diff --git a/pkg/driver/controller.go b/pkg/driver/controller.go
index d48789906c..0d579a289d 100644
--- a/pkg/driver/controller.go
+++ b/pkg/driver/controller.go
@@ -199,7 +199,9 @@ func (d *controllerService) ListVolumes(ctx context.Context, req *csi.ListVolume
 // ValidateVolumeCapabilities validates volume capabilities
 func (d *controllerService) ValidateVolumeCapabilities(ctx context.Context, req *csi.ValidateVolumeCapabilitiesRequest) (*csi.ValidateVolumeCapabilitiesResponse, error) {
 log := klog.NewKlogr().WithName("ValidateVolumeCapabilities")
- log.V(1).Info("called with args", "args", req)
+ secrets := req.Secrets
+ req.Secrets = nil
+ log.V(1).Info("called with args", "args", req, "secrets", util.StripSecret(secrets))
 volumeID := req.GetVolumeId()
 if len(volumeID) == 0 {
 return nil, status.Error(codes.InvalidArgument, "Volume ID not provided")
@@ -269,7 +271,9 @@ func (d *controllerService) ListSnapshots(ctx context.Context, req *csi.ListSnap
 // ControllerExpandVolume adjusts quota according to capacity settings
 func (d *controllerService) ControllerExpandVolume(ctx context.Context, req *csi.ControllerExpandVolumeRequest) (*csi.ControllerExpandVolumeResponse, error) {
 log := klog.NewKlogr().WithName("ControllerExpandVolume")
- log.V(1).Info("request", "request", req)
+ secrets := req.Secrets
+ req.Secrets = nil
+ log.V(1).Info("called with args", "args", req, "secrets", util.StripSecret(secrets))
 volumeID := req.GetVolumeId()
 if len(volumeID) == 0 {
@@ -309,7 +313,6 @@ func (d *controllerService) ControllerExpandVolume(ctx context.Context, req *csi
 if err != nil {
 return nil, status.Errorf(codes.Internal, "get quotaPath error: %v", err)
 }
- secrets := req.GetSecrets()
 settings, err := d.juicefs.Settings(ctx, volumeID, volumeID, secrets["name"], secrets, nil, options)
 if err != nil {
 return nil, status.Errorf(codes.Internal, "get settings: %v", err)
diff --git a/pkg/driver/node.go b/pkg/driver/node.go
index ca1ada8d41..9b78f94edb 100644
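Review bot: In pkg/driver/controller.go, `req.Secrets = nil` in ValidateVolumeCapabilities clears the credentials on the request object itself rather than on a copy, so any later `req.GetSecrets()` in the handler returns nil without an error. The handler body continues outside the hunk, so whether such a read remains cannot be checked here; the same three lines are added to ControllerExpandVolume and to NodePublishVolume in pkg/driver/node.go, where the later `secrets :=` assignments were removed. A comment at each site would make the contract explicit, for example `// req.Secrets is cleared so req can be logged; use the local secrets from here on.`. Separately, `util.StripSecret(secrets)` runs on every call even when V(1) is disabled because it is an argument to `Info`; guarding the log call with `if log.V(1).Enabled() {` would skip the map copy and JSON round trip in that case.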
--- a/pkg/driver/node.go
+++ b/pkg/driver/node.go
@@ -119,9 +119,9 @@ func (d *nodeService) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 log = log.WithValues("volumeId", volumeID)
 ctxWithLog := util.WithLog(ctx, log)
-
- // WARNING: debug only, secrets included
- log.V(1).Info("called with args", "args", req)
+ secrets := req.Secrets
+ req.Secrets = nil
+ log.V(1).Info("called with args", "args", req, "secrets", util.StripSecret(secrets))
 target := req.GetTargetPath()
 if len(target) == 0 {
@@ -154,7 +154,6 @@ func (d *nodeService) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 log.Info("get volume context", "volCtx", volCtx)
- secrets := req.Secrets
 mountOptions := []string{}
 // get mountOptions from PV.volumeAttributes or StorageClass.parameters
 if opts, ok := volCtx["mountOptions"]; ok {
diff --git a/pkg/juicefs/juicefs.go b/pkg/juicefs/juicefs.go
index 8aebb1e2cc..5918875f5f 100644
--- a/pkg/juicefs/juicefs.go
+++ b/pkg/juicefs/juicefs.go
@@ -87,7 +87,7 @@ type jfs struct {
 Name string
 MountPath string
 Options []string
- Setting *config.JfsSetting
+ Setting *config.JfsSetting `json:"-"`
 }
 // Jfs is the interface of a mounted file system
diff --git a/pkg/util/log.go b/pkg/util/log.go
index a9200c766b..d882e58a25 100644
--- a/pkg/util/log.go
+++ b/pkg/util/log.go
@@ -18,6 +18,7 @@ package util
 import (
 "context"
+ "encoding/json"
 "k8s.io/klog/v2"
 )
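Review bot: In pkg/juicefs/juicefs.go the new `json:"-"` tag on `Setting` has no comment saying why the field is hidden, and the tag only takes effect where a `jfs` value is encoded with encoding/json. Presumably the aim is to keep the mount settings, which may hold credentials, out of structured log output; if so, state it on the field, e.g. `// Setting is excluded from JSON encoding so that logging a jfs value does not print the mount settings.`. Any path that logs or formats the settings value directly is not covered by the tag and needs its own redaction. The struct declaration starts above the hunk, so its other fields were not reviewed.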
@@ -40,3 +41,41 @@ func GenLog(ctx context.Context, log klog.Logger, name string) klog.Logger {
 }
 return log
 }
+
+var stripKeys = []string{
+ "token",
+ "accesskey",
+ "access-key",
+ "accesskey2",
+ "access-key2",
+ "secretkey",
+ "secret-key",
+ "secretkey2",
+ "secret-key2",
+ "passphrase",
+ "password",
+}
+
+func StripSecret(secret map[string]string) map[string]string {
+ s := make(map[string]string)
+ for k, v := range secret {
+ s[k] = v
+ }
+ if len(s) == 0 {
+ return s
+ }
+ for _, key := range stripKeys {
+ if _, ok := s[key]; ok {
+ s[key] = "***"
+ }
+ }
+ if _, ok := s["initconfig"]; ok {
+ var initconfig map[string]string
+ _ = json.Unmarshal([]byte(s["initconfig"]), &initconfig)
+
+ stripped := StripSecret(initconfig)
+ b, _ := json.Marshal(stripped)
+ s["initconfig"] = string(b)
+ }
+ return s
+}
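Review bot: `StripSecret` in pkg/util/log.go redacts by deny-list with an exact, case-sensitive key match, so it fails open: a secret key that is not spelled exactly as in `stripKeys` (a differently cased `Token`, or a key the list does not know, such as a connection URL with an embedded password) is written to the log in clear text. For a redaction helper the safer default is the reverse: mask every value unless the key is known to be harmless, and compare keys case-insensitively. The sketch below does that with a small allow-list (only `name` appears from this commit to be non-secret; extend it as needed) and needs `strings` added to the imports. It keeps the existing `initconfig` handling, whose ignored `json.Unmarshal` error already degrades to an empty or partial object rather than logging the raw string, and it adds the doc comment the exported function is missing.

```go
// logSafeKeys lists secret keys whose values may appear in logs.
var logSafeKeys = map[string]bool{
	"name": true,
}

// StripSecret returns a copy of secret for logging: values are masked
// unless their key is in logSafeKeys, and "initconfig" is decoded and
// filtered by the same rule.
func StripSecret(secret map[string]string) map[string]string {
	s := make(map[string]string, len(secret))
	for k, v := range secret {
		switch {
		case k == "initconfig":
			var initconfig map[string]string
			// On error the map stays empty or partial; the raw value is never logged.
			_ = json.Unmarshal([]byte(v), &initconfig)
			b, _ := json.Marshal(StripSecret(initconfig))
			s[k] = string(b)
		case logSafeKeys[strings.ToLower(k)]:
			s[k] = v
		default:
			s[k] = "***"
		}
	}
	return s
}
```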