fix: Mask sensitive values in log

adityachoudhari26 · adityachoudhari26 · commit 6551e110a81a · 2024-06-26T17:02:56.000-07:00
diff --git a/controllers/weightsandbiases_controller.go b/controllers/weightsandbiases_controller.go
@@ -148,12 +148,12 @@ func (r *WeightsAndBiasesReconciler) Reconcile(ctx context.Context, req ctrl.Req
 	desiredSpec.Merge(deployerSpec)
 	desiredSpec.Merge(operator.Defaults(wandb, r.Scheme))
 
-	log.Info("Desired spec", "spec", desiredSpec)
+	log.Info("Desired spec", "spec", desiredSpec.SensitiveValuesMasked())
 
 	hasNotBeenFlaggedForDeletion := wandb.ObjectMeta.DeletionTimestamp.IsZero()
 	if hasNotBeenFlaggedForDeletion {
 		if currentActiveSpec != nil {
-			log.Info("Active spec found", "spec", currentActiveSpec)
+			log.Info("Active spec found", "spec", currentActiveSpec.SensitiveValuesMasked())
 			if currentActiveSpec.IsEqual(desiredSpec) {
 				log.Info("No changes found")
 				statusManager.Set(status.Completed)
diff --git a/pkg/wandb/spec/spec.go b/pkg/wandb/spec/spec.go
@@ -117,3 +117,38 @@ func (s *Spec) Merge(spec *Spec) {
 		s.mergeConfig(spec.Values)
 	}
 }
+
+func (s *Spec) SensitiveValuesMasked() *Spec {
+	if s.Values != nil {
+		return &Spec{
+			Metadata: s.Metadata,
+			Chart:    s.Chart,
+			Values:   maskValues(s.Values),
+		}
+	}
+	return s
+}
+
+var sensitiveKeys = map[string]bool{
+	"secret":    true,
+	"accessKey": true,
+}
+
+func maskValues(values map[string]interface{}) map[string]interface{} {
+	newValues := make(map[string]interface{})
+	for key, value := range values {
+		switch v := value.(type) {
+		case map[string]interface{}:
+			newValues[key] = maskValues(v)
+		case string:
+			if sensitiveKeys[key] {
+				newValues[key] = "***"
+			} else {
+				newValues[key] = value
+			}
+		default:
+			newValues[key] = value
+		}
+	}
+	return newValues
+}
