From 7f4576cf36d8e72b774a903c4c322227f1256390 Mon Sep 17 00:00:00 2001 From: Michel Laterman <82832767+michel-laterman@users.noreply.github.com> Date: Fri, 12 Aug 2022 10:55:09 -0700 Subject: [PATCH] Log redacted config on config changes (#1671) * Log redacted config on config changes * Fix redact linter warnings * Fix redaction * Fix redaction, redact service token * fix redacted initialization to fix tests * Change logging location to reduce duplication --- CHANGELOG.next.asciidoc | 1 + cmd/fleet/main.go | 25 +++++++++++++++++++++---- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index a11896778..d8e8e4165 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -11,3 +11,4 @@ - Add start_time and minimum_execution_duration to actions to allow fleet-server to schedule agent actions. {pull}1381[1381] - Fleet Server now allows setting global labels on APM instrumentation. {pull}1649[1649] - Fleet Server now allows setting transaction sample rate on APM instrumentation {pull}1681[1681] +- Log redacted config when config updates. {issue}1626[1626] {pull}1668[1668] \ No newline at end of file diff --git a/cmd/fleet/main.go b/cmd/fleet/main.go index 2f6be9a9e..a28ec50c3 100644 --- a/cmd/fleet/main.go +++ b/cmd/fleet/main.go @@ -585,6 +585,10 @@ func redactOutputCfg(cfg *config.Config) config.Output { redacted.Elasticsearch.APIKey = kRedacted } + if redacted.Elasticsearch.ServiceToken != "" { + redacted.Elasticsearch.ServiceToken = kRedacted + } + if redacted.Elasticsearch.TLS != nil { newTLS := *redacted.Elasticsearch.TLS 
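Review bot: The masking in redactOutputCfg is a per-field denylist, and the new ServiceToken check only adds one entry to it, so any credential added to the output section later is written unmasked by the info-level log lines that consume this function. I would state that contract on the function, for example `// redactOutputCfg must mask every credential-bearing field of config.Output; its result is written to the log.`, and add a test that fills each secret field with a sentinel value and asserts the sentinel is absent from the marshalled result. Whether other parts of the Elasticsearch section (custom headers, proxy settings) can carry credentials is not visible from this hunk and is worth checking against the struct definition. The function starts and ends outside the hunk.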
@@ -621,9 +625,22 @@ func redactServerCfg(cfg *config.Config) config.Server { return redacted } +func redactConfig(cfg *config.Config) *config.Config { + redacted := &config.Config{ + Fleet: cfg.Fleet, + Output: cfg.Output, + Inputs: make([]config.Input, 1), + Logging: cfg.Logging, + HTTP: cfg.HTTP, + } + redacted.Inputs[0].Server = redactServerCfg(cfg) + redacted.Output = redactOutputCfg(cfg) + return redacted +} + func configChangedServer(curCfg, newCfg *config.Config) bool { - zlog := log.With().Interface("new", redactServerCfg(newCfg)).Logger() + zlog := log.With().Interface("new", redactConfig(newCfg)).Logger() changed := true switch { @@ -631,15 +648,15 @@ func configChangedServer(curCfg, newCfg *config.Config) bool { zlog.Info().Msg("initial server configuration") case !reflect.DeepEqual(curCfg.Fleet, newCfg.Fleet): zlog.Info(). - Interface("old", curCfg). + Interface("old", redactConfig(curCfg)). Msg("fleet configuration has changed") case !reflect.DeepEqual(curCfg.Output, newCfg.Output): zlog.Info(). - Interface("old", redactOutputCfg(curCfg)). + Interface("old", redactConfig(curCfg)). Msg("output configuration has changed") case !reflect.DeepEqual(curCfg.Inputs[0].Server, newCfg.Inputs[0].Server): zlog.Info(). - Interface("old", redactServerCfg(curCfg)). + Interface("old", redactConfig(curCfg)). Msg("server configuration has changed") default: changed = false
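Review bot: redactConfig copies cfg.Fleet, cfg.Logging and cfg.HTTP into the logged value unchanged, so only the output section and the first input's server section are masked; if any of those three sections holds or later gains a secret, it reaches the log in clear. A doc comment should state that assumption, e.g. `// redactConfig returns a copy safe to log: Output and Inputs[0].Server are masked; Fleet, Logging and HTTP are copied as-is and must not hold secrets.` The `Output: cfg.Output,` line in the literal is a dead store that briefly places the unmasked output in the struct before `redacted.Output = redactOutputCfg(cfg)` overwrites it; drop it so the unmasked value is never assigned. The function also dereferences cfg and, presumably through redactServerCfg, cfg.Inputs[0] without a guard, so it is safe only for a non-nil config with at least one input.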
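Review bot: The three `Interface("old", redactConfig(curCfg))` calls rely on curCfg being non-nil, because redactConfig reads cfg.Fleet without a nil check; that holds only while the switch's first case, which sits between the hunks and is not shown, handles the initial configuration (presumably a nil curCfg). A short comment at the first of them would stop a later reordering of the cases from turning into a panic: `// curCfg is non-nil from here on; the first case handles the initial configuration.` Each branch now attaches the whole configuration as `old`, so the safety of these log lines depends entirely on redactConfig masking everything sensitive. configChangedServer begins in the previous hunk and continues past the end of this one.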