MySQL Scaler: Secrets openly shown in metric name #2165
https://github.com/kedacore/keda/blob/main/pkg/scalers/mysql_scaler.go#L186-L190

```go
if s.metadata.connectionString != "" {
	metricName = kedautil.NormalizeString(fmt.Sprintf("%s-%s", metricName, s.metadata.connectionString))
} else {
	metricName = kedautil.NormalizeString(fmt.Sprintf("%s-%s", metricName, s.metadata.dbName))
}
```

IMHO, we have to mask it. We are already doing it in [mssql scaler](https://github.com/kedacore/keda/blob/main/pkg/scalers/mssql_scaler.go#L149-L153) and others, we could use the same approach, or we can use the PostgreSQL approach (which basically uses the function

I can do it today
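To make the risk concrete, here is an added example (not KEDA's code) contrasting the pattern quoted above with a hashed variant. `normalizeString` is an assumed stand-in for `kedautil.NormalizeString` (lower-case, replace anything outside `[a-z0-9-]` with `-`), the DSN is a constructed sample, and the 16-hex-character SHA-256 truncation is an arbitrary choice; `leaksSecret` is a simple check a reviewer could use to confirm that a credential does not survive into the HPA-visible metric name.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// nonAlnum matches every run of characters that a normalized metric name
// is assumed not to allow (assumption: mirrors kedautil.NormalizeString).
var nonAlnum = regexp.MustCompile(`[^a-z0-9-]+`)

// normalizeString lower-cases the input and collapses disallowed runs to '-'.
func normalizeString(s string) string {
	return nonAlnum.ReplaceAllString(strings.ToLower(s), "-")
}

// leakyMetricName reproduces the pattern quoted from the issue: the raw
// connection string (which came from a Kubernetes Secret) is concatenated
// straight into the metric name, so it ends up in the HPA status.
func leakyMetricName(metricName, connectionString string) string {
	return normalizeString(fmt.Sprintf("%s-%s", metricName, connectionString))
}

// hashedMetricName keeps the per-connection uniqueness that the connection
// string provided but only exposes a truncated SHA-256 digest of it.
func hashedMetricName(metricName, connectionString string) string {
	sum := sha256.Sum256([]byte(connectionString))
	digest := hex.EncodeToString(sum[:])[:16]
	return normalizeString(fmt.Sprintf("%s-%s", metricName, digest))
}

// leaksSecret reports whether any of the given secret values, after the
// same normalization, still appears verbatim inside the metric name.
func leaksSecret(name string, secrets ...string) bool {
	for _, s := range secrets {
		if strings.Contains(name, normalizeString(s)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample DSN; the password is the part that must not leak.
	dsn := "user:s3cr3t@tcp(db:3306)/orders"
	for _, name := range []string{leakyMetricName("mysql", dsn), hashedMetricName("mysql", dsn)} {
		fmt.Printf("%-40s leaks password: %v\n", name, leaksSecret(name, "s3cr3t"))
	}
}
```

Hashing preserves the property the original code wanted (two ScaledObjects pointing at different databases still get different metric names) while the HPA only ever shows the digest.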
Yeah we should reuse the
I'm working on it; I hope that the PR is created next (I don't have so much time right now and I update one or two per day).
@JorTurFer no need to rush :) I can tackle this particular issue. Have some rest!
Discussed in #2163
Originally posted by TimShilov October 6, 2021
I just noticed that the metric name is created based on the MySQL scaler connection string (which is a secret and is stored in a Secret) which I think is not great. Is there any reason why it's not hashed?
Secrets are secrets and they should not be lying around. And Keda should not take something that is Secret and turn it into a plain text.
Basically, anyone with access to HPA can see the secret which is unexpected to me.
The screenshot is taken from GKE UI. "Deployment" -> "Details".