
Move consul values to debug

Open antgubarev opened this issue 5 years ago • 3 comments

Description Levant shows consul key values in info level. Are you sure it is a good idea?

2019-05-12T14:26:23+03:00 |INFO| template/funcs: using Consul KV variable with key security/gitlab/registry-user and value gitlab+deploy-token-xxxxx
2019-05-12T14:26:23+03:00 |INFO| template/funcs: using Consul KV variable with key security/gitlab/registry-token and value gbVp52syDv4XXXXX

Output of levant version:

Levant v0.2.7
Date: 2019-03-19T08:26:24Z
Commit: 9e952d55f171e63f5c7955e826401eac91ed0b28
Branch: 0.2.7
State: 0.2.7
Summary: 9e952d55f171e63f5c7955e826401eac91ed0b28

Output of consul version:

Consul v1.4.4
Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)

Output of nomad version:

Nomad v0.9.1 (4b2bdbd9ab68a27b10c2ee781cceaaf62e114399)

antgubarev avatar May 12 '19 11:05 antgubarev

@antgubarev in this situation, no matter what log level is used, items like this have the chance of being exposed to operators. Sensitive items should be kept in a more secure store such as using Vault's KV secret engine.

jrasell avatar Jul 31 '19 10:07 jrasell

Hi @jrasell and thanks for levant, I started using it recently and it saved me quite some time from having to write my own template and deployment wrapper around nomad jobs.

I'd just like to add one more argument in favour of moving the templated values to debug, and that argument has to do with CI/CD:

If you run levant as part of your CI/CD pipeline and use templates to populate secrets as your deployment moves from staging to production, these secrets would appear in the logs of your CI builds where they may be accessed by people who are not supposed to have access to production keys. The workaround for now is to run with -log-level=warn but that hides other useful information too.

My suggestion is to change helper/variable.go to only show the keys for -log-level=info and only show both keys and values for -log-level=debug. If that sounds reasonable I'm happy to make the change and send you a PR.

sakisv avatar May 23 '20 18:05 sakisv
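The change proposed in the comment above (keys only at `-log-level=info`, keys and values at `-log-level=debug`), as an added illustration that is not Levant's own code and not a patch to `helper/variable.go`; the `Level` type, `ParseLevel` and `FormatConsulKVLog` are hypothetical names, and the key/value pair in `main` is a constructed sample rather than a real credential:

```go
package main

import (
	"fmt"
	"strings"
)

// Level mirrors the -log-level choices discussed in the thread (hypothetical type).
type Level int

const (
	LevelWarn Level = iota
	LevelInfo
	LevelDebug
)

// ParseLevel converts a -log-level flag value into a Level; unknown values fall back to info.
func ParseLevel(s string) Level {
	switch strings.ToLower(s) {
	case "debug":
		return LevelDebug
	case "warn", "warning", "error":
		return LevelWarn
	default:
		return LevelInfo
	}
}

// FormatConsulKVLog builds the line emitted for a Consul KV lookup.
// At debug the key and value are both shown; at info only the key is shown and the
// value is redacted; at warn and above nothing is logged (ok == false).
func FormatConsulKVLog(lvl Level, key, value string) (line string, ok bool) {
	switch {
	case lvl >= LevelDebug:
		return fmt.Sprintf("template/funcs: using Consul KV variable with key %s and value %s", key, value), true
	case lvl >= LevelInfo:
		return fmt.Sprintf("template/funcs: using Consul KV variable with key %s (value redacted; use -log-level=debug to show it)", key), true
	default:
		return "", false
	}
}

func main() {
	// Constructed sample input, not a real token.
	key, value := "security/gitlab/registry-token", "example-token-value"
	for _, flag := range []string{"warn", "info", "debug"} {
		line, ok := FormatConsulKVLog(ParseLevel(flag), key, value)
		if ok {
			fmt.Printf("-log-level=%s -> %s\n", flag, line)
		} else {
			fmt.Printf("-log-level=%s -> (nothing logged)\n", flag)
		}
	}
}
```

Keeping the key in the info line preserves the "which variables were substituted" signal that `-log-level=warn` loses, while the value itself never reaches CI build logs unless debug is explicitly requested.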

+1 to showing keys and values if -log-level=debug -- it's way too noisy as it is, especially when you are substituting in a bunch of values.

lhayhurst avatar Jul 14 '21 22:07 lhayhurst