PT-2448 - Redact pgbouncer secret references in pt-k8s-debug-collector #1110
Open
eslavyansky wants to merge 1 commit into percona:3.x from
Redact pgbouncer secret references in pt-k8s-debug-collector
pt-k8s-debug-collector now strips volumes and volumeMounts entries that reference pgbouncer secrets from exported Kubernetes resources, preventing sensitive pgbouncer data from leaking into the diagnostic archive.
Changes:
dumper/dumper.go - added redactPgbouncerVolumeRefs, redactPodSpec, and hasPgbouncerSecretRef functions that, during generic resource export, remove volume entries referencing pgbouncer secrets (via secret.secretName or projected.sources) from pod and pod template specs, along with the corresponding volumeMounts across all container types.
main_test.go - added integration test TestPgBouncerSecretsNotCollected that verifies the output archive contains no pgbouncer-frontend.ca-roots entries for pgo and pgv2 namespaces.
The contributed code is licensed under GPL v2.0
Contributor Licence Agreement (CLA) is signed
util/update-modules has been run
Documentation updated
Test suite update
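As an added illustration of the behaviour the description above spells out, here is a stand-alone Go program written for this page; it is not the pull request's dumper.go and shares no code with pt-k8s-debug-collector. It treats the resource as a generic JSON map, the way an unstructured export would, drops any volume whose secret.secretName or projected.sources[].secret.name refers to a pgbouncer secret, and then drops the volumeMounts that pointed at those volumes in initContainers, containers and ephemeralContainers, for a Pod's spec and for a workload's spec.template.spec. The matching rule (secret name contains "pgbouncer", compared case-insensitively), the function names and the sample pod are assumptions made for the example; the page does not show the PR's actual rule.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Matching rule assumed by this example (the PR's exact rule is not on the
// page): a secret is a pgbouncer secret if its name contains "pgbouncer".
func isPgbouncerSecretName(name string) bool {
	return strings.Contains(strings.ToLower(name), "pgbouncer")
}

// volumeRefsPgbouncerSecret reports whether one spec.volumes entry references
// a pgbouncer secret via secret.secretName or projected.sources[].secret.name.
// Reading a missing key from a nil map yields the zero value, so absent fields are safe.
func volumeRefsPgbouncerSecret(vol map[string]any) bool {
	sec, _ := vol["secret"].(map[string]any)
	if name, _ := sec["secretName"].(string); isPgbouncerSecretName(name) {
		return true
	}
	proj, _ := vol["projected"].(map[string]any)
	sources, _ := proj["sources"].([]any)
	for _, s := range sources {
		src, _ := s.(map[string]any)
		psec, _ := src["secret"].(map[string]any)
		if name, _ := psec["name"].(string); isPgbouncerSecretName(name) {
			return true
		}
	}
	return false
}

// RedactPodSpec drops volumes referencing pgbouncer secrets from an unstructured
// pod spec plus the mounts pointing at them in every container list; returns removed names.
func RedactPodSpec(spec map[string]any) []string {
	var removedNames []string
	removed := map[string]bool{}
	if vols, ok := spec["volumes"].([]any); ok {
		kept := make([]any, 0, len(vols))
		for _, v := range vols {
			vol, _ := v.(map[string]any)
			if volumeRefsPgbouncerSecret(vol) {
				name, _ := vol["name"].(string)
				removed[name] = true
				removedNames = append(removedNames, name)
				continue
			}
			kept = append(kept, v)
		}
		spec["volumes"] = kept
	}
	for _, key := range []string{"initContainers", "containers", "ephemeralContainers"} {
		ctrs, _ := spec[key].([]any)
		for _, c := range ctrs {
			ctr, _ := c.(map[string]any)
			mounts, ok := ctr["volumeMounts"].([]any)
			if !ok {
				continue
			}
			kept := make([]any, 0, len(mounts))
			for _, m := range mounts {
				mnt, _ := m.(map[string]any)
				if name, _ := mnt["name"].(string); !removed[name] {
					kept = append(kept, m)
				}
			}
			ctr["volumeMounts"] = kept
		}
	}
	return removedNames
}

// RedactResource covers a Pod (spec) and workloads carrying a pod template
// (spec.template.spec), such as Deployments and StatefulSets. A nil spec is a no-op.
func RedactResource(obj map[string]any) []string {
	spec, _ := obj["spec"].(map[string]any)
	removed := RedactPodSpec(spec)
	tmpl, _ := spec["template"].(map[string]any)
	if tspec, ok := tmpl["spec"].(map[string]any); ok {
		removed = append(removed, RedactPodSpec(tspec)...)
	}
	return removed
}

// SamplePodJSON is a constructed pod for demonstration, not real cluster output.
const SamplePodJSON = `{"kind":"Pod","metadata":{"name":"cluster1-instance1-0","namespace":"pgo"},"spec":{
 "volumes":[{"name":"tls","secret":{"secretName":"cluster1-pgbouncer"}},
  {"name":"certs","projected":{"sources":[{"secret":{"name":"cluster1-pgbouncer-frontend-ca"}}]}},
  {"name":"config","configMap":{"name":"cluster1-pgbouncer-config"}}],
 "initContainers":[{"name":"init","volumeMounts":[{"name":"certs","mountPath":"/certs"}]}],
 "containers":[{"name":"db-proxy","volumeMounts":[{"name":"tls","mountPath":"/tls"},{"name":"config","mountPath":"/etc/pgb"}]}]}}`

func main() {
	var obj map[string]any
	if err := json.Unmarshal([]byte(SamplePodJSON), &obj); err != nil {
		panic(err)
	}
	removed := RedactResource(obj)
	out, _ := json.Marshal(obj)
	fmt.Printf("removed volumes %v\n%s\n", removed, out)
}
```

Two design points worth noting when reviewing a change like this. First, a mount is removed only when its volume was removed, so mounts of unrelated volumes survive; the sample keeps the configMap volume whose name also contains "pgbouncer", because the rule targets secrets, not every object with that substring. Second, the check the PR's integration test performs (no pgbouncer-frontend.ca-roots entries in the archive) is the right kind of verification: assert on the exported output rather than on the redaction code, since a volume type the redactor does not know about (or a reference carried outside volumes, for example in an environment variable) would pass a code-level check but still show up in the archive.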