redact secret values

This commit adds a feature that shows what changes have been done to a secret without exposing the secret values.
Its enabled by default and can disabled by adding the --show-secrets flag

Author: databus23

cmd/release.go

@@ -19,6 +19,7 @@ type release struct {
 	releases         []string
 	outputContext    int
 	includeTests     bool
+	showSecrets      bool
 }
 
 const releaseCmdLongUsage = `
@@ -71,6 +72,7 @@ func releaseCmd() *cobra.Command {
 	}
 
 	releaseCmd.Flags().BoolP("suppress-secrets", "q", false, "suppress secrets in the output")
+	releaseCmd.Flags().BoolVar(&diff.showSecrets, "show-secrets", false, "do not redact secret values in the output")
 	releaseCmd.Flags().StringArrayVar(&diff.suppressedKinds, "suppress", []string{}, "allows suppression of the values listed in the diff output")
 	releaseCmd.Flags().IntVarP(&diff.outputContext, "context", "C", -1, "output NUM lines of context around changes")
 	releaseCmd.Flags().BoolVar(&diff.includeTests, "include-tests", false, "enable the diffing of the helm test hooks")
@@ -112,6 +114,7 @@ func (d *release) differentiateHelm3() error {
 			manifest.Parse(string(releaseResponse1), namespace, excludes...),
 			manifest.Parse(string(releaseResponse2), namespace, excludes...),
 			d.suppressedKinds,
+			d.showSecrets,
 			d.outputContext,
 			os.Stdout)
 
@@ -144,6 +147,7 @@ func (d *release) differentiate() error {
 			manifest.ParseRelease(releaseResponse1.Release, d.includeTests),
 			manifest.ParseRelease(releaseResponse2.Release, d.includeTests),
 			d.suppressedKinds,
+			d.showSecrets,
 			d.outputContext,
 			os.Stdout)
 

cmd/revision.go

@@ -21,6 +21,7 @@ type revision struct {
 	revisions        []string
 	outputContext    int
 	includeTests     bool
+	showSecrets      bool
 }
 
 const revisionCmdLongUsage = `
@@ -81,6 +82,7 @@ func revisionCmd() *cobra.Command {
 	}
 
 	revisionCmd.Flags().BoolP("suppress-secrets", "q", false, "suppress secrets in the output")
+	revisionCmd.Flags().BoolVar(&diff.showSecrets, "show-secrets", false, "do not redact secret values in the output")
 	revisionCmd.Flags().StringArrayVar(&diff.suppressedKinds, "suppress", []string{}, "allows suppression of the values listed in the diff output")
 	revisionCmd.Flags().IntVarP(&diff.outputContext, "context", "C", -1, "output NUM lines of context around changes")
 	revisionCmd.Flags().BoolVar(&diff.includeTests, "include-tests", false, "enable the diffing of the helm test hooks")
@@ -117,6 +119,7 @@ func (d *revision) differentiateHelm3() error {
 			manifest.Parse(string(revisionResponse), namespace, excludes...),
 			manifest.Parse(string(releaseResponse), namespace, excludes...),
 			d.suppressedKinds,
+			d.showSecrets,
 			d.outputContext,
 			os.Stdout)
 
@@ -141,6 +144,7 @@ func (d *revision) differentiateHelm3() error {
 			manifest.Parse(string(revisionResponse1), namespace, excludes...),
 			manifest.Parse(string(revisionResponse2), namespace, excludes...),
 			d.suppressedKinds,
+			d.showSecrets,
 			d.outputContext,
 			os.Stdout)
 
@@ -178,6 +182,7 @@ func (d *revision) differentiate() error {
 			manifest.ParseRelease(revisionResponse.Release, d.includeTests),
 			manifest.ParseRelease(releaseResponse.Release, d.includeTests),
 			d.suppressedKinds,
+			d.showSecrets,
 			d.outputContext,
 			os.Stdout)
 
@@ -202,6 +207,7 @@ func (d *revision) differentiate() error {
 			manifest.ParseRelease(revisionResponse1.Release, d.includeTests),
 			manifest.ParseRelease(revisionResponse2.Release, d.includeTests),
 			d.suppressedKinds,
+			d.showSecrets,
 			d.outputContext,
 			os.Stdout)
 

cmd/rollback.go

@@ -21,6 +21,7 @@ type rollback struct {
 	revisions        []string
 	outputContext    int
 	includeTests     bool
+	showSecrets      bool
 }
 
 const rollbackCmdLongUsage = `
@@ -73,6 +74,7 @@ func rollbackCmd() *cobra.Command {
 	}
 
 	rollbackCmd.Flags().BoolP("suppress-secrets", "q", false, "suppress secrets in the output")
+	rollbackCmd.Flags().BoolVar(&diff.showSecrets, "show-secrets", false, "do not redact secret values in the output")
 	rollbackCmd.Flags().StringArrayVar(&diff.suppressedKinds, "suppress", []string{}, "allows suppression of the values listed in the diff output")
 	rollbackCmd.Flags().IntVarP(&diff.outputContext, "context", "C", -1, "output NUM lines of context around changes")
 	rollbackCmd.Flags().BoolVar(&diff.includeTests, "include-tests", false, "enable the diffing of the helm test hooks")
@@ -110,6 +112,7 @@ func (d *rollback) backcastHelm3() error {
 		manifest.Parse(string(releaseResponse), namespace, excludes...),
 		manifest.Parse(string(revisionResponse), namespace, excludes...),
 		d.suppressedKinds,
+		d.showSecrets,
 		d.outputContext,
 		os.Stdout)
 
