Root Password shows up in plaintext in migration log
I was testing the behavior of a patch to the Cloud Native GitLab chart and noticed that when the migrations job ran my configured root user/password showed up in the migrations log in plain text.
The message appears to come from https://gitlab.com/gitlab-org/gitlab-ce/blob/master/db/fixtures/production/002_admin.rb#L26 or the same line in EE https://gitlab.com/gitlab-org/gitlab-ee/blob/master/db/fixtures/production/002_admin.rb#L26
I'm going to assume that the only user who could view these logs would be someone with disk-level access, so hopefully the root user, so that somewhat limits the scope.
What happens if the logs are shipped to another machine? Would that leak the credentials to users who shouldn't have application-level root access?
Additionally, should a root password be echoed into a log in plaintext at all?
I will note that the root password was set via:

    kubectl create secret generic gitlab-gitlab-initial-root-password --from-literal=password=LEAKING_CREDENTIAL
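As an added illustration (not code from the GitLab fixture or the chart): a Ruby sketch of a seed message that echoes the configured password beside one that redacts it, with a check that captured job output does not contain the secret. The function names and message wording are assumptions; the password is the placeholder from the command above.

```ruby
require "stringio"

# Constructed sample value: the placeholder password used in the report.
SAMPLE_PASSWORD = "LEAKING_CREDENTIAL"

# Hypothetical "before": the seed message echoes the configured password.
def seed_message_leaky(login:, password:)
  ["Administrator account created:", "login:    #{login}", "password: #{password}"]
end

# Hypothetical "after": report where the password came from, never its value.
def seed_message_redacted(login:, password:, source:)
  detail = if password.nil?
             "you will be prompted to create one on first visit"
           else
             "******** (set from #{source})"
           end
  ["Administrator account created:", "login:    #{login}", "password: #{detail}"]
end

# Capture what a block writes to stdout, as a job log collector would.
def capture_log
  original = $stdout
  $stdout = StringIO.new
  yield
  $stdout.string
ensure
  $stdout = original
end

# True if the log contains the secret verbatim or as the base64 encoding of
# the whole value (the form Kubernetes stores Secret data in).
# The secret itself is never printed by this check.
def log_leaks_secret?(log_text, secret)
  return false if secret.nil? || secret.empty?
  needles = [secret, [secret].pack("m0")] # "m0" = base64 without newlines
  needles.any? { |needle| log_text.include?(needle) }
end

leaky = capture_log { puts seed_message_leaky(login: "root", password: SAMPLE_PASSWORD) }
safe = capture_log do
  puts seed_message_redacted(login: "root", password: SAMPLE_PASSWORD,
                             source: "initial root password secret")
end
puts "leaky log leaks:    #{log_leaks_secret?(leaky, SAMPLE_PASSWORD)}"
puts "redacted log leaks: #{log_leaks_secret?(safe, SAMPLE_PASSWORD)}"
```

The same check can run in CI against the captured output of a seed or migration job, so that a password line reintroduced later fails the build before the log is shipped anywhere.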