
fix: Hide secrets in logs. Fixes #8685
Signed-off-by: Anil Kumar <[email protected]>
anilkumar-pcs committed Oct 18, 2022
1 parent 05e1425 commit b1ba634
Showing 2 changed files with 21 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/environment-variables.md
Expand Up @@ -22,6 +22,7 @@ most users. Environment variables may be removed at any time.
| `ARGO_AGENT_PATCH_RATE` | `time.Duration` | `DEFAULT_REQUEUE_TIME` | Rate that the Argo Agent will patch the workflow task-set. |
| `ARGO_AGENT_CPU_LIMIT` | `resource.Quantity` | `100m` | CPU resource limit for the agent. |
| `ARGO_AGENT_MEMORY_LIMIT` | `resource.Quantity` | `256m` | Memory resource limit for the agent. |
| `ARGO_REDACT_POD_LOGS` | `bool` | `false` | Whether to redact pod logs to hide/mask secrets. |
| `BUBBLE_ENTRY_TEMPLATE_ERR` | `bool` | `true` | Whether to bubble up template errors to workflow. |
| `CACHE_GC_PERIOD` | `time.Duration` | `0s` | How often to perform memoization cache GC, which is disabled by default and can be enabled by providing a non-zero duration. |
| `CACHE_GC_AFTER_NOT_HIT_DURATION` | `time.Duration` | `30s` | When a memoization cache has not been hit after this duration, it will be deleted. |
20 changes: 20 additions & 0 deletions util/logs/workflow-logger.go
Expand Up @@ -4,6 +4,7 @@ import (
"bufio"
"context"
"fmt"
"os"
"regexp"
"sort"
"strings"
Expand Down Expand Up @@ -80,6 +81,14 @@ func WorkflowLogs(ctx context.Context, wfClient versioned.Interface, kubeClient

var podListOptions metav1.ListOptions

// get env variable for pod logs redaction
enablePodLogRedaction := os.Getenv("ARGO_REDACT_POD_LOGS")
// get secrets for redaction
secrets, err := kubeClient.CoreV1().Secrets(req.GetNamespace()).List(ctx, metav1.ListOptions{})
if err != nil {
logCtx.WithField("err", err).Debugln("error in listing secrets")
}

// we add selector if cli specify the pod selector when using logs
if req.GetSelector() != "" {
podListOptions = metav1.ListOptions{LabelSelector: common.LabelKeyWorkflow + "=" + req.GetName() + "," + req.GetSelector()}
Expand Down Expand Up @@ -165,6 +174,17 @@ func WorkflowLogs(ctx context.Context, wfClient versioned.Interface, kubeClient
}
if rx.MatchString(content) { // this means we filter the lines in the server, but will still incur the cost of retrieving them from Kubernetes
logCtx.WithFields(log.Fields{"timestamp": timestamp, "content": content}).Debug("Log line")

// log redaction for secrets
if secrets != nil && enablePodLogRedaction == "true" {
for _, s := range secrets.Items {
for _, v := range s.Data {
if strings.Contains(content, string(v)) {
content = strings.Replace(content, string(v), "[ redacted ]", -1)
}
}
}
}
unsortedEntries <- logEntry{podName: podName, content: content, timestamp: timestamp}
}
}
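Review bot: The debug log `logCtx.WithFields(log.Fields{"timestamp": timestamp, "content": content}).Debug("Log line")` runs before the new redaction loop, so the unredacted line is still written to the server's own log; the Debug call should move below the loop so it sees the redacted content. A Secret whose data value is empty is also mishandled: `strings.Contains(content, "")` is always true and `strings.Replace(content, "", "[ redacted ]", -1)` inserts the marker between every character of the line, so the loop needs a `len(v) == 0` guard, and very short values would presumably over-redact in the same way. The `strings.Contains` check is redundant once `strings.ReplaceAll` is used. In the earlier hunk the `Secrets(...).List` call at line 43 is made on every request even when `ARGO_REDACT_POD_LOGS` is unset, which costs a Secret list (and a logged RBAC failure) for nothing; gating it on the flag would avoid that. The enclosing `WorkflowLogs` function starts and ends outside both hunks.
```go
if rx.MatchString(content) { // this means we filter the lines in the server, but will still incur the cost of retrieving them from Kubernetes
	// log redaction for secrets; must run before the line is logged or forwarded
	if secrets != nil && enablePodLogRedaction == "true" {
		for _, s := range secrets.Items {
			for _, v := range s.Data {
				// an empty value would make ReplaceAll insert the marker between every character
				if len(v) == 0 {
					continue
				}
				content = strings.ReplaceAll(content, string(v), "[ redacted ]")
			}
		}
	}
	logCtx.WithFields(log.Fields{"timestamp": timestamp, "content": content}).Debug("Log line")
	unsortedEntries <- logEntry{podName: podName, content: content, timestamp: timestamp}
}
```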
