From 69528291dade77d88aaa42b9a1bfaaba7cc12a3b Mon Sep 17 00:00:00 2001
From: dervoeti <lukas.krug@stackable.tech>
Date: Mon, 18 May 2026 11:44:12 +0200
Subject: [PATCH 1/2] fix: Redact PKCS#12 keystore password in operator logs

---
 CHANGELOG.md                                  | 5 +++++
 rust/operator-binary/src/format/convert.rs    | 5 ++++-
 rust/operator-binary/src/format/well_known.rs | 7 +++++--
 rust/operator-binary/src/utils.rs             | 7 +++++++
 4 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bf2c12eb..ad70d71c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,7 +13,12 @@ All notable changes to this project will be documented in this file.
 
 - Document Helm deployed RBAC permissions and remove unnecessary permissions ([#693]).
 
+### Fixed
+
+- Redact the user-provided PKCS#12 keystore password in operator logs. ([#706]).
+
 [#693]: https://github.com/stackabletech/secret-operator/pull/693
+[#706]: https://github.com/stackabletech/secret-operator/pull/706
 
 ## [26.3.0] - 2026-03-16
 
diff --git a/rust/operator-binary/src/format/convert.rs b/rust/operator-binary/src/format/convert.rs
index a7d837e6..c36e91f2 100644
--- a/rust/operator-binary/src/format/convert.rs
+++ b/rust/operator-binary/src/format/convert.rs
@@ -22,7 +22,10 @@ pub fn convert(
         (WellKnownSecretData::TlsPem(pem), SecretFormat::TlsPkcs12) => {
             Ok(WellKnownSecretData::TlsPkcs12(convert_tls_to_pkcs12(
                 pem,
-                compat.tls_pkcs12_password.as_deref().unwrap_or_default(),
+                compat
+                    .tls_pkcs12_password
+                    .as_deref()
+                    .map_or("", String::as_str),
             )?))
         }
 
diff --git a/rust/operator-binary/src/format/well_known.rs b/rust/operator-binary/src/format/well_known.rs
index 495b0ea9..4a9da944 100644
--- a/rust/operator-binary/src/format/well_known.rs
+++ b/rust/operator-binary/src/format/well_known.rs
@@ -4,7 +4,10 @@ use stackable_operator::schemars::{self, JsonSchema};
 use strum::EnumDiscriminants;
 
 use super::{ConvertError, SecretFiles, convert};
-use crate::{backend::ProvisionParts, utils::ResultExt};
+use crate::{
+    backend::ProvisionParts,
+    utils::{ResultExt, Unloggable},
+};
 
 const FILE_PEM_CERT_CERT: &str = "tls.crt";
 const FILE_PEM_CERT_KEY: &str = "tls.key";
@@ -168,7 +171,7 @@ pub struct CompatibilityOptions {
         rename = "secrets.stackable.tech/format.compatibility.tls-pkcs12.password",
         default
     )]
-    pub tls_pkcs12_password: Option<String>,
+    pub tls_pkcs12_password: Option<Unloggable<String>>,
 }
 
 /// Options to customize the well-known format file names.
diff --git a/rust/operator-binary/src/utils.rs b/rust/operator-binary/src/utils.rs
index 9821d364..246de7d5 100644
--- a/rust/operator-binary/src/utils.rs
+++ b/rust/operator-binary/src/utils.rs
@@ -179,6 +179,7 @@ pub fn asn1time_to_offsetdatetime(asn: &Asn1TimeRef) -> Result<OffsetDateTime, A
 
 /// Wrapper for (mostly) secret values that should not be logged.
 // When/if migrating to Valuable, provide a dummy implementation of Value too
+#[derive(Default)]
 pub struct Unloggable<T>(pub T);
 
 impl<T> Debug for Unloggable<T> {
@@ -201,6 +202,12 @@ impl<T> DerefMut for Unloggable<T> {
     }
 }
 
+impl<'de, T: serde::Deserialize<'de>> serde::Deserialize<'de> for Unloggable<T> {
+    fn deserialize<D: serde::Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error> {
+        T::deserialize(deserializer).map(Unloggable)
+    }
+}
+
 /// Wrapper type for [`Iterator::collect`] that flattens the incoming [`Iterator`].
 ///
 /// This isn't super useful for "regular" collects (just call [`Iterator::flatten`]!),

From c8b33d52e9b3f17eb181c14dbeb91d85397e3977 Mon Sep 17 00:00:00 2001
From: dervoeti <lukas.krug@stackable.tech>
Date: Mon, 18 May 2026 12:39:58 +0200
Subject: [PATCH 2/2] review: Bounded Default impl + simplified call site

---
 rust/operator-binary/src/format/convert.rs |  5 +----
 rust/operator-binary/src/utils.rs          | 10 +++++++++-
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/rust/operator-binary/src/format/convert.rs b/rust/operator-binary/src/format/convert.rs
index c36e91f2..37f65757 100644
--- a/rust/operator-binary/src/format/convert.rs
+++ b/rust/operator-binary/src/format/convert.rs
@@ -22,10 +22,7 @@ pub fn convert(
         (WellKnownSecretData::TlsPem(pem), SecretFormat::TlsPkcs12) => {
             Ok(WellKnownSecretData::TlsPkcs12(convert_tls_to_pkcs12(
                 pem,
-                compat
-                    .tls_pkcs12_password
-                    .as_deref()
-                    .map_or("", String::as_str),
+                &compat.tls_pkcs12_password.unwrap_or_default(),
             )?))
         }
 
diff --git a/rust/operator-binary/src/utils.rs b/rust/operator-binary/src/utils.rs
index 246de7d5..637377be 100644
--- a/rust/operator-binary/src/utils.rs
+++ b/rust/operator-binary/src/utils.rs
@@ -179,9 +179,17 @@ pub fn asn1time_to_offsetdatetime(asn: &Asn1TimeRef) -> Result<OffsetDateTime, A
 
 /// Wrapper for (mostly) secret values that should not be logged.
 // When/if migrating to Valuable, provide a dummy implementation of Value too
-#[derive(Default)]
 pub struct Unloggable<T>(pub T);
 
+impl<T> Default for Unloggable<T>
+where
+    T: Default,
+{
+    fn default() -> Self {
+        Self(T::default())
+    }
+}
+
 impl<T> Debug for Unloggable<T> {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         f.write_str("<redacted>")