@@ -144,6 +147,7 @@ func (d *rollback) backcast() error {
 		manifest.ParseRelease(releaseResponse.Release, d.includeTests),
 		manifest.ParseRelease(revisionResponse.Release, d.includeTests),
 		d.suppressedKinds,
+		d.showSecrets,
 		d.outputContext,
 		os.Stdout)
 

cmd/upgrade.go

@@ -32,6 +32,7 @@ type diffCmd struct {
 	includeTests     bool
 	suppressedKinds  []string
 	outputContext    int
+	showSecrets      bool
 }
 
 const globalUsage = `Show a diff explaining what a helm upgrade would change.
@@ -82,6 +83,7 @@ func newChartCommand() *cobra.Command {
 	f.StringVar(&diff.chartVersion, "version", "", "specify the exact chart version to use. If this is not specified, the latest version is used")
 	f.BoolVar(&diff.detailedExitCode, "detailed-exitcode", false, "return a non-zero exit code when there are changes")
 	f.BoolP("suppress-secrets", "q", false, "suppress secrets in the output")
+	f.BoolVar(&diff.showSecrets, "show-secrets", false, "do not redact secret values in the output")
 	f.VarP(&diff.valueFiles, "values", "f", "specify values in a YAML file (can specify multiple)")
 	f.StringArrayVar(&diff.values, "set", []string{}, "set values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)")
 	f.StringArrayVar(&diff.stringValues, "set-string", []string{}, "set STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)")
@@ -155,7 +157,7 @@ func (d *diffCmd) runHelm3() error {
 		newSpecs = manifest.Parse(string(installManifest), d.namespace, helm3TestHook, helm2TestSuccessHook)
 	}
 
-	seenAnyChanges := diff.Manifests(currentSpecs, newSpecs, d.suppressedKinds, d.outputContext, os.Stdout)
+	seenAnyChanges := diff.Manifests(currentSpecs, newSpecs, d.suppressedKinds, d.showSecrets, d.outputContext, os.Stdout)
 
 	if d.detailedExitCode && seenAnyChanges {
 		return Error{
@@ -241,7 +243,7 @@ func (d *diffCmd) run() error {
 		}
 	}
 
-	seenAnyChanges := diff.Manifests(currentSpecs, newSpecs, d.suppressedKinds, d.outputContext, os.Stdout)
+	seenAnyChanges := diff.Manifests(currentSpecs, newSpecs, d.suppressedKinds, d.showSecrets, d.outputContext, os.Stdout)
 
 	if d.detailedExitCode && seenAnyChanges {
 		return Error{

diff/diff.go

@@ -1,6 +1,7 @@
 package diff
 
 import (
+	"bytes"
 	"fmt"
 	"io"
 	"math"
@@ -9,19 +10,27 @@ import (
 
 	"github.com/aryann/difflib"
 	"github.com/mgutz/ansi"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime/serializer/json"
+	"k8s.io/apimachinery/pkg/util/yaml"
+	"k8s.io/client-go/kubernetes/scheme"
 
 	"github.com/databus23/helm-diff/manifest"
 )
 
 // Manifests diff on manifests
-func Manifests(oldIndex, newIndex map[string]*manifest.MappingResult, suppressedKinds []string, context int, to io.Writer) bool {
+func Manifests(oldIndex, newIndex map[string]*manifest.MappingResult, suppressedKinds []string, showSecrets bool, context int, to io.Writer) bool {
 	seenAnyChanges := false
 	emptyMapping := &manifest.MappingResult{}
 	for key, oldContent := range oldIndex {
 		if newContent, ok := newIndex[key]; ok {
 			if oldContent.Content != newContent.Content {
 				// modified
 				fmt.Fprintf(to, ansi.Color("%s has changed:", "yellow")+"\n", key)
+				if !showSecrets {
+					redactSecrets(oldContent, newContent)
+				}
+
 				diffs := diffMappingResults(oldContent, newContent)
 				if len(diffs) > 0 {
 					seenAnyChanges = true
@@ -31,6 +40,10 @@ func Manifests(oldIndex, newIndex map[string]*manifest.MappingResult, suppressed
 		} else {
 			// removed
 			fmt.Fprintf(to, ansi.Color("%s has been removed:", "yellow")+"\n", key)
+			if !showSecrets {
+				redactSecrets(oldContent, nil)
+
+			}
 			diffs := diffMappingResults(oldContent, emptyMapping)
 			if len(diffs) > 0 {
 				seenAnyChanges = true
@@ -43,6 +56,9 @@ func Manifests(oldIndex, newIndex map[string]*manifest.MappingResult, suppressed
 		if _, ok := oldIndex[key]; !ok {
 			// added
 			fmt.Fprintf(to, ansi.Color("%s has been added:", "yellow")+"\n", key)
+			if !showSecrets {
+				redactSecrets(nil, newContent)
+			}
 			diffs := diffMappingResults(emptyMapping, newContent)
 			if len(diffs) > 0 {
 				seenAnyChanges = true
@@ -53,11 +69,79 @@ func Manifests(oldIndex, newIndex map[string]*manifest.MappingResult, suppressed
 	return seenAnyChanges
 }
 
