Postgres credentials exposed in ConfigMap

[drpsyko101]

Description

helm-charts/charts/plane-ce/templates/config-secrets/app-env.yaml

Lines 49 to 55 in 6258277

	{{- if .Values.postgres.local_setup }}
	DATABASE_URL: "postgresql://{{ .Values.env.pgdb_username }}:{{ .Values.env.pgdb_password }}@{{ .Release.Name }}-pgdb.{{ .Release.Namespace }}.svc.{{ .Values.env.default_cluster_domain | default "cluster.local" }}/{{ .Values.env.pgdb_name }}"
	{{- else if .Values.env.pgdb_remote_url }}
	DATABASE_URL: {{ .Values.env.pgdb_remote_url}}
	{{- else }}
	DATABASE_URL: ""
	{{ end }}

This behaviour exposes sensitive Postgres credentials in a ConfigMap, normally visible to a normal user. Both local setup and remote Postgres URL are affected.

Steps to reproduce

1. Install plane with the minimal set values

2. kubectl get configmap plane-app-app-vars -oyaml

   data:
     DATABASE_URL: postgresql://plane:plane@postgres:5432/plane
     #                                ^ Visible sensitive information

Possible fix

Move DATABASE_URL to app-secrets secret in charts/plane-ce/templates/config-secrets/app-env.yaml since the secret is used similarly to the ConfigMap counterpart.

System Info

OS: Ubuntu 22.04
Chart Version: plane-ce:1.0.22

[robertvy]

same issue here.

[akshat5302]

We are working on it, and this issue will be resolved in our upcoming releases.

[robertvy]

thanks, same for REDIS URL (the password is also exposed), or sentry DSN. Actually there are a few keys that should be moved to secrets out of configmap. It would also be great to be able to pass secrets using existing secrets rather than having to hardcode or pass at runtime.

[leedsjb]

AMQP_URL in app-env.yaml also contains a secret stored in a ConfigMap despite a secret object existing for RabbitMQ in rabbitmqdb.yaml: .Values.services.rabbitmq.default_password