package kube
import (
"encoding/json"
"fmt"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
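// RedactSecret masks the values of the data and metadata.annotations fields of
// a Secret.
//
// The unstructured object is converted to a corev1.Secret, every value under
// .data and every value under .metadata.annotations is replaced with the
// literal "**REDACTED**", and the masked values are written back into
// resource.Object in place. The resource is returned by value together with
// any conversion error; when an error is returned the resource is unchanged.
//
// NOTE(review): .stringData is not touched here. A caller holding an
// admission-time Secret that still carries stringData must mask that field
// separately if it needs to be hidden as well.
func RedactSecret(resource *unstructured.Unstructured) (unstructured.Unstructured, error) {
	const redacted = "**REDACTED**"

	if resource == nil {
		return unstructured.Unstructured{}, fmt.Errorf("unable to redact secret: nil resource")
	}

	var secret *corev1.Secret
	data, err := json.Marshal(resource.Object)
	if err != nil {
		return *resource, fmt.Errorf("unable to marshal object: %w", err)
	}
	if err := json.Unmarshal(data, &secret); err != nil {
		return *resource, fmt.Errorf("unable to convert object to secret: %w", err)
	}
	// A "null" object leaves secret nil; dereferencing it below would panic.
	if secret == nil {
		return *resource, fmt.Errorf("unable to convert object to secret: object is empty")
	}

	// string_data carries the masked values as plain strings so they land in
	// .data unencoded. The embedded Secret's own data field is masked as well
	// so the intermediate JSON never holds the original bytes.
	stringSecret := struct {
		Data map[string]string `json:"string_data"`
		*corev1.Secret
	}{
		Data:   make(map[string]string, len(secret.Data)),
		Secret: secret,
	}
	for key := range secret.Data {
		secret.Data[key] = []byte(redacted)
		stringSecret.Data[key] = redacted
	}
	for key := range secret.Annotations {
		secret.Annotations[key] = redacted
	}

	raw, err := json.Marshal(stringSecret)
	if err != nil {
		// This path used to return a nil error together with the unmasked
		// resource; surface the failure so a caller never treats an
		// unredacted Secret as redacted.
		return *resource, fmt.Errorf("unable to marshal redacted secret: %w", err)
	}
	updateSecret := map[string]interface{}{}
	if err := json.Unmarshal(raw, &updateSecret); err != nil {
		return *resource, fmt.Errorf("unable to convert object from secret: %w", err)
	}

	// len() rather than != nil: an empty map has nothing to mask, and an
	// empty annotations map is dropped by its omitempty tag, so the lookup
	// below would not find it.
	if len(secret.Data) > 0 {
		v, err := nestedMap(updateSecret, "string_data")
		if err != nil {
			return *resource, err
		}
		if err := unstructured.SetNestedMap(resource.Object, v, "data"); err != nil {
			return *resource, fmt.Errorf("failed to set secret.data: %w", err)
		}
	}

	if len(secret.Annotations) > 0 {
		// Assumes datautils.ToMap returns resource.Object["metadata"] itself
		// rather than a copy, so SetNestedMap below mutates the resource in
		// place — TODO confirm against its implementation.
		metadata, err := datautils.ToMap(resource.Object["metadata"])
		if err != nil {
			return *resource, fmt.Errorf("unable to convert metadata to map: %w", err)
		}
		updatedMeta, err := nestedMap(updateSecret, "metadata")
		if err != nil {
			return *resource, err
		}
		annotations, err := nestedMap(updatedMeta, "annotations")
		if err != nil {
			return *resource, err
		}
		if err := unstructured.SetNestedMap(metadata, annotations, "annotations"); err != nil {
			return *resource, fmt.Errorf("failed to set secret.annotations: %w", err)
		}
	}
	return *resource, nil
}

// nestedMap returns obj[key] as a JSON object, or an error when the key is
// absent or holds another JSON type. It replaces unchecked type assertions
// that would otherwise panic on unexpected input.
func nestedMap(obj map[string]interface{}, key string) (map[string]interface{}, error) {
	v, ok := obj[key].(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("unable to convert object from secret: %q is not a map", key)
	}
	return v, nil
}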