This repository was archived by the owner on Jan 13, 2026. It is now read-only.
This repository was archived by the owner on Jan 13, 2026. It is now read-only.
asset-syncer sync job exposes AuthorizationHeader basic auth in logs #8393
Description
Describe the bug
If an AppreRepository is configured with basic auth, then asset-syncer will log out the AuthorizationHeader. The log will include basic auth key/value pair (base64 encoded).
To Reproduce
Steps to reproduce the behavior:
- Configure an AppRepository with Basic Auth
- Sync the AppRepository
- Investigate the
synccontainer logs, you will get:
I0520 21:03:20.555658 1 root.go:32] asset-syncer has been configured with: server.Config{DatabaseURL:"apps-postgresql:5432", DatabaseName:"assets", DatabaseUser:"postgres", DatabasePassword:"REDACTED", Debug:false, Namespace:"ns", OciRepositories:[]string{"my-chart"}, TlsInsecureSkipVerify:false, FilterRules:"", PassCredentials:false, UserAgent:"asset-syncer/2.8.0 (kubeapps/2.10.0)", UserAgentComment:"kubeapps/2.10.0", GlobalPackagingNamespace:"kubeapps", KubeappsNamespace:"", AuthorizationHeader:"Basic <EXPOSED AUTH>", DockerConfigJson:""}Expected behavior
A clear and concise description of what you expected to happen.
Similarly to Config.DatabasePassword, the AuthorizationHeader is redacted.
Desktop (please complete the following information):
- Version 2.10.0