mz-debug: Remove scraping secrets (#34223)

Even though redacted, we still leak some of the values via annotations.

<!--
Describe the contents of the PR briefly but completely.

If you write detailed commit messages, it is acceptable to copy/paste
them
here, or write "see commit messages for details." If there is only one
commit
in the PR, GitHub will have already added its commit message above.
-->

### Motivation

<!--
Which of the following best describes the motivation behind this PR?

  * This PR fixes a recognized bug.

    [Ensure issue is linked somewhere.]

  * This PR adds a known-desirable feature.

    [Ensure issue is linked somewhere.]

  * This PR fixes a previously unreported bug.

    [Describe the bug in detail, as if you were filing a bug report.]

  * This PR adds a feature that has not yet been specified.

[Write a brief specification for the feature, including justification
for its inclusion in Materialize, as if you were writing the original
     feature specification.]

   * This PR refactors existing code.

[Describe what was wrong with the existing code, if it is not obvious.]
-->

### Tips for reviewer

<!--
Leave some tips for your reviewer, like:

    * The diff is much smaller if viewed with whitespace hidden.
    * [Some function/module/file] deserves extra attention.
* [Some function/module/file] is pure code movement and only needs a
skim.

Delete this section if no tips.
-->

### Checklist

- [ ] This PR has adequate test coverage / QA involvement has been duly
considered. ([trigger-ci for additional test/nightly
runs](https://trigger-ci.dev.materialize.com/))
- [ ] This PR has an associated up-to-date [design
doc](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/README.md),
is a design doc
([template](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/design/00000000_template.md)),
or is sufficiently small to not require a design.
  <!-- Reference the design in the description. -->
- [ ] If this PR evolves [an existing `$T ⇔ Proto$T`
mapping](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/command-and-response-binary-encoding.md)
(possibly in a backwards-incompatible way), then it is tagged with a
`T-proto` label.
- [ ] If this PR will require changes to cloud orchestration or tests,
there is a companion cloud PR to account for those changes that is
tagged with the release-blocker label
([example](MaterializeInc/cloud#5021)).
<!-- Ask in #team-cloud on Slack if you need help preparing the cloud
PR. -->
- [ ] If this PR includes major [user-facing behavior
changes](https://github.com/MaterializeInc/materialize/blob/main/doc/developer/guide-changes.md#what-changes-require-a-release-note),
I have pinged the relevant PM to schedule a changelog post.

Author: SangJunBak

Cargo.lock

@@ -30,7 +30,6 @@ rows:
       - `roles/{namespace}/*.yaml`
       - `rolebinding/{namespace}/*.yaml`
       - `configmaps/{namespace}/*.yaml`
-      - `secrets/{namespace}/*.yaml`
       - `serviceaccounts/{namespace}/*.yaml`
 
   - "Resource Type": "Cluster-level"

doc/user/data/mz-debug/kubernetes_resource_files.yml

@@ -32,14 +32,6 @@ rows:
 
       Defaults to the `KUBERNETES_CONTEXT` environment variable.
 
-  - Option: "`--k8s-dump-secret-values <boolean>`"
-    Description: |
-
-      <a name="k8s-dump-secret-values"></a> If `true`, include unredacted secrets in the
-      dump. Use with caution.
-
-      Defaults to `false`.
-
   - Option: "`-h`, `--help`"
     Description: |
 

doc/user/data/mz-debug/self_managed_options.yml

@@ -1,7 +1,7 @@
 [package]
 name = "mz-debug"
 description = "Debug tool for self-managed Materialize."
-version = "0.4.0"
+version = "0.4.1"
 edition.workspace = true
 rust-version.workspace = true
 publish = false

src/mz-debug/Cargo.toml

@@ -29,8 +29,7 @@ use k8s_openapi::api::admissionregistration::v1::{
 };
 use k8s_openapi::api::apps::v1::{DaemonSet, Deployment, ReplicaSet, StatefulSet};
 use k8s_openapi::api::core::v1::{
-    ConfigMap, Event, Node, PersistentVolume, PersistentVolumeClaim, Pod, Secret, Service,
-    ServiceAccount,
+    ConfigMap, Event, Node, PersistentVolume, PersistentVolumeClaim, Pod, Service, ServiceAccount,
 };
 use k8s_openapi::api::networking::v1::NetworkPolicy;
 use k8s_openapi::api::rbac::v1::{Role, RoleBinding};
@@ -51,29 +50,22 @@ struct K8sResourceDumper<'n, K> {
     api: Api<K>,
     namespace: Option<String>,
     resource_type: String,
-    dump_secret_values: bool,
 }
 
 impl<'n, K> K8sResourceDumper<'n, K>
 where
     K: kube::Resource<DynamicType = ()> + Clone + Debug + Serialize + DeserializeOwned,
 {
-    fn cluster(context: &'n Context, client: Client, dump_secret_values: bool) -> Self {
+    fn cluster(context: &'n Context, client: Client) -> Self {
         Self {
             context,
             api: Api::<K>::all(client),
             namespace: None,
             resource_type: K::plural(&()).into_owned(),
-            dump_secret_values,
         }
     }
 
