
enable opt-in to redact Secret data from Object status #193


Merged
merged 3 commits into crossplane-contrib:main from redact_secret_data
Feb 9, 2024

Conversation

ravilr
Contributor

@ravilr ravilr commented Feb 7, 2024

Description of your changes

Fixes #178

  • Adds a new flag --sanitize-secrets which, when set in the controllerConfig/deploymentRuntimeConfig of provider-kubernetes, redacts the Secret data from Object status.atProvider.manifest.

  • The new redact behavior is off by default so as not to break any existing compositions relying on status.atProvider.manifest.data for patches. Usages meant for shuttling observed secret data to/from remote/control-plane clusters can be updated to use spec.references[].patchesFrom or spec.connectionDetails and avoid leaking secret data to Object MR status resources.

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable test to ensure this PR is ready for review.

How has this code been tested

  • make test and make e2e

Updating provider-kubernetes's deploymentRuntimeConfig with the additional arg below:

         args:
           ......
+          - '--sanitize-secrets'

$ kubectl get provider.pkg provider-kubernetes
NAME                  INSTALLED   HEALTHY   PACKAGE
provider-kubernetes   True        True      ravilr/provider-kubernetes:v0.11.6

will reconcile any existing and new Object resources managing Secrets to have their status.atProvider.manifest.data redacted:

apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  annotations:
    crossplane.io/composition-resource-name: credential-secret
    crossplane.io/external-create-pending: "2024-02-07T07:29:20Z"
    crossplane.io/external-create-succeeded: "2024-02-07T07:29:20Z"
    crossplane.io/external-name: provider-token-nkm7s-9wlpl
  creationTimestamp: "2024-02-07T07:29:21Z"
  finalizers:
  - finalizer.managedresource.crossplane.io
  generateName: provider-token-nkm7s-
  generation: 2
  labels:
    crossplane.io/claim-name: provider-token
    crossplane.io/claim-namespace: awsuswest2-admin
    crossplane.io/composite: provider-token-nkm7s
  name: provider-token-nkm7s-9wlpl
  ownerReferences:
  - apiVersion: security.example.com/v1
    blockOwnerDeletion: true
    controller: true
    kind: XCredential
    name: provider-token-nkm7s
    uid: 1569a117-9227-4567-8db3-259e18171da5
  resourceVersion: "86940719"
  uid: 7ce9094d-f06a-4c9d-8e66-3f1a41544893
spec:
  deletionPolicy: Delete
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        name: provider-token
        namespace: awsuswest2-admin
      stringData:
        createdBy: provider-token-nkm7s
      type: Opaque
  managementPolicies:
  - '*'
  providerConfigRef:
    name: example
  readiness:
    policy: SuccessfulCreate
status:
  atProvider:
    manifest:
      apiVersion: v1
      data:
        redacted: null      #<<<<<<<<<======== this is the impact of this change.
      kind: Secret
      metadata:
        ......
      type: Opaque
  conditions:
  - lastTransitionTime: "2024-02-07T07:29:21Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2024-02-07T07:29:21Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
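The redaction described in this PR, as an added illustration in Go that is not provider-kubernetes's own code: a manifest decoded into a generic map (the shape an unstructured Kubernetes object has) is passed through `SanitizeObservedManifest` before being written to `status.atProvider.manifest`. The `sanitize` argument stands in for the `--sanitize-secrets` flag, and the placeholder `data: {redacted: null}` follows the output shown above. The function names, the handling of `stringData`, and the audit helper `HasUnredactedSecretData` for checking already-persisted Object statuses are assumptions, not the project's API.

```go
package main

import "fmt"

// isSecret reports whether a manifest decoded into a generic map is a core/v1
// Secret. Only this kind is redacted; every other kind passes through intact.
func isSecret(manifest map[string]interface{}) bool {
	apiVersion, _ := manifest["apiVersion"].(string)
	kind, _ := manifest["kind"].(string)
	return apiVersion == "v1" && kind == "Secret"
}

// SanitizeObservedManifest returns a shallow copy of the observed manifest that
// is safe to write to status.atProvider.manifest. With sanitize == false (the
// PR's default) the manifest passes through unchanged, so compositions patching
// from status.atProvider.manifest.data keep working. With sanitize == true and
// a Secret manifest, data (and stringData if present; an assumption) are
// replaced by the {redacted: null} placeholder shown in the PR output.
// Hypothetical helper, not the project's code.
func SanitizeObservedManifest(manifest map[string]interface{}, sanitize bool) map[string]interface{} {
	out := make(map[string]interface{}, len(manifest))
	for k, v := range manifest {
		out[k] = v
	}
	if !sanitize || !isSecret(out) {
		return out
	}
	for _, field := range []string{"data", "stringData"} {
		if _, present := out[field]; present {
			// Fresh map per field so the caller's input map is never mutated.
			out[field] = map[string]interface{}{"redacted": nil}
		}
	}
	return out
}

// HasUnredactedSecretData is an audit check for Object statuses written before
// the flag was enabled: it reports whether a Secret manifest still carries any
// key other than the placeholder in data or stringData. Hypothetical helper.
func HasUnredactedSecretData(manifest map[string]interface{}) bool {
	if !isSecret(manifest) {
		return false
	}
	for _, field := range []string{"data", "stringData"} {
		values, _ := manifest[field].(map[string]interface{})
		for key := range values {
			if key != "redacted" {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample of what the provider would observe for the Object
	// above; the value is base64("constructed"), not a real credential.
	observed := map[string]interface{}{
		"apiVersion": "v1",
		"kind":       "Secret",
		"metadata":   map[string]interface{}{"name": "provider-token", "namespace": "awsuswest2-admin"},
		"data":       map[string]interface{}{"createdBy": "Y29uc3RydWN0ZWQ="},
		"type":       "Opaque",
	}
	fmt.Println("flag off, status leaks secret data:", HasUnredactedSecretData(SanitizeObservedManifest(observed, false)))
	fmt.Println("flag on,  status leaks secret data:", HasUnredactedSecretData(SanitizeObservedManifest(observed, true)))
}
```

Running it with `go run` reports a leak with the flag off and none with the flag on. Redacting at the point where the observed manifest is copied into status, rather than in the controller's output formatting, is what keeps the secret out of every consumer of the Object resource (kubectl, composition patches, backups of etcd).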

@ravilr
Contributor Author

ravilr commented Feb 7, 2024

@lsviben @bobh66 PTAL.

Collaborator

@turkenh turkenh left a comment


Looking great, thanks @ravilr 🙌

@ravilr
Contributor Author

ravilr commented Feb 9, 2024

@turkenh looks like the CI jobs are failing since the minimum go version in go.mod was updated to 1.21. Does https://github.com/crossplane-contrib/provider-kubernetes/blob/main/.github/workflows/ci.yml#L13 need an update to 1.21.7? Thanks.

@turkenh
Collaborator

turkenh commented Feb 9, 2024

Yes, I think I forgot it in my previous PR. It would be great if you could do it here 🙏

Signed-off-by: rladdukodiraghav <[email protected]>
@ravilr
Contributor Author

ravilr commented Feb 9, 2024

Yes, I think I forgot it in my previous PR. It would be great if you could do it here 🙏

Done.

@turkenh turkenh merged commit c90088c into crossplane-contrib:main Feb 9, 2024
@ravilr ravilr deleted the redact_secret_data branch February 10, 2024 01:02
@ravilr ravilr mentioned this pull request Feb 16, 2024
Successfully merging this pull request may close these issues: Hide Secret data in Object status