ansible-service-broker/pull/629

Documentation is here: 
https://github.com/openshift/ansible-service-broker/pull/628
Comment 3 Zhang Cheng 2018-01-24 05:20:38 EST
Fabian,

Could you help to clarify how to "Deploy Ansible service broker with registry credentials set" in "Steps to Reproduce"?
Comment 4 Fabian von Feilitzsch 2018-01-24 14:48:19 EST
To test storing the credentials in a secret, you would:

1. Create a secret that contains two fields, `username` and `password`, with the values set to the credentials for your registry.
2. Edit the broker configuration so that in the registries section, for your specific registry, you have the following fields set:

    auth_type: secret
    auth_name: <name of the secret created in step 1>

3. Deploy/Redeploy the broker

If everything worked properly, the broker should have authenticated with the registry (will show up in the broker logs), and if you run `oc describe configmap` on the broker configmap you won't see your username or password in plain text.

The official documentation is here:
https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#storing-registry-credentials-in-a-secretfile
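
A check for the result described in Comment 4, as an added example that is not part of the original thread or the broker project: it scans a broker config for registry entries that still carry credentials inline and for those using `auth_type: secret`. The top-level `registry:` list layout and the inline key names `user`, `pass`, `username` and `password` are assumptions, and the sample config is constructed.

```shell
# Added example (not broker code): flag registry entries in a broker config that
# carry credentials inline instead of referencing a secret. Assumes block-style YAML
# with a top-level "registry:" list; user/pass/username/password are assumed key names.
audit_broker_config() {
    awk '
    function emit() {
        if (!in_item) return
        if (inline != "") { print "FAIL " name " inline:" inline; bad = 1 }
        else if (atype == "secret" && aname != "") print "OK " name " secret:" aname
        else print "INFO " name " no-credentials"
        in_item = 0
    }
    /^registry:[ \t]*$/ { in_reg = 1; next }
    in_reg && /^[^ \t#-]/ { emit(); in_reg = 0 }       # next top-level key ends the list
    !in_reg { next }
    /^[ \t]*-[ \t]/ {                                   # "- " starts a new registry entry
        emit(); in_item = 1
        name = "(unnamed)"; atype = ""; aname = ""; inline = ""
        sub(/-/, " ")
    }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        i = index(line, ":")
        if (line ~ /^#/ || i == 0) next
        key = substr(line, 1, i - 1); val = substr(line, i + 1)
        gsub(/^[ \t"]+|[ \t"]+$/, "", val)
        if (key == "name") name = val
        else if (key == "auth_type") atype = val
        else if (key == "auth_name") aname = val
        else if (key ~ /^(user|pass|username|password)$/ && val != "")
            inline = inline (inline == "" ? "" : ",") key   # report the key, never the value
    }
    END { emit(); exit bad + 0 }
    '
}
# Constructed sample: one entry with inline credentials, one using a secret.
sample_config() {
    cat <<'EOF'
registry:
  - name: legacy
    user: alice
    pass: hunter2
  - name: fixed
    auth_type: secret
    auth_name: registry-credentials
log:
  level: debug
EOF
}
```

Against a live broker, feed the function the config text itself, for example `oc get configmap <broker-configmap> -o jsonpath='{.data.<config-key>}' | audit_broker_config`, where both placeholders depend on your deployment. The function exits non-zero when any entry still has inline credentials, so it can gate a deployment check.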
Comment 6 Zhang Cheng 2018-01-27 13:00:29 EST
I'm changing status to "VERIFIED" since the original problem has been fixed.
Another issue in Comment 5, "ASB bootstrap fail while using file authenticate type since failed to read registry credentials from file", will be tracked by BZ https://bugzilla.redhat.com/show_bug.cgi?id=1539310
Comment 9 errata-xmlrpc 2018-03-28 10:19:05 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489
