1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/pkg/utils/kube/secret.go

69 lines
2 KiB
Go
Raw Normal View History

package kube
import (
"encoding/json"
"fmt"
datautils "github.com/kyverno/kyverno/pkg/utils/data"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
// RedactSecret masks keys of data and metadata.annotation fields of Secrets.
func RedactSecret(resource *unstructured.Unstructured) (unstructured.Unstructured, error) {
var secret *corev1.Secret
data, err := json.Marshal(resource.Object)
if err != nil {
return *resource, err
}
err = json.Unmarshal(data, &secret)
if err != nil {
return *resource, fmt.Errorf("unable to convert object to secret: %w", err)
}
stringSecret := struct {
Data map[string]string `json:"string_data"`
*corev1.Secret
}{
Data: make(map[string]string),
Secret: secret,
}
for key := range secret.Data {
secret.Data[key] = []byte("**REDACTED**")
stringSecret.Data[key] = string(secret.Data[key])
}
for key := range secret.Annotations {
secret.Annotations[key] = "**REDACTED**"
}
updateSecret := map[string]interface{}{}
raw, err := json.Marshal(stringSecret)
if err != nil {
return *resource, nil
}
err = json.Unmarshal(raw, &updateSecret)
if err != nil {
return *resource, fmt.Errorf("unable to convert object from secret: %w", err)
}
if secret.Data != nil {
v := updateSecret["string_data"].(map[string]interface{})
err = unstructured.SetNestedMap(resource.Object, v, "data")
if err != nil {
return *resource, fmt.Errorf("failed to set secret.data: %w", err)
}
}
if secret.Annotations != nil {
metadata, err := datautils.ToMap(resource.Object["metadata"])
if err != nil {
return *resource, fmt.Errorf("unable to convert metadata to map: %w", err)
}
updatedMeta := updateSecret["metadata"].(map[string]interface{})
if err != nil {
return *resource, fmt.Errorf("unable to convert object from secret: %w", err)
}
err = unstructured.SetNestedMap(metadata, updatedMeta["annotations"].(map[string]interface{}), "annotations")
if err != nil {
return *resource, fmt.Errorf("failed to set secret.annotations: %w", err)
}
}
return *resource, nil
}