garden-io / garden

Automation for Kubernetes development and testing. Spin up production-like environments for development, testing, and CI on demand. Use the same configuration and workflows at every step of the process. Speed up your builds and test runs via shared result caching
https://garden.io
Mozilla Public License 2.0

[FEATURE]: filter sensitive values from log output #5666

Open stefreak opened 10 months ago

stefreak commented 10 months ago

Feature Request

Background / Motivation

For security reasons, it would be nice if Garden offered facilities to mark certain values as secrets and to avoid logging them.

What should the user be able to do?

When using a value or declaring a variable, there should be a way to mark the value as secret. One way of doing that could be using a template helper function:

variables:
  DATABASE_PASSWORD: ${markSensitive(local.env.DATABASE_PASSWORD)}

Also, for plugins for tools that support marking values as sensitive, like Terraform where outputs can be marked sensitive, Garden should pick up that information.

In our logging facilities, we should then avoid logging these values, and mark other values derived from that secret value as sensitive too.

We should offer a security hardening guide, similar to GitHub Actions: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

Why do they want to do this? What problem does it solve?

Avoiding accidentally leaking secrets.

Suggested Implementation(s)

Possibly easier to implement this once we have input tracking (#5496)

How important is this feature for you/your team?

🌵 Not having this feature makes using Garden painful

stefreak commented 4 months ago

#6294 adds a first step of implementing this feature. A Secret type has been added (see https://github.com/garden-io/garden/blob/6350347547e19b2cda43c12388c47e722e617763/core/src/util/secrets.ts) where we can seal secret values. If these objects get logged, they will be automatically redacted.

The next step would be to add a template helper, as suggested in this feature request, and to make the framework and template system able to deal with those Secret values.
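
Added example, not part of the issue thread and not Garden's own Secret type: a TypeScript sketch of the two behaviours requested above, a sealed value that redacts itself when logged and stays sealed when other values are derived from it, plus a log filter for plaintext that reaches a log line anyway. The names `Sensitive`, `LogScrubber` and `MASK` are hypothetical, and the sample values are constructed.

```typescript
// Added illustration. Sensitive, LogScrubber and MASK are hypothetical names,
// not Garden's Secret type or API. Sample values are constructed.
const MASK = "***"

class Sensitive {
  #value: string // private field: invisible to Object.keys, spread and JSON.stringify
  constructor(value: string) { this.#value = value }
  // The only way to read the plaintext; easy to grep for in code review.
  unseal(): string { return this.#value }
  // A value derived from a secret is itself sealed.
  map(fn: (plain: string) => string): Sensitive { return new Sensitive(fn(this.#value)) }
  // String interpolation and JSON serialisation only ever see the mask.
  toString(): string { return MASK }
  toJSON(): string { return MASK }
}

// Second line of defence: masks tracked plaintexts that reach a log line as
// ordinary strings, e.g. echoed by a child process.
class LogScrubber {
  #known = new Set<string>()
  track(secret: Sensitive): Sensitive {
    if (secret.unseal().length > 0) this.#known.add(secret.unseal())
    return secret
  }
  scrub(line: string): string {
    // Longest first, so a secret embedded in a longer secret is masked whole.
    const ordered = Array.from(this.#known).sort((a, b) => b.length - a.length)
    return ordered.reduce((out, s) => out.split(s).join(MASK), line)
  }
}

function demo(): string[] {
  const scrubber = new LogScrubber()
  const password = scrubber.track(new Sensitive("s3cr3t-pw"))
  const dsn = scrubber.track(password.map((p) => `postgres://app:${p}@db:5432/app`))
  return [
    `password=${password}`,
    JSON.stringify({ DATABASE_PASSWORD: password, DSN: dsn }),
    scrubber.scrub(`connecting to ${dsn.unseal()}`),
    scrubber.scrub("child stdout: PGPASSWORD=s3cr3t-pw"),
  ]
}
console.log(demo().join("\n"))
```

Literal-match scrubbing only catches values that were tracked and appear verbatim; encoded or truncated forms of a secret pass through, which is why the sealed type is the primary control.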