Secret exposure through environment variables #2409

Closed
than-pet opened this issue Jul 3, 2023 · 8 comments
Labels
bug Something isn't working

Comments

@than-pet (Contributor) commented Jul 3, 2023

Describe the bug

  1. The cost-analyzer deployment has the following "sensitive" environmental variables defined as plain text:
     • REMOTE_WRITE_PASSWORD
     • CLOUD_PROVIDER_API_KEY

  2. In addition, the REMOTE_WRITE_PASSWORD environmental variable is always set even if the remoteWrite.postgres.enabled value is false.

Expected behavior

  1. These kinds of values must be handled as Kubernetes secrets in the generated charts. This approach is already implemented in the deployment yaml:
     https://github.com/kubecost/cost-analyzer-helm-chart/blob/develop/cost-analyzer/templates/cost-analyzer-deployment-template.yaml#L379-L383

  2. REMOTE_WRITE_PASSWORD shouldn't be set as an env variable when remoteWrite.postgres is disabled.
     https://github.com/kubecost/cost-analyzer-helm-chart/blob/develop/cost-analyzer/templates/cost-analyzer-deployment-template.yaml#L648-L649
than-pet added the bug label Jul 3, 2023

@kwombach12

@than-pet Thanks for logging this. @thomasvn when you're back, can you take a look at this?

@thomasvn (Member)

@than-pet I agree that REMOTE_WRITE_PASSWORD should only be set when .Values.remoteWrite.postgres.enabled=true. Therefore this code block should instead look something like the following:

            {{- /* Only emit the remote-write settings when the feature is enabled */}}
            {{- if .Values.remoteWrite.postgres.enabled }}
            - name: REMOTE_WRITE_ENABLED
              value: "true"
            - name: REMOTE_WRITE_PASSWORD
              {{- /* quote so a numeric-looking password still renders as a YAML string */}}
              value: {{ .Values.remoteWrite.postgres.auth.password | quote }}
            {{- end }}

Are you interested in authoring the PR?
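Taking the conditional block above one step further, the following shows the secret-backed form that the issue's expected behavior asks for: the password lives in a Kubernetes Secret and the env var is a secretKeyRef, both gated on the same flag. This is an added example, not code from the kubecost chart; the Secret name `{{ .Release.Name }}-remote-write`, the key `password`, and the file layout are assumptions made for illustration.

```yaml
# --- templates/remote-write-secret.yaml (assumed file name, example only) ---
# Rendered only when remote write is enabled, so a disabled install carries
# neither the env var nor an empty Secret.
{{- if .Values.remoteWrite.postgres.enabled }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-remote-write   # assumed name
  labels:
    app: cost-analyzer
type: Opaque
stringData:
  # stringData lets Helm write the plain value; the API server base64-encodes it
  # into .data on admission. Quoting keeps numeric-looking passwords as strings.
  password: {{ .Values.remoteWrite.postgres.auth.password | quote }}
{{- end }}

# --- fragment of the container env list in the deployment template ---
# Before (weak): the secret is a literal in the Pod spec, visible to anyone who
# can read Deployments or Pods, and present even when the feature is off.
#   - name: REMOTE_WRITE_PASSWORD
#     value: {{ .Values.remoteWrite.postgres.auth.password }}
#
# After: the Pod spec only names the Secret and key; the value itself is
# governed by Secret RBAC and encryption-at-rest settings.
            {{- if .Values.remoteWrite.postgres.enabled }}
            - name: REMOTE_WRITE_ENABLED
              value: "true"
            - name: REMOTE_WRITE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Release.Name }}-remote-write   # must match the Secret above
                  key: password
            {{- end }}
```

Rendering with `helm template` for both `remoteWrite.postgres.enabled=true` and `=false` is a quick check that the Secret and the env entry appear and disappear together, and that no literal password remains in the Deployment output.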

@bt-macole

The conversation seems to have focused on REMOTE_WRITE_PASSWORD; I want to draw attention back to CLOUD_PROVIDER_API_KEY also being marked as a leaked API key. Some more information on this one and making it optional/configurable would be good as well.

@thomasvn (Member)

@bt-macole The CLOUD_PROVIDER_API_KEY is only used for GCP clusters, and can be safely removed from your configuration if you're not deploying to GCP! It's currently expected to be there and is limited to only accessing Google's billing API.

@bt-macole

@thomasvn thanks for the reply, I removed it via a patch already. I didn't see a way to do it via helm, which would make my life easier. Certainly not urgent or blocking, though.

@thomasvn (Member)

@bt-macole Ok thanks for the feedback! Yes I'd agree that it would be good to make CLOUD_PROVIDER_API_KEY a configurable option in Helm.

@than-pet (Contributor, Author)

> Are you interested in authoring the PR?

@thomasvn I created the PR to disable the REMOTE_WRITE_PASSWORD variable if remoteWrite.postgres is not enabled.

Regarding my second point in this ticket, I have no clue on how to move the GCP billing API key into a kubernetes secret.

chipzoller changed the title from "Secret exposure trough environment variables" to "Secret exposure through environment variables" May 2, 2024

@chipzoller (Collaborator)

In 2.x REMOTE_WRITE_PASSWORD is no longer even used and as mentioned above the CLOUD_PROVIDER_API_KEY env var is a Kubecost-provided, non-sensitive API key only used to retrieve GCP pricing. It is also our desire to eliminate the default inclusion of it (tracked in #2767 and cross-referenced at the source in opencost/opencost#2311). Closing as no longer relevant.
