Avoid potential leaks

[kpouget]

Summary by CodeRabbit

• Bug Fixes

  • Prevented credential exposure by redacting passwords in logs, escaping sensitive values, and temporarily disabling trace output during secret handling and logins.
  • Improved login reliability with retry messaging, a short backoff between attempts, and safer retry execution.
  • Pull-secret handling now detects existing credentials and skips unnecessary updates; temporary credential artifacts are removed after use.

• Refactor

  • Adopted stricter shell safety options for more robust operation.
  • Streamlined password generation and in-cluster secret creation to avoid temporary files and limit credential exposure.

[coderabbitai]

Walkthrough

Move kubeadmin and other credential handling into short-lived subshells with tracing disabled, add login retry logic and counters, redact/remove stored passwords and avoid logging secrets, and rework pull-secret and htpasswd flows to apply secrets in-memory without temporary files.

Changes

Cohort / File(s)	Summary
Kubeadmin login & credential redaction snc.sh, systemd/crc-cluster-status.sh, tools.sh	Read kubeadmin password inside a subshell with tracing turned off, run oc login from that subshell to avoid leaking credentials, add login retry loop with counter and 5s sleep, remove/redact password files and redact occurrences in install logs.
Pull secret handling systemd/crc-pullsecret.sh	Enable safer shell options, temporarily disable xtrace when handling secrets, detect existing .auths with jq and exit early if present; if missing, base64-encode /opt/crc/pull-secret and patch cluster pull-secret using an in-memory JSON patch via oc.
User passwords / htpasswd flow systemd/ocp-userpasswords.sh, tools.sh	Enable strict shell options; generate htpasswd entries inside subshells with tracing disabled to avoid leaking generated passwords; stream combined htpasswd content into `oc --dry-run -o yaml

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant S as crc-cluster-status.sh
  participant F as /opt/crc/pass_kubeadmin
  participant OC as oc CLI
  Note over S: Secure kubeadmin login flow (subshell hides secret)
  S->>F: read password (subshell, set +x)
  S->>OC: oc login --insecure-skip-tls-verify -u kubeadmin -p "<read>"
  alt login fails
    S->>S: log "try $COUNTER...", sleep 5s, increment COUNTER, retry
  else login succeeds
    S->>S: touch /tmp/.crc-cluster-ready
  end

Loading

sequenceDiagram
  autonumber
  participant P as crc-pullsecret.sh
  participant OC as oc CLI
  participant J as jq
  Note over P: Check and patch pull-secret only when needed (no secrets leaked)
  P->>OC: oc get secret/pull-secret -o json
  P->>J: has(".data[\".dockerconfigjson\"]|fromjson|.auths")
  alt .auths exists
    P-->>P: log "Cluster already has the pull secrets, nothing to do", exit 0
  else missing .auths
    P->>P: read /opt/crc/pull-secret (subshell, set +x), base64-encode
    P->>OC: oc patch secret/pull-secret --patch ...
    P-->>P: exit 0
  end

Loading

sequenceDiagram
  autonumber
  participant U as ocp-userpasswords.sh
  participant H as htpasswd (gen)
  participant OC as oc CLI
  Note over U: Generate htpasswd entries and apply secret without temp files
  U->>H: gen_htpasswd developer <pass> (subshell, set +x)
  U->>H: gen_htpasswd kubeadmin <pass> (subshell, set +x)
  U->>OC: oc create secret generic htpass-secret --dry-run -o yaml | oc apply -f-
  U-->>U: done

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Changes to have reduce provision time and remove cloud dependency #1153 — Similar edits around kubeadmin login subshell handling, tracing suppression, and retry behavior.

Suggested labels

lgtm, approved

Suggested reviewers

• gbraad
• praveenkumar
• anjannath

Poem

I nibble logs and hide the trace,
In quiet subshell burrows, secrets place.
I patch, I login, counters hop with glee,
No carrot crumbs of passwords for eyes to see.
The cluster wakes — secure, tidy, and free. 🥕🐇

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title Check	❓ Inconclusive	The pull request title “Avoid potential leaks” is related to the primary goal of preventing credential leaks but is overly generic and does not specify what is leaking or where the changes apply, making it difficult for reviewers scanning history to immediately understand the scope and context of the change.	Consider revising the title to explicitly reference credential or password leaks in the affected scripts—for example, “Prevent credential leaks in OpenShift login and scripting” or “Avoid password leaks during CLI login and logging”—to make the change clear and specific.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign gbraad for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 57169c8 and 4c50c1a.

