Devspace defaults to uploading credentials to cluster #2729
Labels: kind/bug (Something isn't working)
Comments
lizardruss added a commit to lizardruss/devspace that referenced this issue on Nov 7, 2023:
…ildkit builds Fixes devspace-sh#2729 Fixes ENG-2185 Signed-off-by: Russell Centanni <russell.centanni@gmail.com>
@LISTERINE Hello! I've submitted a PR so that DevSpace will only create the pull secrets for in cluster builds. Let us know if this satisfies the issue!
I'm not equipped to test it or familiar with the codebase, but at face value the logic seems sound to me. Thanks for addressing this!
lizardruss added a commit to lizardruss/devspace that referenced this issue on Nov 8, 2023:
…ildkit builds Fixes devspace-sh#2729 Fixes ENG-2185 Signed-off-by: Russell Centanni <russell.centanni@gmail.com>
lizardruss added a commit to lizardruss/devspace that referenced this issue on Nov 14, 2023:
…ildkit builds Fixes devspace-sh#2729 Fixes ENG-2185 Signed-off-by: Russell Centanni <russell.centanni@gmail.com>
What happened?
Running `devspace build` will, by default and without prompting, upload users' credentials to the remote cluster.
What did you expect to happen instead?
At a minimum, a prompt requesting permission to propagate user secrets to remote servers.
How can we reproduce the bug? (as minimally and precisely as possible)
My devspace.yaml:
Local Environment:
Kubernetes Cluster:
Anything else we need to know?
Any organization that uses SSO likely uses local login credentials for services like artifactory, etc... The result being that unless the team using devspace reads about this default behavior, their corporate credentials are now sitting unencrypted in a shared environment without their knowledge.
I can see from the documentation here https://www.devspace.sh/docs/5.x/configuration/pullSecrets/basics that this was a conscious decision. I understand that this was probably to make use of the tool smoother, but IMO is definitely not being handled correctly.
This absolutely should not be the default behavior, and if it is, the user should be prompted before devspace copies credentials to a remote server. Adding a note to the prompt that tells the user how to make the prompt go away for next time (maybe some kind of config) would allow them to quickly transition to that smooth workflow without making security assumptions on their behalf.
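An added example, not part of the original issue and not DevSpace code: a Python audit over the output of `kubectl get secrets -o json` that reports which registries and usernames are stored in image pull secrets in a namespace, without ever returning the passwords. The secret name, namespace, registry host and credentials in `SAMPLE` are constructed for illustration.

```python
import base64
import json

PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def audit_pull_secrets(secret_list):
    """List registry credentials held in pull secrets.

    secret_list is the parsed output of `kubectl get secrets -o json`.
    Passwords are never returned, only whether one is present.
    """
    findings = []
    for item in secret_list.get("items", []):
        if item.get("type") != PULL_SECRET_TYPE:
            continue
        meta = item.get("metadata", {})
        where = {"secret": meta.get("name"), "namespace": meta.get("namespace")}
        raw = item.get("data", {}).get(".dockerconfigjson", "")
        try:
            # Secret data is only base64-encoded, so anyone who can read
            # the secret can recover the credential.
            auths = json.loads(base64.b64decode(raw)).get("auths", {})
        except (ValueError, AttributeError):
            findings.append({**where, "error": "undecodable"})
            continue
        for registry, entry in auths.items():
            user, password = entry.get("username"), entry.get("password")
            if entry.get("auth"):  # base64("user:password") form
                try:
                    decoded = base64.b64decode(entry["auth"]).decode()
                    user, _, password = decoded.partition(":")
                except ValueError:
                    pass
            findings.append({**where, "registry": registry,
                             "username": user, "has_password": bool(password)})
    return findings


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample shaped like `kubectl get secrets -o json` output.
SAMPLE = {"items": [
    {"type": PULL_SECRET_TYPE,
     "metadata": {"name": "example-pull-secret", "namespace": "shared-dev"},
     "data": {".dockerconfigjson": _b64(json.dumps({"auths": {
         "artifactory.example.com": {"auth": _b64("jdoe:constructed-pw")}}}))}},
    {"type": "Opaque", "metadata": {"name": "app-config"}, "data": {}},
]}
```

Running it against a shared namespace shows whose registry logins are present, which is the information a team needs to decide which credentials to rotate.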