When adding git repositories, argo-cd server writes confidential credentials (username, password, SSH key) to its log stream.
I'd rather expect that those credentials are obfuscated during logging.
Steps to reproduce:
Issue some CLI command like this:
argocd repo add ssh://git@server/repo.git --sshPrivateKeyPath /path/to/ssh/key
Inspect the argocd-server logs like this:
kubectl -n argo logs argocd-server-6fb798d5b4-57qp8 | grep -F 'RSA PRIVATE KEY'
The output looks like this:
time="2018-09-27T09:47:54Z" level=info msg="received unary call /repository.RepositoryService/Create" grpc.method=Create grpc.request.claims="{"at_hash":"RIAPRIwsFlbL1wuCd8wVvA","aud":"argo-cd-cli","email":"user@provider.com","email_verified":false,"exp":1538124151,"iat":1538037751,"iss":"https://argocd/api/dex\",\"name\":\"User Name","sub":"CiQ4ODdkZjAyMC0yMTRjLTQ5YzItYTlkZC03MDcxYmU2MzI2YjMSA3k2Yg"}" grpc.request.content="repo:<repo:"ssh://git@server/repo.git" username:"" password:"" sshPrivateKey:"-----BEGIN RSA PRIVATE KEY-----\n THE FULL KEY IS LOGGED \n-----END RSA PRIVATE KEY-----\n" connectionState:<status:"" message:"" > > " grpc.service=repository.RepositoryService grpc.start_time="2018-09-27T09:47:54Z" span.kind=server system=grpc
Fix issue where argocd-server logged credentials in plain text during…
8997037
… repo add (issue argoproj#653)
316fcc6
… repo add (issue #653)
f8b2576
Fixed. Will be available in v0.9.2 and v0.10.X
jessesuen
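One way to mask credential fields before a request payload reaches the logger, as an added example (this is not the Argo CD fix referenced in the commits above). `RedactPayload`, `LeaksSecret`, `mask` and the sample payload are hypothetical names and constructed data for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const mask = "******"

// Constructed payload in the shape of the grpc.request.content value from the
// issue; the key body is a placeholder, not real key material.
const samplePayload = `repo:<repo:"ssh://git@server/repo.git" username:"" password:"" ` +
	`sshPrivateKey:"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n" ` +
	`connectionState:<status:"" message:"" > > `

// sensitiveField matches non-empty password and sshPrivateKey values. The value
// pattern accepts backslash escapes, so an escaped quote does not end the match.
var sensitiveField = regexp.MustCompile(`\b(password|sshPrivateKey):"(?:[^"\\]|\\.)+"`)

// pemMarker catches key material that shows up under an unexpected field name.
var pemMarker = regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)

// RedactPayload masks credential values; call it before handing the payload to the logger.
func RedactPayload(payload string) string {
	return sensitiveField.ReplaceAllString(payload, `${1}:"`+mask+`"`)
}

// LeaksSecret reports whether a payload carries unmasked credential material.
// It is meant as a unit-test guard on code that logs request payloads.
func LeaksSecret(payload string) bool {
	for _, m := range sensitiveField.FindAllString(payload, -1) {
		if !strings.HasSuffix(m, `:"`+mask+`"`) {
			return true
		}
	}
	return pemMarker.MatchString(payload)
}

func main() {
	redacted := RedactPayload(samplePayload)
	fmt.Println(redacted)
	fmt.Println("leak before:", LeaksSecret(samplePayload), "after:", LeaksSecret(redacted))
}
```

Empty fields such as `password:""` are left untouched, so the log still shows which credential type was supplied.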