📒 Files selected for processing (5)

• snc.sh (1 hunks)
• systemd/crc-cluster-status.sh (2 hunks)
• systemd/crc-pullsecret.sh (1 hunks)
• systemd/ocp-userpasswords.sh (1 hunks)
• tools.sh (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

systemd/crc-pullsecret.sh (1)

systemd/crc-systemd-common.sh (1)

• wait_for_resource (3-15)

systemd/ocp-userpasswords.sh (1)

systemd/crc-systemd-common.sh (1)

• wait_for_resource (3-15)

snc.sh (1)

tools.sh (1)

• retry (110-128)

🪛 Shellcheck (0.11.0)

systemd/ocp-userpasswords.sh

[error] 14-14: Couldn't parse this redirection. Fix to allow more checks.

(SC1073)

---

[error] 14-14: Fix any mentioned problems and try again.

(SC1072)

snc.sh

[warning] 288-288: kubeadmin is referenced but not assigned.

(SC2154)

[coderabbitai]

Actionable comments posted: 6

🧹 Nitpick comments (2)

tools.sh (1)

222-227: Harden parameter use and quoting in subshell.

Use the named params and quote paths/vars; also make random_password local to avoid global leakage.

-   (
-       set +x # use a subshell to avoid leaking the password
-       random_password=$(cat $1/auth/kubeadmin-password)
-       ${HTPASSWD} -c -B -b ${pass_file} developer developer
-       ${HTPASSWD} -B -b ${pass_file} kubeadmin "${random_password}"
-   )
+   (
+       set +x # use a subshell to avoid leaking the password
+       local random_password
+       random_password="$(cat "${auth_file_dir}/auth/kubeadmin-password")"
+       "${HTPASSWD}" -c -B -b "${pass_file}" developer developer
+       "${HTPASSWD}" -B -b "${pass_file}" kubeadmin "${random_password}"
+   )

systemd/ocp-userpasswords.sh (1)

42-45: Use POSIX-compliant empty-line filter in sed.

\s is not portable in sed; use [[:space:]]. Also quoting improves robustness.

-   --from-file=htpasswd=<((echo "$dev_pass"; echo "$adm_pass") | sed '/^\s*$/d') \
+   --from-file=htpasswd=<((printf '%s\n%s\n' "$dev_pass" "$adm_pass" | sed '/^[[:space:]]*$/d')) \

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c50c1a and 96d52c2.

📒 Files selected for processing (5)

• snc.sh (1 hunks)
• systemd/crc-cluster-status.sh (2 hunks)
• systemd/crc-pullsecret.sh (1 hunks)
• systemd/ocp-userpasswords.sh (1 hunks)
• tools.sh (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

systemd/crc-pullsecret.sh (1)

systemd/crc-systemd-common.sh (1)

• wait_for_resource (3-15)

snc.sh (1)

tools.sh (1)

• retry (110-128)

systemd/ocp-userpasswords.sh (1)

systemd/crc-systemd-common.sh (1)

• wait_for_resource (3-15)

🔇 Additional comments (1)

systemd/crc-cluster-status.sh (1)

27-36: LGTM: safe login with subshell and retry.

Subshell disables tracing around password, keeps retry semantics, and avoids leaking credentials.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

systemd/crc-pullsecret.sh (1)

14-31: With errexit, oc get fails if the secret is missing; ensure it exists before reading/patching.

existingPsB64=$(oc get …) will abort the script when the secret isn’t present yet. Gate with an existence/wait check, then proceed.

 set +x # disable the logging to avoid leaking the pull secrets
 
-# check if existing pull-secret is valid if not add the one from /opt/crc/pull-secret
-existingPsB64=$(oc get secret pull-secret -n openshift-config -o jsonpath="{['data']['\.dockerconfigjson']}")
+# ensure the pull-secret exists before reading it (avoid errexit abort)
+if ! oc get secret pull-secret -n openshift-config >/dev/null 2>&1; then
+    wait_for_resource "secret/pull-secret -n openshift-config" 60 5
+fi
+
+# check if existing pull-secret is valid; if not, add the one from /opt/crc/pull-secret
+existingPsB64=$(oc get secret pull-secret -n openshift-config -o jsonpath="{['data']['\.dockerconfigjson']}")
 existingPs=$(echo "${existingPsB64}" | base64 -d)

🧹 Nitpick comments (2)

systemd/crc-cluster-status.sh (1)

22-29: Optional: restore tracing after the secret-sensitive login.

