diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go
index 728dc0cbbde..b930b887a62 100644
--- a/internal/gatewayapi/runner/runner.go
+++ b/internal/gatewayapi/runner/runner.go
@@ -10,7 +10,6 @@ import (
 
 "k8s.io/apimachinery/pkg/runtime/schema"
 v1 "sigs.k8s.io/gateway-api/apis/v1"
- "sigs.k8s.io/yaml"
 
 "github.com/envoyproxy/gateway/api/v1alpha1"
 "github.com/envoyproxy/gateway/internal/envoygateway/config"
@@ -78,11 +77,6 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
 // Translate to IR
 result := t.Translate(val)
- yamlXdsIR, _ := yaml.Marshal(&result.XdsIR)
- r.Logger.WithValues("output", "xds-ir").Info(string(yamlXdsIR))
- yamlInfraIR, _ := yaml.Marshal(&result.InfraIR)
- r.Logger.WithValues("output", "infra-ir").Info(string(yamlInfraIR))
-
 var curKeys, newKeys []string
 // Get current IR keys
 for key := range r.InfraIR.LoadAll() {
@@ -92,6 +86,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
 // Publish the IRs.
 // Also validate the ir before sending it.
 for key, val := range result.InfraIR {
+ r.Logger.WithValues("infra-ir", key).Info(val.YAMLString())
 if err := val.Validate(); err != nil {
 r.Logger.Error(err, "unable to validate infra ir, skipped sending it")
 errChan <- err
@@ -102,6 +97,7 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
 
 }
 for key, val := range result.XdsIR {
+ r.Logger.WithValues("xds-ir", key).Info(val.YAMLString())
 if err := val.Validate(); err != nil {
 r.Logger.Error(err, "unable to validate xds ir, skipped sending it")
 errChan <- err
diff --git a/internal/ir/infra.go b/internal/ir/infra.go
index dc41bbe7c88..6c552b8ff47 100644
--- a/internal/ir/infra.go
+++ b/internal/ir/infra.go
@@ -13,6 +13,7 @@ import (
 
 "golang.org/x/exp/slices"
 utilerrors "k8s.io/apimachinery/pkg/util/errors"
+ "sigs.k8s.io/yaml"
 
 "github.com/envoyproxy/gateway/api/v1alpha1"
 )
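Review bot: `r.Logger.WithValues("infra-ir", key).Info(val.YAMLString())` (and the matching `xds-ir` line in the hunk at -102) serializes and emits the whole IR at Info level on every translation, which is noisy in production logs and pays for the YAML marshal even when nobody reads it; the removed lines had the same problem, so this is not a regression, but the move is the moment to demote it. If `r.Logger` is a logr.Logger (its `Error(err, msg)` and `WithValues` shape suggests so), `r.Logger.V(1).WithValues("infra-ir", key).Info(val.YAMLString())` keeps the dump behind a verbosity flag. Note also that the Infra IR reaches the log through `Infra.YAMLString` with no `Printable`-style copy in between, unlike the xds IR, so anything sensitive in ProxyInfra would be written as-is — I cannot tell from this hunk whether that type holds any. subscribeAndTranslate starts and ends outside the hunk.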
@@ -28,6 +29,11 @@ type Infra struct {
 Proxy *ProxyInfra `json:"proxy" yaml:"proxy"`
 }
 
+func (i Infra) YAMLString() string {
+ y, _ := yaml.Marshal(&i)
+ return string(y)
+}
+
 // ProxyInfra defines managed proxy infrastructure.
 // +k8s:deepcopy-gen=true
 type ProxyInfra struct {
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index 54283111099..fa03a6aef15 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -13,11 +13,11 @@ import (
 "reflect"
 
 "golang.org/x/exp/slices"
- apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/util/validation"
+ "sigs.k8s.io/yaml"
 
 egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 egv1a1validation "github.com/envoyproxy/gateway/api/v1alpha1/validation"
@@ -57,6 +57,8 @@ var (
 ErrHCHTTPExpectedStatusesInvalid = errors.New("field HTTPHealthChecker.ExpectedStatuses should be specified")
 ErrHealthCheckPayloadInvalid = errors.New("one of Text, Binary fields must be set in payload")
 ErrHTTPStatusInvalid = errors.New("HTTPStatus should be in [200,600)")
+
+ redacted = []byte("[redacted]")
 )
 
 // Xds holds the intermediate representation of a Gateway and is
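Review bot: `Infra.YAMLString` discards the `yaml.Marshal` error, so a marshal failure is logged as an empty string with no hint why; `y, err := yaml.Marshal(&i)` followed by `if err != nil { return "marshal infra ir: " + err.Error() }` keeps the string-returning signature and still surfaces the failure in the log line. It is also an exported method with no doc comment; since it exists to feed a log line, say so and say what it does not do: `// YAMLString renders the Infra IR as YAML for logging. Unlike Xds.YAMLString it performs no redaction.` That asymmetry with `Xds.YAMLString`, which marshals `x.Printable()` rather than the receiver, deserves a deliberate decision: if ProxyInfra can carry credential material (not visible in this hunk), the same Printable pattern belongs here before the method is wired into the runner.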
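Review bot: `redacted` is a mutable package-level `[]byte` that Printable aliases into every PrivateKey, ClientSecret and Users field of the copy it returns, so a write through any of those fields would alter the marker for every later call; the copy is intended only for logging, so today this is a hazard rather than a bug. A doc comment on the variable makes the contract explicit: `// redacted replaces secret material in the copies produced by Printable. It is shared by every redacted field; treat it as read-only.` Turning it into a `const` string converted with `[]byte(...)` at each assignment would remove the aliasing entirely, but xds_test.go references `redacted` directly, so that is a slightly wider change than this commit.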
@@ -155,20 +157,29 @@ func (x Xds) GetUDPListener(name string) *UDPListener {
 return nil
 }
 
+func (x Xds) YAMLString() string {
+ y, _ := yaml.Marshal(x.Printable())
+ return string(y)
+}
+
 // Printable returns a deep copy of the resource that can be safely logged.
 func (x Xds) Printable() *Xds {
 out := x.DeepCopy()
 for _, listener := range out.HTTP {
 // Omit field
- listener.TLS = nil
+ if listener.TLS != nil {
+ for i := range listener.TLS.Certificates {
+ listener.TLS.Certificates[i].PrivateKey = redacted
+ }
+ }
 for _, route := range listener.Routes {
 // Omit field
 if route.OIDC != nil {
- route.OIDC.ClientSecret = []byte{}
+ route.OIDC.ClientSecret = redacted
 }
 if route.BasicAuth != nil {
- route.BasicAuth.Users = []byte{}
+ route.BasicAuth.Users = redacted
 }
 }
 }
diff --git a/internal/ir/xds_test.go b/internal/ir/xds_test.go
index 6145fd1e93a..c2a55a4ea2e 100644
--- a/internal/ir/xds_test.go
+++ b/internal/ir/xds_test.go
@@ -42,6 +42,20 @@ var (
 }}},
 Routes: []*HTTPRoute{&happyHTTPRoute},
 }
+ redactedHappyHTTPSListener = HTTPListener{
+ Name: "happy",
+ Address: "0.0.0.0",
+ Port: 80,
+ Hostnames: []string{"example.com"},
+ TLS: &TLSConfig{
+ Certificates: []TLSCertificate{{
+
+ Name: "happy",
+ ServerCertificate: []byte{1, 2, 3},
+ PrivateKey: redacted,
+ }}},
+ Routes: []*HTTPRoute{&happyHTTPRoute},
+ }
 invalidAddrHTTPListener = HTTPListener{
 Name: "invalid-addr",
 Address: "1.0.0",
@@ -1217,7 +1231,7 @@ func TestPrintable(t *testing.T) {
 HTTP: []*HTTPListener{&happyHTTPSListener},
 },
 want: &Xds{
- HTTP: []*HTTPListener{&happyHTTPListener},
+ HTTP: []*HTTPListener{&redactedHappyHTTPSListener},
 },
 },
 }
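Review bot: The `// Omit field` comment above the new `if listener.TLS != nil` block is now stale — the TLS config is kept and only `PrivateKey` is replaced — so it should read `// Redact private key material; the rest of the TLS config is kept for debugging`, and Printable's doc comment should mention that callers who relied on `TLS == nil` now get a populated TLSConfig with ServerCertificate intact. Printable walks only `out.HTTP`; whether TCP listeners in this IR carry TLS or other secret material is not visible in the hunk, but if they do, `YAMLString` logs them unredacted. `YAMLString` itself drops the `yaml.Marshal` error and is exported without a doc comment; `// YAMLString renders the redacted (Printable) form of the IR as YAML for logging.` covers the latter, while the error could be folded into the returned string as `"marshal xds ir: " + err.Error()` so a failure is visible in the log. Printable's `return out` lies past the end of the hunk.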
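Review bot: The new `redactedHappyHTTPSListener` fixture pins what Printable does to PrivateKey, but nothing exercises `Xds.YAMLString`, which is the method runner.go actually logs; a short test that builds an `Xds{HTTP: []*HTTPListener{&happyHTTPSListener}}`, calls `YAMLString()` and asserts the output contains `[redacted]` and does not contain the fixture's PrivateKey bytes would guard the logging path end to end. The expected value's derivation is also worth a line, e.g. `// Same as happyHTTPSListener, with the private key replaced as Printable does.` above the fixture, so the two stay in sync when the happy fixture changes. The stray blank line between `Certificates: []TLSCertificate{{` and `Name:` is a gofmt-preserved oddity that should go.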