Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RHPAM-4438] Sensitive Information In ENV And Pod Logs #99

Merged
merged 1 commit into from Aug 9, 2022
Merged

[RHPAM-4438] Sensitive Information In ENV And Pod Logs #99

merged 1 commit into from Aug 9, 2022

Conversation

davidesalerno
Copy link
Contributor

@davidesalerno davidesalerno commented Jul 28, 2022
edited

Signed-off-by: Davide Salerno dsalerno@redhat.com

See: RHPAM-4438

In order to avoid to print sensitive information in the logs in a production environment, it is better to log certain type of information only when the logger is not at DEBUG level (usually in a Prod env log level is at Info)

@davidesalerno davidesalerno mentioned this pull request Jul 28, 2022
Merged
@davidesalerno
Copy link
Contributor Author

@tchughesiv Can you help me reviewing this change?

ruromero
ruromero reviewed Aug 3, 2022
View reviewed changes
Copy link
Member

@ruromero ruromero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, I only have one question, otherwise LGTM

go.mod Outdated
@@ -14,7 +14,7 @@ require (
github.com/pkg/errors v0.9.1
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.50.0
github.com/stretchr/testify v1.7.0
go.uber.org/zap v1.19.0
go.uber.org/zap v1.21.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ruromero This change is not strictly needed for this fix and it is due to the attempt to add some unit test using zaptest (go.uber.org/zap/zaptest) which would require huge refactoring and for this reason at the moment they are not in this PR.
I'll revert it.

jakubschwan
jakubschwan reviewed Aug 4, 2022
View reviewed changes
pkg/resource/compare/defaults.go Outdated
logger.Info("Resources are not equal", "deployed", deployed, "requested", requested)
logger.Debugf("Resources are not equal", "deployed", deployed, "requested", requested)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For case when resources or objects are not equal. Can we keep there at least some info output. Otherwise it might be hard for users to spot what is wrong.
If the debug output is not allowed, it would be good to print some info log (or warning) as well. So it can be debug easier. I think it should be okay to just print message like "Resources are not equal. For more details use debug option for your Operator."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jakubschwan thank you for the suggestion, I agree with your concern and I'll do the change

@davidesalerno davidesalerno force-pushed the RHPAM-4438 branch 3 times, most recently from d519769 to 61525e5 Compare August 9, 2022 08:33
ruromero
ruromero requested changes Aug 9, 2022
View reviewed changes
Copy link
Member

@ruromero ruromero left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd rather use a conditional logging instead of logging twice. Something like this:

		if logs.IsDebugLevel() {
			logger.Debugf("Resources are not equal", "deployed", deployed, "requested", requested)
		} else {
			logger.Info("Resources are not equal. For more details set the Operator log level to DEBUG.")
		}

I think this function should be enough:

// IsDebugLevel returns whether the current log level is Debug
func IsDebugLevel() bool {
	return GetBoolEnv(DebugTrue.Name)
}

pkg/resource/compare/defaults.go Outdated
@@ -643,7 +649,8 @@ func EqualPairs(objects [][2]interface{}) bool {
func Equals(deployed interface{}, requested interface{}) bool {
equal := reflect.DeepEqual(deployed, requested)
if !equal {
logger.Info("Objects are not equal", "deployed", deployed, "requested", requested)
logger.Info("Objects are not equal. For more details set the Operato log level at DEBUG.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logger.Info("Objects are not equal. For more details set the Operato log level at DEBUG.")
logger.Info("Objects are not equal. For more details set the Operator log level to DEBUG.")

pkg/resource/compare/defaults.go Outdated
@@ -615,7 +620,8 @@ func equalBuildConfigs(deployed client.Object, requested client.Object) bool {
pairs = append(pairs, [2]interface{}{bc1.Spec, bc2.Spec})
equal := EqualPairs(pairs)
if !equal {
logger.Info("Resources are not equal", "deployed", deployed, "requested", requested)
logger.Info("Resources are not equal. For more details set the Operato log level at DEBUG.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logger.Info("Resources are not equal. For more details set the Operato log level at DEBUG.")
logger.Info("Resources are not equal. For more details set the Operator log level to DEBUG.")

pkg/resource/compare/defaults.go Outdated
@@ -542,7 +546,8 @@ func equalSecrets(deployed client.Object, requested client.Object) bool {
pairs = append(pairs, [2]interface{}{secret1.Data, secret2.Data})
equal := EqualPairs(pairs)
if !equal {
logger.Info("Resources are not equal", "deployed", deployed, "requested", requested)
logger.Info("Resources are not equal. For more details set the Operato log level at DEBUG.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
logger.Info("Resources are not equal. For more details set the Operato log level at DEBUG.")
logger.Info("Resources are not equal. For more details set the Operator log level to DEBUG.")

@davidesalerno
[RHPAM-4438] Sensitive Information In ENV And Pod Logs
7a9086d 
Signed-off-by: Davide Salerno <dsalerno@redhat.com>
ruromero
ruromero approved these changes Aug 9, 2022
View reviewed changes
Copy link
Member

@ruromero ruromero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@davidesalerno
Copy link
Contributor Author

@ruromero Thanks for the good advices, I integrated it and it is much better than before

@ruromero ruromero merged commit 4a2136b into RHsyseng:main Aug 9, 2022
@brusdev
Copy link
Contributor

brusdev commented Jul 10, 2023

@davidesalerno @ruromero this change is causing #110. I created the PR #111 to fix #110 partially reverting [RHPAM-4438] Sensitive Information In ENV And Pod Log. Could you review it?

@brusdev brusdev mentioned this pull request Jul 10, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jakubschwan jakubschwan jakubschwan left review comments

@ruromero ruromero ruromero approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@davidesalerno @brusdev @ruromero @jakubschwan