You disable xtrace before/inside the subshell and never re-enable, reducing later diagnostics. Consider re‑enabling once the login loop finishes.

 done
 
+# Re-enable tracing for subsequent steps
+set -x
+
 # need to set a marker to let `crc` know the cluster is ready
 touch /tmp/.crc-cluster-ready

systemd/ocp-userpasswords.sh (1)

33-40: Optional: restore xtrace after secret handling to keep logs useful.

You turned off tracing for secret generation; consider re‑enabling afterwards.

 echo "creating the password secret ..."
 # use bash <() to use a temporary fd file
 # use sed to remove the empty lines
 oc create secret generic htpass-secret  \
    --from-file=htpasswd=<((echo "$dev_pass"; echo "$adm_pass") | sed '/^[[:space:]]*$/d') \
    -n openshift-config \
    --dry-run=client -oyaml | oc apply -f-
 
+set -x
 echo "all done"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 96d52c2 and 3f6cd41.

📒 Files selected for processing (5)

• snc.sh (1 hunks)
• systemd/crc-cluster-status.sh (2 hunks)
• systemd/crc-pullsecret.sh (1 hunks)
• systemd/ocp-userpasswords.sh (1 hunks)
• tools.sh (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

snc.sh (1)

tools.sh (1)

• retry (110-128)

systemd/ocp-userpasswords.sh (1)

systemd/crc-systemd-common.sh (1)

• wait_for_resource (3-15)

systemd/crc-pullsecret.sh (1)

systemd/crc-systemd-common.sh (1)

• wait_for_resource (3-15)

🪛 Shellcheck (0.11.0)

tools.sh

[warning] 224-224: Declare and assign separately to avoid masking return values.

(SC2155)

🔇 Additional comments (3)

systemd/ocp-userpasswords.sh (2)

13-16: Fix error text (“two arguments”).

Minor typo in the validation message.

-    if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
-        echo "gen_htpasswd needs to arguments: username password" 1>&2
+    if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
+        echo "gen_htpasswd needs two arguments: username password" 1>&2
         return 1
     fi

---

18-19: Feed password via stdin to avoid exposure in process arguments.

-    podman run --rm -i docker.io/xmartlabs/htpasswd "$1" "$2"
+    podman run --rm -i docker.io/xmartlabs/htpasswd -i "$1" <<<"$2"

snc.sh (1)

283-290: Harden sed escaping to cover all regex metacharacters

GNU sed accepts the expanded bracket expression—tested against []/\&$.*^|- and it correctly escapes all characters. Update the snippet as follows:

-    esc_pw="$(printf '%s' "$kubeadmin_pass" | sed -e 's/[\/&|\\]/\\&/g')"
-    sed -i "s|$esc_pw|REDACTED|g" "${INSTALL_DIR}/.openshift_install.log"
+    esc_pw="$(printf '%s' "$kubeadmin_pass" | sed -e 's/[][\/&$.*^|\\-]/\\&/g')"
+    sed -i "s|$esc_pw|REDACTED|g" "${INSTALL_DIR}/.openshift_install.log"

For non-GNU sed portability, consider switching to Perl’s \Q…\E.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

systemd/crc-cluster-status.sh (1)

22-36: Avoid disabling tracing globally; keep it scoped to the subshell.

set -x is enabled earlier, but Line 22 turns tracing off for the rest of the script. The subshell already does set +x safely. Drop the global set +x.

-set +x
-echo "Logging into OpenShift with kubeadmin user to update $KUBECONFIG"
+echo "Logging into OpenShift with kubeadmin user to update $KUBECONFIG"
@@
-# use a `(set +x)` subshell to avoid leaking the password
+# use a `(set +x)` subshell to avoid leaking the password
 until (set +x ; oc login --insecure-skip-tls-verify=true -u kubeadmin -p "$(cat /opt/crc/pass_kubeadmin)" https://api.crc.testing:6443 > /dev/null 2>&1); do

systemd/ocp-userpasswords.sh (3)

18-19: Drop unnecessary -i in podman run under systemd.

No TTY/STDIN needed; arguments are passed positionally.

-    podman run --rm -i docker.io/xmartlabs/htpasswd "$1" "$2"
+    podman run --rm docker.io/xmartlabs/htpasswd "$1" "$2"

---

33-48: Restore tracing after secret operations (keep credentials masked).

Tracing is disabled on Line 34 and never re-enabled; re-enable after oc apply for consistent diagnostics.

 echo "creating the password secret ..."
 # use bash <() to use a temporary fd file
 # use sed to remove the empty lines
 oc create secret generic htpass-secret  \
    --from-file=htpasswd=<((echo "$dev_pass"; echo "$adm_pass") | sed '/^[[:space:]]*$/d') \
    -n openshift-config \
    --dry-run=client -oyaml | oc apply -f-
 
-echo "all done"
+set -x
+echo "all done"

---

42-45: Prefer printf to avoid echo edge cases in secret content.

echo can interpret escapes; printf is safer for arbitrary htpasswd lines.

