system-sphinx logs display the DATABASE_URL which can contain the database password

[dlydiard]

The system-sphinx POD logs display the declare command that sets the DATABASE_URL, which can contain the password from the system-database secret.

Example:

declare -x DATABASE_URL="postgresql://three_scale_system:my-secret-password@database.com/database"

Per docs, this format is recommended for external databases https://github.com/3scale/3scale-operator/blob/master/doc/apimanager-reference.md#system-database

Logs shouldn't display sensitive information and should be masked.

[eguzki]

This is out of scope of the 3scale operator.

I think you should try in https://github.com/3scale/porta

BTW: Sphinx has been replaced by searchd recently #818

[mayorova]

@dlydiard Thanks for the report. This issue was fixed here: https://github.com/3scale/porta/pull/3208/files#diff-6a7303480cb96bfade8adf7f87da2c9c7622a03bf4378365c3c996a55fb09c85L23-L24

It will be included in the next 3scale on-premises release.
Well, actually, as @eguzki pointed out, the sphinx component will be replaced, so it will use a different image and will not have the DATABASE_URL env var anyway.

For future bug reports and feature requests please open an issue in https://issues.redhat.com/projects/THREESCALE/issues. Thanks for your contribution!