[bitnami/harbor] harbor-jobservice-envvars secret obtains the password of the registry from values.yaml in plain text #17020
Comments
Hi @amgonzalezf, First of all, sorry for the delay. Thank you for reporting this issue. I have checked what you describe. Also, I have seen that you have opened several related issues, see #17057, #17024, and #17023. Are all issues related to the same problem? If so, do you have any more? Just to know if we need to approach the issue more generally. Would you like to contribute by creating a PR to solve the issue? The Bitnami team will be happy to review it and provide feedback. Here you can find the contributing guidelines. We're a small team and our capacity is not too high. This is currently on our radar but the priority is not too high. That said, we cannot guarantee any ETA.
Hi @CeliaGMqrz, Those issues are indeed related to the same problem: passwords that must be stated in plain text in the values.yaml file when we want to change the default passwords (which are insecure). I didn't find any other passwords that must be stated in plain text in the values.yaml file apart from those for which I already created tickets. I would like to help with the PRs but it would be the first time that I contribute to a project, so it will take some time for me to learn how to do it properly and right now I also don't have much time for this. In any case, I wanted to at least document the problem in GitHub, so maybe someone else can help as well. In any case, if I have time in the future, I will try to do the PRs myself =)
Hi @amgonzalezf, Great, thanks for reporting this. I have created an internal task for our team to work on the related issue. I will move the case to on-hold until we get updates.
Name and Version
bitnami/harbor v16.6.6
What is the problem this feature will solve?
In order to set a secure password for the registry instead of using the default password "harbor_registry_password", I'm creating a secret called "credentials" that contains the keys `REGISTRY_CREDENTIAL_PASSWORD` and `REGISTRY_CREDENTIAL_USERNAME`, and then I'm setting the field '.Values.core.existingEnvVarsSecret: credentials' in the values.yaml file.

But the jobservice server uses the secret harbor-jobservice-envvars to obtain the password of the registry, and this secret obtains such password from the field .Values.registry.credentials.password. The problem with this is that the only way of providing the jobservice server the password of the registry is by pasting the password in plain text in that field, which is insecure and makes it highly risky to upload the values.yaml file to a git repository (we are trying to follow GitOps principles, the "credentials" secret is generated with SealedSecrets and the sealedsecret manifest is stored in the repository).
What is the feature you are proposing to solve the problem?
From my point of view, the harbor-jobservice-envvars secret should have the option to obtain the password of the registry from a preexisting secret. To avoid duplicities, it would be ideal that the harbor-jobservice-envvars secret obtains the password of the registry by looking at the key `REGISTRY_CREDENTIAL_PASSWORD` within the preexisting secret specified in '.Values.core.existingEnvVarsSecret'.
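
A pre-commit style check for the GitOps risk described in this issue, as an added example that is not part of the original thread or of the Bitnami chart: it flags secret-like keys in a values.yaml that carry a literal value, while leaving references such as `core.existingEnvVarsSecret` alone. The key-name patterns, the `existing` prefix rule and the sample values are assumptions of this example.

```python
import re
import sys

# Key names treated as secret-bearing; this list is an assumption of the example.
SECRET_KEY = re.compile(r"(password|passwd|secret|token)$", re.IGNORECASE)
MAPPING_LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")

# Constructed sample: only the two value paths named in the issue.
SAMPLE = """\
core:
  existingEnvVarsSecret: credentials  # name of a Secret object, not a credential
registry:
  credentials:
    password: "constructed-example-value"
"""


def find_plaintext_secrets(text):
    """Return [(dotted.path, line_no)] for secret-like keys set to a literal.

    Handles plain block-style mappings only (no lists, anchors or flow style).
    """
    stack, findings = [], []  # stack holds (indent, key) of enclosing mappings
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue
        match = MAPPING_LINE.match(raw.split(" #", 1)[0].rstrip())
        if not match:
            continue
        indent, key = len(match.group(1)), match.group(2)
        value = match.group(3).strip().strip("'\"")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value in ("", "~", "null"):
            stack.append((indent, key))  # parent mapping or unset value
            continue
        # Keys such as existingEnvVarsSecret name a Secret object; they are
        # references, not credentials (naming convention assumed here).
        if SECRET_KEY.search(key) and not key.lower().startswith("existing"):
            path = ".".join([k for _, k in stack] + [key])
            findings.append((path, line_no))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    hits = find_plaintext_secrets(source)
    for path, line_no in hits:
        print(f"line {line_no}: {path} holds a literal value")
    sys.exit(1 if hits else 0)
```

Run with a values.yaml path as the only argument; a non-zero exit status lets a pre-commit hook or CI job block the commit.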