luxolus
/
open-nomad
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

csi: fix redaction of `volume status` mount flags (#12150) 

The `volume status` command and associated API redacts the entire
mount options instead of just the `MountFlags` field that can contain
sensitive data. Return a redacted value so that the return value makes
sense to operators who have set this field.
This commit is contained in:
Tim Gross 2022-03-01 08:34:03 -05:00 committed by GitHub
parent 99d03cdc6c
commit a499401b34
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.changelog/12150.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:improvement
cli: Return a redacted value for mount flags in the `volume status` command, instead of `<none>`
```

12
command/agent/csi_endpoint.go
View File

@ -136,7 +136,6 @@ func (s *HTTPServer) csiVolumeGet(id string, resp http.ResponseWriter, req *http
// remove sensitive fields, as our redaction mechanism doesn't // remove sensitive fields, as our redaction mechanism doesn't
// help serializing here // help serializing here
vol.Secrets = nil vol.Secrets = nil
vol.MountOptions = nil
return vol, nil return vol, nil
} }
@ -761,11 +760,14 @@ func structsCSIMountOptionsToApi(opts *structs.CSIMountOptions) *api.CSIMountOpt
if opts == nil { if opts == nil {
return nil return nil
} }
apiOpts := &api.CSIMountOptions{
return &api.CSIMountOptions{ FSType: opts.FSType,
FSType: opts.FSType,
MountFlags: opts.MountFlags,
} }
if len(opts.MountFlags) > 0 {
apiOpts.MountFlags = []string{"[REDACTED]"}
}
return apiOpts
} }
func structsCSISecretsToApi(secrets structs.CSISecrets) api.CSISecrets { func structsCSISecretsToApi(secrets structs.CSISecrets) api.CSISecrets {