-    fn namespaced(
-        context: &'n Context,
-        client: Client,
-        namespace: String,
-        dump_secret_values: bool,
-    ) -> Self
+    fn namespaced(context: &'n Context, client: Client, namespace: String) -> Self
     where
         K: kube::Resource<Scope = NamespaceResourceScope>,
     {
@@ -82,7 +74,6 @@ where
             api: Api::<K>::namespaced(client, namespace.as_str()),
             namespace: Some(namespace),
             resource_type: K::plural(&()).into_owned(),
-            dump_secret_values,
         }
     }
 
@@ -115,12 +106,7 @@ where
             ));
             let mut file = File::create(&file_name)?;
 
-            // If the resource is a secret, we hide its values by default.
-            if self.resource_type == "secrets" && !self.dump_secret_values {
-                serde_yaml::to_writer(&mut file, item.meta())?;
-            } else {
-                serde_yaml::to_writer(&mut file, &item)?;
-            }
+            serde_yaml::to_writer(&mut file, &item)?;
 
             info!("Exported {}", file_name.display());
         }
@@ -145,8 +131,6 @@ pub struct K8sDumper<'n> {
     k8s_additional_namespaces: Option<Vec<String>>,
     /// The kubernetes context to use.
     k8s_context: Option<String>,
-    /// If true, the tool will dump the values of secrets in the Kubernetes cluster.
-    k8s_dump_secret_values: bool,
 }
 
 impl<'n> K8sDumper<'n> {
@@ -156,15 +140,13 @@ impl<'n> K8sDumper<'n> {
         k8s_namespace: String,
         k8s_additional_namespaces: Option<Vec<String>>,
         k8s_context: Option<String>,
-        k8s_dump_secret_values: bool,
     ) -> Self {
         Self {
             context,
             client,
             k8s_namespace,
             k8s_additional_namespaces,
             k8s_context,
-            k8s_dump_secret_values,
         }
     }
 
@@ -239,59 +221,37 @@ impl<'n> K8sDumper<'n> {
 
     /// Write cluster-level k8s resources to a yaml file per resource.
     async fn dump_cluster_resources(&self) {
-        K8sResourceDumper::<Node>::cluster(
-            self.context,
-            self.client.clone(),
-            self.k8s_dump_secret_values,
-        )
-        .dump()
-        .await;
+        K8sResourceDumper::<Node>::cluster(self.context, self.client.clone())
+            .dump()
+            .await;
 
-        K8sResourceDumper::<StorageClass>::cluster(
-            self.context,
-            self.client.clone(),
-            self.k8s_dump_secret_values,
-        )
-        .dump()
-        .await;
+        K8sResourceDumper::<StorageClass>::cluster(self.context, self.client.clone())
+            .dump()
+            .await;
 
-        K8sResourceDumper::<PersistentVolume>::cluster(
-            self.context,
-            self.client.clone(),
-            self.k8s_dump_secret_values,
-        )
-        .dump()
-        .await;
+        K8sResourceDumper::<PersistentVolume>::cluster(self.context, self.client.clone())
+            .dump()
+            .await;
 
         K8sResourceDumper::<MutatingWebhookConfiguration>::cluster(
             self.context,
             self.client.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
 
         K8sResourceDumper::<ValidatingWebhookConfiguration>::cluster(
             self.context,
             self.client.clone(),
-            self.k8s_dump_secret_values,
-        )
-        .dump()
-        .await;
-        K8sResourceDumper::<DaemonSet>::cluster(
-            self.context,
-            self.client.clone(),
-            self.k8s_dump_secret_values,
-        )
-        .dump()
-        .await;
-        K8sResourceDumper::<CustomResourceDefinition>::cluster(
-            self.context,
-            self.client.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
+        K8sResourceDumper::<DaemonSet>::cluster(self.context, self.client.clone())
+            .dump()
+            .await;
+        K8sResourceDumper::<CustomResourceDefinition>::cluster(self.context, self.client.clone())
+            .dump()
+            .await;
     }
 
     async fn _dump_k8s_pod_logs(&self, namespace: &String) -> Result<(), anyhow::Error> {
@@ -370,115 +330,86 @@ impl<'n> K8sDumper<'n> {
 
