[WIP] Add secure error and exception handling framework #3035

mathur07 · 2025-12-02T07:24:11Z

Implements secure error handling utilities to prevent sensitive information leakage through error messages, logs, and Kubernetes events.

This addresses SRVKP-4185 T159 requirements for secure error handling:

Centralized error message generation and handling
Automatic sanitization of sensitive data (passwords, tokens, API keys, secrets)
Generic error messages that don't reveal internal system details
Secure logging with debug-level internal details
Error categorization for better classification
Integration with Kubernetes reconcilers and event recording

Components added:

pkg/common/secerrors: Core secure error handling package
- SecureError type with user/internal message separation
- Automatic pattern-based sanitization (passwords, tokens, keys, etc.)
- Error categories (authentication, authorization, configuration, etc.)
- Secure logging utilities with zap integration
- ReconcilerErrorHandler for consistent reconciler error handling
- Comprehensive test coverage (100% of core functions)
Documentation:
- docs/SecureErrorHandling.md: Complete usage guide and best practices
- docs/SecureErrorHandlingExamples.md: Real-world code examples
- docs/SecureErrorHandling_ReconcilerUpdateExample.md: Migration guide
- pkg/common/secerrors/README.md: Package documentation

Features:

Detects and redacts: passwords, API keys, tokens, secrets, private keys, AWS keys, JWT tokens, credentials in URLs, base64-encoded secrets
Preserves error chains for errors.Is() and errors.As() compatibility
Pre-defined common errors for reuse
Zero dependencies beyond existing project dependencies

All tests passing with no linter errors.

Future work: Update existing reconcilers to use secure error handling (tracked separately).

Changes

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

Run make test lint before submitting a PR
Includes tests (if functionality changed/added)
Includes docs (if user facing)
Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

NONE

Implements secure error handling utilities to prevent sensitive information leakage through error messages, logs, and Kubernetes events. This addresses SRVKP-4185 T159 requirements for secure error handling: - Centralized error message generation and handling - Automatic sanitization of sensitive data (passwords, tokens, API keys, secrets) - Generic error messages that don't reveal internal system details - Secure logging with debug-level internal details - Error categorization for better classification - Integration with Kubernetes reconcilers and event recording Components added: - pkg/common/secerrors: Core secure error handling package - SecureError type with user/internal message separation - Automatic pattern-based sanitization (passwords, tokens, keys, etc.) - Error categories (authentication, authorization, configuration, etc.) - Secure logging utilities with zap integration - ReconcilerErrorHandler for consistent reconciler error handling - Comprehensive test coverage (100% of core functions) - Documentation: - docs/SecureErrorHandling.md: Complete usage guide and best practices - docs/SecureErrorHandlingExamples.md: Real-world code examples - docs/SecureErrorHandling_ReconcilerUpdateExample.md: Migration guide - pkg/common/secerrors/README.md: Package documentation Features: - Detects and redacts: passwords, API keys, tokens, secrets, private keys, AWS keys, JWT tokens, credentials in URLs, base64-encoded secrets - Preserves error chains for errors.Is() and errors.As() compatibility - Pre-defined common errors for reuse - Zero dependencies beyond existing project dependencies All tests passing with no linter errors. Future work: Update existing reconcilers to use secure error handling (tracked separately). Signed-off-by: Shubham Mathur <[email protected]>

tekton-robot · 2025-12-02T07:24:17Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign jkandasa after the PR has been reviewed.
You can assign the PR to them by writing /assign @jkandasa in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

tekton-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none Denotes a PR that doesnt merit a release note. labels Dec 2, 2025

tekton-robot requested review from PuneetPunamiya and jkhelil December 2, 2025 07:24

tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Dec 2, 2025

mathur07 marked this pull request as draft December 2, 2025 07:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[WIP] Add secure error and exception handling framework #3035

[WIP] Add secure error and exception handling framework #3035

Uh oh!

mathur07 commented Dec 2, 2025

Uh oh!

tekton-robot commented Dec 2, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

[WIP] Add secure error and exception handling framework #3035

Are you sure you want to change the base?

[WIP] Add secure error and exception handling framework #3035

Uh oh!

Conversation

mathur07 commented Dec 2, 2025

Changes

Submitter Checklist

Release Notes

Uh oh!

tekton-robot commented Dec 2, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants