Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

redact secret_paths from elastic-agent inspect output #5621

Merged
merged 10 commits into from
Oct 7, 2024
Merged

redact secret_paths from elastic-agent inspect output #5621

merged 10 commits into from
Oct 7, 2024

Conversation

michel-laterman
Copy link
Contributor

@michel-laterman michel-laterman commented Sep 27, 2024
edited
Loading

What does this PR do?

redact secret_paths from elastic-agent inspect output.
elastic-agent inspect will now redact the value for any key in the secret_paths array.
secret_paths is expected to be part of the policy.

Why is it important?

displaying secrets is to be avoided

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

Disruptive User Impact

Output of elastic-agent inspect will change. Any workflow that uses this command to extract secret values will be broken.

@michel-laterman michel-laterman added enhancement New feature or request Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels Sep 27, 2024
@michel-laterman michel-laterman requested a review from a team as a code owner September 27, 2024 16:24
@elasticmachine
Copy link
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@mergify Mergify
Copy link
Contributor

mergify bot commented Sep 27, 2024

This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

@mergify Mergify
Copy link
Contributor

mergify bot commented Sep 27, 2024

backport-v8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Sep 27, 2024
@michel-laterman michel-laterman mentioned this pull request Sep 27, 2024
Merged
4 tasks
@michel-laterman michel-laterman force-pushed the inspect-redact-secret_paths branch from 7ea1e70 to ea7eead Compare September 27, 2024 19:14
@ycombinator
Copy link
Contributor

ycombinator commented Sep 27, 2024
edited
Loading

@lucabelluccini Heads up for Support on the disruptive user impact due to this change.

@ycombinator ycombinator force-pushed the inspect-redact-secret_paths branch from ea7eead to 4397d53 Compare October 1, 2024 00:18
@ycombinator ycombinator requested review from andrzej-stencel and pchila and removed request for pkoutsovasilis and pchila October 1, 2024 23:51
blakerouse
blakerouse approved these changes Oct 3, 2024
View reviewed changes
Copy link
Contributor

@blakerouse blakerouse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good and has good test coverage.

@rowlandgeoff
Copy link
Contributor

Rerunning the failed Sonar steps in the PR got this unblocked

@michel-laterman
Copy link
Contributor Author

Looks like an integration test is failing:

>>> (linux-amd64-ubuntu-2404-container) Test output (sudo) (stdout): container_cmd_test.go:261:
--
  | >>> (linux-amd64-ubuntu-2404-container) Test output (sudo) (stdout): Error Trace:	/home/ubuntu/agent/testing/integration/container_cmd_test.go:261
  | >>> (linux-amd64-ubuntu-2404-container) Test output (sudo) (stdout): Error:      	Condition never satisfied
  | >>> (linux-amd64-ubuntu-2404-container) Test output (sudo) (stdout): Test:       	TestContainerCMDWithAVeryLongStatePath/small_path
  | >>> (linux-amd64-ubuntu-2404-container) Test output (sudo) (stdout): Messages:   	Elastic-Agent did not report healthy. Agent status error: "<nil>", Agent logs
  | >>> (linux-amd64-ubuntu-2404-container) Test output (sudo) (stdout): agent container initialisation - chown paths
  | >>> (linux-amd64-ubuntu-2404-container) Test output (sudo) (stdout): Warning: failed to walk path /tmp/foo/bar: lstat /tmp/foo/bar: no such file or directory

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
87.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@michel-laterman michel-laterman merged commit d7546dd into elastic:main Oct 7, 2024
14 checks passed
@michel-laterman michel-laterman deleted the inspect-redact-secret_paths branch October 7, 2024 15:54
mergify bot pushed a commit that referenced this pull request Oct 7, 2024
@michel-laterman @mergify
redact secret_paths from elastic-agent inspect output (#5621)
277c381 
redact secret_paths from elastic-agent inspect output.
elastic-agent inspect will now redact the value for any key in the secret_paths array.
secret_paths is expected to be part of the policy.

(cherry picked from commit d7546dd)
@mergify mergify bot mentioned this pull request Oct 7, 2024
Merged
4 tasks
@michel-laterman michel-laterman added backport-8.15 Automated backport to the 8.15 branch with mergify and removed backport-8.15 Automated backport to the 8.15 branch with mergify labels Oct 7, 2024
michel-laterman added a commit that referenced this pull request Oct 7, 2024
@mergify @michel-laterman @jlind23
redact secret_paths from elastic-agent inspect output (#5621) (#5721)
f86bda2 
redact secret_paths from elastic-agent inspect output.
elastic-agent inspect will now redact the value for any key in the secret_paths array.
secret_paths is expected to be part of the policy.

(cherry picked from commit d7546dd)

Co-authored-by: Michel Laterman <82832767+michel-laterman@users.noreply.github.com>
Co-authored-by: Julien Lind <julien.lind@elastic.co>
@michel-laterman michel-laterman mentioned this pull request Oct 11, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blakerouse blakerouse blakerouse approved these changes

@andrzej-stencel andrzej-stencel Awaiting requested review from andrzej-stencel

Assignees

@michel-laterman michel-laterman

Labels
backport-8.x Automated backport to the 8.x branch with mergify enhancement New feature or request Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@michel-laterman @elasticmachine @ycombinator @rowlandgeoff @blakerouse