Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1665010

Summary: Should show Webhook secret and create a link to the secret
Product: OpenShift Container Platform Reporter: Yadan Pei <yapei>
Component: Management ConsoleAssignee: Jakub Hadvig <jhadvig>
Status: CLOSED ERRATA QA Contact: Yadan Pei <yapei>
Severity: low Docs Contact:
Priority: medium    
Version: 4.1.0CC: aos-bugs, bmignano, jkleiner, jokerman, mmccomas, yapei
Target Milestone: ---Keywords: Reopened
Target Release: 4.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: User was not able to copy the whole webhook trigger URL since the secret value was obfuscated. Consequence: User was not able to copy the whole webhook trigger URL since the secret value was obfuscated. Fix: Add a link to copy the webhook trigger URL to clipboard Result: User is able to copy the webhook trigger URL to clipboard
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-16 06:27:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
design none

Description Yadan Pei 2019-01-10 09:22:15 UTC 
Description of problem:
When we add a secret for Webhook, we should show a link to the secret in Webhooks table "SECRET" column, at least for cluster-admin

Version-Release number of selected component (if applicable):
registry.svc.ci.openshift.org/openshift/origin-v4.0-2019-01-10-044754@sha256   ab9cd0df895b7ab74594d33a68c87443609bd8b1a1327f0de2044f470318f4d7   a71164a46db0   3 hours ago         268 MB
with commit afbc04657d94682d5ec15a0146ac4a8e7da692da

How reproducible:
Always

Steps to Reproduce:
1. Create test secret, test application
$ oc create secret generic mysecret --from-literal=WebHookSecretKey=1234qwer
$ oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git
2. Add GitLab Webhook and secret
$ oc get bc ruby-ex -o yaml | grep -i secret -A 1
      secret: GrlGs1T2_gOeu8DDppJF
    type: GitHub
--
      secret: wcBbK1vITZV6X_lJoI5w
    type: Generic
--
      secret: mysecret
    type: GitLab

3. Cluster admin visit Build Configs -> ruby-ex -> Overview, Webhooks table


Actual results:
3. GitLab Webhook URL shows https://172.30.0.1:443/apis/build.openshift.io/v1/namespaces/yapei/buildconfigs/ruby-ex/webhooks/<secret>/gitlab and no data in "SECRET" column 

Expected results:
3. We should give a link to secret/mysecret in "SECRET" column because GitLab Webhooks use this secret

Additional info:
Do we need show exact secret name/value for cluster-admin? That's how we expose for 3.x version
Comment 1 Samuel Padgett 2019-01-13 22:15:54 UTC 
We made a deliberate choice not to show the secret value on the details page to avoid users exposing it through shoulder surfing, accidentally in screenshots, etc. The value is sensitive. While this is a worse user experience, it is a compromise to improve security.

The secret column is a link to a secret if we webhook uses a secret reference and should not have a value in this case. We recommend using secret references for webhook secrets.
Comment 2 Grant Shipley 2019-05-23 19:54:48 UTC 
Reopening this as it is a regression from 3.11.  I can understand not displaying it in plain text like we did in 3.x but we need at least to have the copy button added in like we had in 3.x that includes the full API URL.  With the current implementation, a user will need to copy and paste from various places in order to construct a webhook.
Comment 3 Samuel Padgett 2019-05-23 20:06:57 UTC 
A copy link or button is a good compromise.
Comment 4 bmignano 2019-07-26 15:49:11 UTC 
Created attachment 1593755 [details]
design

Attached is the design recommendation for this bug.
Comment 5 Jakub Hadvig 2019-07-30 10:47:01 UTC 
Fixing PR: https://github.com/openshift/console/pull/2214
Comment 7 Yadan Pei 2019-08-01 05:27:11 UTC 
Changes are not included in 4.2.0-0.nightly-2019-07-31-162901, will check on newer builds
Comment 8 Yadan Pei 2019-08-02 03:00:36 UTC 
Now we have a 'Copy URL with Secret' button for users have the edit/admin permission.

Clicking on 'Copy URL with Secret', the webhook URL will be constructed


When we reference a secret in webhook like:
  triggers:
  - github:
      secret: flurzSiPgajj7xJPDGua
    type: GitHub
  - generic:
      secret: 25hzqgLm8PCgugCUGDEV
    type: Generic
  - gitlab:
      secretReference:
        name: mysecret
    type: GitLab

Console will render a link to the secret. 


Verified on registry.svc.ci.openshift.org/ocp/release:4.2.0-0.nightly-2019-08-01-113533
Comment 11 errata-xmlrpc 2019-10-16 06:27:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922