
fix: redact pkcs12 password in logs#706

Merged
dervoeti merged 2 commits into main from fix/redact-pkcs12-password-in-logs on May 18, 2026

Conversation

@dervoeti
Member

Description

The CSI node_publish_volume handler logs the full SecretVolumeSelector in the issuing secret for Pod INFO event. CompatibilityOptions derived Debug, so the user-provided PKCS#12 keystore password (from the secrets.stackable.tech/format.compatibility.tls-pkcs12.password volume attribute) was written to operator stdout in cleartext on every successful mount.

tls_pkcs12_password is now wrapped with the existing Unloggable<T> wrapper.

Reproduction

Mount a tls-pkcs12 volume with the password annotation:

volumeClaimTemplate:
  metadata:
    annotations:
      secrets.stackable.tech/class: <class>
      secrets.stackable.tech/scope: pod
      secrets.stackable.tech/format: tls-pkcs12
      secrets.stackable.tech/format.compatibility.tls-pkcs12.password: "SUPERSECRET"

Before:

INFO ... issuing secret for Pod ... selector=SecretVolumeSelector { ... compat: CompatibilityOptions { tls_pkcs12_password: Some("SUPERSECRET") } ... }

After:

INFO ... issuing secret for Pod ... selector=SecretVolumeSelector { ... compat: CompatibilityOptions { tls_pkcs12_password: Some(<redacted>) } ... }

Definition of Done Checklist

  • Not all of these items are applicable to all PRs; the author should update this template to leave in only the boxes that are relevant
  • Please make sure all these things are done and tick the boxes

Author

  • Changes are OpenShift compatible
  • CRD changes approved
  • CRD documentation for all fields, following the style guide.
  • Helm chart can be installed and the deployed operator works
  • Integration tests passed (for non-trivial changes)
  • Changes need to be "offline" compatible
  • Links to generated (nightly) docs added
  • Release note snippet added

Reviewer

  • Code contains useful comments
  • Code contains useful logging statements
  • (Integration-)Test cases added
  • Documentation added or updated. Follows the style guide.
  • Changelog updated
  • Cargo.toml only contains references to git tags (not specific commits or branches)

Acceptance

  • Feature Tracker has been updated
  • Proper release label has been added
  • Links to generated (nightly) docs added
  • Release note snippet added
  • Add type/deprecation label & add to the deprecation schedule
  • Add type/experimental label & add to the experimental features tracker
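The redaction technique the description relies on, as an added example rather than the secret-operator's own code: a newtype whose Debug impl never formats the wrapped value, so a struct that derives Debug and is logged wholesale prints `<redacted>` in its place. The name Unloggable<T> mirrors the PR; the shape of CompatibilityOptions and the log_line/password_for_keystore helpers are assumed for illustration.

```rust
use std::fmt;
use std::ops::Deref;

/// Wrapper whose Debug output hides the inner value. No `T: Debug` bound is
/// required, so there is no path through this impl that prints the secret,
/// even with the pretty `{:#?}` form.
pub struct Unloggable<T>(pub T);

impl<T> fmt::Debug for Unloggable<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("<redacted>")
    }
}

/// Code that genuinely needs the value reaches it explicitly via Deref;
/// nothing is hidden from the program, only from formatting.
impl<T> Deref for Unloggable<T> {
    type Target = T;
    fn deref(&self) -> &T {
        &self.0
    }
}

/// Assumed shape of the options struct the PR refers to. Deriving Debug here
/// is safe precisely because the password field is wrapped.
#[derive(Debug)]
pub struct CompatibilityOptions {
    pub tls_pkcs12_password: Option<Unloggable<String>>,
}

/// The kind of INFO line the operator emits when it formats the selector with `{:?}`.
pub fn log_line(compat: &CompatibilityOptions) -> String {
    format!("issuing secret for Pod compat={:?}", compat)
}

/// The keystore-building path still gets the real password.
pub fn password_for_keystore(compat: &CompatibilityOptions) -> Option<&str> {
    compat.tls_pkcs12_password.as_deref().map(String::as_str)
}

fn main() {
    // Constructed sample input, matching the reproduction in the description.
    let compat = CompatibilityOptions {
        tls_pkcs12_password: Some(Unloggable("SUPERSECRET".to_string())),
    };
    println!("{}", log_line(&compat));
    println!("keystore gets: {:?}", password_for_keystore(&compat));
}
```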

@dervoeti dervoeti force-pushed the fix/redact-pkcs12-password-in-logs branch from 01f81a6 to ca80f0c May 18, 2026 09:41
@dervoeti dervoeti self-assigned this May 18, 2026
@dervoeti dervoeti force-pushed the fix/redact-pkcs12-password-in-logs branch from ca80f0c to 6952829 May 18, 2026 09:44
@dervoeti dervoeti moved this to Development: Waiting for Review in Stackable Engineering May 18, 2026
@Techassi Techassi self-requested a review May 18, 2026 10:18
@Techassi Techassi moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering May 18, 2026
Member

@Techassi Techassi left a comment


LGTM, nice catch!

One suggestion about Default on Unloggable.

Comment thread rust/operator-binary/src/utils.rs Outdated
Comment thread rust/operator-binary/src/format/convert.rs Outdated
@dervoeti dervoeti added this pull request to the merge queue May 18, 2026
Merged via the queue into main with commit e5b7479 May 18, 2026
12 checks passed
@dervoeti dervoeti deleted the fix/redact-pkcs12-password-in-logs branch May 18, 2026 12:53
@sbernauer sbernauer moved this from Development: In Review to Development: Done in Stackable Engineering May 18, 2026