fix: log sanitizer

Sanitize the output logs.
Add e2e manual test example.

Signed-off-by: Serge Logvinov <[email protected]>

.goreleaser.yml

@@ -57,6 +57,7 @@ snapshot:
 
 brews:
   - name: pvecsictl
+    directory: Formula
     homepage: https://github.com/sergelogvinov/proxmox-csi-plugin
     description: "Proxmox VE CSI Mutate tool"
     license: Apache-2.0

go.mod

@@ -14,15 +14,15 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
-	google.golang.org/grpc v1.66.2
+	google.golang.org/grpc v1.67.0
 	k8s.io/api v0.31.1
 	k8s.io/apimachinery v0.31.1
 	k8s.io/client-go v0.31.1
 	k8s.io/cloud-provider-openstack v1.31.1
 	k8s.io/component-base v0.31.1
 	k8s.io/klog/v2 v2.130.1
 	k8s.io/mount-utils v0.31.1
-	k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3
+	k8s.io/utils v0.0.0-20240921022957-49e7df575cb6
 )
 
 require (
@@ -72,7 +72,7 @@ require (
 	golang.org/x/term v0.24.0 // indirect
 	golang.org/x/text v0.18.0 // indirect
 	golang.org/x/time v0.6.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

go.sum

@@ -176,10 +176,10 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
-google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo=
-google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61 h1:N9BgCIAUvn/M+p4NJccWPWb3BWh88+zyL0ll9HgbEeM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240924160255-9d4c2d233b61/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/grpc v1.67.0 h1:IdH9y6PF5MPSdAntIcpjQ+tXO41pcQsfZV2RxtQgVcw=
+google.golang.org/grpc v1.67.0/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -211,8 +211,8 @@ k8s.io/kube-openapi v0.0.0-20240903163716-9e1beecbcb38 h1:1dWzkmJrrprYvjGwh9kEUx
 k8s.io/kube-openapi v0.0.0-20240903163716-9e1beecbcb38/go.mod h1:coRQXBK9NxO98XUv3ZD6AK3xzHCxV6+b7lrquKwaKzA=
 k8s.io/mount-utils v0.31.1 h1:f8UrH9kRynljmdNGM6BaCvFUON5ZPKDgE+ltmYqI4wA=
 k8s.io/mount-utils v0.31.1/go.mod h1:HV/VYBUGqYUj4vt82YltzpWvgv8FPg0G9ItyInT3NPU=
-k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3 h1:b2FmK8YH+QEwq/Sy2uAEhmqL5nPfGYbJOcaqjeYYZoA=
-k8s.io/utils v0.0.0-20240902221715-702e33fdd3c3/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI=
+k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=

hack/e2e-tests.md

@@ -0,0 +1,92 @@
+# Integration tests
+
+## Manual integration tests
+
+### Encrypted PVs
+
+Create PV secret and deploy a pod that uses it.
+
+```yaml
+---
+apiVersion: v1
+data:
+  # echo 1f03928033dda2e4fd347e44266cfbc | base64
+  encryption-passphrase: MWYwMzkyODAzM2RkYTJlNGZkMzQ3ZTQ0MjY2Y2ZiYw==
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: proxmox-csi-secret
+  namespace: kube-system
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: proxmox-secret
+parameters:
+  csi.storage.k8s.io/fstype: xfs
+  csi.storage.k8s.io/node-stage-secret-name: "proxmox-csi-secret"
+  csi.storage.k8s.io/node-stage-secret-namespace: "kube-system"
+  csi.storage.k8s.io/node-expand-secret-name: "proxmox-csi-secret"
+  csi.storage.k8s.io/node-expand-secret-namespace: "kube-system"
+  storage: lvm
+provisioner: csi.proxmox.sinextra.dev
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: test
+  namespace: default
+  labels:
+    app: alpine
+spec:
+  podManagementPolicy: Parallel
+  serviceName: test
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: alpine
+    spec:
+      terminationGracePeriodSeconds: 3
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+      nodeSelector:
+        # kubernetes.io/hostname: kube-store-02a
+        # topology.kubernetes.io/zone: hvm-1
+      containers:
+        - name: alpine
+          image: alpine
+          command: ["sleep","1d"]
+          securityContext:
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop: ["ALL"]
+          volumeMounts:
+            - name: storage
+              mountPath: /mnt
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: alpine
+  volumeClaimTemplates:
+    - metadata:
+        name: storage
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
+        storageClassName: proxmox-secret
+```
+
+Run the statefulset, wait for it to be running and exec into the proxmox-csi-plugin-node pod to check the passphrase.
+
+```bash
+echo -n "1f03928033dda2e4fd347e44266cfbc" | kube -n csi-proxmox exec -ti proxmox-csi-plugin-node-srm6v -- /sbin/cryptsetup luksOpen --debug --test-passphrase -v /dev/sdb --key-file=-
+```

pkg/csi/helper.go

@@ -22,11 +22,9 @@ import (
 	"os"
 	"path"
 	"path/filepath"
-	"reflect"
 	"strings"
 
