From cb936670503fde5c5678330c694717184b833203 Mon Sep 17 00:00:00 2001
From: Michal Schott
Date: Thu, 2 Sep 2021 10:24:10 +0200
Subject: [PATCH 1/2] Redact secret data.
Signed-off-by: Michal Schott
---
 controllers/kustomization_controller.go | 2 +-
 controllers/utils.go | 13 +++++++++++
 controllers/utils_test.go | 30 +++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
index 0aacaac1..4a61bc32 100644
--- a/controllers/kustomization_controller.go
+++ b/controllers/kustomization_controller.go
@@ -367,7 +367,7 @@ func (r *KustomizationReconciler) reconcile(
 source.GetArtifact().Revision,
 meta.ReconciliationFailedReason,
 err.Error(),
- ), err
+ ), stripSensitiveData(err)
 }
 // prune
diff --git a/controllers/utils.go b/controllers/utils.go
index a36808ba..5a48c1e6 100644
--- a/controllers/utils.go
+++ b/controllers/utils.go
@@ -17,6 +17,8 @@ limitations under the License.
 package controllers
 import (
+ "errors"
+ "regexp"
 "strings"
 )
@@ -77,3 +79,14 @@ func containsString(slice []string, s string) bool {
 }
 return false
 }
+
+func stripSensitiveData(err error) error {
+ r := regexp.MustCompile(`(v1.Secret.(StringData|Data):) (.*)`)
+ newErr := r.ReplaceAllString(err.Error(), "$1 [ ** REDACTED ** ]")
+
+ // strip data from bigger context
+ r = regexp.MustCompile(`((stringData|data)\":{)(.*)(})`)
+ newErr = r.ReplaceAllString(newErr, "$1 [ ** REDACTED ** ] $4")
+
+ return errors.New(newErr)
+}
diff --git a/controllers/utils_test.go b/controllers/utils_test.go
index 39b75c77..c8bc3fa5 100644
--- a/controllers/utils_test.go
+++ b/controllers/utils_test.go
@@ -1,6 +1,7 @@
 package controllers
 import (
+ "errors"
 "strings"
 "testing"
 )
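Review bot: In the `@@ -367,7 +367,7 @@` hunk only the returned error is redacted, while `err.Error()` on the line just above `), stripSensitiveData(err)` is still passed unredacted as an argument of the same call (presumably the status/condition update, given the `meta.ReconciliationFailedReason` argument next to it), so the Secret payload this patch removes from the returned error would still be written into the Kustomization status and anything derived from it. Redact once before the call and use it in both places, e.g. `stripSensitiveData(err).Error(),` in place of `err.Error(),`, or assign `redacted := stripSensitiveData(err)` above the call and pass `redacted.Error()` and `redacted`. The same gap exists in the `@@ -356,7 +356,7 @@` hunk of PATCH 2/2 (the `kustomizev1.ValidationFailedReason` branch). The enclosing call and `reconcile` itself start and end outside the hunk, so the exact callee could not be confirmed here.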
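Review bot: `stripSensitiveData` in the `@@ -77,3 +79,14 @@` hunk recompiles both regular expressions on every call (`regexp.MustCompile` twice inside the body) and dereferences `err.Error()` without a nil guard, so a nil argument panics; hoist the patterns to package-level vars and return nil for a nil error. The dots in `v1.Secret.` are unescaped and match any character, `v1\.Secret\.` is what is meant. The function has no doc comment; it should record that the result is a fresh `errors.New` rather than a wrapped error, deliberately, because an `Unwrap` chain would hand the unredacted text back to callers, and that the redaction is pattern-based, covering only messages shaped like the two expressions, so a change in upstream error wording silently stops it from redacting. The rewrite below keeps the same signature and replacement strings; the import hunk above and the rest of utils.go are unchanged.
```go
// stripSensitiveData returns a new error whose message has the Secret
// StringData/Data payload replaced by a redaction marker. The original error
// is intentionally not wrapped (Unwrap would expose the unredacted text), and
// redaction is pattern-based: only messages matching the patterns below are
// affected.
var (
	secretFieldRE   = regexp.MustCompile(`(v1\.Secret\.(StringData|Data):) (.*)`)
	secretContextRE = regexp.MustCompile(`((stringData|data)\":{)(.*)(})`)
)

func stripSensitiveData(err error) error {
	if err == nil {
		return nil
	}
	msg := secretFieldRE.ReplaceAllString(err.Error(), "$1 [ ** REDACTED ** ]")
	// strip data from bigger context
	msg = secretContextRE.ReplaceAllString(msg, "$1 [ ** REDACTED ** ] $4")
	return errors.New(msg)
}
```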
@@ -54,3 +55,32 @@ error: error validating data: unknown field "ima ge" in io.k8s.api.core.v1.Cont
 })
 }
 }
+
+func TestStripSensitiveData(t *testing.T) {
+ tests := []struct {
+ name string
+ in error
+ expected error
+ }{
+ {
+ "stringData",
+ errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.StringData: ReadString: expects \" or n, but found 0, error found in #10 byte of ...|\"secret\":0}}\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"stringData\":{\"secret\":0}}\n|...\n"),
+ errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.StringData: [ ** REDACTED ** ]\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"stringData\":{ [ ** REDACTED ** ] }\n|...\n"),
+ },
+ {
+ "data",
+ errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.Data: ReadString: expects \" or n, but found 0, error found in #10 byte of ...|\"secret\":0}}\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"data\":{\"secret\":0}}\n|...\n"),
+ errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.Data: [ ** REDACTED ** ]\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"data\":{ [ ** REDACTED ** ] }\n|...\n"),
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ expected := stripSensitiveData(tt.in)
+
+ if expected.Error() != tt.expected.Error() {
+ t.Errorf("\nexpected:\n%q\ngot:\n%q\n", tt.expected.Error(), expected.Error())
+ }
+ })
+ }
+}
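Review bot: In `TestStripSensitiveData` the local holding the function's output is named `expected` (`expected := stripSensitiveData(tt.in)`) while the oracle lives in `tt.expected`, so the failure message is only right because the arguments are swapped back in `t.Errorf`; rename it, `got := stripSensitiveData(tt.in)` and `if got.Error() != tt.expected.Error() {`, with `got.Error()` as the second `%q` argument. Both table cases are inputs that match the redaction patterns; a third case whose message contains no Secret payload should assert it passes through byte-for-byte, so that a later change that broadens or breaks the expressions is caught rather than silently over- or under-redacting. The two expected strings differ only in `StringData`/`Data` and `stringData`/`data` and could be derived from one template, but that is optional.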
From 72bc54477aa89aadc40d1444d0f30b1e9963806f Mon Sep 17 00:00:00 2001
From: Michal Schott
Date: Wed, 8 Sep 2021 16:31:49 +0200
Subject: [PATCH 2/2] Filter dryrun errors for senstive data.
Signed-off-by: Michal Schott
---
 controllers/kustomization_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
index 4a61bc32..de74a12d 100644
--- a/controllers/kustomization_controller.go
+++ b/controllers/kustomization_controller.go
@@ -356,7 +356,7 @@ func (r *KustomizationReconciler) reconcile(
 source.GetArtifact().Revision,
 kustomizev1.ValidationFailedReason,
 err.Error(),
- ), err
+ ), stripSensitiveData(err)
 }
 // apply