
secrets data leaked in to logs. #250

Open
mad01 opened this issue May 21, 2024 · 2 comments
Labels
bug Something isn't working

Comments


mad01 commented May 21, 2024

What happened?

When creating a secret, the data for the secret will be leaked in the debug-level logs. (The log output is dummy data, so no worries that it's in the issue.) (I have made the secret bold so it's easier to see.)

```
2024-05-21T15:28:05.996+0200 DEBUG provider-kubernetes Observing {"resource": {"kind":"Object","apiVersion":"kubernetes.crossplane.io/v1alpha2","metadata":{"name":"secretpatch","uid":"d4213d87-a666-4287-994f-f75199cf7135","resourceVersion":"1161","generation":3,"creationTimestamp":"2024-05-21T13:28:04Z","annotations":{"crossplane.io/external-create-pending":"2024-05-21T15:28:04+02:00","crossplane.io/external-create-succeeded":"2024-05-21T15:28:04+02:00","crossplane.io/external-name":"secretpatch","kubectl.kubernetes.io/last-applied-configuration":"{"apiVersion":"kubernetes.crossplane.io/v1alpha2","kind":"Object","metadata":{"annotations":{},"name":"secretpatch"},"spec":{"forProvider":{"manifest":{"apiVersion":"v1","data":{},"kind":"Secret","metadata":{"namespace":"default"}}},"providerConfigRef":{"name":"kubernetes-provider"},"references":[{"patchesFrom":{"apiVersion":"v1","fieldPath":"data.sensitive","kind":"Secret","name":"secretpatch","namespace":"crossplane-system"},"toFieldPath":"data.key-from-secret"}]}}\n"},"finalizers":["finalizer.managedresource.crossplane.io"],"managedFields":[{"manager":"kubectl-client-side-apply","operation":"Update","apiVersion":"kubernetes.crossplane.io/v1alpha2","time":"2024-05-21T13:28:04Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:spec":{".":{},"f:deletionPolicy":{},"f:forProvider":{".":{},"f:manifest":{".":{},"f:apiVersion":{},"f:data":{},"f:kind":{},"f:metadata":{".":{},"f:namespace":{}}}},"f:managementPolicies":{},"f:providerConfigRef":{".":{},"f:name":{}},"f:references":{},"f:watch":{}}}},{"manager":"main","operation":"Update","apiVersion":"kubernetes.crossplane.io/v1alpha2","time":"2024-05-21T13:28:04Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{"f:crossplane.io/external-create-pending":{},"f:crossplane.io/external-create-succeeded":{},"f:crossplane.io/external-name":{}},"f:finalizers":{".":{},"v:"finalizer.managedresource.crossplane.io"":{}}},"f:spec":{"f:forProvider":{"f:manifest":{"f:data":{"f:key-from-secret":{}}}},"f:readiness":{".":{},"f:policy":{}}}}},{"manager":"main","operation":"Update","apiVersion":"kubernetes.crossplane.io/v1alpha2","time":"2024-05-21T13:28:05Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:atProvider":{".":{},"f:manifest":{".":{},"f:apiVersion":{},"f:data":{".":{},"f:redacted":{}},"f:kind":{},"f:metadata":{".":{},"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}},"f:creationTimestamp":{},"f:managedFields":{},"f:name":{},"f:namespace":{},"f:resourceVersion":{},"f:uid":{}},"f:type":{}}},"f:conditions":{".":{},"k:{"type":"Ready"}":{".":{},"f:lastTransitionTime":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{"type":"Synced"}":{".":{},"f:lastTransitionTime":{},"f:reason":{},"f:status":{},"f:type":{}}}}},"subresource":"status"}]},"spec":{"providerConfigRef":{"name":"kubernetes-provider"},"managementPolicies":["*"],"deletionPolicy":"Delete","forProvider":{"manifest":{"apiVersion":"v1","data":{"key-from-secret":"cGFzc3dvcmQ="},"kind":"Secret","metadata":{"namespace":"default"}}},"references":[{"patchesFrom":{"apiVersion":"v1","kind":"Secret","name":"secretpatch","namespace":"crossplane-system","fieldPath":"data.sensitive"},"toFieldPath":"data.key-from-secret"}],"readiness":{"policy":"SuccessfulCreate"}},"status":{"conditions":[{"type":"Ready","status":"True","lastTransitionTime":"2024-05-21T13:28:05Z","reason":"Available"},{"type":"Synced","status":"True","lastTransitionTime":"2024-05-21T13:28:04Z","reason":"ReconcileSuccess"}],"atProvider":{"manifest":{"apiVersion":"v1","data":{"redacted":null},"kind":"Secret","metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{"apiVersion":"v1","data":{"key-from-secret":"cGFzc3dvcmQ="},"kind":"Secret","metadata":{"namespace":"default"}}"},"creationTimestamp":"2024-05-21T13:28:04Z","managedFields":[{"apiVersion":"v1","fieldsType":"FieldsV1","fieldsV1":{"f:data":{".":{},"f:key-from-secret":{}},"f:metadata":{"f:annotations":{".":{},"f:kubectl.kubernetes.io/last-applied-configuration":{}}},"f:type":{}},"manager":"main","operation":"Update","time":"2024-05-21T13:28:04Z"}],"name":"secretpatch","namespace":"default","resourceVersion":"1157","uid":"fbc2356a-4b4b-4baf-a3e4-8dec5ffa0cf3"},"type":"Opaque"}}}}}
```

How can we reproduce it?

  1. Start by starting the controller with `--debug`.
  2. Create the following resources:

```yaml
---
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: secretpatch
spec:
  references:
  - patchesFrom:
      apiVersion: v1
      kind: Secret
      name: secretpatch
      namespace: crossplane-system
      fieldPath: data.sensitive
    toFieldPath: data.key-from-secret
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        namespace: default
      data: {}
  providerConfigRef:
    name: kubernetes-provider
---
apiVersion: v1
kind: Secret
metadata:
  name: secretpatch
  namespace: crossplane-system
type: Opaque
data:
  sensitive: cGFzc3dvcmQ=
```

  3. When looking at the console/terminal where stdout is written for the controller, we can see that the base64 secret is in the logs. The example in the above step is used to get the logs that are in this issue.
@mad01 mad01 added the bug Something isn't working label May 21, 2024
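The log line in the report already blanks `status.atProvider.manifest.data` (it shows `{"redacted":null}`) but still carries the value in `spec.forProvider.manifest.data` and inside the observed Secret's `kubectl.kubernetes.io/last-applied-configuration` annotation. The sanitizer below is an added illustration of redacting all three places before a resource is logged; it is not provider-kubernetes code, and `Redact`, `RedactLogPayload` and the trimmed sample payload are constructed for this example.

```go
package main

import "encoding/json"

// kubectl stores a JSON copy of the applied object in this annotation, so a Secret value can survive there.
const lastApplied = "kubectl.kubernetes.io/last-applied-configuration"

// Redact walks a decoded JSON/YAML value in place: "data" and "stringData" entries of any map with
// kind Secret are blanked, and the last-applied annotation is decoded, redacted recursively and re-encoded.
func Redact(v any) any {
	switch t := v.(type) {
	case map[string]any:
		if kind, _ := t["kind"].(string); kind == "Secret" {
			for _, f := range []string{"data", "stringData"} {
				d, _ := t[f].(map[string]any)
				for k := range d { // ranging over a nil map is a no-op
					d[k] = "[REDACTED]"
				}
			}
		}
		for k, child := range t {
			var inner any
			if s, ok := child.(string); ok && k == lastApplied && json.Unmarshal([]byte(s), &inner) == nil {
				b, _ := json.Marshal(Redact(inner)) // inner was produced by Unmarshal, so this cannot fail
				child = string(b)
			}
			t[k] = Redact(child)
		}
	case []any:
		for i := range t {
			t[i] = Redact(t[i])
		}
	}
	return v
}

// RedactLogPayload redacts the JSON payload of a structured log line before it is emitted.
func RedactLogPayload(payload string) (string, error) {
	var v any
	if err := json.Unmarshal([]byte(payload), &v); err != nil {
		return "", err
	}
	out, err := json.Marshal(Redact(v))
	return string(out), err
}

// sampleLog is a constructed, trimmed copy of the report's Observing payload (spec manifest + observed Secret annotation).
const sampleLog = `{"resource":{"kind":"Object","spec":{"forProvider":{"manifest":{"kind":"Secret","data":{"key-from-secret":"cGFzc3dvcmQ="}}}},` +
	`"status":{"atProvider":{"manifest":{"kind":"Secret","data":{"redacted":null},"metadata":{"annotations":{` +
	`"kubectl.kubernetes.io/last-applied-configuration":"{\"data\":{\"key-from-secret\":\"cGFzc3dvcmQ=\"},\"kind\":\"Secret\"}"}}}}}}}`
```

Running `RedactLogPayload(sampleLog)` yields a payload in which `cGFzc3dvcmQ=` no longer appears anywhere, including inside the re-encoded annotation string.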

grafanalf commented Oct 21, 2024

Are you running the provider with debugging enabled?

It seems to me that you are. And if debugging is disabled, what happens?


mad01 commented Oct 23, 2024

This is too long ago for me to remember these details.