 	proto "github.com/container-storage-interface/spec/lib/go/csi"
-	"github.com/kubernetes-csi/csi-lib-utils/protosanitizer"
 
 	corev1 "k8s.io/api/core/v1"
 )
@@ -92,19 +90,3 @@ func locationFromTopologyRequirement(tr *proto.TopologyRequirement) (region, zon
 
 	return region, ""
 }
-
-func stripSecrets(msg interface{}) string {
-	reqValue := reflect.ValueOf(&msg)
-	reqType := reqValue.Type()
-
-	if reqType.Kind() == reflect.Struct {
-		secrets := reqValue.FieldByName("Secrets")
-		if secrets.IsValid() && secrets.Kind() == reflect.Map {
-			for _, k := range secrets.MapKeys() {
-				secrets.SetMapIndex(k, reflect.ValueOf("***stripped***"))
-			}
-		}
-	}
-
-	return fmt.Sprintf("%+v", protosanitizer.StripSecrets(reqValue.Interface()))
-}

pkg/csi/node.go

@@ -26,6 +26,7 @@ import (
 	"time"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
+	"github.com/kubernetes-csi/csi-lib-utils/protosanitizer"
 	"github.com/siderolabs/go-blockdevice/blockdevice/encryption"
 	luks "github.com/siderolabs/go-blockdevice/blockdevice/encryption/luks"
 	"github.com/siderolabs/go-blockdevice/blockdevice/filesystem"
@@ -88,7 +89,7 @@ func NewNodeService(nodeID string, clientSet kubernetes.Interface) *NodeService
 //
 //nolint:cyclop,gocyclo
 func (n *NodeService) NodeStageVolume(_ context.Context, request *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error) {
-	klog.V(4).InfoS("NodeStageVolume: called", "args", stripSecrets(request))
+	klog.V(4).InfoS("NodeStageVolume: called", "args", protosanitizer.StripSecrets(request))
 
 	volumeID := request.GetVolumeId()
 	if len(volumeID) == 0 {
@@ -222,7 +223,7 @@ func (n *NodeService) NodeStageVolume(_ context.Context, request *csi.NodeStageV
 //
 //nolint:dupl
 func (n *NodeService) NodeUnstageVolume(_ context.Context, request *csi.NodeUnstageVolumeRequest) (*csi.NodeUnstageVolumeResponse, error) {
-	klog.V(4).InfoS("NodeUnstageVolume: called", "args", stripSecrets(request))
+	klog.V(4).InfoS("NodeUnstageVolume: called", "args", protosanitizer.StripSecrets(request))
 
 	stagingTargetPath := request.GetStagingTargetPath()
 	if len(stagingTargetPath) == 0 {
@@ -284,7 +285,7 @@ func (n *NodeService) NodeUnstageVolume(_ context.Context, request *csi.NodeUnst
 //
 //nolint:dupl
 func (n *NodeService) NodePublishVolume(_ context.Context, request *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
-	klog.V(4).InfoS("NodePublishVolume: called", "args", stripSecrets(request))
+	klog.V(4).InfoS("NodePublishVolume: called", "args", protosanitizer.StripSecrets(request))
 
 	stagingTargetPath := request.GetStagingTargetPath()
 	if len(stagingTargetPath) == 0 {
@@ -389,7 +390,7 @@ func (n *NodeService) NodePublishVolume(_ context.Context, request *csi.NodePubl
 //
 //nolint:dupl
 func (n *NodeService) NodeUnpublishVolume(_ context.Context, request *csi.NodeUnpublishVolumeRequest) (*csi.NodeUnpublishVolumeResponse, error) {
-	klog.V(4).InfoS("NodeUnpublishVolume: called", "args", stripSecrets(request))
+	klog.V(4).InfoS("NodeUnpublishVolume: called", "args", protosanitizer.StripSecrets(request))
 
 	targetPath := request.GetTargetPath()
 	if len(targetPath) == 0 {
@@ -410,7 +411,7 @@ func (n *NodeService) NodeUnpublishVolume(_ context.Context, request *csi.NodeUn
 
 // NodeGetVolumeStats get the volume stats
 func (n *NodeService) NodeGetVolumeStats(_ context.Context, request *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error) {
-	klog.V(4).InfoS("NodeGetVolumeStats: called", "args", stripSecrets(request))
+	klog.V(4).InfoS("NodeGetVolumeStats: called", "args", protosanitizer.StripSecrets(request))
 
 	volumePath := request.GetVolumePath()
 	if len(volumePath) == 0 {
@@ -452,7 +453,7 @@ func (n *NodeService) NodeGetVolumeStats(_ context.Context, request *csi.NodeGet
 
 // NodeExpandVolume expand the volume
 func (n *NodeService) NodeExpandVolume(_ context.Context, request *csi.NodeExpandVolumeRequest) (*csi.NodeExpandVolumeResponse, error) {
-	klog.V(4).InfoS("NodeExpandVolume: called", "args", stripSecrets(request))
+	klog.V(4).InfoS("NodeExpandVolume: called", "args", protosanitizer.StripSecrets(request))
 
 	volumeID := request.GetVolumeId()
 	if len(volumeID) == 0 {