keepalived.authPassword not randomly seeded
druesendieb commented
Situation:
If `keepalived.authPassword` is not specified, `.Release.Name` and `.Release.Namespace` are used as seed for the generation of the secret `keepalived-ingress-vip`.
Problem:
Every installation with the same `.Release.Name` and `.Release.Namespace` gets the same password autogenerated. This is not good security practice.
How to reconstruct:
Run `helm install --dry-run --debug` or `helm template --debug` multiple times with the same name and namespace. You will see that you get the same secret over and over again.
Possible solution:
Use

```yaml
data:
  {{- if .Values.keepalived.authPassword }}
  password: {{ .Values.keepalived.authPassword | b64enc }}
  {{- else }}
  password: {{ randAlphaNum 8 | b64enc }}
  {{- end }}
```

in `chart/templates/secret.yaml`
Pull Request #6
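
An added example, not part of the original issue or the chart's own code: `randAlphaNum` produces a new value on every render, so a random default on its own would replace the password at each `helm upgrade`. The variant below reuses the password already stored in the cluster via Helm's `lookup` function. The Secret's metadata layout and the variables `$name`, `$existing` and `$data` are assumptions; the secret name, the `password` key and the values path come from the issue.

```yaml
# Hypothetical variant of chart/templates/secret.yaml (added example).
{{- $name := "keepalived-ingress-vip" }}
{{- /* lookup returns an empty map when Helm renders without cluster
       access (e.g. helm template), so fall back to an empty dict. */}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name }}
{{- $data := default (dict) $existing.data }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  {{- if .Values.keepalived.authPassword }}
  # 1. An explicitly configured password always wins.
  password: {{ .Values.keepalived.authPassword | b64enc | quote }}
  {{- else if hasKey $data "password" }}
  # 2. Upgrade: keep the value already in the cluster.
  #    Secret data is stored base64-encoded, so do not encode it again.
  password: {{ index $data "password" | quote }}
  {{- else }}
  # 3. First install: random value, not derived from release name/namespace.
  password: {{ randAlphaNum 8 | b64enc | quote }}
  {{- end }}
```

With this template, repeated `helm template --debug` runs show a different password each time, while an installed release keeps its password across upgrades.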