the value is printed while doing a "get" #13
Comments
@hriprsd I believe this is a duplicate of issue #12, which I don't believe is a valid issue.
☝️ Regarding this point, I believe this is not entirely accurate, IIUC. I believe it's more accurate to say this allows anyone with an RBAC role that grants them viewing access to view the K/V via the Concourse UI. Furthermore, this is also true of any other Concourse resource whose metadata is surfaced to Concourse. As I asked in issue #12 ...
☝️ Does this seem reasonable? Or am I mistaken or misunderstanding your use-case?
Hey!
Thanks for your response. The config should not have secrets - correct. But
maybe a config has some endpoints etc. which I don't want others (other
teams) to know. I might be talking of a one-off case but can that
possibility be considered please?
Am new to all this, my question might be silly, please excuse.
- hriprsd
On Mon, 8 Feb, 2021, 19:31 Mike Ball, ***@***.***> wrote:
@hriprsd <https://github.com/hriprsd> I believe this is a duplicate of
issue #12, which I don't *believe* is a valid issue.
This enables anyone (even without access to consul) can view the KV stored
in the concourse ui
☝️ Regarding this point, I *believe* this is not entirely accurate, IIUC.
I believe it's more accurate to say this allows anyone with an RBAC role
that grants them viewing access <https://concourse-ci.org/user-roles.html>
to view the K/V via the Concourse UI. Furthermore, this is *also* true of
any other Concourse resource whose metadata is surfaced to Concourse.
As I asked in issue #12 ...
Are you suggesting that concourse-consul-kv-resource prints the values of
the Consul k/v pairs it tracks? If so, that is expected, no? If the k/v
pairs are secrets, I would think they should be stored in a proper secrets
manager, such as Vault <https://www.vaultproject.io/> and not fetched
directly via the concourse-consul-kv-resource. Or am I misinterpreting?
☝️ Does this seem reasonable? Or am I mistaken or misunderstanding your
use-case?
When I try to get a value from consul, the entire value is printed in the pipeline, i.e. anyone can view it from the concourse-ui.
Sample pipeline:
resources:
  type: consul-kv
  source:
    token: my-acl-token
    host: my-consul.com
    tls_cert: my-cert-string
    tls_key: my-cert-key-string
    key: my/key
jobs:
  plan:
UI Output:
This enables anyone (even without access to consul) to view the KV stored in the concourse ui