Description of problem:
The configmap for ASB includes registry credentials in plaintext. We should break out the credentials into a separate secret.

Version-Release number of selected component (if applicable):
3.9.0

How reproducible:
100%

Steps to Reproduce:
1. Deploy Ansible service broker with registry credentials set
2. Look at the ASB configmap

Actual results:
Password in plain text

Expected results:
Password is not stored there and kept in a secret
This should be fixed with PR https://github.com/openshift/ansible-service-broker/pull/629 Documentation is here: https://github.com/openshift/ansible-service-broker/pull/628
Fabian, could you help to clarify how to "Deploy Ansible service broker with registry credentials set" in "Steps to Reproduce"?
To test storing the credentials in a secret, you would:

1. Create a secret that contains two fields, `username` and `password`, with the values set to the credentials for your registry.
2. Edit the broker configuration so that in the registries section, for your specific registry, you have the following fields set:

       auth_type: secret
       auth_name: <name of the secret created in step 1>

3. Deploy/Redeploy the broker

If everything worked properly, the broker should have authenticated with the registry (will show up in the broker logs), and if you run `oc describe configmap` on the broker configmap you won't see your username or password in plain text.

The official documentation is here: https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#storing-registry-credentials-in-a-secretfile
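The check in the last step can be scripted. The following is an added example, not part of the comment above or of the broker project: it reads broker configuration text on stdin and fails if any registry entry still carries inline credentials or names `auth_type: secret` without an `auth_name`. It assumes the registries are list items under a top-level `registry:` key and that inline credentials use keys named `user` and `pass`; the sample config is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit a broker config for registry credentials left inline.
# Assumptions: top-level "registry:" list; inline credential keys "user"/"pass".
audit_broker_config() {
  awk '
    function report() {
      if (!seen) return
      if (inline) { print "FAIL " name ": inline credentials"; bad = 1 }
      else if (atype == "secret" && aname == "") { print "FAIL " name ": auth_name is missing"; bad = 1 }
      else if (atype == "secret") print "OK " name ": credentials in secret " aname
      else print "NOTE " name ": no secret reference"
      seen = 0
    }
    /^[ \t]*(#|$)/ { next }                                     # comments, blank lines
    /^[^ \t-]/ { report(); in_reg = ($0 ~ /^registry:/); next } # new top-level key
    !in_reg { next }
    /^[ \t]*-[ \t]/ {                                           # new registry entry
      report(); seen = 1; inline = 0; atype = ""; aname = ""; name = "(unnamed)"
      sub(/-/, " ")
    }
    {
      key = $0; sub(/^[ \t]+/, "", key); val = key
      sub(/:.*$/, "", key)
      sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val); gsub(/^"|"$/, "", val)
      if (key == "name") name = val
      if (key == "auth_type") atype = val
      if (key == "auth_name") aname = val
      if ((key == "user" || key == "pass") && val != "") inline = 1
    }
    END { report(); exit (bad ? 1 : 0) }
  '
}

sample_config() {   # constructed sample, not a real broker config
cat <<'EOF'
registry:
  - type: dockerhub
    name: legacy
    user: exampleuser
    pass: examplepass
  - type: dockerhub
    name: fixed
    auth_type: secret
    auth_name: registry-credentials
log:
  level: info
EOF
}

sample_config | audit_broker_config || echo "audit failed: fix the entries marked FAIL"
```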
I'm changing status to "VERIFIED" since the original problem has been fixed. The other issue, "ASB bootstrap fail while using file authenticate type since failed to read registry credentials from file", in Comment 5 will be traced by BZ https://bugzilla.redhat.com/show_bug.cgi?id=1539310
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0489