tower 0.61.12 — silent connect + no kubeconfig leak

Customer running the connect URL was getting the entire k3s install
transcript scrolled to their terminal — including the base64-encoded
kubeconfig (cluster-admin certs visible in scrollback). Two problems:

1. UX: violates "Tower silent in the background" platform principle.
2. Security: cluster-admin material visible to anyone shoulder-surfing
   or screen-sharing.

wrapQuiet() in connect_token.go now wraps bootstrap + trailer:
  - all output → /var/log/odoosky-connect.log (operator-readable)
  - ONE friendly line to terminal at start ("Connecting…")
  - ONE outcome line at end (✓ success / ⚠ failure)
  - on non-zero exit: dump last 30 log lines so customer isn't
    staring at a silent terminal

Kubeconfig is already tee'd to /tmp/odoosky-kubeconfig.yaml by the
bootstrap, so the trailer reads it from disk — never needs stdout.
Claude
2026-04-30 13:56:54 +03:00
parent 44e6945aea
commit db2dfaae87
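
The quiet-wrapper pattern the commit message describes, as an added shell example that is not Tower's code. The function name `wrap_quiet`, the owner-only log mode, and the masking of base64 runs in the failure tail are assumptions added here; the single start line, single outcome line, and 30-line tail follow the message.

```shell
#!/bin/sh
# Added example, not the project's implementation. wrap_quiet and the
# redaction step are hypothetical; the 30-line tail follows the commit message.

# Usage: wrap_quiet LOGFILE COMMAND [ARGS...]
wrap_quiet() {
    log=$1; shift

    # Create the log owner-only *before* any output lands in it: the
    # transcript that used to scroll past (kubeconfig included) now lives here.
    ( umask 077; : > "$log" ) || return 1
    chmod 600 "$log" || return 1    # also tightens a pre-existing file

    echo "Connecting…"

    # Capture the exit code without tripping `set -e` in the caller.
    rc=0
    "$@" >>"$log" 2>&1 || rc=$?

    if [ "$rc" -eq 0 ]; then
        echo "✓ Connected"
        return 0
    fi

    echo "⚠ Connect failed (exit $rc). Last 30 log lines:"
    # The failure path prints log content again, so mask long base64 runs
    # (40+ chars); otherwise the kubeconfig reaches the terminal after all.
    tail -n 30 "$log" | sed -E 's#[A-Za-z0-9+/=]{40,}#[redacted]#g'
    return "$rc"
}
```

The unredacted transcript stays in the log file for the operator; only the terminal copy of the tail is masked.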


@@ -9,7 +9,7 @@ backend:
# so every cluster that runs Tower needs the same imagePullSecret
# provisioned out-of-band (until cluster-platform-v3 owns it).
repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
tag: "0.61.11"
tag: "0.61.12"
pullPolicy: IfNotPresent
imagePullSecrets:
- name: docker-mirror-pull
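
Review bot: at `tag: "0.61.12"` the image is still selected by a mutable tag, and with `pullPolicy: IfNotPresent` a node that already has an image cached under that tag will not pull it again. Since this release carries the kubeconfig-leak fix, consider pinning the image by digest alongside the tag, or confirming that the registry treats release tags as immutable, so every cluster is guaranteed to run the build that contains the fix. Separately, the commit message says all bootstrap output now goes to /var/log/odoosky-connect.log, but nothing in this diff shows how that file is created; please confirm its mode restricts it to the operator, because it now holds the transcript that included the kubeconfig.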