9 changes: 8 additions & 1 deletion snc.sh
Expand Up @@ -280,7 +280,14 @@ FROM scratch
RUN ln -sf var/Users /Users && mkdir /var/Users
EOF
podman build --from ${RHCOS_IMAGE} --authfile ${OPENSHIFT_PULL_SECRET_PATH} -t default-route-openshift-image-registry.apps-crc.testing/openshift-machine-config-operator/rhcos:latest --file ${INSTALL_DIR}/Containerfile .
retry ${OC} login -u kubeadmin -p $(cat ${INSTALL_DIR}/auth/kubeadmin-password) --insecure-skip-tls-verify=true api.${SNC_PRODUCT_NAME}.${BASE_DOMAIN}:6443
(
set +x # disable the logging in the subshell to prevent the password leakage
kubeadmin_pass=$(cat ${INSTALL_DIR}/auth/kubeadmin-password)
retry ${OC} login -u kubeadmin -p "$kubeadmin_pass" --insecure-skip-tls-verify=true api.${SNC_PRODUCT_NAME}.${BASE_DOMAIN}:6443
rm -f ${INSTALL_DIR}/auth/kubeadmin-password
esc_pw="$(printf '%s' "$kubeadmin_pass" | sed -e 's/[\/&|\\]/\\&/g')"
sed -i "s|$esc_pw|REDACTED|g" "${INSTALL_DIR}/.openshift_install.log"
)
retry ${OC} registry login -a ${INSTALL_DIR}/reg.json
retry podman push --authfile ${INSTALL_DIR}/reg.json --tls-verify=false default-route-openshift-image-registry.apps-crc.testing/openshift-machine-config-operator/rhcos:latest
cat << EOF > ${INSTALL_DIR}/custom-os-mc.yaml
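Review bot: The scrub on the `sed -i "s|$esc_pw|REDACTED|g"` line only escapes `/ & | \`, so a password containing `.`, `*`, `[`, `^` or `$` is still interpreted as a BRE and can redact the wrong span or miss the real one, and an empty `kubeadmin_pass` (missing file) turns the expression into `s||REDACTED|g`, which sed rejects for lack of a previous regex. Guard the value and escape the full metacharacter set: `[ -n "$kubeadmin_pass" ] || exit 1` right after the `cat`, and `esc_pw="$(printf '%s' "$kubeadmin_pass" | sed -e 's/[][\/.*^$&|\\]/\\&/g')"`. Note that `-p "$kubeadmin_pass"` still places the secret on the process argv for each retry, which `set +x` does not cover; if `oc login` offers no stdin path, a one-line comment recording that accepted exposure would help the next reader. `tools.sh` in this same change reads `$1/auth/kubeadmin-password`, so the `rm -f` here presumably runs after that caller — worth confirming.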
13 changes: 8 additions & 5 deletions systemd/crc-cluster-status.sh
@@ -1,5 +1,9 @@
#!/bin/bash

set -o pipefail
set -o errexit
set -o nounset
set -o errtrace
set -x

export KUBECONFIG=/opt/kubeconfig
Expand All @@ -9,19 +13,19 @@ if [ ! -f /opt/crc/pass_kubeadmin ]; then
exit 1
fi

PASS_KUBEADMIN="$(cat /opt/crc/pass_kubeadmin)"

rm -rf /tmp/.crc-cluster-ready

if ! oc adm wait-for-stable-cluster --minimum-stable-period=1m --timeout=10m; then
exit 1
fi

set +x

echo "Logging into OpenShift with kubeadmin user to update $KUBECONFIG"
COUNTER=1
MAXIMUM_LOGIN_RETRY=10
until oc login --insecure-skip-tls-verify=true -u kubeadmin -p "$PASS_KUBEADMIN" https://api.crc.testing:6443 > /dev/null 2>&1; do

# use a `(set +x)` subshell to avoid leaking the password
until (set +x ; oc login --insecure-skip-tls-verify=true -u kubeadmin -p "$(cat /opt/crc/pass_kubeadmin)" https://api.crc.testing:6443 > /dev/null 2>&1); do
if [ "$COUNTER" -ge "$MAXIMUM_LOGIN_RETRY" ]; then
echo "Unable to login to the cluster..., authentication failed."
exit 1
Expand All @@ -33,4 +37,3 @@ done

# need to set a marker to let `crc` know the cluster is ready
touch /tmp/.crc-cluster-ready
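Review bot: The script-level `set +x` placed before the login loop makes the per-attempt `(set +x ; …)` subshell redundant, and it also mutes tracing for the retry bookkeeping after it, which is the part you most want in the journal when login keeps failing. The subshell form alone already scopes the mute to the `oc login` command, because the `$(cat /opt/crc/pass_kubeadmin)` expansion runs after the inner `set +x`, so dropping the standalone `set +x` loses nothing. The password is still handed to `oc login` on argv and is therefore readable from `/proc/<pid>/cmdline` by other node users during each attempt; if `oc login` cannot read it from stdin, a comment such as `# password is on argv for the lifetime of oc login; set +x only hides it from the trace` would document the accepted exposure. The loop body continues past this hunk.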

22 changes: 17 additions & 5 deletions systemd/crc-pullsecret.sh
@@ -1,20 +1,32 @@
#!/bin/bash

set -o pipefail
set -o errexit
set -o nounset
set -o errtrace
set -x

source /usr/local/bin/crc-systemd-common.sh
export KUBECONFIG="/opt/kubeconfig"

wait_for_resource secret

set +x # disable the logging to avoid leaking the pull secrets

# check if existing pull-secret is valid if not add the one from /opt/crc/pull-secret
existingPsB64=$(oc get secret pull-secret -n openshift-config -o jsonpath="{['data']['\.dockerconfigjson']}")
existingPs=$(echo "${existingPsB64}" | base64 -d)

echo "${existingPs}" | jq -e '.auths'

if [[ $? != 0 ]]; then
pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
oc patch secret pull-secret -n openshift-config --type merge -p "{\"data\":{\".dockerconfigjson\":\"${pullSecretB64}\"}}"
# check if the .auths field is there
if echo "${existingPs}" | jq -e 'has("auths")' >/dev/null 2>&1; then
echo "Cluster already has the pull secrets, nothing to do"
exit 0
fi

echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..."
pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
# Create the JSON patch in memory and pipe it to the oc command
printf '{"data":{".dockerconfigjson": "%s"}}' "${pullSecretB64}" | \
oc patch secret pull-secret -n openshift-config --type merge --patch-file=/dev/stdin

Comment on lines +26 to +31

@coderabbitai coderabbitai bot Oct 1, 2025


⚠️ Potential issue | 🟠 Major

Guard against missing local pull secret before patching.

If /opt/crc/pull-secret is absent/unreadable, base64/oc patch will fail with opaque errors. Add an explicit check.

 echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..."
+if [ ! -r /opt/crc/pull-secret ]; then
+    echo "/opt/crc/pull-secret is missing or unreadable" 1>&2
+    exit 1
+fi
 pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..."
pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
# Create the JSON patch in memory and pipe it to the oc command
printf '{"data":{".dockerconfigjson": "%s"}}' "${pullSecretB64}" | \
oc patch secret pull-secret -n openshift-config --type merge --patch-file=/dev/stdin
echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..."
if [ ! -r /opt/crc/pull-secret ]; then
echo "/opt/crc/pull-secret is missing or unreadable" 1>&2
exit 1
fi
pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
# Create the JSON patch in memory and pipe it to the oc command
printf '{"data":{".dockerconfigjson": "%s"}}' "${pullSecretB64}" | \
oc patch secret pull-secret -n openshift-config --type merge --patch-file=/dev/stdin
🤖 Prompt for AI Agents
In systemd/crc-pullsecret.sh around lines 26 to 31, the script assumes
/opt/crc/pull-secret exists and is readable before running base64 and oc patch;
add an explicit check that the file exists and is readable (e.g., test -r
/opt/crc/pull-secret), produce a clear error message and exit non-zero if the
check fails (or skip patching), then only run base64 and oc patch when the file
passes the check; also guard and handle empty output from base64 before piping
to oc to avoid applying an invalid patch.

Contributor Author


👍🏻 I'll add that to #1168



@kpouget Thank you for acknowledging the suggestion! Sounds good—I'll keep an eye out for the fix in #1168. 🙂

exit 0
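Review bot: The decode step `existingPs=$(echo "${existingPsB64}" | base64 -d)` now runs under `errexit` and `pipefail`, so a cluster whose `.dockerconfigjson` holds malformed base64 aborts the unit instead of reaching the repair path, even though the comment above describes the intent as replacing an invalid secret. Tolerating the decode failure, `existingPs=$(printf '%s' "${existingPsB64}" | base64 -d 2>/dev/null || true)`, lets the following `jq -e 'has("auths")'` test decide as the comment implies. That `jq` test also exits non-zero when the decoded document is not a JSON object, which is the outcome you want here, so a comment like `# any non-object or auths-less document takes the repair path` would make that deliberate rather than accidental.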
37 changes: 24 additions & 13 deletions systemd/ocp-userpasswords.sh
@@ -1,14 +1,21 @@
#!/bin/bash

set -o pipefail
set -o errexit
set -o nounset
set -o errtrace
set -x

source /usr/local/bin/crc-systemd-common.sh
export KUBECONFIG="/opt/kubeconfig"

function gen_htpasswd() {
if [ ! -z "${1}" ] && [ ! -z "${2}" ]; then
podman run --rm -ti xmartlabs/htpasswd $1 $2 >> /tmp/htpasswd.txt
if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
echo "gen_htpasswd needs two arguments: username password" 1>&2
return 1
fi

podman run --rm docker.io/xmartlabs/htpasswd "$1" "$2"
}

wait_for_resource secret
Expand All @@ -19,20 +26,24 @@ if [ ! -f /opt/crc/pass_developer ]; then
fi

if [ ! -f /opt/crc/pass_kubeadmin ]; then
echo "developer password does not exist"
echo "kubeadmin password does not exist"
exit 1
fi

PASS_DEVELOPER=$(cat /opt/crc/pass_developer)
PASS_KUBEADMIN=$(cat /opt/crc/pass_kubeadmin)
echo "generating the kubeadmin and developer passwords ..."

rm -f /tmp/htpasswd.txt
gen_htpasswd developer "${PASS_DEVELOPER}"
gen_htpasswd kubeadmin "${PASS_KUBEADMIN}"
set +x # /!\ disable the logging to avoid leaking the passwords

if [ -f /tmp/htpasswd.txt ]; then
sed -i '/^\s*$/d' /tmp/htpasswd.txt
dev_pass=$(gen_htpasswd developer "$(cat /opt/crc/pass_developer)")
adm_pass=$(gen_htpasswd kubeadmin "$(cat /opt/crc/pass_kubeadmin)")

oc create secret generic htpass-secret --from-file=htpasswd=/tmp/htpasswd.txt -n openshift-config --dry-run=client -o yaml > /tmp/htpass-secret.yaml
oc replace -f /tmp/htpass-secret.yaml
fi
echo "creating the password secret ..."
# use bash <() to use a temporary fd file
# use sed to remove the empty lines
oc create secret generic htpass-secret \
--from-file=htpasswd=<(printf '%s\n%s\n' "$dev_pass" "$adm_pass") \
-n openshift-config \
--dry-run=client -oyaml \
| oc apply -f-

echo "all done"
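Review bot: `gen_htpasswd` hands the developer and kubeadmin passwords on argv to an unpinned third-party image, `docker.io/xmartlabs/htpasswd`, so whatever Docker Hub serves under that name at boot time receives the cluster admin credential; pinning it by digest (`docker.io/xmartlabs/htpasswd@sha256:<digest>`) or pre-loading it into the node image makes that dependency reviewable. The password is also visible in the container's argv via `ps` on the host while it runs, which `set +x` does not cover; if the image can read from stdin that would be the better interface — unconfirmed from here. The comment `# use sed to remove the empty lines` above the `oc create secret` call is stale: no `sed` runs, and `$(…)` already strips the trailing newline from each `gen_htpasswd` result, so replace it with `# $(…) strips trailing newlines, so no blank-line cleanup is needed`.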
9 changes: 6 additions & 3 deletions tools.sh
Expand Up @@ -219,7 +219,10 @@ function create_vm {
function generate_htpasswd_file {
local auth_file_dir=$1
local pass_file=$2
random_password=$(cat $1/auth/kubeadmin-password)
${HTPASSWD} -c -B -b ${pass_file} developer developer
${HTPASSWD} -B -b ${pass_file} kubeadmin ${random_password}
(
set +x # use a subshell to avoid leaking the password
local random_password=$(cat $1/auth/kubeadmin-password)
${HTPASSWD} -c -B -i "${pass_file}" developer <<<"developer"
${HTPASSWD} -B -i "${pass_file}" kubeadmin <<<"${random_password}"
)
}
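Review bot: `local random_password=$(cat $1/auth/kubeadmin-password)` masks the `cat` exit status (the `local` builtin returns 0), so inside the `set +x` subshell a missing or unreadable password file is not caught by errexit and `htpasswd -i` is fed an empty line — producing a kubeadmin entry whose password is empty. Split the declaration and refuse an empty value: `local random_password`, `random_password=$(cat -- "${auth_file_dir}/auth/kubeadmin-password")`, `[ -n "${random_password}" ] || exit 1  # leaves the subshell non-zero`. The function also assigns `auth_file_dir=$1` and then reads `$1` unquoted, so using the local keeps the two in step. Whether `htpasswd -i` strips the newline that `<<<` appends is worth a one-line comment, since a hashed trailing newline would silently break the login.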