systemd/crc-cluster-status.sh: don't leak the kubeadmin password

kpouget · praveenkumar · commit 29a5268a1b01 · 2025-10-03T10:17:24.000+05:30
diff --git a/systemd/crc-cluster-status.sh b/systemd/crc-cluster-status.sh
@@ -1,5 +1,9 @@
 #!/bin/bash
 
+set -o pipefail
+set -o errexit
+set -o nounset
+set -o errtrace
 set -x
 
 export KUBECONFIG=/opt/kubeconfig
@@ -9,19 +13,19 @@ if [ ! -f /opt/crc/pass_kubeadmin ]; then
     exit 1
 fi
 
-PASS_KUBEADMIN="$(cat /opt/crc/pass_kubeadmin)"
-
 rm -rf /tmp/.crc-cluster-ready
 
 if ! oc adm wait-for-stable-cluster --minimum-stable-period=1m --timeout=10m; then
     exit 1
 fi
 
-set +x
+
 echo "Logging into OpenShift with kubeadmin user to update $KUBECONFIG"
 COUNTER=1
 MAXIMUM_LOGIN_RETRY=10
-until oc login --insecure-skip-tls-verify=true -u kubeadmin -p "$PASS_KUBEADMIN" https://api.crc.testing:6443 > /dev/null 2>&1; do
+
+# use a `(set +x)` subshell to avoid leaking the password
+until (set +x ; oc login --insecure-skip-tls-verify=true -u kubeadmin -p "$(cat /opt/crc/pass_kubeadmin)" https://api.crc.testing:6443 > /dev/null 2>&1); do
     if [ "$COUNTER" -ge "$MAXIMUM_LOGIN_RETRY" ]; then
         echo "Unable to login to the cluster..., authentication failed."
         exit 1
@@ -33,4 +37,3 @@ done
 
 # need to set a marker to let `crc` know the cluster is ready
 touch /tmp/.crc-cluster-ready
-