-   --from-file=htpasswd=<((echo "$dev_pass"; echo "$adm_pass") | sed '/^[[:space:]]*$/d') \
+   --from-file=htpasswd=<((printf '%s\n%s\n' "$dev_pass" "$adm_pass" | sed '/^[[:space:]]*$/d')) \

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f6cd41 and 062b4d3.

📒 Files selected for processing (4)

• systemd/crc-cluster-status.sh (2 hunks)
• systemd/crc-pullsecret.sh (1 hunks)
• systemd/ocp-userpasswords.sh (1 hunks)
• tools.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• systemd/crc-pullsecret.sh

🧰 Additional context used

🧬 Code graph analysis (1)

systemd/ocp-userpasswords.sh (1)

systemd/crc-systemd-common.sh (1)

• wait_for_resource (3-15)

🪛 Shellcheck (0.11.0)

tools.sh

[warning] 224-224: Declare and assign separately to avoid masking return values.

(SC2155)

🔇 Additional comments (2)

tools.sh (1)

222-227: Fix SC2155, quote paths, and prefer the named var over $1.

Split declare/assign to satisfy ShellCheck, quote the path, and consistently use auth_file_dir. Also quote ${HTPASSWD}. Functionality unchanged.

    (
-       set +x # use a subshell to avoid leaking the password
-       local random_password=$(cat $1/auth/kubeadmin-password)
-       ${HTPASSWD} -c -B -i "${pass_file}" developer <<<"developer"
-       ${HTPASSWD} -B -i "${pass_file}" kubeadmin <<<"${random_password}"
+       set +x # disable tracing to avoid leaking the password
+       local random_password
+       random_password="$(<"${auth_file_dir}/auth/kubeadmin-password")"
+       # feed passwords via stdin; avoid CLI args
+       "${HTPASSWD}" -c -B -i "${pass_file}" developer <<<"developer"
+       "${HTPASSWD}" -B -i "${pass_file}" kubeadmin <<<"${random_password}"
    )

systemd/ocp-userpasswords.sh (1)

13-16: Fix typo in error message (“two arguments”).

Message reads “to arguments.” Keep the corrected OR check.

-    if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
-        echo "gen_htpasswd needs to arguments: username password" 1>&2
+    if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then
+        echo "gen_htpasswd needs two arguments: username password" 1>&2
         return 1
     fi

[anjannath]

/test e2e-snc

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

systemd/ocp-userpasswords.sh (2)

35-47: Restore tracing after the sensitive block.

We drop into set +x to hide secrets but never turn tracing back on, so the rest of the script now runs silently. Please re‑enable xtrace once the oc apply pipeline finishes so subsequent steps regain their usual diagnostics.

 oc create secret generic htpass-secret  \
    --from-file=htpasswd=<(printf '%s\n%s\n' "$dev_pass" "$adm_pass") \
    -n openshift-config \
    --dry-run=client -oyaml \
     | oc apply -f-
+set -x

---

41-43: Update the stale comment.

The comment still mentions using sed, but the implementation now relies on printf. Please adjust the wording so it reflects the current approach and avoids confusion later.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5ab4c70 and c85282d.

📒 Files selected for processing (1)

• systemd/ocp-userpasswords.sh (2 hunks)

[praveenkumar]

@kpouget bundles generated from this PR is tested with mapt and works as expected?

[kpouget]

@kpouget bundles generated from this PR is tested with mapt and works as expected?

no, I'm not sure yet how to properly test it before merging

[kpouget]

@praveenkumar , I could test this successfully in libvirt 👍🏻

    at 00:00:05 ocp-growfs.service started and took 1s
    at 00:00:13 crc-dnsmasq.service started and took 1s
    at 00:00:14 crc-no-tap.service started and took 1s
    at 00:00:23 crc-wait-apiserver-up.service started and took 122s
    at 00:02:25 ocp-clusterid.service started and took 1s
    at 00:02:25 ocp-mco-sshkey.service started and took 1s
    at 00:02:25 crc-routes-controller.service started and took 1s
    at 00:02:26 crc-cluster-status started and took 110s
    at 00:09:09 crc-pullsecret.service started and took 1s

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

systemd/crc-pullsecret.sh (2)

21-23: jq guard is now errexit/pipefail‑safe.

