.github/workflows/e2e.yaml

@@ -55,6 +55,17 @@ jobs:
           KUBEBUILDER_ASSETS: ${{ github.workspace }}/kubebuilder/bin
       - name: Load test image
         run: kind load docker-image test/kustomize-controller:latest
+      - name: Install CRDs
+        run: make install
+      - name: Run default status test
+        run: |
+          kubectl apply -f config/testdata/status-defaults
+          RESULT=$(kubectl get kustomization status-defaults -o go-template={{.status}})
+          EXPECTED='map[observedGeneration:-1]'
+          if [ "${RESULT}" != "${EXPECTED}" ] ; then
+            echo -e "${RESULT}\n\ndoes not equal\n\n${EXPECTED}"
+            exit 1
+          fi
       - name: Deploy controllers
         run: |
           make dev-deploy IMG=test/kustomize-controller:latest

CHANGELOG.md

@@ -2,6 +2,19 @@
 
 All notable changes to this project are documented in this file.
 
+## 0.14.1
+
+**Release date:** 2021-09-09
+
+This prerelease comes with improvements to logging.
+When Kubernetes Secrets can't be reconciled due to validation errors,
+the controller will mask the secret data from logs and events to prevent
+disclosing sensitive information.
+
+Improvements:
+* Mask the Kubernetes Secrets data from dry-run and apply logs
+  [#420](https://github.com/fluxcd/kustomize-controller/pull/420)
+
 ## 0.14.0
 
 **Release date:** 2021-08-26

api/v1beta1/kustomization_types.go

@@ -340,7 +340,8 @@ type Kustomization struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec   KustomizationSpec   `json:"spec,omitempty"`
+	Spec KustomizationSpec `json:"spec,omitempty"`
+	// +kubebuilder:default:={"observedGeneration":-1}
 	Status KustomizationStatus `json:"status,omitempty"`
 }
 

config/crd/bases/kustomize.toolkit.fluxcd.io_kustomizations.yaml

@@ -330,6 +330,8 @@ spec:
             - sourceRef
             type: object
           status:
+            default:
+              observedGeneration: -1
             description: KustomizationStatus defines the observed state of a kustomization.
             properties:
               conditions:

config/manager/kustomization.yaml

@@ -5,4 +5,4 @@ resources:
 images:
   - name: fluxcd/kustomize-controller
     newName: fluxcd/kustomize-controller
-    newTag: v0.14.0
+    newTag: v0.14.1

config/testdata/status-defaults/empty-kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
+kind: Kustomization
+metadata:
+  name: status-defaults

controllers/kustomization_controller.go

@@ -356,7 +356,7 @@ func (r *KustomizationReconciler) reconcile(
 			source.GetArtifact().Revision,
 			kustomizev1.ValidationFailedReason,
 			err.Error(),
-		), err
+		), stripSensitiveData(err)
 	}
 
 	// apply
@@ -367,7 +367,7 @@ func (r *KustomizationReconciler) reconcile(
 			source.GetArtifact().Revision,
 			meta.ReconciliationFailedReason,
 			err.Error(),
-		), err
+		), stripSensitiveData(err)
 	}
 
 	// prune

controllers/utils.go

@@ -17,6 +17,8 @@ limitations under the License.
 package controllers
 
 import (
+	"errors"
+	"regexp"
 	"strings"
 )
 
@@ -77,3 +79,14 @@ func containsString(slice []string, s string) bool {
 	}
 	return false
 }
+
+func stripSensitiveData(err error) error {
+	r := regexp.MustCompile(`(v1.Secret.(StringData|Data):) (.*)`)
+	newErr := r.ReplaceAllString(err.Error(), "$1 [ ** REDACTED ** ]")
+
+	// strip data from bigger context
+	r = regexp.MustCompile(`((stringData|data)\":{)(.*)(})`)
+	newErr = r.ReplaceAllString(newErr, "$1 [ ** REDACTED ** ] $4")
+
+	return errors.New(newErr)
+}

controllers/utils_test.go

@@ -1,6 +1,7 @@
 package controllers
 
 import (
+	"errors"
 	"strings"
 	"testing"
 )
@@ -54,3 +55,32 @@ error: error validating data: unknown field "ima  ge" in io.k8s.api.core.v1.Cont
 		})
 	}
 }
+
+func TestStripSensitiveData(t *testing.T) {
+	tests := []struct {
+		name     string
+		in       error
+		expected error
+	}{
+		{
+			"stringData",
+			errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.StringData: ReadString: expects \" or n, but found 0, error found in #10 byte of ...|\"secret\":0}}\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"stringData\":{\"secret\":0}}\n|...\n"),
+			errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.StringData: [ ** REDACTED ** ]\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"stringData\":{ [ ** REDACTED ** ] }\n|...\n"),
+		},
+		{
+			"data",
+			errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.Data: ReadString: expects \" or n, but found 0, error found in #10 byte of ...|\"secret\":0}}\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"data\":{\"secret\":0}}\n|...\n"),
+			errors.New("apply failed: Error from server (BadRequest): error when creating \"0f1563ce-8273-4879-99dd-f6f58629cc2d.yaml\": Secret in version \"v1\" cannot be handled as a Secret: v1.Secret.Data: [ ** REDACTED ** ]\n|..., bigger context ...|\"namespace\":\"sensitive-data-dkgvw\"},\"data\":{ [ ** REDACTED ** ] }\n|...\n"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			expected := stripSensitiveData(tt.in)
+
+			if expected.Error() != tt.expected.Error() {
+				t.Errorf("\nexpected:\n%q\ngot:\n%q\n", tt.expected.Error(), expected.Error())
+			}
+		})
+	}
+}

go.mod

@@ -8,7 +8,7 @@ require (
 	filippo.io/age v1.0.0-beta7
 	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/drone/envsubst v1.0.3-0.20200804185402-58bc65f69603
-	github.com/fluxcd/kustomize-controller/api v0.14.0
+	github.com/fluxcd/kustomize-controller/api v0.14.1
 	github.com/fluxcd/pkg/apis/kustomize v0.2.0
 	github.com/fluxcd/pkg/apis/meta v0.10.0
 	github.com/fluxcd/pkg/runtime v0.12.0