ingress-controller logs admin token in plaint text

[abalage]

Hi,

I have changed the default admin key in apisix and apisix-ingress-controller according to the FAQ.
Checking the logs of the ingress controller it logs the new admin token in plain text.
As container logs are usually collected and shipped to 3rd party systems this effect leaks sensitive data.

Snippet generated by helm template on release 0.11.2.

apiVersion: v1
data:
  config.yaml: |
    # log options
    log_level: "info"
    log_output: "stderr"
    cert_file: "/etc/webhook/certs/cert.pem"
    key_file: "/etc/webhook/certs/key.pem"
    http_listen: ":8080"
    https_listen: ":8443"
    ingress_publish_service:
    enable_profiling: false
    apisix-resource-sync-interval: 300s
    kubernetes:
      kubeconfig: ""
      resync_interval: "6h"
      app_namespaces:
      - "cddmp"
      namespace_selector:
      - ""
      election_id: "ingress-apisix-leader"
      ingress_class: "apisix"
      ingress_version: "networking/v1"
      watch_endpointslices: false
      apisix_route_version: "apisix.apache.org/v2"
      enable_gateway_api: false
    apisix:

      default_cluster_base_url: http://apisix-admin.foobar.svc.cluster.local:9180/apisix/admin

      default_cluster_admin_key: "newsecrettoken"
      default_cluster_name: "default"
kind: ConfigMap
metadata:
  name: apisix-configmap
  namespace: cddmp
  labels:
    helm.sh/chart: ingress-controller-0.10.1
    app.kubernetes.io/name: ingress-controller
    app.kubernetes.io/instance: apisix
    app.kubernetes.io/version: "1.5.0"
    app.kubernetes.io/managed-by: Helm

Snippet from the very beginning of log file.

2022-11-17T18:43:52+08:00	�[34minfo�[0m	ingress/ingress.go:113	apisix ingress controller started
2022-11-17T18:43:52+08:00	�[34minfo�[0m	ingress/ingress.go:115	version:
Version: 1.5.0
Git SHA: no-git-module
Go Version: go1.19.2
Building OS/Arch: linux/amd64
Running OS/Arch: linux/amd64

2022-11-17T18:43:52+08:00	�[34minfo�[0m	ingress/ingress.go:121	use configuration
{
	"cert_file": "/etc/webhook/certs/cert.pem",
	"key_file": "/etc/webhook/certs/key.pem",
	"log_level": "info",
	"log_output": "stderr",
	"http_listen": ":8080",
	"https_listen": ":8443",
	"ingress_publish_service": "",
	"ingress_status_address": [],
	"enable_profiling": false,
	"kubernetes": {
		"kubeconfig": "",
		"resync_interval": "6h0m0s",
		"app_namespaces": [
			"cddmp"
		],
		"namespace_selector": [],
		"election_id": "ingress-apisix-leader",
		"ingress_class": "apisix",
		"ingress_version": "networking/v1",
		"watch_endpoint_slices": false,
		"apisix_route_version": "apisix.apache.org/v2",
		"api_version": "apisix.apache.org/v2",
		"enable_gateway_api": false
	},
	"apisix": {
		"default_cluster_name": "default",
		"default_cluster_base_url": "http://apisix-admin.foobar.svc.cluster.local:9180/apisix/admin",
		"default_cluster_admin_key": "newsecrettoken"
	},
	"apisix-resource-sync-interval": "5m0s"
}

[macmiranda]

You should probably open an issue on https://github.com/apache/apisix-ingress-controller

[abalage]

Thanks for the hint. It makes sense as the logs is created by the ingress controller not by the helm chart.