Potential Informaiton Leakage

[nevercodecorrect]

Context

In code, username and password is directly printed. It is a potential informaiton leakage issue as described in CWE-532

Value and/or benefit

Removing password could reduce the attack surface

Anything else?

No response

[viniciusdc]

Hi @nevercodecorrect, this information comes from the basic default values of Keycloak's root settings during initial setup as a temporary password -- which is later passed into the schema here:

nebari/src/_nebari/stages/kubernetes_keycloak/__init__.py

Lines 219 to 229 in 5463e8d

	def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
	return InputVars(
	name=self.config.project_name,
	environment=self.config.namespace,
	endpoint=stage_outputs["stages/04-kubernetes-ingress"]["domain"],
	initial_root_password=self.config.security.keycloak.initial_root_password,
	overrides=[json.dumps(self.config.security.keycloak.overrides)],
	node_group=stage_outputs["stages/02-infrastructure"]["node_selectors"][
	"general"
	],
	).dict()

This admin credential is generated for the first interaction with the master realm on Keycloak for admin usage. Its is outlined in our docs that you should change this password after the first deployment (here)

That said, I agree that exposing the keycloak's root password is a potential risk, even though it's temporary. We could initialize those values into a separate text file in the user host environment or set relatable env vars that contain the expected values, such as NEBARI_KEYCLOAK_INITIAL_ROOT_PASSWORD