Merge pull request #420 from michalschott/main

Mask the Kubernetes Secrets data from dry-run and apply logs
fluxcd · Sep 9, 2021 · 9838b77 · 9838b77
2 parents 52c61f8 + 72bc544
commit 9838b77
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 2 deletions.
diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
@@ -356,7 +356,7 @@ func (r *KustomizationReconciler) reconcile(
 			source.GetArtifact().Revision,
 			kustomizev1.ValidationFailedReason,
 			err.Error(),
-		), err
+		), stripSensitiveData(err)
 	}
 
 	// apply
@@ -367,7 +367,7 @@ func (r *KustomizationReconciler) reconcile(
 			source.GetArtifact().Revision,
 			meta.ReconciliationFailedReason,
 			err.Error(),
-		), err
+		), stripSensitiveData(err)
 	}
 
 	// prune

diff --git a/controllers/utils.go b/controllers/utils.go
@@ -17,6 +17,8 @@ limitations under the License.
 package controllers
 
 import (
+	"errors"
+	"regexp"
 	"strings"
 )
 
@@ -77,3 +79,14 @@ func containsString(slice []string, s string) bool {
 	}
 	return false
 }
+
+func stripSensitiveData(err error) error {
+	r := regexp.MustCompile(`(v1.Secret.(StringData|Data):) (.*)`)
+	newErr := r.ReplaceAllString(err.Error(), "$1 [ ** REDACTED ** ]")
+
+	// strip data from bigger context
+	r = regexp.MustCompile(`((stringData|data)\":{)(.*)(})`)
+	newErr = r.ReplaceAllString(newErr, "$1 [ ** REDACTED ** ] $4")
+
+	return errors.New(newErr)
+}
diff --git a/controllers/utils_test.go b/controllers/utils_test.go
@@ -1,6 +1,7 @@
 package controllers
 
 import (
+	"errors"
 	"strings"
 	"testing"
 )
@@ -54,3 +55,32 @@ error: error validating data: unknown field "ima  ge" in io.k8s.api.core.v1.Cont
 		})
 	}
 }
+
+func TestStripSensitiveData(t *testing.T) {
+	tests := []struct {
+		name     string
+		in       error
+		expected error
+	}{
+		{
+			"stringData",
+			errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.StringData: ReadString: expects \" or n, but found 0, error found in #10 byte of ...|\"secret\":0}}\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"stringData\":{\"secret\":0}}\n|...\n"),
+			errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.StringData: [ ** REDACTED ** ]\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"stringData\":{ [ ** REDACTED ** ] }\n|...\n"),
+		},
+		{
+			"data",
+			errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.Data: ReadString: expects \" or n, but found 0, error found in #10 byte of ...|\"secret\":0}}\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"data\":{\"secret\":0}}\n|...\n"),
+			errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.Data: [ ** REDACTED ** ]\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"data\":{ [ ** REDACTED ** ] }\n|...\n"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			expected := stripSensitiveData(tt.in)
+
+			if expected.Error() != tt.expected.Error() {
+				t.Errorf("\nexpected:\n%q\ngot:\n%q\n", tt.expected.Error(), expected.Error())
+			}
+		})
+	}
+}