Skip to content

Redact credentials from endpoint when logging #434

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nickytd merged 4 commits into from
Feb 6, 2026
Merged

Redact credentials from endpoint when logging #434

nickytd merged 4 commits into from
Feb 6, 2026
+10 −2

Conversation

@relusc
Copy link
Contributor

@relusc relusc commented Feb 6, 2026

How to categorize this PR?

/kind enhancement
/area logging

What this PR does / why we need it:

Which issue(s) this PR fixes:
No related issue, small change

Special notes for your reviewer:

After plugin creation and stopping, a success message is logged. This also prints out the configured endpoint. When having credentials in the endpoint URL, they are not redacted. This change replaces possible ...user:password... credentials in the endpoint URL when logging.

Release note:

During plugin creation and stop, redact credentials from configured endpoints when logging success info message.

@relusc relusc requested a review from nickytd as a code owner February 6, 2026 10:58
@gardener-prow gardener-prow bot added kind/enhancement Enhancement, improvement, extension area/logging Logging related labels Feb 6, 2026
@CLAassistant
Copy link

CLAassistant commented Feb 6, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@gardener-prow
Copy link

gardener-prow bot commented Feb 6, 2026

Welcome @relusc!

It looks like this is your first PR to gardener/logging 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if gardener/logging has its own contribution guidelines.

Thank you, and welcome to Gardener. 😃

@gardener-prow gardener-prow bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. labels Feb 6, 2026
nickytd
nickytd requested changes Feb 6, 2026
View reviewed changes
pkg/config/config_test.go Outdated
Expect(cfg).ToNot(BeNil())

// Verify credentials were redacted
Expect(cfg.OTLPConfig.Endpoint).To(Equal("https://xxxxx@otel-collector.example.com:4317"))
Copy link
Collaborator

@nickytd nickytd Feb 6, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here the test wrongly checks the configuration value, where the intent is to return an obscured value from GetEndPoint() functions of the clients, which per se shall not be the case.

pkg/client/otlp_httpclient.go
}

// GetEndPoint returns the configured endpoint
func (c *OTLPHTTPClient) GetEndPoint() string {
Copy link
Collaborator

@nickytd nickytd Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the intent is to print obscured logs, the correct place is where the logs are printed and not to modify the value at the GetEndPoint function.

Copy link
Contributor Author

@relusc relusc Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you are totally right :) Updated

pkg/client/noop_client.go Outdated
// GetEndPoint returns the configured endpoint
func (c *NoopClient) GetEndPoint() string {
return c.endpoint
// Redact possible credentials in endpoint URL
Copy link
Collaborator

@nickytd nickytd Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as otlp_httpclient.go

pkg/client/otlp_grpcclient.go Outdated
// GetEndPoint returns the configured endpoint
func (c *OTLPGRPCClient) GetEndPoint() string {
return c.endpoint
// Redact possible credentials in endpoint URL
Copy link
Collaborator

@nickytd nickytd Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as otlp_httpclient.go

pkg/client/stdout_client.go Outdated
// GetEndPoint returns the configured endpoint
func (c *StdoutClient) GetEndPoint() string {
return c.endpoint
// Redact possible credentials in endpoint URL
Copy link
Collaborator

@nickytd nickytd Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as otlp_httpclient.go

@nickytd
Copy link
Collaborator

nickytd commented Feb 6, 2026

It is not correct to change the GetXXX method to return different than actual value. If the logs are required to be obscured it is better to change where the logs are printed.

@relusc relusc requested a review from nickytd February 6, 2026 15:14
nickytd
nickytd approved these changes Feb 6, 2026
View reviewed changes
Copy link
Collaborator

@nickytd nickytd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Feb 6, 2026
@gardener-prow
Copy link

gardener-prow bot commented Feb 6, 2026

LGTM label has been added.

DetailsGit tree hash: 462139814b79952c0740d545995fa5747c07aab6

@gardener-prow
Copy link

gardener-prow bot commented Feb 6, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nickytd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 6, 2026
@nickytd nickytd merged commit f198000 into gardener:master Feb 6, 2026
19 checks passed
@relusc relusc deleted the redactCredentials branch February 8, 2026 16:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickytd nickytd nickytd approved these changes

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/logging Logging related cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. kind/enhancement Enhancement, improvement, extension lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@relusc @CLAassistant @nickytd