
Commit 9ef9737

committed
SQUASH: redact secret diffs
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
1 parent bf9437f commit 9ef9737


1 file changed

+20
-4
lines changed


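--- a/pkg/resource/api.go
+++ b/pkg/resource/api.go
@@ -57,7 +57,9 @@ func NewAPIPatchingApplicator(c client.Client) *APIPatchingApplicator {
 return &APIPatchingApplicator{client: c, log: logging.NewNopLogger()}
 }
 
-// WithLogger sets the logger on the APIPatchingApplicator.
+// WithLogger sets the logger on the APIPatchingApplicator. The logger logs
+// client operations including diffs of objects that are patched. Diffs of
+// secrets are redacted.
 func (a *APIPatchingApplicator) WithLogger(l logging.Logger) *APIPatchingApplicator {
 a.log = l
 return a
@@ -111,7 +113,13 @@ func (a *APIPatchingApplicator) Apply(ctx context.Context, obj client.Object, ao
 if len(patchBytes) == 0 {
 return nil
 }
-log.WithValues("diff", string(patchBytes)).Info("patching object")
+secretGVK := schema.GroupVersionKind{Group: "v1", Version: "Secret", Kind: "Secret"}
+if obj.GetObjectKind().GroupVersionKind() == secretGVK {
+// TODO(sttts): be more clever and only redact the secret data
+log.WithValues("diff", "**REDACTED**").Info("patching object")
+} else {
+log.WithValues("diff", string(patchBytes)).Info("patching object")
+}
 
 return a.client.Patch(ctx, obj, client.RawPatch(patch.Type(), patchBytes))
 }
@@ -175,7 +183,9 @@ func NewAPIUpdatingApplicator(c client.Client) *APIUpdatingApplicator {
 return &APIUpdatingApplicator{client: c, log: logging.NewNopLogger()}
 }
 
-// WithLogger sets the logger on the APIUpdatingApplicator.
+// WithLogger sets the logger on the APIUpdatingApplicator. The logger logs
+// client operations including diffs of objects that are patched. Diffs of
+// secrets are redacted.
 func (a *APIUpdatingApplicator) WithLogger(l logging.Logger) *APIUpdatingApplicator {
 a.log = l
 return a
@@ -216,7 +226,13 @@ func (a *APIUpdatingApplicator) Apply(ctx context.Context, obj client.Object, ao
 if len(patchBytes) == 0 {
 return nil
 }
-log.WithValues("diff", string(patchBytes)).Info("updating object")
+secretGVK := schema.GroupVersionKind{Group: "v1", Version: "Secret", Kind: "Secret"}
+if obj.GetObjectKind().GroupVersionKind() == secretGVK {
+// TODO(sttts): be more clever and only redact the secret data
+log.WithValues("diff", "**REDACTED**").Info("patching object")
+} else {
+log.WithValues("diff", string(patchBytes)).Info("patching object")
+}
 
 return a.client.Update(ctx, obj)
 }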
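Review bot: The `secretGVK` literal in both `Apply` hunks has its fields shifted — `Group: "v1", Version: "Secret"` — so it can never equal the core Secret kind (empty group, version `v1`), the redaction branch is never taken, and Secret patch bytes still reach the log; it should read `secretGVK := schema.GroupVersionKind{Version: "v1", Kind: "Secret"}`. Even with the literal corrected, typed objects often carry an empty TypeMeta, so `obj.GetObjectKind().GroupVersionKind()` may come back empty for a `*corev1.Secret`; a type assertion on the Secret type, or resolving the kind through the client's scheme, would fail closed more reliably — worth confirming against how callers build `obj`. In the `APIUpdatingApplicator.Apply` hunk both new log calls say `"patching object"` where the removed line said `"updating object"`, which looks like a copy-paste slip. Both `Apply` bodies begin outside their hunks, so how `log` and `patchBytes` are derived is not visible here.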
