enable opt-in to redact Secret data from Object status

.github/workflows/ci.yml

@@ -10,7 +10,7 @@ on:
 
 env:
   # Common versions
-  GO_VERSION: '1.20.12'
+  GO_VERSION: '1.21.7'
   GOLANGCI_VERSION: 'v1.55.2'
   DOCKER_BUILDX_VERSION: 'v0.8.2'
 

cmd/provider/main.go

@@ -57,6 +57,7 @@ func main() {
 		leaderElection           = app.Flag("leader-election", "Use leader election for the controller manager.").Short('l').Default("false").Envar("LEADER_ELECTION").Bool()
 		maxReconcileRate         = app.Flag("max-reconcile-rate", "The number of concurrent reconciliations that may be running at one time.").Default("10").Int()
 		enableManagementPolicies = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("true").Envar("ENABLE_MANAGEMENT_POLICIES").Bool()
+		sanitizeSecrets          = app.Flag("sanitize-secrets", "when enabled, redacts Secret data from Object status").Default("false").Envar("SANITIZE_SECRETS").Bool()
 	)
 	kingpin.MustParse(app.Parse(os.Args[1:]))
 
@@ -129,7 +130,7 @@ func main() {
 	// notice and remove when we drop support for v1alpha1.
 	kingpin.FatalIfError(ctrl.NewWebhookManagedBy(mgr).For(&v1alpha1.Object{}).Complete(), "Cannot create Object webhook")
 
-	kingpin.FatalIfError(object.Setup(mgr, o), "Cannot setup controller")
+	kingpin.FatalIfError(object.Setup(mgr, o, *sanitizeSecrets), "Cannot setup controller")
 	kingpin.FatalIfError(mgr.Start(ctrl.SetupSignalHandler()), "Cannot start controller manager")
 }
 

internal/controller/kubernetes.go

@@ -27,14 +27,12 @@ import (
 
 // Setup creates all Template controllers with the supplied logger and adds them to
 // the supplied manager.
-func Setup(mgr ctrl.Manager, o controller.Options) error {
-	for _, setup := range []func(ctrl.Manager, controller.Options) error{
-		config.Setup,
-		object.Setup,
-	} {
-		if err := setup(mgr, o); err != nil {
-			return err
-		}
+func Setup(mgr ctrl.Manager, o controller.Options, sanitizeSecrets bool) error {
+	if err := config.Setup(mgr, o); err != nil {
+		return err
+	}
+	if err := object.Setup(mgr, o, sanitizeSecrets); err != nil {
+		return err
 	}
 	return nil
 }

internal/controller/object/object.go

@@ -87,17 +87,19 @@ const (
 	errGetConnectionDetails = "cannot get connection details"
 	errGetValueAtFieldPath  = "cannot get value at fieldPath"
 	errDecodeSecretData     = "cannot decode secret data"
+	errSanitizeSecretData   = "cannot sanitize secret data"
 )
 
 // Setup adds a controller that reconciles Object managed resources.
-func Setup(mgr ctrl.Manager, o controller.Options) error {
+func Setup(mgr ctrl.Manager, o controller.Options, sanitizeSecrets bool) error {
 	name := managed.ControllerName(v1alpha2.ObjectGroupKind)
 
 	cps := []managed.ConnectionPublisher{managed.NewAPISecretPublisher(mgr.GetClient(), mgr.GetScheme())}
 
 	reconcilerOptions := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(&connector{
 			logger:           o.Logger,
+			sanitizeSecrets:  sanitizeSecrets,
 			kube:             mgr.GetClient(),
 			usage:            resource.NewProviderConfigUsageTracker(mgr.GetClient(), &apisv1alpha1.ProviderConfigUsage{}),
 			kcfgExtractorFn:  resource.CommonCredentialExtractor,
@@ -132,9 +134,10 @@ func Setup(mgr ctrl.Manager, o controller.Options) error {
 }
 
 type connector struct {
-	kube   client.Client
-	usage  resource.Tracker
-	logger logging.Logger
+	kube            client.Client
+	usage           resource.Tracker
+	logger          logging.Logger
+	sanitizeSecrets bool
 
 	kcfgExtractorFn  func(ctx context.Context, src xpv1.CredentialsSource, c client.Client, ccs xpv1.CommonCredentialSelectors) ([]byte, error)
 	gcpExtractorFn   func(ctx context.Context, src xpv1.CredentialsSource, c client.Client, ccs xpv1.CommonCredentialSelectors) ([]byte, error)
@@ -232,15 +235,17 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 			Client:     k,
 			Applicator: resource.NewAPIPatchingApplicator(k),
 		},
-		localClient: c.kube,
+		localClient:     c.kube,
+		sanitizeSecrets: c.sanitizeSecrets,
 	}, nil
 }
 
 type external struct {
 	logger logging.Logger
 	client resource.ClientApplicator
 	// localClient is specifically used to connect to local cluster
-	localClient client.Client
+	localClient     client.Client
+	sanitizeSecrets bool
 }
 
 func (c *external) Observe(ctx context.Context, mg resource.Managed) (managed.ExternalObservation, error) {
@@ -382,6 +387,16 @@ func getLastApplied(obj *v1alpha2.Object, observed *unstructured.Unstructured) (
 
 func (c *external) setObserved(obj *v1alpha2.Object, observed *unstructured.Unstructured) error {
 	var err error
+
+	if c.sanitizeSecrets {
+		if observed.GetKind() == "Secret" && observed.GetAPIVersion() == "v1" {
+			data := map[string][]byte{"redacted": []byte(nil)}
+			if err = fieldpath.Pave(observed.Object).SetValue("data", data); err != nil {
+				return errors.Wrap(err, errSanitizeSecretData)
+			}
+		}
+	}
+
 	if obj.Status.AtProvider.Manifest.Raw, err = observed.MarshalJSON(); err != nil {
 		return errors.Wrap(err, errFailedToMarshalExisting)
 	}