From 03e1162856b0f37fc0754bdc8365449930b37c44 Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski" <stefan.schimanski@gmail.com>
Date: Fri, 12 Jul 2019 09:40:59 +0200
Subject: [PATCH] resourceapply: don't log secret data

---
 pkg/operator/resource/resourceapply/core.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/pkg/operator/resource/resourceapply/core.go b/pkg/operator/resource/resourceapply/core.go
index 870b7ceb64..eb196c283f 100644
--- a/pkg/operator/resource/resourceapply/core.go
+++ b/pkg/operator/resource/resourceapply/core.go
@@ -196,6 +196,10 @@ func ApplyConfigMap(client coreclientv1.ConfigMapsGetter, recorder events.Record
 
 // ApplySecret merges objectmeta, requires data
 func ApplySecret(client coreclientv1.SecretsGetter, recorder events.Recorder, required *corev1.Secret) (*corev1.Secret, bool, error) {
+	if len(required.StringData) > 0 {
+		return nil, false, fmt.Errorf("Secret.stringData is not supported")
+	}
+
 	existing, err := client.Secrets(required.Namespace).Get(required.Name, metav1.GetOptions{})
 	if apierrors.IsNotFound(err) {
 		actual, err := client.Secrets(required.Namespace).Create(required)
@@ -210,6 +214,7 @@ func ApplySecret(client coreclientv1.SecretsGetter, recorder events.Recorder, re
 	existingCopy := existing.DeepCopy()
 
 	resourcemerge.EnsureObjectMeta(modified, &existingCopy.ObjectMeta, required.ObjectMeta)
+
 	dataSame := equality.Semantic.DeepEqual(existingCopy.Data, required.Data)
 	if dataSame && !*modified {
 		return existingCopy, false, nil
@@ -217,7 +222,21 @@ func ApplySecret(client coreclientv1.SecretsGetter, recorder events.Recorder, re
 	existingCopy.Data = required.Data
 
 	if klog.V(4) {
-		klog.Infof("Secret %q changes: %v", required.Namespace+"/"+required.Name, JSONPatch(existing, required))
+		safeRequired := required.DeepCopy()
+		safeExisting := existing.DeepCopy()
+
+		for s := range safeExisting.Data {
+			safeExisting.Data[s] = []byte("OLD")
+		}
+		for s := range safeRequired.Data {
+			if _, preexisting := existing.Data[s]; !preexisting || !equality.Semantic.DeepEqual(existing.Data[s], safeRequired.Data[s]) {
+				safeRequired.Data[s] = []byte("NEW")
+			} else {
+				safeRequired.Data[s] = []byte("OLD")
+			}
+		}
+
+		klog.Infof("Secret %q changes: %v", required.Namespace+"/"+required.Name, JSONPatch(safeExisting, safeRequired))
 	}
 	actual, err := client.Secrets(required.Namespace).Update(existingCopy)