@@ -174,6 +174,18 @@ func isValidArchiveType(archiveType string) bool {
174174
175175type postProcessFunc func (output []byte ) ([]byte , error )
176176
177+ var envoySecretMask = jsonFieldMaskPostProcess ([]string {
178+ // Cilium LogEntry -> KafkaLogEntry{l7} -> KafkaLogEntry{api_key}
179+ "api_key" ,
180+ // This could be from one of the following:
181+ // - Cilium NetworkPolicy -> PortNetworkPolicy{ingress_per_port_policies, egress_per_port_policies}
182+ // -> PortNetworkPolicyRule{rules} -> TLSContext{downstream_tls_context, upstream_tls_context}
183+ // - Upstream Envoy tls_certificate
184+ "trusted_ca" ,
185+ "certificate_chain" ,
186+ "private_key" ,
187+ })
188+
177189func runTool () {
178190 // Validate archive type
179191 if ! isValidArchiveType (archiveType ) {
@@ -220,13 +232,13 @@ func runTool() {
220232 }
221233 } else {
222234 if envoyDump {
223- if err := dumpEnvoy (cmdDir , "http://admin/config_dump?include_eds" , "envoy-config.json" ); err != nil {
235+ if err := dumpEnvoy (cmdDir , "http://admin/config_dump?include_eds" , "envoy-config.json" , envoySecretMask ); err != nil {
224236 fmt .Fprintf (os .Stderr , "Unable to dump envoy config: %s\n " , err )
225237 }
226238 }
227239
228240 if envoyMetrics {
229- if err := dumpEnvoy (cmdDir , "http://admin/stats/prometheus" , "envoy-metrics.txt" ); err != nil {
241+ if err := dumpEnvoy (cmdDir , "http://admin/stats/prometheus" , "envoy-metrics.txt" , nil ); err != nil {
230242 fmt .Fprintf (os .Stderr , "Unable to retrieve envoy prometheus metrics: %s\n " , err )
231243 }
232244 }
@@ -520,7 +532,7 @@ func dumpHubbleMetrics(rootDir string) error {
520532 return downloadToFile (httpClient , url , filepath .Join (rootDir , "hubble-metrics.txt" ))
521533}
522534
523- func dumpEnvoy (rootDir string , resource string , fileName string ) error {
535+ func dumpEnvoy (rootDir string , resource string , fileName string , postProcess postProcessFunc ) error {
524536 // curl --unix-socket /var/run/cilium/envoy-admin.sock http:/admin/config_dump\?include_eds > dump.json
525537 c := & http.Client {
526538 Transport : & http.Transport {
@@ -529,7 +541,11 @@ func dumpEnvoy(rootDir string, resource string, fileName string) error {
529541 },
530542 },
531543 }
532- return downloadToFile (c , resource , filepath .Join (rootDir , fileName ))
544+
545+ if postProcess == nil {
546+ return downloadToFile (c , resource , filepath .Join (rootDir , fileName ))
547+ }
548+ return downloadToFileWithPostProcess (c , resource , filepath .Join (rootDir , fileName ), postProcess )
533549}
534550
535551func pprofTraces (rootDir string , pprofDebug int ) error {
@@ -593,3 +609,28 @@ func downloadToFile(client *http.Client, url, file string) error {
593609 _ , err = io .Copy (out , resp .Body )
594610 return err
595611}
612+
613+ // downloadToFileWithPostProcess downloads the content from the given URL and writes it to the given file.
614+ // The content is then post-processed using the given postProcess function before being written to the file.
615+ // Note: Please use downloadToFile instead of this function if no post-processing is required.
616+ func downloadToFileWithPostProcess (client * http.Client , url , file string , postProcess postProcessFunc ) error {
617+ resp , err := client .Get (url )
618+ if err != nil {
619+ return err
620+ }
621+ defer resp .Body .Close ()
622+ if resp .StatusCode != http .StatusOK {
623+ return fmt .Errorf ("bad status: %s" , resp .Status )
624+ }
625+
626+ b , err := io .ReadAll (resp .Body )
627+ if err != nil {
628+ return err
629+ }
630+
631+ b , err = postProcess (b )
632+ if err != nil {
633+ return err
634+ }
635+ return os .WriteFile (file , b , 0644 )
636+ }
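Review bot: In downloadToFileWithPostProcess the errors from io.ReadAll and postProcess are returned bare, so the caller's stderr line `Unable to dump envoy config: %s` cannot distinguish a fetch failure from a masking failure, and the masking failure is exactly the case where the dump is being deliberately withheld. Wrap them with context, e.g. `return fmt.Errorf("reading %s: %w", url, err)` and `return fmt.Errorf("post-processing %s: %w", url, err)`, and include the URL in the bad-status error the same way. The doc comment should also state the fail-closed property the code already has: the file is written only after postProcess succeeds, so a masking error never leaves an unprocessed dump on disk. A nil postProcess would panic on the `b, err = postProcess(b)` line; since dumpEnvoy already routes nil to downloadToFile, a guard that returns an error (never a fallback to writing the raw bytes) would keep that invariant if another caller appears.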