crossplane-contrib / provider-kubernetes

Crossplane provider to provision and manage Kubernetes objects on (remote) Kubernetes clusters.
Apache License 2.0

Stop secrets payload from ending in the MR and resolve it when used instead #253

Open mad01 opened 1 month ago

mad01 commented 1 month ago

Description of your changes

Change the Observer loop to not resolve the secret at the start of the loop but rather resolve the secret in the create/update/delete funcs, so as not to leak the secret's data into the k8s MR object. Fixes #223


How has this code been tested

Manual test locally to see that the secret is not leaking into the MR, using these manifests. The provider for testing has been started with --sanitize-secrets.

```yaml
---
# Object MR: the manifest itself carries no secret data; the value is
# patched in from the referenced Secret at reconcile time.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: secretpatch
spec:
  references:
  - patchesFrom:
      apiVersion: v1
      kind: Secret
      name: secretpatch
      namespace: crossplane-system
      fieldPath: data.sensitive
    toFieldPath: data.key-from-secret
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        namespace: default
      data: {}
  providerConfigRef:
    name: kubernetes-provider
---
# Source Secret whose data.sensitive field is referenced above.
apiVersion: v1
kind: Secret
metadata:
  name: secretpatch
  namespace: crossplane-system
type: Opaque
data:
  sensitive: cGFzc3dvcmQ=
```
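The difference between the two resolution points described in the PR, as an added, stripped-down Go illustration that is not provider-kubernetes code: `ResolveIntoSpec` writes the referenced Secret value into the manifest that is stored on the managed resource (the behaviour being removed), while `ResolveForApply` patches a copy only when the apply is built, so the persisted MR never carries the value. `SecretStore`, `Reference`, `Object`, `setField` and the dotted-path handling are assumptions made for this example; the real provider resolves references against the API server with its own field-path logic, and `ContainsValue` is just the check a reviewer would run over the serialized MR to confirm nothing leaked.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SecretStore stands in for the API server lookup of a referenced Secret.
// Constructed sample data; not the provider's real client.
type SecretStore map[string]map[string]string // "namespace/name" -> data

// Reference mirrors one spec.references entry: copy one field of a
// referenced object into one field of the manifest.
type Reference struct {
	SecretRef   string // "namespace/name" (hypothetical shorthand)
	FieldPath   string // e.g. "data.sensitive"
	ToFieldPath string // e.g. "data.key-from-secret"
}

// Object is a stripped-down managed resource: the manifest that is
// persisted on the MR plus the references to resolve.
type Object struct {
	Manifest   map[string]any
	References []Reference
}

// deepCopy round-trips through JSON so the copy shares no nested maps.
func deepCopy(m map[string]any) map[string]any {
	b, _ := json.Marshal(m)
	var out map[string]any
	_ = json.Unmarshal(b, &out)
	return out
}

// setField writes v at a dotted path, creating intermediate maps.
func setField(m map[string]any, path string, v any) {
	parts := strings.Split(path, ".")
	cur := m
	for _, p := range parts[:len(parts)-1] {
		next, ok := cur[p].(map[string]any)
		if !ok {
			next = map[string]any{}
			cur[p] = next
		}
		cur = next
	}
	cur[parts[len(parts)-1]] = v
}

// lookup reads one data key of the referenced Secret; only "data.<key>"
// paths are supported in this simplified model.
func lookup(store SecretStore, ref Reference) (string, error) {
	data, ok := store[ref.SecretRef]
	if !ok {
		return "", fmt.Errorf("secret %s not found", ref.SecretRef)
	}
	key := strings.TrimPrefix(ref.FieldPath, "data.")
	v, ok := data[key]
	if !ok {
		return "", fmt.Errorf("key %q not in %s", key, ref.SecretRef)
	}
	return v, nil
}

// ResolveIntoSpec is the pattern the PR removes: patches land in
// cr.Manifest itself, so persisting the MR persists the secret value.
func ResolveIntoSpec(store SecretStore, cr *Object) error {
	for _, r := range cr.References {
		v, err := lookup(store, r)
		if err != nil {
			return err
		}
		setField(cr.Manifest, r.ToFieldPath, v)
	}
	return nil
}

// ResolveForApply is the pattern the PR moves to: resolve against a copy
// when the create/update/delete is built. The returned manifest is what
// gets applied; cr.Manifest (the persisted MR) stays free of secret data.
func ResolveForApply(store SecretStore, cr *Object) (map[string]any, error) {
	desired := deepCopy(cr.Manifest)
	for _, r := range cr.References {
		v, err := lookup(store, r)
		if err != nil {
			return nil, err
		}
		setField(desired, r.ToFieldPath, v)
	}
	return desired, nil
}

// ContainsValue reports whether the serialized MR carries a given value.
func ContainsValue(cr *Object, value string) bool {
	b, _ := json.Marshal(cr.Manifest)
	return strings.Contains(string(b), value)
}

// sampleObject mirrors the Object manifest from the PR description.
func sampleObject() *Object {
	return &Object{
		Manifest: map[string]any{
			"apiVersion": "v1", "kind": "Secret",
			"metadata": map[string]any{"namespace": "default"},
			"data":     map[string]any{},
		},
		References: []Reference{{
			SecretRef: "crossplane-system/secretpatch",
			FieldPath: "data.sensitive", ToFieldPath: "data.key-from-secret",
		}},
	}
}

// sampleStore is the constructed source Secret from the PR description.
var sampleStore = SecretStore{"crossplane-system/secretpatch": {"sensitive": "cGFzc3dvcmQ="}}

func main() {
	eager := sampleObject()
	_ = ResolveIntoSpec(sampleStore, eager)
	fmt.Println("eager: MR carries secret value:", ContainsValue(eager, "cGFzc3dvcmQ="))
	lazy := sampleObject()
	desired, _ := ResolveForApply(sampleStore, lazy)
	fmt.Println("lazy: MR carries secret value:", ContainsValue(lazy, "cGFzc3dvcmQ="))
	fmt.Println("lazy: applied manifest has value:", desired["data"].(map[string]any)["key-from-secret"])
}
```

The deep copy is the important detail: patching a map that aliases the MR's own manifest would reintroduce the leak even though the resolution happens later, so the applied object must be built from a copy. A lookup failure in `ResolveForApply` returns an error before anything is applied, which is the failure mode to expect when the referenced Secret is missing.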
mad01 commented 1 month ago

I have looked at the test but could not see any clear way to add testing to confirm the new secrets logic.