security: Redact credentials when marshalled to YAML #6186
Change the type of the credentials flags for the BOS client configuration from string to flagext.Secret, which automatically redacts to `********` when marshalled to YAML. Signed-off-by: Christian Haudum <christian.haudum@gmail.com>
cb02927 to 0b86cc9
Signed-off-by: Christian Haudum <christian.haudum@gmail.com>
instead of a package private, similar implementation of a secret type flag. The redacted output of the value changes from `redacted` to `********`. Signed-off-by: Christian Haudum <christian.haudum@gmail.com>
0b86cc9 to f2d5c73
./tools/diff_coverage.sh ../loki-main/test_results.txt test_results.txt ingester,distributor,querier,querier/queryrange,iter,storage,chunkenc,logql,loki

Change in test coverage per package. Green indicates 0 or positive change, red indicates that test coverage for a package fell.

+ ingester 0%
+ distributor 0%
+ querier 0%
+ querier/queryrange 0%
+ iter 0%
+ storage 0%
+ chunkenc 0%
+ logql 0%
+ loki 0%
Signed-off-by: Christian Haudum <christian.haudum@gmail.com>
…ring flag Signed-off-by: Christian Haudum <christian.haudum@gmail.com>
Thanks for fixing this so quickly.
LGTM, one non-blocking nit
Signed-off-by: Christian Haudum <christian.haudum@gmail.com>
👍
What this PR does / why we need it
security: Redact BOS credentials when marshalled to YAML
Change the type of the credentials flags for the BOS client configuration from string to flagext.Secret, which automatically redacts to `********` when marshalled to YAML.
Use flagext.Secret for S3 object client credentials instead of a package private, similar implementation of a secret type flag. The redacted output of the value changes from `redacted` to `********`.
Which issue(s) this PR fixes
Fixes #6184
Special notes for your reviewer
No changelog entry because the BOS storage feature is unreleased.
Checklist
CHANGELOG.md
.docs/sources/upgrading/_index.md
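
The redaction pattern this PR relies on, as an added example that is not part of the PR or of the flagext source: a flag-settable secret type whose `MarshalYAML` hook returns a mask, next to a plain string field that is dumped verbatim. The `Secret` type, `demoConfig`, the `demo.*` flag names and the sample values are constructed for illustration, and `encode` stands in for a YAML encoder such as gopkg.in/yaml.v2 so the block needs only the standard library.

```go
package main

import (
	"flag"
	"fmt"
)

// Secret is an illustrative stand-in, not the flagext.Secret source.
type Secret struct{ Value string }

// String and Set satisfy flag.Value; the real value stays readable in-process.
func (s Secret) String() string      { return s.Value }
func (s *Secret) Set(v string) error { s.Value = v; return nil }

// MarshalYAML is the hook a YAML encoder calls instead of encoding the struct.
func (s Secret) MarshalYAML() (interface{}, error) { return "********", nil }

// demoConfig is constructed for this example; field and flag names are assumptions.
type demoConfig struct {
	AccessKeyID     string // before: plain string, dumped verbatim
	SecretAccessKey Secret // after: secret type, dumped as a mask
}

// encode mimics a YAML encoder's rule: use MarshalYAML when the value provides it.
func encode(v interface{}) interface{} {
	if m, ok := v.(interface{ MarshalYAML() (interface{}, error) }); ok {
		v, _ = m.MarshalYAML()
	}
	return v
}

// loadAndDump parses flags, then returns the dumped config and the in-process secret.
func loadAndDump(args []string) (string, string) {
	var cfg demoConfig
	fs := flag.NewFlagSet("demo", flag.ContinueOnError)
	fs.StringVar(&cfg.AccessKeyID, "demo.access-key-id", "", "access key")
	fs.Var(&cfg.SecretAccessKey, "demo.secret-access-key", "secret key")
	_ = fs.Parse(args) // constructed args; parse errors are ignored in this demo
	out := fmt.Sprintf("access_key_id: %v\nsecret_access_key: %v\n",
		encode(cfg.AccessKeyID), encode(cfg.SecretAccessKey))
	return out, cfg.SecretAccessKey.String()
}

func main() {
	out, _ := loadAndDump([]string{"-demo.access-key-id=AKID-constructed", "-demo.secret-access-key=s3cr3t-constructed"})
	fmt.Print(out)
}
```

Only the field typed as `Secret` is masked in the dump; the plain string field still appears in full, which is the case the type change in this PR addresses for the credentials flags.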