From 54e1239e040008bfb4626c2e7189fdd6e21bc435 Mon Sep 17 00:00:00 2001
From: relusc
Date: Fri, 6 Feb 2026 11:52:13 +0100
Subject: [PATCH 1/4] Redact credentials from endpoint when logging
---
 pkg/client/noop_client.go | 4 +++-
 pkg/client/otlp_grpcclient.go | 4 +++-
 pkg/client/otlp_httpclient.go | 4 +++-
 pkg/client/stdout_client.go | 4 +++-
 pkg/config/config_test.go | 13 +++++++++++++
 5 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/pkg/client/noop_client.go b/pkg/client/noop_client.go
index d3f47228..9b7b50af 100644
--- a/pkg/client/noop_client.go
+++ b/pkg/client/noop_client.go
@@ -7,6 +7,7 @@ package client
 import (
 "context"
 "fmt"
+ "regexp"
 "github.com/go-logr/logr"
@@ -61,5 +62,6 @@ func (c *NoopClient) StopWait() {
 // GetEndPoint returns the configured endpoint
 func (c *NoopClient) GetEndPoint() string {
- return c.endpoint
+ // Redact possible credentials in endpoint URL
+ return regexp.MustCompile(`//.*@`).ReplaceAllString(c.endpoint, "//xxxxx@")
 }
diff --git a/pkg/client/otlp_grpcclient.go b/pkg/client/otlp_grpcclient.go
index 20f7eab4..b02c6961 100644
--- a/pkg/client/otlp_grpcclient.go
+++ b/pkg/client/otlp_grpcclient.go
@@ -7,6 +7,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "regexp"
 "time"
 "github.com/go-logr/logr"
@@ -210,5 +211,6 @@ func (c *OTLPGRPCClient) StopWait() {
 // GetEndPoint returns the configured endpoint
 func (c *OTLPGRPCClient) GetEndPoint() string {
- return c.endpoint
+ // Redact possible credentials in endpoint URL
+ return regexp.MustCompile(`//.*@`).ReplaceAllString(c.endpoint, "//xxxxx@")
 }
diff --git a/pkg/client/otlp_httpclient.go b/pkg/client/otlp_httpclient.go
index 40eb12eb..c3374cf0 100644
--- a/pkg/client/otlp_httpclient.go
+++ b/pkg/client/otlp_httpclient.go
@@ -6,6 +6,7 @@ package client
 import (
 "context"
 "fmt"
+ "regexp"
 "time"
 "github.com/go-logr/logr"
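Review bot: The pattern `//.*@` added to `NoopClient.GetEndPoint` only matches when the endpoint contains `//`, so an endpoint written without a scheme (`user:password@host:4317`, if the configuration accepts that form, which is not visible here) would still be returned and logged with its credentials. The `.*` is also greedy and not limited to the authority part, so an `@` later in the path or query makes it replace the host as well, and the log line loses the part an operator needs. Limiting the match to the userinfo, for example the pattern `(^|//)[^/?#]*@` with the replacement `${1}xxxxx@`, handles both; if endpoints always carry a scheme, parsing with `net/url` and overwriting `u.User` is the sturdier alternative. The same line is added to the `OTLPGRPCClient`, `OTLPHTTPClient` and `StdoutClient` getters in this patch and reappears in `pkg/plugin/logging.go` in patches 2/4 and 3/4.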
@@ -197,5 +198,6 @@ func (c *OTLPHTTPClient) StopWait() {
 // GetEndPoint returns the configured endpoint
 func (c *OTLPHTTPClient) GetEndPoint() string {
- return c.endpoint
+ // Redact possible credentials in endpoint URL
+ return regexp.MustCompile(`//.*@`).ReplaceAllString(c.endpoint, "//xxxxx@")
 }
diff --git a/pkg/client/stdout_client.go b/pkg/client/stdout_client.go
index 17ef643b..062f743a 100644
--- a/pkg/client/stdout_client.go
+++ b/pkg/client/stdout_client.go
@@ -8,6 +8,7 @@ import (
 "encoding/json"
 "fmt"
 "os"
+ "regexp"
 "github.com/go-logr/logr"
@@ -83,5 +84,6 @@ func (c *StdoutClient) StopWait() {
 // GetEndPoint returns the configured endpoint
 func (c *StdoutClient) GetEndPoint() string {
- return c.endpoint
+ // Redact possible credentials in endpoint URL
+ return regexp.MustCompile(`//.*@`).ReplaceAllString(c.endpoint, "//xxxxx@")
 }
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index ad8d87c0..9d568045 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -179,6 +179,19 @@ var _ = Describe("Config", func() {
 Expect(cfg.OTLPConfig.RetryConfig.MaxElapsedTime).To(Equal(2 * time.Minute))
 })
+ It("should redact username and password from endpoint", func() {
+ configMap := map[string]any{
+ "Endpoint": "https://otel-user:password@otel-collector.example.com:4317",
+ }
+
+ cfg, err := config.ParseConfig(configMap)
+ Expect(err).ToNot(HaveOccurred())
+ Expect(cfg).ToNot(BeNil())
+
+ // Verify credentials were redacted
+ Expect(cfg.OTLPConfig.Endpoint).To(Equal("https://xxxxx@otel-collector.example.com:4317"))
+ })
+
 It("should disable retry configuration when RetryEnabled is false", func() {
 configMap := map[string]any{
 "Endpoint": "https://otel-collector.example.com:4317",
From 757d732bed9dadb587cba6127aad4c3f919cb240 Mon Sep 17 00:00:00 2001
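Review bot: The spec added to `pkg/config/config_test.go` asserts on `cfg.OTLPConfig.Endpoint` as returned by `config.ParseConfig`, but the redaction in this patch lives in the clients' `GetEndPoint()` methods and nothing else under `pkg/config` is changed, so the spec does not exercise the new code and, unless `ParseConfig` already rewrites the endpoint elsewhere, would be expected to fail. Calling `GetEndPoint()` on a client built from that endpoint would test the line that was actually added. Cases for an endpoint without credentials and for one with an `@` in the path or query would also pin down what the redaction must leave untouched. The `It` block sits inside a `Describe` that starts and ends outside the hunk.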
From: relusc
Date: Fri, 6 Feb 2026 16:10:54 +0100
Subject: [PATCH 2/4] Redact only when logging
---
 pkg/client/noop_client.go | 4 +---
 pkg/client/otlp_grpcclient.go | 4 +---
 pkg/client/otlp_httpclient.go | 4 +---
 pkg/client/stdout_client.go | 4 +---
 pkg/config/config_test.go | 13 -------------
 pkg/plugin/logging.go | 13 +++++++++++--
 6 files changed, 15 insertions(+), 27 deletions(-)
diff --git a/pkg/client/noop_client.go b/pkg/client/noop_client.go
index 9b7b50af..d3f47228 100644
--- a/pkg/client/noop_client.go
+++ b/pkg/client/noop_client.go
@@ -7,7 +7,6 @@ package client
 import (
 "context"
 "fmt"
- "regexp"
 "github.com/go-logr/logr"
@@ -62,6 +61,5 @@ func (c *NoopClient) StopWait() {
 // GetEndPoint returns the configured endpoint
 func (c *NoopClient) GetEndPoint() string {
- // Redact possible credentials in endpoint URL
- return regexp.MustCompile(`//.*@`).ReplaceAllString(c.endpoint, "//xxxxx@")
+ return c.endpoint
 }
diff --git a/pkg/client/otlp_grpcclient.go b/pkg/client/otlp_grpcclient.go
index b02c6961..20f7eab4 100644
--- a/pkg/client/otlp_grpcclient.go
+++ b/pkg/client/otlp_grpcclient.go
@@ -7,7 +7,6 @@ import (
 "context"
 "errors"
 "fmt"
- "regexp"
 "time"
 "github.com/go-logr/logr"
@@ -211,6 +210,5 @@ func (c *OTLPGRPCClient) StopWait() {
 // GetEndPoint returns the configured endpoint
 func (c *OTLPGRPCClient) GetEndPoint() string {
- // Redact possible credentials in endpoint URL
- return regexp.MustCompile(`//.*@`).ReplaceAllString(c.endpoint, "//xxxxx@")
+ return c.endpoint
 }
diff --git a/pkg/client/otlp_httpclient.go b/pkg/client/otlp_httpclient.go
index c3374cf0..40eb12eb 100644
--- a/pkg/client/otlp_httpclient.go
+++ b/pkg/client/otlp_httpclient.go
@@ -6,7 +6,6 @@ package client
 import (
 "context"
 "fmt"
- "regexp"
 "time"
 "github.com/go-logr/logr"
@@ -198,6 +197,5 @@ func (c *OTLPHTTPClient) StopWait() {
 // GetEndPoint returns the configured endpoint
 func (c *OTLPHTTPClient) GetEndPoint() string {
- // Redact possible credentials in endpoint URL
- return regexp.MustCompile(`//.*@`).ReplaceAllString(c.endpoint, "//xxxxx@")
+ return c.endpoint
 }
diff --git a/pkg/client/stdout_client.go b/pkg/client/stdout_client.go
index 062f743a..17ef643b 100644
--- a/pkg/client/stdout_client.go
+++ b/pkg/client/stdout_client.go
@@ -8,7 +8,6 @@ import (
 "encoding/json"
 "fmt"
 "os"
- "regexp"
 "github.com/go-logr/logr"
@@ -84,6 +83,5 @@ func (c *StdoutClient) StopWait() {
 // GetEndPoint returns the configured endpoint
 func (c *StdoutClient) GetEndPoint() string {
- // Redact possible credentials in endpoint URL
- return regexp.MustCompile(`//.*@`).ReplaceAllString(c.endpoint, "//xxxxx@")
+ return c.endpoint
 }
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 9d568045..ad8d87c0 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
@@ -179,19 +179,6 @@ var _ = Describe("Config", func() {
 Expect(cfg.OTLPConfig.RetryConfig.MaxElapsedTime).To(Equal(2 * time.Minute))
 })
- It("should redact username and password from endpoint", func() {
- configMap := map[string]any{
- "Endpoint": "https://otel-user:password@otel-collector.example.com:4317",
- }
-
- cfg, err := config.ParseConfig(configMap)
- Expect(err).ToNot(HaveOccurred())
- Expect(cfg).ToNot(BeNil())
-
- // Verify credentials were redacted
- Expect(cfg.OTLPConfig.Endpoint).To(Equal("https://xxxxx@otel-collector.example.com:4317"))
- })
-
 It("should disable retry configuration when RetryEnabled is false", func() {
 configMap := map[string]any{
 "Endpoint": "https://otel-collector.example.com:4317",
diff --git a/pkg/plugin/logging.go b/pkg/plugin/logging.go
index 56fdd484..f1424f0d 100644
--- a/pkg/plugin/logging.go
+++ b/pkg/plugin/logging.go
@@ -77,8 +77,12 @@ func NewPlugin(informer cache.SharedIndexInformer, cfg *config.Config, logger lo
 }
 metrics.Clients.WithLabelValues(client.Seed.String()).Inc()
+ // Redact possible credentials from configured endpoint before logging
+ r := regexp.MustCompile(`//.*@`)
+ sanitizedEndpoint := r.ReplaceAllString(l.seedClient.GetEndPoint(), "//xxxxx@")
+
 logger.Info("logging plugin created",
- "seed_client_url", l.seedClient.GetEndPoint(),
+ "seed_client_url", sanitizedEndpoint,
 "seed_queue_name", cfg.OTLPConfig.DQueConfig.DQueName,
 )
@@ -165,8 +169,13 @@ func (l *logging) Close() {
 if l.controller != nil {
 l.controller.Stop()
 }
+
+ // Redact possible credentials from configured endpoint before logging
+ r := regexp.MustCompile(`//.*@`)
+ sanitizedEndpoint := r.ReplaceAllString(l.seedClient.GetEndPoint(), "//xxxxx@")
+
 l.logger.Info("logging plugin stopped",
- "seed_client_url", l.seedClient.GetEndPoint(),
+ "seed_client_url", sanitizedEndpoint,
 "seed_queue_name", l.cfg.OTLPConfig.DQueConfig.DQueName,
 )
 }
From 4ba3a1053021bc7c2e875c8afea4804484cffb20 Mon Sep 17 00:00:00 2001
From: relusc
Date: Fri, 6 Feb 2026 16:14:03 +0100
Subject: [PATCH 3/4] create function for redaction
---
 pkg/plugin/logging.go | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/pkg/plugin/logging.go b/pkg/plugin/logging.go
index f1424f0d..ad5783a9 100644
--- a/pkg/plugin/logging.go
+++ b/pkg/plugin/logging.go
@@ -77,12 +77,8 @@ func NewPlugin(informer cache.SharedIndexInformer, cfg *config.Config, logger lo
 }
 metrics.Clients.WithLabelValues(client.Seed.String()).Inc()
- // Redact possible credentials from configured endpoint before logging
- r := regexp.MustCompile(`//.*@`)
- sanitizedEndpoint := r.ReplaceAllString(l.seedClient.GetEndPoint(), "//xxxxx@")
-
 logger.Info("logging plugin created",
- "seed_client_url", sanitizedEndpoint,
+ "seed_client_url", redactCredentialsFromEndpoint(l.seedClient.GetEndPoint()),
 "seed_queue_name", cfg.OTLPConfig.DQueConfig.DQueName,
 )
@@ -170,12 +166,8 @@ func (l *logging) Close() {
 l.controller.Stop()
 }
- // Redact possible credentials from configured endpoint before logging
- r := regexp.MustCompile(`//.*@`)
- sanitizedEndpoint := r.ReplaceAllString(l.seedClient.GetEndPoint(), "//xxxxx@")
-
 l.logger.Info("logging plugin stopped",
- "seed_client_url", sanitizedEndpoint,
+ "seed_client_url", redactCredentialsFromEndpoint(l.seedClient.GetEndPoint()),
 "seed_queue_name", l.cfg.OTLPConfig.DQueConfig.DQueName,
 )
 }
@@ -197,3 +189,9 @@ func (l *logging) isDynamicHost(dynamicHostName string) bool {
 l.dynamicHostRegexp != nil &&
 l.dynamicHostRegexp.MatchString(dynamicHostName)
 }
+
+// Helper function to redact possible `user:password` credentials from configured endpoint before logging
+func redactCredentialsFromEndpoint(endpoint string) string {
+ r := regexp.MustCompile(`//.*@`)
+ return r.ReplaceAllString(endpoint, "//xxxxx@")
+}
From 26a050ee2cf1a3f87169faf2e6caa5902f16e75f Mon Sep 17 00:00:00 2001
From: Niki Dokovski
Date: Fri, 6 Feb 2026 21:50:00 +0100
Subject: [PATCH 4/4] linter: satisfy nlreturn linter feedback
---
 pkg/plugin/logging.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/plugin/logging.go b/pkg/plugin/logging.go
index ad5783a9..654011c0 100644
--- a/pkg/plugin/logging.go
+++ b/pkg/plugin/logging.go
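Review bot: `redactCredentialsFromEndpoint` in patch 3/4 compiles its pattern with `regexp.MustCompile` on every call; declaring it once at package level, `var endpointCredentialsRe = regexp.MustCompile(...)`, moves the compile (and any panic from a bad pattern) to start-up instead of `NewPlugin` and `Close`. The doc comment would follow Go convention if it started with the function name, e.g. `// redactCredentialsFromEndpoint replaces a user:password part of endpoint with xxxxx so the value can be logged.` Patch 2/4 removed the only spec that touched the redaction, so a small table test for this helper (with credentials, without, and with no scheme) would be worth adding alongside it. The other `seed_client_url` log sites are not visible here; any that still pass `GetEndPoint()` directly would need the same wrapper.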
@@ -193,5 +193,6 @@ func (l *logging) isDynamicHost(dynamicHostName string) bool {
 // Helper function to redact possible `user:password` credentials from configured endpoint before logging
 func redactCredentialsFromEndpoint(endpoint string) string {
 r := regexp.MustCompile(`//.*@`)
+
 return r.ReplaceAllString(endpoint, "//xxxxx@")
 }