Helm upgrade output message can contain sensitive data on error

[shalomyasap]

Output of helm version: v3.7.1
Output of kubectl version: v1.21.2

In case helm upgrade fails its usually print the error message, the message can include sensitive data such as secrets or passwords.

I’m facing with an issue when one of the deployment parameters contains invalid certificate, this cause to an error and though helm printed the full error to the screen, including the json value which contains several secret keys. The output usually printed to external applications which other users has access as well.

Trying to execute helm upgrade and write the output to file nor dev/null wasn’t helpful, it’s still printed to the screen, this probably since the error occurs during runtime.
Also execute helm upgrade with dry-run didn’t help, since dry-run passed (dry-run doesn’t validate the certificate)

Can we control the output message, or any suggestion how to overcome such behavior?

See below and example (off course secrets masked)

Error: UPGRADE FAILED: release XXXXX-helm-chart failed, and has been rolled back due to atomic being set: cannot patch "XXXXX-secret" with kind Secret:
  "" is invalid: patch: Invalid value: "{\"apiVersion\":\"v1\",\"data\":{\"y_certificate\":\"123\",\"y_key\":\"SECRET_VALUE\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"meta.helm.sh/release-name\":\"XXXXX-helm-chart\",\"meta.helm.sh/release-namespace\":\"XXXXX\"},\"creationTimestamp\":\"2022-12-21T13:02:27Z\",\"labels\":{\"app.kubernetes.io/managed-by\":\"Helm\"},\"managedFields\":[{\"manager\":\"helm\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2022-12-21T13:02:27Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:data\":{},\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:meta.helm.sh/release-name\":{},\"f:meta.helm.sh/release-namespace\":{}},\"f:labels\":{\".\":{},\"f:app.kubernetes.io/managed-by\":{}}},\"f:type\":{}}},{\"manager\":\"Go-http-client\",\"operation\":\"Update\",\"apiVersion\":\"v1\",\"time\":\"2022-12-25T11:55:40Z\",\"fieldsType\":\"FieldsV1\",\"fieldsV1\":{\"f:data\":{\"f:y_certificate\":{},\"f:y_key\":{}}}}],\"name\":\"y-secret\",\"namespace\":\"XXXXX-operator\",\"resourceVersion\":\"121158778\",\"uid\":\"aba2ee5d-2fda-4488-a890-595959c45925\"},\"type\":\"Opaque\"}": illegal base64 data at input byte 0

Ill appreciate your insights.
Regards,
Shalom

[gjenkins8]

bug? It is useful for helm to display what is failing of course. But potentially outputting creds might need to be fixed (somehow)?

[shalomyasap]

Maybe a flag to mask values in-case of an error?
Any suggestion how to overcome this vulnerability in the meantime?

[joejulian]

I'm mostly sure this comes from the Kubernetes library. If I have any time this week I was hoping to hunt it down.

[github-actions]

This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.

[shalomyasap]

This issue can cause to data leak of credentials.
Can this issue be fix in the next release?