Using if … | jq -e 'has("auths")' … avoids premature exit; good fix.

---

12-12: Wait for the actual object/namespace; generic “secret” is a no-op.

wait_for_resource secret returns immediately (lists secrets) and doesn’t ensure openshift-config/pull-secret exists; the following oc get … -o jsonpath can fail and abort under errexit. Wait for the exact resource.

-wait_for_resource secret
+wait_for_resource "secret/pull-secret -n openshift-config"

🧹 Nitpick comments (4)

systemd/ocp-userpasswords.sh (4)

21-22: Drop or scope the wait; it doesn’t guard anything here.

You’re creating htpass-secret below, so wait_for_resource secret is redundant and may mask real readiness issues. Remove it, or scope it to a prerequisite if needed.

-wait_for_resource secret
+# No wait needed here; we create the secret below

---

42-42: Stale comment (no sed anymore).

The pipeline no longer uses sed; update or remove this comment to avoid confusion.

-# use sed to remove the empty lines
+# stream the two htpasswd entries via process substitution

---

13-19: Container image hygiene: pin or switch to a maintained base.

Consider pinning the htpasswd image by digest and/or switching to a maintained image (e.g., UBI/httpd variant) to reduce supply‑chain risk.

---

43-47: Optionally clear sensitive vars after apply.

Unset dev_pass/adm_pass to reduce their lifetime in the shell.

     --dry-run=client -oyaml \
     | oc apply -f-
+
+# Clear sensitive data from memory
+unset dev_pass adm_pass

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c85282d and 9bbf5e0.

📒 Files selected for processing (2)

• systemd/crc-pullsecret.sh (1 hunks)
• systemd/ocp-userpasswords.sh (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

systemd/crc-pullsecret.sh (1)

systemd/crc-systemd-common.sh (1)

• wait_for_resource (3-15)

🔇 Additional comments (2)

systemd/crc-pullsecret.sh (1)

29-30: Secure patch application via --patch-file and stdin looks good.

This avoids leaking JSON via args and remains idempotent with --type merge.

systemd/ocp-userpasswords.sh (1)

35-38: Good: tracing disabled before handling secrets.

This prevents password/hash leakage to journals.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Guard against missing local pull secret before patching.

If /opt/crc/pull-secret is absent/unreadable, base64/oc patch will fail with opaque errors. Add an explicit check.

 echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..."
+if [ ! -r /opt/crc/pull-secret ]; then
+    echo "/opt/crc/pull-secret is missing or unreadable" 1>&2
+    exit 1
+fi
 pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..."
	pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
	# Create the JSON patch in memory and pipe it to the oc command
	printf '{"data":{".dockerconfigjson": "%s"}}' "${pullSecretB64}" | \
	oc patch secret pull-secret -n openshift-config --type merge --patch-file=/dev/stdin
	echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..."
	if [ ! -r /opt/crc/pull-secret ]; then
	echo "/opt/crc/pull-secret is missing or unreadable" 1>&2
	exit 1
	fi
	pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret)
	# Create the JSON patch in memory and pipe it to the oc command
	printf '{"data":{".dockerconfigjson": "%s"}}' "${pullSecretB64}" | \
	oc patch secret pull-secret -n openshift-config --type merge --patch-file=/dev/stdin

🤖 Prompt for AI Agents

In systemd/crc-pullsecret.sh around lines 26 to 31, the script assumes
/opt/crc/pull-secret exists and is readable before running base64 and oc patch;
add an explicit check that the file exists and is readable (e.g., test -r
/opt/crc/pull-secret), produce a clear error message and exit non-zero if the
check fails (or skip patching), then only run base64 and oc patch when the file
passes the check; also guard and handle empty output from base64 before piping
to oc to avoid applying an invalid patch.

[kpouget]

👍🏻 I'll add that to #1168

[coderabbitai]

@kpouget Thank you for acknowledging the suggestion! Sounds good—I'll keep an eye out for the fix in #1168. 🙂

[praveenkumar]

/cherry-pick release-4.20

[openshift-cherrypick-robot]

@praveenkumar: once the present PR merges, I will cherry-pick it on top of release-4.20 in a new PR and assign it to you.

In response to this:

/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[praveenkumar]

/cherry-pick master

[openshift-cherrypick-robot]

@praveenkumar: once the present PR merges, I will cherry-pick it on top of master in a new PR and assign it to you.

In response to this:

/cherry-pick master

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@praveenkumar: new pull request created: #1169

In response to this:

/cherry-pick release-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@praveenkumar: new pull request created: #1170

In response to this:

/cherry-pick master

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.