You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
When a rundeck container using environment variable configuration for database or LDAP, those secrets can be seen by jobs executing locally to the container. Sensitive configuration information should be not available for child jobs by default.
Describe the solution you'd like
Unset sensitive variables after configuration consolidation by remco and before rundeck process start.
Describe alternatives you've considered
Unset sensitive variables after configuration consolidation by remco and before rundeck process start.
Additional context
Sensitive configuration information should be not available for child jobs by default.
The text was updated successfully, but these errors were encountered:
Apologies for not seeing your PR before I started mine! Would #4912 suite your needs? We a number of different configuration layers in use, stock plugins with secrets, and our enterprise image builds on top of this as well. As such unsetting all RUNDECK_ prefixed envars by default instead of maintaining an explicit list of sensitive envars may be a better approach. An example would be AWS credentials for the S3 log storage plugin.
Is your feature request related to a problem? Please describe.
When a rundeck container using environment variable configuration for database or LDAP, those secrets can be seen by jobs executing locally to the container. Sensitive configuration information should be not available for child jobs by default.
Describe the solution you'd like
Unset sensitive variables after configuration consolidation by remco and before rundeck process start.
Describe alternatives you've considered
Unset sensitive variables after configuration consolidation by remco and before rundeck process start.
Additional context
Sensitive configuration information should be not available for child jobs by default.
The text was updated successfully, but these errors were encountered: