Artur Kraev authored
**Description of the change**

Fixing potential controller environment exposure by removing some sprig template functions:

- `env`, `expandenv` - controller environment variables exposure (which can contain sensitive data)
- `getHostByName` - adds the possibility to resolve DNS entries from templates, which is not secure in some cases

This potential exposure was added by PR #1542, where the security risks were described in the "possible drawbacks" section.

Also, the sprig func map is now initialized during module initialization and reused for rendering, which may improve performance.

In fact, this is just a port of the [argocd](https://github.com/argoproj/argo-cd/blob/v2.11.3/applicationset/utils/utils.go#L31-L34) solution, which is described in the initial PR #1542.

**Benefits**

- Fix potential controller sensitive data exposure
- Improve rendering performance

**Possible drawbacks**

None

**Applicable issues**

**Additional information**

Signed-off-by: Artur Kraev <ravenox@gmail.com>
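The approach this commit message describes, as an added example (not the project's or Argo CD's code): a function map is filtered once at package initialization and reused for every render, so a template that calls a removed function is rejected at parse time. `baseFuncMap`, `safeFuncMap`, `render` and the `CONTROLLER_TOKEN` value are assumptions, and a small standard-library map stands in for sprig's so the block runs without dependencies.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strings"
	"text/template"
)

// baseFuncMap is a stand-in for sprig's function map (assumption, stdlib only).
func baseFuncMap() template.FuncMap {
	return template.FuncMap{
		"upper":         strings.ToUpper,
		"env":           os.Getenv,
		"expandenv":     os.ExpandEnv,
		"getHostByName": func(string) string { return "192.0.2.1" }, // stub, no DNS lookup
	}
}

// safeFuncMap is built once at package initialization and reused for every render.
var safeFuncMap = func() template.FuncMap {
	fm := baseFuncMap()
	for _, name := range []string{"env", "expandenv", "getHostByName"} {
		delete(fm, name)
	}
	return fm
}()

// render parses and executes an untrusted template with the given functions.
func render(fm template.FuncMap, text string, data any) (string, error) {
	t, err := template.New("user").Funcs(fm).Parse(text)
	if err != nil {
		return "", err // unknown functions are rejected here, at parse time
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	os.Setenv("CONTROLLER_TOKEN", "constructed-secret") // constructed sample value
	leak := `{{ env "CONTROLLER_TOKEN" }}`
	out, _ := render(baseFuncMap(), leak, nil)
	fmt.Println("unfiltered map:", out)
	_, err := render(safeFuncMap, leak, nil)
	fmt.Println("filtered map:  ", err)
}
```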