SQUASH: redact secret diffs

Signed-off-by: Dr. Stefan Schimanski <[email protected]>
crossplane · Sep 2, 2023 · 9ef9737 · 9ef9737
1 parent bf9437f
commit 9ef9737
Showing 1 changed file with 20 additions and 4 deletions.
diff --git a/pkg/resource/api.go b/pkg/resource/api.go
@@ -57,7 +57,9 @@ func NewAPIPatchingApplicator(c client.Client) *APIPatchingApplicator {
 	return &APIPatchingApplicator{client: c, log: logging.NewNopLogger()}
 }
 
-// WithLogger sets the logger on the APIPatchingApplicator.
+// WithLogger sets the logger on the APIPatchingApplicator. The logger logs
+// client operations including diffs of objects that are patched. Diffs of
+// secrets are redacted.
 func (a *APIPatchingApplicator) WithLogger(l logging.Logger) *APIPatchingApplicator {
 	a.log = l
 	return a
@@ -111,7 +113,13 @@ func (a *APIPatchingApplicator) Apply(ctx context.Context, obj client.Object, ao
 	if len(patchBytes) == 0 {
 		return nil
 	}
-	log.WithValues("diff", string(patchBytes)).Info("patching object")
+	secretGVK := schema.GroupVersionKind{Group: "v1", Version: "Secret", Kind: "Secret"}
+	if obj.GetObjectKind().GroupVersionKind() == secretGVK {
+		// TODO(sttts): be more clever and only redact the secret data
+		log.WithValues("diff", "**REDACTED**").Info("patching object")
+	} else {
+		log.WithValues("diff", string(patchBytes)).Info("patching object")
+	}
 
 	return a.client.Patch(ctx, obj, client.RawPatch(patch.Type(), patchBytes))
 }
@@ -175,7 +183,9 @@ func NewAPIUpdatingApplicator(c client.Client) *APIUpdatingApplicator {
 	return &APIUpdatingApplicator{client: c, log: logging.NewNopLogger()}
 }
 
-// WithLogger sets the logger on the APIUpdatingApplicator.
+// WithLogger sets the logger on the APIUpdatingApplicator. The logger logs
+// client operations including diffs of objects that are patched. Diffs of
+// secrets are redacted.
 func (a *APIUpdatingApplicator) WithLogger(l logging.Logger) *APIUpdatingApplicator {
 	a.log = l
 	return a
@@ -216,7 +226,13 @@ func (a *APIUpdatingApplicator) Apply(ctx context.Context, obj client.Object, ao
 	if len(patchBytes) == 0 {
 		return nil
 	}
-	log.WithValues("diff", string(patchBytes)).Info("updating object")
+	secretGVK := schema.GroupVersionKind{Group: "v1", Version: "Secret", Kind: "Secret"}
+	if obj.GetObjectKind().GroupVersionKind() == secretGVK {
+		// TODO(sttts): be more clever and only redact the secret data
+		log.WithValues("diff", "**REDACTED**").Info("patching object")
+	} else {
+		log.WithValues("diff", string(patchBytes)).Info("patching object")
+	}
 
 	return a.client.Update(ctx, obj)
 }