MySQL Scaler: Secrets openly shown in metric name #2165
Comments
tomkerkhove
added
bug
|
https://github.com/kedacore/keda/blob/main/pkg/scalers/mysql_scaler.go#L186-L190 if s.metadata.connectionString != "" {
metricName = kedautil.NormalizeString(fmt.Sprintf("%s-%s", metricName, s.metadata.connectionString))
} else {
metricName = kedautil.NormalizeString(fmt.Sprintf("%s-%s", metricName, s.metadata.dbName))
}IMHO, we have to mask it. We are already doing it in [mssql scaler] (https://github.com/kedacore/keda/blob/main/pkg/scalers/mssql_scaler.go#L149-L153) and others, we could use the same approach, or we can use PostgreSQL approach (which basically uses the function I can do it today |
|
Yeah we should reuse the |
I'm working on it, I hope that the next will the PR is created (I don't have so much time right now and I update one or two by day). |
|
@JorTurFer no need to rush :) I can tackle this particular issue. Have some rest! |
zroubalik
changed the title
Discussed in #2163
Originally posted by TimShilov October 6, 2021
I just noticed that the metric name is created based on the MySQL scaler connection string (which is a secret and is stored in a Secret) which I think is not great. Is there any reason why it's not hashed?
Secrets are secrets and they should not be lying around. And Keda should not take something that is Secret and turn it into a plain text.
Basically, anyone with access to HPA can see the secret which is unexpected to me.
The screenshot is taken from GKE UI. "Deployment" -> "Details".
The text was updated successfully, but these errors were encountered: