Database password is stored in Configmap as clear text

[darend]

The password for the clair and notary databases are stored in a Configmap as clear text. It should be stored as Secret for security.

A template is used to construct the postgres URL with the password:

harbor-helm/templates/_helpers.tpl

Lines 133 to 143 in c263ec9

	{{- define "harbor.database.clair" -}}
	postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.clairDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
	{{- end -}}
	{{- define "harbor.database.notaryServer" -}}
	postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notaryServerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
	{{- end -}}
	{{- define "harbor.database.notarySigner" -}}
	postgres://{{ template "harbor.database.username" . }}:{{ template "harbor.database.rawPassword" . }}@{{ template "harbor.database.host" . }}:{{ template "harbor.database.port" . }}/{{ template "harbor.database.notarySignerDatabase" . }}?sslmode={{ template "harbor.database.sslmode" . }}
	{{- end -}}

Its then used in the configmaps:

harbor-helm/templates/clair/clair-cm.yaml

Line 15 in c263ec9

source: "{{ template "harbor.database.clair" . }}"

harbor-helm/templates/notary/notary-cm.yaml

Line 35 in c263ec9

"db_url": "{{ template "harbor.database.notaryServer" . }}"

harbor-helm/templates/notary/notary-cm.yaml

Line 59 in c263ec9

"db_url": "{{ template "harbor.database.notarySigner" . }}",

[draeron]

this is critical security issue, on our cluster, all pod's stdout get collected and sent to a elasticsearch cluster which means the value of our password get indexed.

so even if the value would be stored these kind of logs will get posted.

waiting for postgres://harbor:[email protected]:5432/notary_server?sslmode=disable to come up.

[ywk253100]

@darend Thanks for your feedback, we'll fix it.

[ywk253100]

@darend The issue of password leaking is tracked by goharbor/harbor#7510.

[darend]

The issue of password leaking is tracked by goharbor/harbor#7510.

@ywk253100 Thanks. That issue tracks logging of passwords, there is still the issue that the password is stored in a ConfigMap vs Secret