Sanitize secrets in log messages

Signed-off-by: torredil <[email protected]>
kubernetes-sigs · May 13, 2024 · 262d24d · 262d24d
1 parent a8d4dae
commit 262d24d
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 13 deletions.
diff --git a/pkg/driver/controller.go b/pkg/driver/controller.go
@@ -77,7 +77,8 @@ func NewControllerService(c cloud.Cloud, o *Options) *ControllerService {
 }
 
 func (d *ControllerService) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest) (*csi.CreateVolumeResponse, error) {
-	klog.V(4).InfoS("CreateVolume: called", "args", *req)
+	klog.V(4).InfoS("CreateVolume: called", "args", util.ClearSecrets(req))
+
 	if err := validateCreateVolumeRequest(req); err != nil {
 		return nil, err
 	}
@@ -366,7 +367,7 @@ func validateCreateVolumeRequest(req *csi.CreateVolumeRequest) error {
 }
 
 func (d *ControllerService) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest) (*csi.DeleteVolumeResponse, error) {
-	klog.V(4).InfoS("DeleteVolume: called", "args", *req)
+	klog.V(4).InfoS("DeleteVolume: called", "args", util.ClearSecrets(req))
 	if err := validateDeleteVolumeRequest(req); err != nil {
 		return nil, err
 	}
@@ -398,7 +399,7 @@ func validateDeleteVolumeRequest(req *csi.DeleteVolumeRequest) error {
 }
 
 func (d *ControllerService) ControllerPublishVolume(ctx context.Context, req *csi.ControllerPublishVolumeRequest) (*csi.ControllerPublishVolumeResponse, error) {
-	klog.V(4).InfoS("ControllerPublishVolume: called", "args", *req)
+	klog.V(4).InfoS("ControllerPublishVolume: called", "args", util.ClearSecrets(req))
 	if err := validateControllerPublishVolumeRequest(req); err != nil {
 		return nil, err
 	}
@@ -447,7 +448,7 @@ func validateControllerPublishVolumeRequest(req *csi.ControllerPublishVolumeRequ
 }
 
 func (d *ControllerService) ControllerUnpublishVolume(ctx context.Context, req *csi.ControllerUnpublishVolumeRequest) (*csi.ControllerUnpublishVolumeResponse, error) {
-	klog.V(4).InfoS("ControllerUnpublishVolume: called", "args", *req)
+	klog.V(4).InfoS("ControllerUnpublishVolume: called", "args", util.ClearSecrets(req))
 
 	if err := validateControllerUnpublishVolumeRequest(req); err != nil {
 		return nil, err
@@ -541,7 +542,7 @@ func (d *ControllerService) ValidateVolumeCapabilities(ctx context.Context, req
 }
 
 func (d *ControllerService) ControllerExpandVolume(ctx context.Context, req *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error) {
-	klog.V(4).InfoS("ControllerExpandVolume: called", "args", *req)
+	klog.V(4).InfoS("ControllerExpandVolume: called", "args", util.ClearSecrets(req))
 	volumeID := req.GetVolumeId()
 	if len(volumeID) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID not provided")
@@ -579,7 +580,7 @@ func (d *ControllerService) ControllerExpandVolume(ctx context.Context, req *csi
 }
 
 func (d *ControllerService) ControllerModifyVolume(ctx context.Context, req *csi.ControllerModifyVolumeRequest) (*csi.ControllerModifyVolumeResponse, error) {
-	klog.V(4).InfoS("ControllerModifyVolume: called", "args", *req)
+	klog.V(4).InfoS("ControllerModifyVolume: called", "args", util.ClearSecrets(req))
 
 	volumeID := req.GetVolumeId()
 	if len(volumeID) == 0 {
@@ -660,7 +661,7 @@ func isValidVolumeContext(volContext map[string]string) bool {
 }
 
 func (d *ControllerService) CreateSnapshot(ctx context.Context, req *csi.CreateSnapshotRequest) (*csi.CreateSnapshotResponse, error) {
-	klog.V(4).InfoS("CreateSnapshot: called", "args", req)
+	klog.V(4).InfoS("CreateSnapshot: called", "args", util.ClearSecrets(req))
 	if err := validateCreateSnapshotRequest(req); err != nil {
 		return nil, err
 	}
@@ -789,7 +790,7 @@ func validateCreateSnapshotRequest(req *csi.CreateSnapshotRequest) error {
 }
 
