[Repository] add a request flag to control at which level credentials are redacted when fetching a repository #4867
Comments
dlaloue-vmware
added
the
kind/proposal
|
Thanks, this will be helpful as a pattern in other areas too so that we don't send the actual secret data across the network unless explicitly requested to do so: for example, when fetching the resources for an installed app, currently we fetch the secrets in full (though they are not displayed unless the reveal/eye icon is clicked in the UX). This pattern will allow us to fetch redacted secrets initially (so the UX can display the secrets along with other resources as it does currently) and only fetch the actual secret data for a particular secret if the user explicitly requests it. |
ppbaena
added
kind/feature
|
It would be great if the values are hidden by default as well. In some cases, there are secrets/passwords in there as well, so it would be good to hide them behind a "show helm values" toggle or something. |
|
Do you mean from the API response as well? Currently, the repos API is doing it, so the UI (still in progress) shows the
However, the packages API does send the secret values, although the UI hides them by default:
In case you mean also using a config-level flag to disable that feature (in the packages API, not the repos one), I think it's worth opening a separate issue for that. From memory, I don't know how easy it would be, but certainly worth discussing. |
|
Oh sorry, this is about the repos api. my bad, I meant those values:
|
|
before implementing a solution for a flag, i think we need to fix the following 2 bugs: The current UI does not provide a "view" UI, so the only time we would see the data is during an edit/update. This diminishes the need for such a flag as the UI would not be using it. Finally, we would need to decide how we want to use this flag in the UI. For example, do we have an install flag that defines the default option, do we use a preference settings, or just a toggle on the view/update page (which would reload the page). |
and others
When doing a GET on a given repository, plugins will ensure that credentials are marked as redacted.
The current setting is to do full redaction, but some users may want to be able to view more useful data (e.g. see the username but not the password), or all data.
the proposal is to pass an option/flag to the GET request to indicate what level of redaction to apply, something like FULL | MIXED | NONE.
The text was updated successfully, but these errors were encountered: