Open
Description
Describe the bug
When TLS is disabled, authentication tokens are transmitted without encryption.
Is this a UI bug or a server bug?
- UI
- Server
What is the severity of the bug
Unencrypted Authentication Tokens could be captured.
- severity/Critical: Weave GitOps is crashing or experiencing data loss, the UI is inaccessible or a key feature is unusable. There is no known workaround
- severity/Major: Weave Gitops functionality is broken, there is a workaround, but the workaround requires significant effort
- severity/Minor: Weave Gitops functionality is broken, but there is a fairly straightforward workaround
- severity/Low: Doesn’t affect primary flow/functionality but would be good to fix
Environment
- gitops: [e.g. v0.1.0]
- How you deployed the Weave GitOps server: [e.g. Tilt, Helm Chart, etc]
- kubernetes: [e.g. 1.20.4]
- KinD - version
- k3s - version
- cloud [e.g., EKS, AKS] version
- other - name version
- Browser + version: [e.g. chrome 74, safari 12, firefox 87]
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Users should be warned that their credentials are not secure when --insecure is configured.
Config and Logs
If applicable, add logs to help explain your problem. Please compress the output before attaching.
- Logs from the wego-app pod
- Events from flux-system namespace (Or the namespace you deployed flux and/or Weave GitOps)
- kubectl cluster-info dump
- Prometheus alerts
- Flux logs
Screenshots
Additional context