Git Product home page Git Product logo

helm's Issues

GPT retrieval chart requires BEARER_TOKEN and OPENAI_API_KEY to be plain text

Currently,
When I use the gpt-retrieval-plugin chart as a dependency:

apiVersion: v2
name: my-deployment
type: application
version: 0.0.1
dependencies:
- name: chatgpt-retrieval-plugin
  alias: gptretrieval
  version: 0.0.18
  repository: https://icoretech.github.io/helm
  condition: gptretrieval.enabled

and I configure it in the values.yaml file:

gptretrieval:
  enabled: true
  web:
    image: ghcr.io/icoretech/chatgpt-retrieval-plugin-docker:weaviate-e8fda70-1690594131
    extraEnvs:
      - name: DATASTORE
        value: weaviate
      - name: WEAVIATE_URL
        value: http://weaviate:80
      - name: BEARER_TOKEN
        value: blabla
      - name: OPENAI_API_KEY
        value: blabla

I need to provide the BEARER_TOKEN and OPENAI_API_KEY directly in plain text.

This exposes my configurations and although they are later wrapped as a secret.
They are also present as a plain text in my values file.

It would be much more useful if either:

Fix Docker vulnerabilities

The security team in our company blocked the implementation of PGBouncer because of the following vulnerabilities:

❯ docker scout cves ghcr.io/icoretech/pgbouncer-docker:1.23.0
    i New version 1.11.0 available (installed version is 1.10.0) at https://github.com/docker/scout-cli
          ✓ SBOM of image already cached, 33 packages indexed
    ✗ Detected 1 vulnerable package with 2 vulnerabilities


## Overview

                    │                Analyzed Image                  
────────────────────┼────────────────────────────────────────────────
  Target            │  ghcr.io/icoretech/pgbouncer-docker:1.23.0     
    digest          │  c61e50d7fefc                                  
    platform        │ linux/arm64                                    
    provenance      │ https://github.com/icoretech/pgbouncer-docker  
                    │  c5578c0303de97122743fc06bc7e888272739590      
    vulnerabilities │    1C     0H     0M     0L     1?              
    size            │ 7.0 MB                                         
    packages        │ 33                                             


## Packages and Vulnerabilities

   1C     0H     0M     0L     1?  openssl 3.0.13-r0
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.17

    ✗ CRITICAL CVE-2024-5535
      https://scout.docker.com/v/CVE-2024-5535
      Affected range : <3.0.14-r0  
      Fixed version  : 3.0.14-r0   
    
    ✗ UNSPECIFIED CVE-2024-4741
      https://scout.docker.com/v/CVE-2024-4741
      Affected range : <3.0.14-r0  
      Fixed version  : 3.0.14-r0   
    


2 vulnerabilities found in 1 package
  UNSPECIFIED  1  
  LOW          0  
  MEDIUM       0  
  HIGH         0  
  CRITICAL     1

If I build this image locally the vulnerability is gone, so I think you could just rebuild it and push it back to GCR. For now I've pushed the clean image to our internal ECR to move with it.

Thanks!

PS.: opening this issue here as the docker repo has no Issues enabled.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.