argoproj · anilkumar-pcs · Oct 18, 2022 · Oct 19, 2022 · Oct 19, 2022 · Oct 19, 2022
diff --git a/test/e2e/argo_server_test.go b/test/e2e/argo_server_test.go
@@ -1975,3 +1975,52 @@ func (s *ArgoServerSuite) TestRateLimitHeader() {
 func TestArgoServerSuite(t *testing.T) {
  suite.Run(t, new(ArgoServerSuite))
 }
+
+func (s *ArgoServerSuite) TestWorkflowLogRedaction() {
+ nsName := fixtures.Namespace
+ // create secret if not present
+ secretName := "test-secret"
+ secretData := map[string][]byte{
+ "testpassword": []byte("S00perS3cretPa55word"),
+ }
+ secret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: secretName}, Data: secretData}
+ ctx := context.Background()
+ s.Run("CreateSecret", func() {
+ _, e := s.KubeClient.CoreV1().Secrets(nsName).Create(ctx, secret, metav1.CreateOptions{})
+ assert.NoError(s.T(), e)
+ })
+ defer func() {
+ // Clean up created secret
+ _ = s.KubeClient.CoreV1().Secrets(nsName).Delete(ctx, secretName, metav1.DeleteOptions{})
+ }()
+
+ var name string
+ s.Given().
+ Workflow("@smoke/workflow-with-secrets.yaml").
+ When().
+ SubmitWorkflow().
+ WaitForWorkflow(fixtures.ToStart).
+ Then().
+ ExpectWorkflow(func(t *testing.T, metadata *metav1.ObjectMeta, status *wfv1.WorkflowStatus) {
+ name = metadata.Name
+ })
+
+ // lets check the logs
+ for _, tt := range []struct {
+ name string
+ path string
+ }{
+ {"PodLogs", "/" + name + "/log?logOptions.container=main"},
+ {"WorkflowLogs", "/log?podName=" + name + "&logOptions.container=main"},
+ } {
+ s.Run(tt.name, func() {
+ s.stream("/api/v1/workflows/argo/"+name+tt.path, func(t *testing.T, line string) (done bool) {
+ if strings.Contains(line, "data: ") {
+ assert.Contains(t, line, "secret from env: [*********]")
+ return true
+ }
+ return false
+ })
+ })
+ }
+}
diff --git a/test/e2e/smoke/workflow-with-secrets.yaml b/test/e2e/smoke/workflow-with-secrets.yaml
@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+ generateName: secrets-
+spec:
+ entrypoint: print-secret
+ templates:
+ - name: print-secret
+ container:
+ image: argoproj/argosay:v2
+ args: [echo, "secret from env: $MYSECRETPASSWORD"]
+ env:
+ - name: MYSECRETPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: test-secret
+ key: testpassword
diff --git a/util/logs/workflow-logger.go b/util/logs/workflow-logger.go
@@ -80,6 +80,12 @@ func WorkflowLogs(ctx context.Context, wfClient versioned.Interface, kubeClient
 
  var podListOptions metav1.ListOptions
 
+ // get secrets for redaction
+ secrets, err := kubeClient.CoreV1().Secrets(req.GetNamespace()).List(ctx, metav1.ListOptions{})
+ if err != nil {
+ logCtx.WithField("err", err).Debugln("error in listing secrets")
+ }
+
  // we add selector if cli specify the pod selector when using logs
  if req.GetSelector() != "" {
  podListOptions = metav1.ListOptions{LabelSelector: common.LabelKeyWorkflow + "=" + req.GetName() + "," + req.GetSelector()}
@@ -165,6 +171,17 @@ func WorkflowLogs(ctx context.Context, wfClient versioned.Interface, kubeClient
  }
  if rx.MatchString(content) { // this means we filter the lines in the server, but will still incur the cost of retrieving them from Kubernetes
  logCtx.WithFields(log.Fields{"timestamp": timestamp, "content": content}).Debug("Log line")
+
+ // log redaction for secrets
+ if secrets != nil {
+ for _, s := range secrets.Items {
+ for _, v := range s.Data {
+ if strings.Contains(content, string(v)) {
+ content = strings.Replace(content, string(v), "[*********]", -1)
+ }
+ }
+ }
+ }
  unsortedEntries <- logEntry{podName: podName, content: content, timestamp: timestamp}
  }
  }