Ship env vars as one-time secret #7923
Conversation
roboquat
added
release-note
team: IDE
team: webapp
Codecov Report
@@ Coverage Diff @@
## main #7923 +/- ##
===========================================
- Coverage 30.45% 10.28% -20.17%
===========================================
Files 115 18 -97
Lines 18732 1001 -17731
===========================================
- Hits 5705 103 -5602
+ Misses 12538 897 -11641
+ Partials 489 1 -488
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report at Codecov.
|
|
/hold |
|
/hold cancel |
|
/werft run 👍 started the job as gitpod-build-cw-envvar-ots.3 |
|
/lgtm Code looks good, tested and works as advertised. /hold |
|
LGTM label has been added. Git tree hash: 1f24a3d385fdb8e9898472e4319b46676e7c6d32
|
|
@geropl fair point - will correct this |
csweichel
force-pushed
the
cw/envvar-ots
branch
from
9dc26a3 to
05dcf52
Compare
|
@geropl changed the env var OTS timeout - needs another lgtm |
|
I hoped for a constant. 😄 But |
|
LGTM label has been added. Git tree hash: 60750202a474f0d6177f69539a5f16bc7546bdb0
|
|
/approve no-issue |
That would have been smarter. Lesson learned: first coffee, then PR |
|
I cannot really test it, it fails when i try to configure Gitpod app in order to create a new project: |
|
looking at the code you'll see that we treat the |
|
/lgtm I rely on @geropl testing. 😄 Scanned for compatibilities between server and supervisor looks like can be deployed in any order. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: akosyakov, geropl Associated issue requirement bypassed by: geropl The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
| return ev; | ||
| }); | ||
| ev.setName(e.name); | ||
| ev.setValue(e.name); |
There was a problem hiding this comment.
How did this work then during testing, at all? 🤔
There was a problem hiding this comment.
@geropl I think you tested before the bug was introduced.
| return ev; | ||
| }); | ||
| ev.setName(e.name); | ||
| ev.setValue(e.name); |
There was a problem hiding this comment.
Also sometimes the value seems to be name + ' ' + value? 🤔
EDIT: Ah, actually the JAVA_TOOL_OPTIONS normal behavior is to append values. Not part of the bug.
Description
Today user environment variables become environment variables on the workspace pod. This is a clean and straight forward way to implement env vars, but it suffers from a drawback: values are stored in clear-text on the pod. If one isn't careful about logging, those values could be spread into the logs, and are visible to everyone with access to the cluster.
This PR starts shipping env vars as one-time secret, much like we ship the Git hoster token. This way, environment variable values are not visible to anyone, except within the workspace.
How to test
kubectl get pod -o yaml ws-...and ensure the user env vars are not present.Release Notes