Skip to content

fix: redact credentials and AdminKey from controller logs#435

Open
shreemaan-abhishek wants to merge 1 commit into
masterfrom
sec/b05-credential-logging
Open

fix: redact credentials and AdminKey from controller logs#435
shreemaan-abhishek wants to merge 1 commit into
masterfrom
sec/b05-credential-logging

Conversation

@shreemaan-abhishek

@shreemaan-abhishek shreemaan-abhishek commented Jul 17, 2026

Copy link
Copy Markdown

What this PR does

Several controller log sites serialize whole, secret-bearing objects, so
credentials end up in controller stdout / log aggregation on routine paths
(a weaker boundary than secrets/get RBAC). This redacts them.

Leaks fixed

  • AdminKey (ADCServerOpts.Token): the ADC request body was logged verbatim
    at V(1) in buildHTTPRequest, printing the plaintext admin key.
  • TLS private keys & consumer credentials (adctypes.Resources): Task
    logging at ERROR (store insert/delete failed) and V(1) (updating config)
    dumped SSL.Certificates[].Key and consumer credential material.
  • Inline plugin credentials: controllers logged full ApisixConsumer,
    Consumer, ApisixRoute, ApisixGlobalRule and filtered HTTPRoute objects,
    whose specs can carry inline plugin config (key-auth key, hmac/jwt secrets).
  • Raw credential/plugin blobs: the consumer translator logged the raw
    credential/plugin JSON on unmarshal errors.
  • Global-rule plugin config: the store logged full global-rule items
    (logger-plugin tokens).

Approach

  • Add MarshalLog (logr.Marshaler) to adctypes.Resources, client.Task and
    ADCServerRequest. These emit identity + counts, and [REDACTED] for the
    token, never secret bodies. MarshalLog affects logging only - the JSON
    actually sent to the data plane is untouched (a MarshalJSON-based redaction
    would have corrupted the wire payload, which is why it is not used here).
  • Log only NamespacedName / identity at the controller, provider, translator
    and store sites.

Tests

internal/adc/client/redaction_test.go builds the production logger
(zapr + zap console encoder) into a buffer, logs a Task and an
ADCServerRequest populated with a TLS key, a consumer credential and an admin
key, and asserts none of the secrets appear in the output while identity still
does. It also asserts the request's real Token field is unchanged after
logging.

go test ./internal/adc/client/ -run MarshalLog -v

Sync

This is the enterprise-side half of a shared fix. The upstream OSS PR is
apache/apisix-ingress-controller#2808; both must merge to complete the sync.
The two sides carry identical hunks.

Summary by CodeRabbit

  • Bug Fixes
    • Improved log safety by redacting tokens, credentials, private keys, and other sensitive configuration values.
    • Reduced verbose resource and request logging to concise summaries.
    • Added clearer resource identifiers and structured context to reconciliation and translation errors.
  • Tests
    • Added coverage verifying sensitive values are excluded from logs while request data remains unchanged.

Whole-object logging serialized secret-bearing material into controller
stdout on routine paths:

- The ADC request body was logged at V(1) with the plaintext AdminKey
  (ADCServerOpts.Token) and full config resources.
- Task/args logging at ERROR and V(1) dumped TLS private keys and
  consumer credentials (adctypes.Resources).
- Controllers logged full ApisixConsumer / Consumer / ApisixRoute /
  ApisixGlobalRule / HTTPRoute objects, whose specs can carry inline
  plugin credentials.
- The translator logged raw credential/plugin blobs on unmarshal errors.
- The store logged full global-rule plugin config.

Fixes:
- Add MarshalLog (logr.Marshaler) to adctypes.Resources, client.Task and
  ADCServerRequest so logging emits identity/counts and [REDACTED] for
  the token, never secret bodies. Wire JSON is unchanged.
- Log only NamespacedName / identity at the controller, provider,
  translator and store sites.
- Add tests asserting secrets never reach the real console-encoder log
  output while identity still does.
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4a6921b3-ad0e-404a-a914-d74f844f7d59

📥 Commits

Reviewing files that changed from the base of the PR and between 5f84a00 and 2dd2d89.

📒 Files selected for processing (12)
  • api/adc/types.go
  • internal/adc/cache/store.go
  • internal/adc/client/client.go
  • internal/adc/client/executor.go
  • internal/adc/client/redaction_test.go
  • internal/adc/translator/consumer.go
  • internal/controller/apisixconsumer_controller.go
  • internal/controller/apisixglobalrule_controller.go
  • internal/controller/apisixroute_controller.go
  • internal/controller/consumer_controller.go
  • internal/controller/httproute_controller.go
  • internal/provider/apisix/provider.go

📝 Walkthrough

Walkthrough

Logging output now redacts sensitive ADC data, summarizes resource collections, adds structured translation context, and uses namespaced identifiers for Kubernetes objects. Request payloads and reconciliation behavior remain unchanged.

