From e20e66a190a49973d94f8d8f0678bb9fe9cb9a4e Mon Sep 17 00:00:00 2001
From: Utku Ozdemir
Date: Thu, 15 Dec 2022 12:31:12 +0100
Subject: [PATCH] fix: redact service account key in config in RedactSecrets method
Include the previously missing service account key field in the redaction.
Signed-off-by: Utku Ozdemir
(cherry picked from commit 873bd3807c0fcca2e212deb7fd044662557964c1)
---
 pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go | 6 ++++++
 pkg/machinery/config/types/v1alpha1/v1alpha1_redact_test.go | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
index cf119098ca..e529b6c41f 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
@@ -103,6 +103,8 @@ func (c *Config) Bytes() ([]byte, error) {
 }
 // RedactSecrets implements the config.Provider interface.
+//
+//nolint:gocyclo
 func (c *Config) RedactSecrets(replacement string) config.Provider {
 if c == nil {
 return nil
@@ -135,6 +137,10 @@ func (c *Config) RedactSecrets(replacement string) config.Provider {
 clone.ClusterConfig.ClusterAESCBCEncryptionSecret = redactStr(clone.ClusterConfig.ClusterAESCBCEncryptionSecret)
 clone.ClusterConfig.ClusterSecretboxEncryptionSecret = redactStr(clone.ClusterConfig.ClusterSecretboxEncryptionSecret)
+ if clone.ClusterConfig.ClusterServiceAccount != nil {
+ clone.ClusterConfig.ClusterServiceAccount.Key = redactBytes(clone.ClusterConfig.ClusterServiceAccount.Key)
+ }
+
 if clone.ClusterConfig.ClusterCA != nil {
 clone.ClusterConfig.ClusterCA.Key = redactBytes(clone.ClusterConfig.ClusterCA.Key)
 }
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_redact_test.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_redact_test.go
index 613bec7ea3..4231ee924a 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_redact_test.go
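Review bot: The added `//nolint:gocyclo` above RedactSecrets silences the complexity linter rather than addressing why the function keeps growing: each pointer-typed secret costs one more nil-check branch, as the second hunk of this file shows. A small helper that redacts the key only when the pointer is non-nil would keep the branch count flat as fields are added. If the suppression stays, give it a reason, for example `//nolint:gocyclo // one nil-check per optional secret field`. The function body continues outside the hunk.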
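Review bot: Redaction in RedactSecrets is opt-in per field, so a secret that is not listed is returned in clear text, which is exactly the gap this commit closes for `ClusterServiceAccount.Key`. Nothing in the visible lines tells the next author that a new secret-bearing field needs an entry here and an assertion in TestRedactSecrets. I would add above this block `// Every secret field must be redacted below and asserted in TestRedactSecrets; unlisted fields are returned as-is.` The function starts and ends outside the hunk, so whether other key material is still unlisted cannot be judged from here.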
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_redact_test.go
@@ -34,6 +34,7 @@ func TestRedactSecrets(t *testing.T) {
 require.NotEmpty(t, config.ClusterConfig.ClusterSecretboxEncryptionSecret)
 require.NotEmpty(t, config.ClusterConfig.ClusterCA.Key)
 require.NotEmpty(t, config.ClusterConfig.EtcdConfig.RootCA.Key)
+ require.NotEmpty(t, config.ClusterConfig.ClusterServiceAccount.Key)
 replacement := "**.***"
@@ -55,4 +56,5 @@ func TestRedactSecrets(t *testing.T) {
 require.Equal(t, replacement, redacted.Cluster().SecretboxEncryptionSecret())
 require.Equal(t, replacement, string(redacted.Cluster().CA().Key))
 require.Equal(t, replacement, string(redacted.Cluster().Etcd().CA().Key))
+ require.Equal(t, replacement, string(redacted.Cluster().ServiceAccount().Key))
 }
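Review bot: The new assertions in both hunks check only the redacted copy; they never check that `config.ClusterConfig.ClusterServiceAccount.Key` still holds its original value after the call. The field sits behind a pointer (provider.go nil-checks it before writing), so a shallow clone inside RedactSecrets would overwrite the live key and this test would still pass. The lines between the two hunks are not shown; if they do not already cover it, add `require.NotEqual(t, replacement, string(config.ClusterConfig.ClusterServiceAccount.Key))` after the RedactSecrets call.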