
Hide secrets in logs. Fixes #8685

Open anilkumar-pcs opened this issue 3 years ago • 3 comments

Fixes #8685

Introduced environment variable ARGO_REDACT_POD_LOGS to filter and mask secrets in workflow logs.

Logs when running examples/secrets.yaml workflow with no redaction

secrets-tdwm7: time="2022-10-19T12:47:54.251Z" level=info msg="capturing logs" argo=true
secrets-tdwm7: secret from env: S00perS3cretPa55word
secrets-tdwm7: secret from file: S00perS3cretPa55word
secrets-tdwm7: time="2022-10-19T12:47:55.263Z" level=info msg="sub-process exited" argo=true error="<nil>"

Logs when running examples/secrets.yaml workflow with redaction enabled

secrets-tdwm7: time="2022-10-19T12:47:54.251Z" level=info msg="capturing logs" [ redacted ]=true
secrets-tdwm7: secret from env: [ redacted ]
secrets-tdwm7: secret from file: [ redacted ]
secrets-tdwm7: time="2022-10-19T12:47:55.263Z" level=info msg="sub-process exited" [ redacted ]=true error="<nil>"

Please do not open a pull request until you have checked ALL of these:

  • [x] Create the PR as draft.
  • [x] Run make pre-commit -B to fix codegen and lint problems.
  • [x] Sign-off your commits (otherwise the DCO check will fail).
  • [x] Use a conventional commit message (otherwise the commit message check will fail).
  • [x] "Fixes #" is in both the PR title (for release notes) and this description (to automatically link and close the issue).
  • [x] Add unit or e2e tests. Say how you tested your changes. If you changed the UI, attach screenshots.
  • [x] GitHub checks are green.
  • [x] Once required tests have passed, mark your PR "Ready for review".

If changes were requested, and you've made them, dismiss the review to get it reviewed again.

Oct 19 '22 03:10 anilkumar-pcs

@alexec @terrytangyuan Can one of you review the changes?

Oct 19 '22 13:10 anilkumar-pcs

This is cool. I wonder if it can be even smarter? E.g. auto-detect secrets using a regex?

Oct 19 '22 17:10 alexec

@alexec while the idea to auto-detect the secrets is nice, secrets are something user configurable and they can be literally anything. I believe it would be difficult to have a regex to identify all possible secrets.

Do you have any references in mind? Please share your thoughts.

Oct 19 '22 18:10 anilkumar-pcs
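The exact-value approach argued for in the comment above, as an added example that is not the PR's code or anything from Argo Workflows: a masker built from a workflow's resolved secret values and run over the log lines quoted in the description. `Redactor`, `NewRedactor` and `minSecretLen` are hypothetical names, and the `-old` and `argo` values are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const mask = "[ redacted ]" // marker used in the redacted log above

// minSecretLen is an assumed guard: very short values also occur in ordinary
// log text (a value "argo" would turn argo=true into [ redacted ]=true).
const minSecretLen = 6

// Redactor masks exact occurrences of known secret values.
type Redactor struct{ r *strings.Replacer }

// NewRedactor takes the resolved values of the secrets a workflow references.
func NewRedactor(values []string) *Redactor {
	seen := map[string]bool{}
	var vals []string
	for _, v := range values {
		v = strings.TrimSpace(v) // file-mounted values often end in a newline
		if len(v) >= minSecretLen && !seen[v] {
			seen[v] = true
			vals = append(vals, v)
		}
	}
	// strings.Replacer prefers earlier arguments, so longer values go first;
	// otherwise a secret that is a prefix of another leaves the tail visible.
	sort.SliceStable(vals, func(i, j int) bool { return len(vals[i]) > len(vals[j]) })
	pairs := make([]string, 0, 2*len(vals))
	for _, v := range vals {
		pairs = append(pairs, v, mask)
	}
	return &Redactor{r: strings.NewReplacer(pairs...)}
}

// Redact returns line with every known secret value replaced by the mask.
func (d *Redactor) Redact(line string) string { return d.r.Replace(line) }

func main() {
	d := NewRedactor([]string{"S00perS3cretPa55word", "S00perS3cretPa55word-old", "argo"})
	for _, l := range []string{ // first two lines are from the log above
		`secrets-tdwm7: time="2022-10-19T12:47:54.251Z" level=info msg="capturing logs" argo=true`,
		"secrets-tdwm7: secret from env: S00perS3cretPa55word",
		"secrets-tdwm7: secret from file: S00perS3cretPa55word-old", // constructed
	} {
		fmt.Println(d.Redact(l))
	}
}
```

Exact matching does not catch a secret that the program prints in a transformed form such as base64 or URL encoding, so it complements keeping secrets out of output rather than replacing it.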

@alexec I have introduced configuration as it was suggested in here

We can remove the env variable configuration and mask the secrets by default. WDYT?

Oct 29 '22 16:10 anilkumar-pcs

@alexec made changes to remove the env configuration and mask secrets by default.

Oct 31 '22 03:10 anilkumar-pcs

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this is a mentoring request, please provide an update here. Thank you for your contributions.

Nov 23 '22 03:11 stale[bot]

This issue has been closed due to inactivity. Feel free to re-open if you still encounter this issue.

Dec 31 '22 22:12 stale[bot]