dispatch icon indicating copy to clipboard operation
dispatch copied to clipboard
verified publisher icon vmware-archive

Obfuscating credentials in dispatch install

Open markpeek opened this issue 8 years ago • 2 comments

  • [X] Bug
  • [ ] Feature
  • [ ] Enhancement

Detailed Description

Running dispatch install --debug will print out quite a lot of data. Some of this data is secret credentials that should be obfuscated for security purposes.

Context

It is best practice not to print out credentials to prevent accidentally leaking those credentials. The use of --debug should be more careful about what it exposes. Perhaps there could be a non-obfuscation option in case that is needed for real debugging of the credentials.

markpeek avatar Jan 27 '18 01:01 markpeek

This is going to be tough... as we are just printing out helm output. We could try and ensure all credentials are stored as secrets and not passed in through chart configs. This is probably a good idea, but may require that we modify dependent charts.

berndtj avatar Jan 29 '18 18:01 berndtj

Agree that we should store credentials into secrets. (currently, most configurations/credentials are import from values.yaml directly or from values.yaml --> config maps --> (secrets) to the dispatch manager.

In addition, we should also consider avoid pass credentials to values.yaml and then to k8s secrets, but import directly from a file. it is pain to pass values among so many layers, and it is safer to keep the logic as simple as possible.

seanhuxy avatar Jan 29 '18 19:01 seanhuxy