fix: redact service account key in config in RedactSecrets method
Include the previously missing service account key field in the redaction.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>
(cherry picked from commit 873bd38)
utkuozdemir authored and smira committed Dec 27, 2022
1 parent 42b04e3 commit e20e66a
Showing 2 changed files with 8 additions and 0 deletions.
6 changes: 6 additions & 0 deletions pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
@@ -103,6 +103,8 @@ func (c *Config) Bytes() ([]byte, error) {
}

// RedactSecrets implements the config.Provider interface.
//
//nolint:gocyclo
func (c *Config) RedactSecrets(replacement string) config.Provider {
if c == nil {
return nil
@@ -135,6 +137,10 @@ func (c *Config) RedactSecrets(replacement string) config.Provider {
clone.ClusterConfig.ClusterAESCBCEncryptionSecret = redactStr(clone.ClusterConfig.ClusterAESCBCEncryptionSecret)
clone.ClusterConfig.ClusterSecretboxEncryptionSecret = redactStr(clone.ClusterConfig.ClusterSecretboxEncryptionSecret)

if clone.ClusterConfig.ClusterServiceAccount != nil {
clone.ClusterConfig.ClusterServiceAccount.Key = redactBytes(clone.ClusterConfig.ClusterServiceAccount.Key)
}

if clone.ClusterConfig.ClusterCA != nil {
clone.ClusterConfig.ClusterCA.Key = redactBytes(clone.ClusterConfig.ClusterCA.Key)
}
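Review bot: RedactSecrets is still a hand-maintained list of secret fields, and nothing in its doc comment tells the next author that a field left off the list ends up in redacted output unnoticed, which is what this fix corrects for the service account key. I would extend the comment above the function with `// Every secret-bearing field of Config must be cleared here; when adding one, also assert it in TestRedactSecrets.` The `//nolint:gocyclo` directive, assuming it is one of the added lines, silences the complexity warning for the whole function, so growth from each further nil-guarded field will no longer be flagged. The function body starts and ends outside these hunks, so whether the remaining secret fields are covered cannot be judged from here.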
2 changes: 2 additions & 0 deletions pkg/machinery/config/types/v1alpha1/v1alpha1_redact_test.go
@@ -34,6 +34,7 @@ func TestRedactSecrets(t *testing.T) {
require.NotEmpty(t, config.ClusterConfig.ClusterSecretboxEncryptionSecret)
require.NotEmpty(t, config.ClusterConfig.ClusterCA.Key)
require.NotEmpty(t, config.ClusterConfig.EtcdConfig.RootCA.Key)
require.NotEmpty(t, config.ClusterConfig.ClusterServiceAccount.Key)

replacement := "**.***"

@@ -55,4 +56,5 @@ func TestRedactSecrets(t *testing.T) {
require.Equal(t, replacement, redacted.Cluster().SecretboxEncryptionSecret())
require.Equal(t, replacement, string(redacted.Cluster().CA().Key))
require.Equal(t, replacement, string(redacted.Cluster().Etcd().CA().Key))
require.Equal(t, replacement, string(redacted.Cluster().ServiceAccount().Key))
}
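Review bot: The new assertions on `ClusterServiceAccount.Key` check the redacted copy only; nothing visible here checks that the original `config` still holds its key after `RedactSecrets` returns. `ClusterServiceAccount` is a pointer (it is nil-checked in v1alpha1_provider.go), so if the clone ever shared that pointer the assignment would overwrite the live key with the replacement string. Adding `require.NotEqual(t, replacement, string(config.ClusterConfig.ClusterServiceAccount.Key))` after the last `require.Equal` would pin that. The lines between the two hunks are not shown, so an equivalent check may already exist there; a case with `ClusterServiceAccount == nil` would also exercise the new guard.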
