kubeapps icon indicating copy to clipboard operation
kubeapps copied to clipboard

Published 20 hours ago verified publisher icon vmware-tanzu

[Repository] add a request flag to control at which level credentials are redacted when fetching a repository

Open dlaloue-vmware opened this issue 2 years ago • 5 comments

When doing a GET on a given repository, plugins will ensure that credentials are marked as redacted. The current setting is to do full redaction, but some users may want to be able to view more useful data (e.g. see the username but not the password), or all data.

the proposal is to pass an option/flag to the GET request to indicate what level of redaction to apply, something like FULL | MIXED | NONE.

dlaloue-vmware avatar Jun 07 '22 18:06 dlaloue-vmware

Thanks, this will be helpful as a pattern in other areas too so that we don't send the actual secret data across the network unless explicitly requested to do so: for example, when fetching the resources for an installed app, currently we fetch the secrets in full (though they are not displayed unless the reveal/eye icon is clicked in the UX). This pattern will allow us to fetch redacted secrets initially (so the UX can display the secrets along with other resources as it does currently) and only fetch the actual secret data for a particular secret if the user explicitly requests it.

absoludity avatar Jun 08 '22 00:06 absoludity

It would be great if the values are hidden by default as well. In some cases, there are secrets/passwords in there as well, so it would be good to hide them behind a "show helm values" toggle or something.

smerschjohann avatar Jul 01 '22 09:07 smerschjohann

Do you mean from the API response as well?

Currently, the repos API is doing it, so the UI (still in progress) shows the REDACTED value by default.

image

However, the packages API does send the secret values, although the UI hides them by default:

image

In case you mean also using a config-level flag to disable that feature (in the packages API, not the repos one), I think it's worth opening a separate issue for that. From memory, I don't know how easy it would be, but certainly worth discussing.

antgamdia avatar Jul 01 '22 10:07 antgamdia

Oh sorry, this is about the repos api. my bad, I meant those values:

grafik

smerschjohann avatar Jul 01 '22 10:07 smerschjohann

before implementing a solution for a flag, i think we need to fix the following 2 bugs: issue #5746 issue #5747

The current UI does not provide a "view" UI, so the only time we would see the data is during an edit/update. This diminishes the need for such a flag as the UI would not be using it.

Finally, we would need to decide how we want to use this flag in the UI. For example, do we have an install flag that defines the default option, do we use a preference settings, or just a toggle on the view/update page (which would reload the page).

dlaloue-vmware avatar Nov 28 '22 23:11 dlaloue-vmware