Changes

Logging hygiene

Layer / File(s) Summary
ADC log serialization and redaction
api/adc/types.go, internal/adc/client/..., internal/adc/client/redaction_test.go
Resources, tasks, and ADC requests use reduced log representations that redact secrets; tests verify redaction and unchanged request payloads.
ADC cache and translation logging
internal/adc/cache/store.go, internal/adc/translator/consumer.go
Global rule logs report counts, while credential and plugin errors include structured resource context.
Controller and provider resource identifiers
internal/controller/..., internal/provider/apisix/provider.go
Logs use namespaced or namespaced-kind identifiers instead of full Kubernetes objects.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Suggested reviewers: alinsran


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Security Check ❌ Error Several logs still serialize raw Config/GlobalRule values and deleted client.Objects, which can expose ADC tokens and plugin secrets despite the new redaction methods. Add logr.Marshaler or identity-only logging for Config, GlobalRule, and Delete paths; never log raw config maps, delta objects, or Kubernetes objects.
E2e Test Quality Review ⚠️ Warning The new coverage is unit-level only; redaction_test.go logs in-memory objects and never exercises the API→controller→provider/ADC server flow required for E2E. Add at least one end-to-end/integration test through the real reconciliation/request path, and keep unit tests as supplementary checks.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly captures the main theme of the change: redacting credentials and admin keys from logs.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch sec/b05-credential-logging

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown
Contributor

conformance test report - apisix-standalone mode

apiVersion: gateway.networking.k8s.io/v1
date: "2026-07-17T11:36:43Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    result: success
    statistics:
      Failed: 0
      Passed: 12
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests succeeded.
- core:
    result: partial
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 0
      Passed: 32
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 11
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePathRewrite
    - HTTPRoutePortRedirect
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests partially succeeded with 1 test skips. Extended tests partially
    succeeded with 1 test skips.
- core:
    result: partial
    skippedTests:
    - TLSRouteSimpleSameNamespace
    statistics:
      Failed: 0
      Passed: 10
      Skipped: 1
  name: GATEWAY-TLS
  summary: Core tests partially succeeded with 1 test skips.

@github-actions

Copy link
Copy Markdown
Contributor

conformance test report - apisix mode

apiVersion: gateway.networking.k8s.io/v1
date: "2026-07-17T11:36:59Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    result: success
    statistics:
      Failed: 0
      Passed: 12
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests succeeded.
- core:
    failedTests:
    - HTTPRouteInvalidBackendRefUnknownKind
    result: failure
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 1
      Passed: 31
      Skipped: 1
  extended:
    result: partial
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 0
      Passed: 11
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePathRewrite
    - HTTPRoutePortRedirect
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests failed with 1 test failures. Extended tests partially succeeded
    with 1 test skips.
- core:
    result: partial
    skippedTests:
    - TLSRouteSimpleSameNamespace
    statistics:
      Failed: 0
      Passed: 10
      Skipped: 1
  name: GATEWAY-TLS
  summary: Core tests partially succeeded with 1 test skips.

@github-actions

Copy link
Copy Markdown
Contributor

conformance test report

apiVersion: gateway.networking.k8s.io/v1
date: "2026-07-17T11:55:26Z"
gatewayAPIChannel: experimental
gatewayAPIVersion: v1.3.0
implementation:
  contact: null
  organization: APISIX
  project: apisix-ingress-controller
  url: https://github.com/apache/apisix-ingress-controller.git
  version: v2.0.0
kind: ConformanceReport
mode: default
profiles:
- core:
    failedTests:
    - GatewayModifyListeners
    result: failure
    statistics:
      Failed: 1
      Passed: 11
      Skipped: 0
  name: GATEWAY-GRPC
  summary: Core tests failed with 1 test failures.
- core:
    failedTests:
    - GatewayModifyListeners
    result: failure
    skippedTests:
    - HTTPRouteHTTPSListener
    statistics:
      Failed: 1
      Passed: 31
      Skipped: 1
  extended:
    failedTests:
    - HTTPRouteBackendProtocolWebSocket
    result: failure
    skippedTests:
    - HTTPRouteRedirectPortAndScheme
    statistics:
      Failed: 1
      Passed: 10
      Skipped: 1
    supportedFeatures:
    - GatewayAddressEmpty
    - GatewayPort8080
    - HTTPRouteBackendProtocolWebSocket
    - HTTPRouteDestinationPortMatching
    - HTTPRouteHostRewrite
    - HTTPRouteMethodMatching
    - HTTPRoutePathRewrite
    - HTTPRoutePortRedirect
    - HTTPRouteQueryParamMatching
    - HTTPRouteRequestMirror
    - HTTPRouteResponseHeaderModification
    - HTTPRouteSchemeRedirect
    unsupportedFeatures:
    - GatewayHTTPListenerIsolation
    - GatewayInfrastructurePropagation
    - GatewayStaticAddresses
    - HTTPRouteBackendProtocolH2C
    - HTTPRouteBackendRequestHeaderModification
    - HTTPRouteBackendTimeout
    - HTTPRouteParentRefPort
    - HTTPRoutePathRedirect
    - HTTPRouteRequestMultipleMirrors
    - HTTPRouteRequestPercentageMirror
    - HTTPRouteRequestTimeout
  name: GATEWAY-HTTP
  summary: Core tests failed with 1 test failures. Extended tests failed with 1 test
    failures.
- core:
    failedTests:
    - GatewayModifyListeners
    - TLSRouteSimpleSameNamespace
    result: failure
    statistics:
      Failed: 2
      Passed: 9
      Skipped: 0
  name: GATEWAY-TLS
  summary: Core tests failed with 2 test failures.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant