From a499401b345188197ec3b56f823156e66e59fa26 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Tue, 1 Mar 2022 08:34:03 -0500
Subject: [PATCH] csi: fix redaction of `volume status` mount flags (#12150)

The `volume status` command and associated API redacts the entire mount options instead of just the `MountFlags` field that can contain sensitive data. Return a redacted value so that the return value makes sense to operators who have set this field.
---
 .changelog/12150.txt | 3 +++
 command/agent/csi_endpoint.go | 12 +++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 .changelog/12150.txt

diff --git a/.changelog/12150.txt b/.changelog/12150.txt
new file mode 100644
index 000000000..579355b37
--- /dev/null
+++ b/.changelog/12150.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+cli: Return a redacted value for mount flags in the `volume status` command, instead of ``
+```
diff --git a/command/agent/csi_endpoint.go b/command/agent/csi_endpoint.go
index 0a3bd0433..c57c18165 100644
--- a/command/agent/csi_endpoint.go
+++ b/command/agent/csi_endpoint.go
@@ -136,7 +136,6 @@ func (s *HTTPServer) csiVolumeGet(id string, resp http.ResponseWriter, req *http
 // remove sensitive fields, as our redaction mechanism doesn't
 // help serializing here
 vol.Secrets = nil
- vol.MountOptions = nil
 
 return vol, nil
 }
@@ -761,11 +760,14 @@ func structsCSIMountOptionsToApi(opts *structs.CSIMountOptions) *api.CSIMountOpt
 if opts == nil {
 return nil
 }
-
- return &api.CSIMountOptions{
- FSType: opts.FSType,
- MountFlags: opts.MountFlags,
+ apiOpts := &api.CSIMountOptions{
+ FSType: opts.FSType,
 }
+ if len(opts.MountFlags) > 0 {
+ apiOpts.MountFlags = []string{"[REDACTED]"}
+ }
+
+ return apiOpts
 }
 
 func structsCSISecretsToApi(secrets structs.CSISecrets) api.CSISecrets {
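Review bot: In `structsCSIMountOptionsToApi` the redaction is now an undocumented side effect of a helper whose name reads as a plain struct-to-API conversion. Because `csiVolumeGet` (the previous hunk) no longer clears `vol.MountOptions`, keeping mount flags out of the response depends on `vol` having been built through this helper, which neither hunk shows. I would state that contract on the function, e.g. `// structsCSIMountOptionsToApi converts mount options for API responses; MountFlags can contain sensitive data and is always replaced by a placeholder.`, and add a test asserting that the original flag values never appear in the `csiVolumeGet` result. The literal `"[REDACTED]"` would also be better as a named constant that the write path can reject: if `api.CSIMountOptions` is the same type clients submit when registering a volume (not visible here), a read-modify-write client could store the placeholder as a real mount flag.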