Concourse Seems to Expose Secrets on Web Nodes #2415
Hello Concourse devs,
Great product, but I am having an issue with plaintext communication between web and workers.
Here is a sample of output from running
As you can see, there are secrets (parameters sent to concourse task) exposed in plaintext which I have x'd out.
Here is the BOSH manifest:
Yeah, I've been wanting to fix this for a while. :/ Right now Garden can't be configured to listen via TLS, since it's usually configured to listen on a local Unix domain socket instead. We're the only ones that really use it this way.
There's also the concern of there being no auth to Garden's API, so even with TLS it wouldn't be enough to really comfortably "lock it down" within the network (unless we do mutual TLS, which ain't a bad idea).
So in the long run it might be best to simply move away from direct worker registration, require workers to register via the TSA, and have the TSA's tunneled listeners listen via TLS with some reasonable auth.