 func (d *ControllerService) DeleteSnapshot(ctx context.Context, req *csi.DeleteSnapshotRequest) (*csi.DeleteSnapshotResponse, error) {
-	klog.V(4).InfoS("DeleteSnapshot: called", "args", req)
+	klog.V(4).InfoS("DeleteSnapshot: called", "args", util.ClearSecrets(req))
 	if err := validateDeleteSnapshotRequest(req); err != nil {
 		return nil, err
 	}
@@ -822,7 +823,7 @@ func validateDeleteSnapshotRequest(req *csi.DeleteSnapshotRequest) error {
 }
 
 func (d *ControllerService) ListSnapshots(ctx context.Context, req *csi.ListSnapshotsRequest) (*csi.ListSnapshotsResponse, error) {
-	klog.V(4).InfoS("ListSnapshots: called", "args", req)
+	klog.V(4).InfoS("ListSnapshots: called", "args", util.ClearSecrets(req))
 	var snapshots []*cloud.Snapshot
 
 	snapshotID := req.GetSnapshotId()

diff --git a/pkg/driver/node.go b/pkg/driver/node.go
@@ -113,7 +113,7 @@ func NewNodeService(o *Options, md metadata.MetadataService, m mounter.Mounter,
 }
 
 func (d *NodeService) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error) {
-	klog.V(4).InfoS("NodeStageVolume: called", "args", *req)
+	klog.V(4).InfoS("NodeStageVolume: called", "args", util.ClearSecrets(req))
 
 	volumeID := req.GetVolumeId()
 	if len(volumeID) == 0 {
@@ -349,7 +349,7 @@ func (d *NodeService) NodeUnstageVolume(ctx context.Context, req *csi.NodeUnstag
 }
 
 func (d *NodeService) NodeExpandVolume(ctx context.Context, req *csi.NodeExpandVolumeRequest) (*csi.NodeExpandVolumeResponse, error) {
-	klog.V(4).InfoS("NodeExpandVolume: called", "args", *req)
+	klog.V(4).InfoS("NodeExpandVolume: called", "args", util.ClearSecrets(req))
 	volumeID := req.GetVolumeId()
 	if len(volumeID) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID not provided")
@@ -413,7 +413,7 @@ func (d *NodeService) NodeExpandVolume(ctx context.Context, req *csi.NodeExpandV
 }
 
 func (d *NodeService) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
-	klog.V(4).InfoS("NodePublishVolume: called", "args", *req)
+	klog.V(4).InfoS("NodePublishVolume: called", "args", util.ClearSecrets(req))
 	volumeID := req.GetVolumeId()
 	if len(volumeID) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID not provided")
@@ -466,7 +466,7 @@ func (d *NodeService) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 }
 
 func (d *NodeService) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error) {
-	klog.V(4).InfoS("NodeUnpublishVolume: called", "args", *req)
+	klog.V(4).InfoS("NodeUnpublishVolume: called", "args", util.ClearSecrets(req))
 	volumeID := req.GetVolumeId()
 	if len(volumeID) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID not provided")

diff --git a/pkg/util/util.go b/pkg/util/util.go
@@ -22,6 +22,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"reflect"
 	"regexp"
 	"runtime"
 	"strings"
@@ -144,3 +145,20 @@ func NormalizeWindowsPath(path string) string {
 	}
 	return normalizedPath
 }
+
+// ClearSecrets takes a request object and returns a copy of the request with
+// the "Secrets" field cleared.
+func ClearSecrets(req interface{}) interface{} {
+	v := reflect.ValueOf(&req).Elem()
+	e := reflect.New(v.Elem().Type()).Elem()
+
+	e.Set(v.Elem())
+
+	f := reflect.Indirect(e).FieldByName("Secrets")
+
+	if f.IsValid() && f.CanSet() && f.Kind() == reflect.Map {
+		f.Set(reflect.MakeMap(f.Type()))
+		v.Set(e)
+	}
+	return req
+}