diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82dd7ba7..95a7364c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+### Added
+
+- The associated configuration is now logged for each issued secret ([#413]).
+
 ### Changed
 - [BREAKING] The TLS CA Secret is now installed into the Namespace of the operator (typically `stackable-operators`), rather than `default` ([#397]).
@@ -19,6 +23,7 @@ All notable changes to this project will be documented in this file.
 [#397]: https://github.com/stackabletech/secret-operator/pull/397
 [#403]: https://github.com/stackabletech/secret-operator/pull/403
+[#413]: https://github.com/stackabletech/secret-operator/pull/413
 [#440]: https://github.com/stackabletech/secret-operator/pull/440
 ## [24.3.0] - 2024-03-20
diff --git a/rust/operator-binary/src/backend/dynamic.rs b/rust/operator-binary/src/backend/dynamic.rs
index 131166fc..dfa1bbaa 100644
--- a/rust/operator-binary/src/backend/dynamic.rs
+++ b/rust/operator-binary/src/backend/dynamic.rs
@@ -1,12 +1,18 @@
 //! Support code for runtime-configurable dynamic [`SecretBackend`]s
-use std::{collections::HashSet, fmt::Display};
+use std::{
+ collections::HashSet,
+ fmt::{Debug, Display},
+};
 use async_trait::async_trait;
 use snafu::{ResultExt, Snafu};
 use stackable_operator::kube::runtime::reflector::ObjectRef;
-use crate::crd::{self, SecretClass};
+use crate::{
+ crd::{self, SecretClass},
+ utils::Unloggable,
+};
 use super::{
 kerberos_keytab::{self, KerberosProfile},
@@ -14,12 +20,17 @@ use super::{
 tls, SecretBackend, SecretBackendError, SecretVolumeSelector,
 };
-#[derive(Debug)]
 pub struct DynError(Box);
+impl Debug for DynError {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ Debug::fmt(&self.0, f)
+ }
+}
+
 impl Display for DynError {
 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
- self.0.fmt(f)
+ Display::fmt(&self.0, f)
 }
 }
 impl std::error::Error for DynError {
@@ -35,6 +46,12 @@ impl SecretBackendError for DynError {
 pub struct DynamicAdapter(B);
+impl Debug for DynamicAdapter {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ self.0.fmt(f)
+ }
+}
+
 #[async_trait]
 impl SecretBackend for DynamicAdapter {
 type Error = DynError;
@@ -96,7 +113,7 @@ pub async fn from_class(
 Ok(match class.spec.backend {
 crd::SecretClassBackend::K8sSearch(crd::K8sSearchBackend { search_namespace }) => {
 from(super::K8sSearch {
- client: client.clone(),
+ client: Unloggable(client.clone()),
 search_namespace,
 })
 }
diff --git a/rust/operator-binary/src/backend/k8s_search.rs b/rust/operator-binary/src/backend/k8s_search.rs
index 13735d1f..7e7aebee 100644
--- a/rust/operator-binary/src/backend/k8s_search.rs
+++ b/rust/operator-binary/src/backend/k8s_search.rs
@@ -12,7 +12,7 @@ use stackable_operator::{
 kvp::{LabelError, LabelSelectorExt, Labels},
 };
-use crate::{crd::SearchNamespace, format::SecretData};
+use crate::{crd::SearchNamespace, format::SecretData, utils::Unloggable};
 use super::{
 pod_info::{PodInfo, SchedulingPodInfo},
@@ -60,8 +60,10 @@ impl SecretBackendError for Error {
 }
 }
+#[derive(Debug)]
 pub struct K8sSearch {
- pub client: stackable_operator::client::Client,
+ // Not secret per se, but isn't Debug: https://github.com/stackabletech/secret-operator/issues/411
+ pub client: Unloggable,
 pub search_namespace: SearchNamespace,
 }
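Review bot: `impl Debug for DynamicAdapter` forwards with method syntax, `self.0.fmt(f)`, whereas the `DynError` impls changed in this same file now use the fully-qualified forms `Debug::fmt(&self.0, f)` and `Display::fmt(&self.0, f)` precisely because both traits are imported here. For consistency, and so the delegation cannot resolve to a different `fmt` if the bound on `B` is ever widened, write `Debug::fmt(&self.0, f)` in the adapter as well. The generic bound on `B` is not visible in this hunk; if it is only `B: SecretBackend`, the `Debug` supertrait added in backend/mod.rs is what makes this compile and deserves a one-line comment saying so.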
diff --git a/rust/operator-binary/src/backend/kerberos_keytab.rs b/rust/operator-binary/src/backend/kerberos_keytab.rs
index 0f04f927..bdec1e37 100644
--- a/rust/operator-binary/src/backend/kerberos_keytab.rs
+++ b/rust/operator-binary/src/backend/kerberos_keytab.rs
@@ -12,6 +12,7 @@ use tokio::{
 use crate::{
 crd::{Hostname, InvalidKerberosPrincipal, KerberosKeytabBackendAdmin, KerberosPrincipal},
 format::{well_known, SecretData, WellKnownSecretData},
+ utils::Unloggable,
 };
 use super::{
@@ -72,15 +73,17 @@ impl SecretBackendError for Error {
 }
 }
+#[derive(Debug)]
 pub struct KerberosProfile {
 pub realm_name: Hostname,
 pub kdc: Hostname,
 pub admin: KerberosKeytabBackendAdmin,
 }
+#[derive(Debug)]
 pub struct KerberosKeytab {
 profile: KerberosProfile,
- admin_keytab: Vec,
+ admin_keytab: Unloggable>,
 admin_principal: KerberosPrincipal,
 }
@@ -110,7 +113,7 @@ impl KerberosKeytab {
 .0;
 Ok(Self {
 profile,
- admin_keytab,
+ admin_keytab: Unloggable(admin_keytab),
 admin_principal,
 })
 }
diff --git a/rust/operator-binary/src/backend/mod.rs b/rust/operator-binary/src/backend/mod.rs
index b76ea7f4..81363ed5 100644
--- a/rust/operator-binary/src/backend/mod.rs
+++ b/rust/operator-binary/src/backend/mod.rs
@@ -14,7 +14,7 @@ use stackable_operator::{
 k8s_openapi::chrono::{DateTime, FixedOffset},
 time::Duration,
 };
-use std::{collections::HashSet, convert::Infallible};
+use std::{collections::HashSet, convert::Infallible, fmt::Debug};
 pub use k8s_search::K8sSearch;
 pub use kerberos_keytab::KerberosKeytab;
@@ -228,7 +228,7 @@ impl SecretContents {
 /// It gets the pod information as well as volume definition and has to
 /// return any number of files.
 #[async_trait]
-pub trait SecretBackend: Send + Sync {
+pub trait SecretBackend: Debug + Send + Sync {
 type Error: SecretBackendError;
 /// Provision or load secret data from the source.
diff --git a/rust/operator-binary/src/backend/pod_info.rs b/rust/operator-binary/src/backend/pod_info.rs
index cdba2e69..2c741df8 100644
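Review bot: `#[derive(Debug)]` on `KerberosProfile` makes `admin: KerberosKeytabBackendAdmin` part of the `?backend` info event added in csi_server/node.rs, and unlike `admin_keytab` that field is not wrapped in `Unloggable`. The variants of `KerberosKeytabBackendAdmin` are outside this diff; if any of them carries credential material rather than only server addresses and Secret references, wrap that field (or the whole `admin` field) in `Unloggable` too. A comment on the struct, `// Debug output reaches the per-secret info log; keep credential material behind Unloggable`, would make the constraint explicit for whoever adds the next field.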
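Review bot: The new `Debug` supertrait on `SecretBackend` routes every backend's `Debug` output into the `tracing::info!(.., ?backend, ..)` event in csi_server/node.rs, but the trait's doc comment does not state the obligation this places on implementors. Extend the doc comment with a sentence along the lines of `/// Implementations must be safe to log: Debug output is emitted at info level for every issued secret, so key, keytab and token material must be wrapped in crate::utils::Unloggable.` Without it, a future backend that derives `Debug` over a raw key field compiles cleanly and the field shows up in the log on the first issuance.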
--- a/rust/operator-binary/src/backend/pod_info.rs
+++ b/rust/operator-binary/src/backend/pod_info.rs
@@ -101,6 +101,7 @@ pub enum FromPodError {
 }
 /// Validated metadata about a scheduled [`Pod`]
+#[derive(Debug)]
 pub struct PodInfo {
 pub pod_ips: Vec,
 pub service_name: Option,
@@ -187,6 +188,7 @@ impl TryFrom<(AddressType, &str)> for Address {
 }
 /// Validated metadata about a pod that may or may not be scheduled yet.
+#[derive(Debug)]
 pub struct SchedulingPodInfo {
 pub namespace: String,
 pub pod_name: String,
diff --git a/rust/operator-binary/src/backend/tls/ca.rs b/rust/operator-binary/src/backend/tls/ca.rs
index 40c1c2b4..425622ff 100644
--- a/rust/operator-binary/src/backend/tls/ca.rs
+++ b/rust/operator-binary/src/backend/tls/ca.rs
@@ -34,7 +34,7 @@ use tracing::{info, info_span, warn};
 use crate::{
 backend::SecretBackendError,
- utils::{asn1time_to_offsetdatetime, Asn1TimeParseError},
+ utils::{asn1time_to_offsetdatetime, Asn1TimeParseError, Unloggable},
 };
 /// v1 format: support a single cert/pkey pair
@@ -156,9 +156,10 @@ pub struct Config {
 }
 /// A single certificate authority certificate.
+#[derive(Debug)]
 pub struct CertificateAuthority {
 pub certificate: X509,
- pub private_key: PKey,
+ pub private_key: Unloggable>,
 not_after: OffsetDateTime,
 }
@@ -227,7 +228,7 @@ impl CertificateAuthority {
 .context(BuildCertificateSnafu)?
 .build();
 Ok(Self {
- private_key,
+ private_key: Unloggable(private_key),
 certificate,
 not_after,
 })
@@ -274,12 +275,13 @@ impl CertificateAuthority {
 }
 })?,
 certificate,
- private_key,
+ private_key: Unloggable(private_key),
 })
 }
 }
 /// Manages multiple [`CertificateAuthorities`](`CertificateAuthority`), rotating them as needed.
+#[derive(Debug)]
 pub struct Manager {
 certificate_authorities: Vec,
 }
diff --git a/rust/operator-binary/src/backend/tls/mod.rs b/rust/operator-binary/src/backend/tls/mod.rs
index 8e2f1b07..3081919b 100644
--- a/rust/operator-binary/src/backend/tls/mod.rs
+++ b/rust/operator-binary/src/backend/tls/mod.rs
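Review bot: `#[derive(Debug)]` on `CertificateAuthority` (and on `Manager` in the `@@ -274` hunk) means the `?backend` event for `TlsGenerate` prints the `Debug` form of every CA's `certificate: X509` on each issuance; as far as I recall the openssl `X509` Debug impl is a multi-field dump (serial, issuer, subject, validity, public key), so a single info event can grow by several hundred bytes per CA. The private key is correctly hidden by `Unloggable`, so this is a volume and readability concern rather than a leak. If that matters for the log pipeline, replace the derive on `CertificateAuthority` with a manual `Debug` impl that prints only the certificate's subject and `not_after`, and keep the derive on `Manager`.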
@@ -128,6 +128,7 @@ impl SecretBackendError for Error {
 }
 }
+#[derive(Debug)]
 pub struct TlsGenerate {
 ca_manager: ca::Manager,
 max_cert_lifetime: Duration,
diff --git a/rust/operator-binary/src/csi_server/node.rs b/rust/operator-binary/src/csi_server/node.rs
index 41124994..1aa8a758 100644
--- a/rust/operator-binary/src/csi_server/node.rs
+++ b/rust/operator-binary/src/csi_server/node.rs
@@ -10,6 +10,7 @@ use snafu::{ResultExt, Snafu};
 use stackable_operator::{
 builder::meta::ObjectMetaBuilder,
 k8s_openapi::api::core::v1::Pod,
+ kube::runtime::reflector::ObjectRef,
 kvp::{AnnotationError, Annotations},
 };
 use sys_mount::{unmount, Mount, MountFlags, UnmountFlags};
@@ -371,6 +372,8 @@ impl Node for SecretProvisionerNode {
 let backend = backend::dynamic::from_selector(&self.client, &selector)
 .await
 .context(publish_error::InitBackendSnafu)?;
+ let pod_ref = ObjectRef::::new(&selector.pod).within(&selector.namespace);
+ tracing::info!(pod = %pod_ref, ?selector, ?pod_info, ?backend, "issuing secret for Pod");
 let data = backend
 .get_secret_data(&selector, pod_info)
 .await
diff --git a/rust/operator-binary/src/utils.rs b/rust/operator-binary/src/utils.rs
index e5445b62..49de5469 100644
--- a/rust/operator-binary/src/utils.rs
+++ b/rust/operator-binary/src/utils.rs
@@ -1,4 +1,9 @@
-use std::{fmt::LowerHex, os::unix::prelude::AsRawFd, path::Path};
+use std::{
+ fmt::{Debug, LowerHex},
+ ops::{Deref, DerefMut},
+ os::unix::prelude::AsRawFd,
+ path::Path,
+};
 use futures::{pin_mut, Stream, StreamExt};
 use openssl::asn1::{Asn1Time, Asn1TimeRef, TimeDiff};
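Review bot: The new `tracing::info!` relies on every `Debug` impl reachable through `?backend`, `?selector` and `?pod_info` containing no secret material, and nothing at the call site records that assumption for the next person who adds a field. Add above the `let pod_ref` line: `// Logging `backend` is safe only because backends wrap key/keytab material in utils::Unloggable.` `SecretVolumeSelector` is not touched by this commit and `PodInfo` only gains a derive, so I assume they hold pod and volume metadata only; worth confirming, since this event fires for every NodePublishVolume. The enclosing method starts and ends outside the hunk.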
@@ -173,6 +178,30 @@ pub fn asn1time_to_offsetdatetime(asn: &Asn1TimeRef) -> Result(pub T);
+
+impl Debug for Unloggable {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ f.write_str("")
+ }
+}
+
+impl Deref for Unloggable {
+ type Target = T;
+
+ fn deref(&self) -> &Self::Target {
+ &self.0
+ }
+}
+
+impl DerefMut for Unloggable {
+ fn deref_mut(&mut self) -> &mut Self::Target {
+ &mut self.0
+ }
+}
+
 #[cfg(test)]
 mod tests {
 use futures::StreamExt;
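Review bot: `Unloggable`'s `Debug` impl writes a fixed placeholder with `f.write_str`, so a log line gives no hint of which type produced it; `f.debug_struct("Unloggable").finish_non_exhaustive()` prints `Unloggable { .. }`, which is self-describing and still reveals nothing about `T`. Since this impl is the only thing keeping keytabs and private keys out of the new info event, it deserves a regression test in the `tests` module that follows, e.g. `assert!(!format!("{:?}", Unloggable("hunter2")).contains("hunter2"));`. `Deref`/`DerefMut` and the `pub` field still let a caller reach the inner value, so `?*wrapped` or `?wrapped.0` would log it; if the struct's doc comment does not already say so, state that the wrapper hides the value from `Debug` only, by design, and does not prevent explicit access.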