     /// Write namespace-level k8s resources to a yaml file per resource.
     pub async fn dump_namespaced_resources(&self, namespace: String) {
-        K8sResourceDumper::<Pod>::namespaced(
-            self.context,
-            self.client.clone(),
-            namespace.clone(),
-            self.k8s_dump_secret_values,
-        )
-        .dump()
-        .await;
+        K8sResourceDumper::<Pod>::namespaced(self.context, self.client.clone(), namespace.clone())
+            .dump()
+            .await;
         K8sResourceDumper::<Service>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
         K8sResourceDumper::<Deployment>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
         K8sResourceDumper::<StatefulSet>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
         K8sResourceDumper::<ReplicaSet>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
         K8sResourceDumper::<NetworkPolicy>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
         K8sResourceDumper::<Event>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
         K8sResourceDumper::<Materialize>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
-        )
-        .dump()
-        .await;
-        K8sResourceDumper::<Role>::namespaced(
-            self.context,
-            self.client.clone(),
-            namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
+        K8sResourceDumper::<Role>::namespaced(self.context, self.client.clone(), namespace.clone())
+            .dump()
+            .await;
         K8sResourceDumper::<RoleBinding>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
         K8sResourceDumper::<ConfigMap>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
-        )
-        .dump()
-        .await;
-        K8sResourceDumper::<Secret>::namespaced(
-            self.context,
-            self.client.clone(),
-            namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
         K8sResourceDumper::<PersistentVolumeClaim>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
         K8sResourceDumper::<ServiceAccount>::namespaced(
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
@@ -487,7 +418,6 @@ impl<'n> K8sDumper<'n> {
             self.context,
             self.client.clone(),
             namespace.clone(),
-            self.k8s_dump_secret_values,
         )
         .dump()
         .await;
@@ -535,9 +465,6 @@ impl<'n> ContainerDumper for K8sDumper<'n> {
             futs.push(Box::pin(
                 self.dump_kubectl_describe::<ConfigMap>(Some(namespace)),
             ));
-            futs.push(Box::pin(
-                self.dump_kubectl_describe::<Secret>(Some(namespace)),
-            ));
             futs.push(Box::pin(
                 self.dump_kubectl_describe::<PersistentVolumeClaim>(Some(namespace)),
             ));

src/mz-debug/src/k8s_dumper.rs

@@ -70,9 +70,6 @@ pub struct SelfManagedDebugModeArgs {
     /// The kubernetes context to use.
     #[clap(long, env = "KUBERNETES_CONTEXT")]
     k8s_context: Option<String>,
-    /// If true, the tool will dump the values of secrets in the Kubernetes cluster.
-    #[clap(long, default_value = "false", action = clap::ArgAction::Set)]
-    k8s_dump_secret_values: bool,
 }
 
 #[derive(Parser, Debug, Clone)]
@@ -160,7 +157,6 @@ struct SelfManagedContext {
     k8s_namespace: String,
     mz_instance_name: String,
     k8s_additional_namespaces: Option<Vec<String>>,
-    k8s_dump_secret_values: bool,
     mz_connection_info: SelfManagedMzConnectionInfo,
     http_connection_auth_mode: AuthMode,
 }
@@ -337,7 +333,6 @@ async fn initialize_context(
                 k8s_namespace: args.k8s_namespace.clone(),
                 mz_instance_name: args.mz_instance_name.clone(),
                 k8s_additional_namespaces: args.additional_k8s_namespaces.clone(),
-                k8s_dump_secret_values: args.k8s_dump_secret_values,
                 mz_connection_info,
                 http_connection_auth_mode: auth_mode,
             })
@@ -406,7 +401,6 @@ async fn run(context: Context) -> Result<(), anyhow::Error> {
             k8s_context,
             k8s_namespace,
             k8s_additional_namespaces,
-            k8s_dump_secret_values,
             ..
         }) => {
             if *dump_k8s {
@@ -416,7 +410,6 @@ async fn run(context: Context) -> Result<(), anyhow::Error> {
                     k8s_namespace.clone(),
                     k8s_additional_namespaces.clone(),
                     k8s_context.clone(),
-                    *k8s_dump_secret_values,
                 );
                 dumper.dump_container_resources().await;
             }