Bug 1533208 - Regression: Registry credentials are displayed in plain text in configmap for ASB
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.9.0
Assignee: Shawn Hurley
QA Contact: Zhang Cheng
URL:
Whiteboard:
Depends On:
Blocks: 1509082
 
Reported: 2018-01-10 18:08 UTC by Fabian von Feilitzsch
Modified: 2018-03-28 14:19 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-28 14:19:05 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0489 0 None None None 2018-03-28 14:19:32 UTC

Description Fabian von Feilitzsch 2018-01-10 18:08:49 UTC
Description of problem:
The configmap for ASB includes registry credentials in plaintext. We should break out the credentials into a separate secret.

Version-Release number of selected component (if applicable):
3.9.0

How reproducible:
100%

Steps to Reproduce:
1. Deploy Ansible service broker with registry credentials set
2. Look at the ASB configmap

Actual results:
Password in plain text

Expected results:
Password is not stored there and kept in a secret

Comment 1 Shawn Hurley 2018-01-11 14:55:31 UTC
This should be fixed with PR https://github.com/openshift/ansible-service-broker/pull/629

Documentation is here: 
https://github.com/openshift/ansible-service-broker/pull/628

Comment 3 Zhang Cheng 2018-01-24 10:20:38 UTC
Fabian,

Could you help to clarify how to "Deploy Ansible service broker with registry credentials set" in "Steps to Reproduce"?

Comment 4 Fabian von Feilitzsch 2018-01-24 19:48:19 UTC
To test storing the credentials in a secret, you would:

1. Create a secret that contains two fields, `username` and `password`, with the values set to the credentials for your registry.
2. Edit the broker configuration so that in the registries section, for your specific registry, you have the following fields set

    auth_type: secret
    auth_name: <name of the secret created in step 1>

3. Deploy/Redeploy the broker

If everything worked properly, the broker should have authenticated with the registry (will show up in the broker logs), and if you run `oc describe configmap` on the broker configmap you won't see your username or password in plain text.

The official documentation is here:
https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#storing-registry-credentials-in-a-secretfile
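
One way to script the check described in Comment 4 (an added example, not part of the bug report or the broker's own code): it scans broker config text for registry entries that still carry inline credentials. The section name `registry` and the field names `user` and `pass` are assumptions about the config layout; `auth_type` and `auth_name` are the fields named in the comment, and the sample config is constructed.

```python
import re

# Constructed broker config text, shaped like the broker configmap content. `registry`,
# `user`, `pass` are assumed key names; `auth_type`/`auth_name` come from the comment.
SAMPLE_CONFIG = """\
registry:
  - type: dockerhub
    name: legacy
    user: alice
    pass: constructed-password
  - type: dockerhub
    name: hardened
    auth_type: secret
    auth_name: asb-registry-auth
log:
  level: debug
"""
INLINE_CRED_KEYS = {"user", "pass"}  # assumed plaintext credential fields


def parse_registries(config_text, section="registry"):
    """Return the key/value dicts listed under the top-level `section` key."""
    entries, in_section = [], False
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and not line.startswith("-"):  # new top-level key
            in_section = line.split(":", 1)[0] == section
            continue
        m = re.match(r"\s*(-\s+)?([\w-]+):\s*(.*)$", line)
        if not in_section or not m:
            continue
        if m.group(1):  # "- key: value" opens a new registry entry
            entries.append({})
        if entries:
            entries[-1][m.group(2)] = m.group(3).strip().strip("'\"")
    return entries


def audit_registries(config_text):
    """Map registry name -> findings; an empty list means the entry passes."""
    report = {}
    for reg in parse_registries(config_text):
        found = [f"inline credential field '{k}'"
                 for k in sorted(INLINE_CRED_KEYS & reg.keys()) if reg[k]]
        if reg.get("auth_type") == "secret" and not reg.get("auth_name"):
            found.append("auth_type is secret but auth_name is empty")
        report[reg.get("name", "<unnamed>")] = found
    return report
```

Run `audit_registries` on the broker config text extracted from the configmap; any non-empty findings list means credentials are still stored outside a secret.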

Comment 6 Zhang Cheng 2018-01-27 18:00:29 UTC
I'm changing status to "VERIFIED" since the original problem has been fixed.
The other issue in Comment 5, "ASB bootstrap fail while using file authenticate type since failed to read registry credentials from file", will be tracked by BZ https://bugzilla.redhat.com/show_bug.cgi?id=1539310

Comment 9 errata-xmlrpc 2018-03-28 14:19:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0489

