Status: Open. Opened by hriprsd 3 years ago.
@hriprsd I believe this is a duplicate of issue #12, which I don't believe is a valid issue.
> This enables anyone (even without access to consul) to view the KV stored in the concourse ui
☝️ Regarding this point, I believe this is not entirely accurate, IIUC. I believe it's more accurate to say this allows anyone with an RBAC role that grants them viewing access to view the K/V via the Concourse UI. Furthermore, this is also true of any other Concourse resource whose metadata is surfaced to Concourse.
As I asked in issue #12 ...

> Are you suggesting that `concourse-consul-kv-resource` prints the values of the Consul k/v pairs it tracks? If so, that is expected, no? If the k/v pairs are secrets, I would think they should be stored in a proper secrets manager, such as Vault, and not fetched directly via the `concourse-consul-kv-resource`. Or am I misinterpreting?
☝️ Does this seem reasonable? Or am I mistaken or misunderstanding your use-case?
Hey! Thanks for your response. The config should not have secrets, correct. But maybe a config has some endpoints etc. which I don't want others (other teams) to know. I might be talking of a one-off case, but can that possibility be considered, please? I'm new to all this; my question might be silly, please excuse.
On Mon, 8 Feb 2021, 19:31, Mike Ball (notifications@github.com) wrote the comment quoted above.
When I try to get a value from consul, the entire value is printed in the pipeline, i.e. anyone can view it from the concourse-ui. Sample pipeline:

```yaml
resources:
jobs:
```

UI Output:

This enables anyone (even without access to consul) to view the KV stored in the concourse ui
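The issue above is that a resource surfaces fetched Consul K/V values verbatim as build metadata, which is then visible to anyone holding a Concourse role that can view the pipeline. The following is an added example, not code from concourse-consul-kv-resource or from the thread's authors: it builds the JSON a Concourse resource's `in` script prints (the real `version` plus `metadata` name/value shape) but replaces values of keys matching an assumed sensitive-name pattern with a short SHA-256 fingerprint, so builds remain comparable in the UI without exposing the value. The sample K/V pairs and the key pattern are constructed for illustration, and `leaked_sensitive_values` is a hypothetical audit helper that checks an emitted response for verbatim sensitive values.

```python
import hashlib
import json
import re

# Constructed sample of Consul K/V pairs as a resource might fetch them (not real data).
SAMPLE_KV = {
    "service/api/endpoint": "https://api.internal.example",
    "service/api/db_password": "hunter2",
    "service/api/replicas": "3",
}

# Assumed policy: key names ending in these words hold values that must not reach the UI.
SENSITIVE_KEY_PATTERN = re.compile(r"(password|secret|token|key)$", re.IGNORECASE)


def fingerprint(value: str) -> str:
    """Short SHA-256 fingerprint: lets two builds be compared without exposing the value."""
    return "sha256:" + hashlib.sha256(value.encode()).hexdigest()[:12]


def build_in_response(kv: dict, version: str, redact_all: bool = False) -> dict:
    """Build the JSON a Concourse resource `in` script prints to stdout.

    Concourse renders each metadata entry in the build UI, so sensitive values are
    replaced with a fingerprint; redact_all=True fingerprints every value, which is
    the safer default when the key namespace is not known in advance.
    """
    metadata = []
    for key, value in sorted(kv.items()):
        if redact_all or SENSITIVE_KEY_PATTERN.search(key):
            metadata.append({"name": key, "value": fingerprint(value)})
        else:
            metadata.append({"name": key, "value": value})
    return {"version": {"ref": version}, "metadata": metadata}


def leaked_sensitive_values(response: dict, kv: dict) -> list:
    """Audit helper (hypothetical): keys matching the sensitive pattern whose raw value
    appears verbatim in the emitted metadata, i.e. would be visible in the UI."""
    emitted = {entry["value"] for entry in response.get("metadata", [])}
    return sorted(
        key for key, value in kv.items()
        if SENSITIVE_KEY_PATTERN.search(key) and value in emitted
    )


def naive_in_response(kv: dict, version: str) -> dict:
    """The behaviour the issue describes: every fetched value surfaced unchanged."""
    return {
        "version": {"ref": version},
        "metadata": [{"name": k, "value": v} for k, v in sorted(kv.items())],
    }


if __name__ == "__main__":
    # Running stand-alone prints what the UI would show in each case.
    print("naive :", leaked_sensitive_values(naive_in_response(SAMPLE_KV, "42"), SAMPLE_KV))
    print("redact:", leaked_sensitive_values(build_in_response(SAMPLE_KV, "42"), SAMPLE_KV))
    print(json.dumps(build_in_response(SAMPLE_KV, "42"), indent=2))
```

Fingerprinting rather than omitting the entry keeps the metadata useful for noticing that a value changed between builds; for values that are genuinely secrets the maintainer's point still stands, and they belong in a credential manager that Concourse interpolates into the pipeline rather than in resource metadata at all.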