+func redactSecrets(old, new *manifest.MappingResult) {
+	if old != nil && old.Kind != "Secret" && new != nil && new.Kind != "Secret" {
+		return
+	}
+	serializer := json.NewYAMLSerializer(json.DefaultMetaFactory, scheme.Scheme,
+		scheme.Scheme)
+	var oldSecret, newSecret v1.Secret
+
+	if old != nil {
+		if err := yaml.NewYAMLToJSONDecoder(bytes.NewBufferString(old.Content)).Decode(&oldSecret); err != nil {
+			old.Content = fmt.Sprintf("Error parsing old secret: %s", err)
+		}
+	}
+	if new != nil {
+		if err := yaml.NewYAMLToJSONDecoder(bytes.NewBufferString(new.Content)).Decode(&newSecret); err != nil {
+			new.Content = fmt.Sprintf("Error parsing new secret: %s", err)
+		}
+	}
+	if old != nil {
+		oldSecret.StringData = make(map[string]string, len(oldSecret.Data))
+		for k, v := range oldSecret.Data {
+			if new != nil && bytes.Equal(v, newSecret.Data[k]) {
+				oldSecret.StringData[k] = fmt.Sprintf("REDACTED # (%d bytes)", len(v))
+			} else {
+				oldSecret.StringData[k] = fmt.Sprintf("-------- # (%d bytes)", len(v))
+			}
+		}
+	}
+	if new != nil {
+		newSecret.StringData = make(map[string]string, len(newSecret.Data))
+		for k, v := range newSecret.Data {
+			if old != nil && bytes.Equal(v, oldSecret.Data[k]) {
+				newSecret.StringData[k] = fmt.Sprintf("REDACTED # (%d bytes)", len(v))
+			} else {
+				newSecret.StringData[k] = fmt.Sprintf("++++++++ # (%d bytes)", len(v))
+			}
+		}
+	}
+	// remove Data field now that we are using StringData for serialization
+	var buf bytes.Buffer
+	if old != nil {
+		oldSecret.Data = nil
+		if err := serializer.Encode(&oldSecret, &buf); err != nil {
+
+		}
+		old.Content = getComment(old.Content) + strings.Replace(strings.Replace(buf.String(), "stringData", "data", 1), "  creationTimestamp: null\n", "", 1)
+		buf.Reset() //reuse buffer for new secret
+	}
+	if new != nil {
+		newSecret.Data = nil
+		if err := serializer.Encode(&newSecret, &buf); err != nil {
+
+		}
+		new.Content = getComment(new.Content) + strings.Replace(strings.Replace(buf.String(), "stringData", "data", 1), "  creationTimestamp: null\n", "", 1)
+	}
+}
+
+// return the first line of a string if its a comment.
+// This gives as the # Source: lines from the rendering
+func getComment(s string) string {
+	i := strings.Index(s, "\n")
+	if i < 0 || !strings.HasPrefix(s, "#") {
+		return ""
+	}
+	return s[:i+1]
+
+}
+
 // Releases reindex the content  based on the template names and pass it to Manifests
-func Releases(oldIndex, newIndex map[string]*manifest.MappingResult, suppressedKinds []string, context int, to io.Writer) bool {
+func Releases(oldIndex, newIndex map[string]*manifest.MappingResult, suppressedKinds []string, showSecrets bool, context int, to io.Writer) bool {
 	oldIndex = reIndexForRelease(oldIndex)
 	newIndex = reIndexForRelease(newIndex)
-	return Manifests(oldIndex, newIndex, suppressedKinds, context, to)
+	return Manifests(oldIndex, newIndex, suppressedKinds, showSecrets, context, to)
 }
 
 func diffMappingResults(oldContent *manifest.MappingResult, newContent *manifest.MappingResult) []difflib.DiffRecord {
@@ -71,6 +155,7 @@ func diffStrings(before, after string) []difflib.DiffRecord {
 
 func printDiffRecords(suppressedKinds []string, kind string, context int, diffs []difflib.DiffRecord, to io.Writer) {
 	for _, ckind := range suppressedKinds {
+
 		if ckind == kind {
 			str := fmt.Sprintf("+ Changes suppressed on sensitive content of type %s\n", kind)
 			fmt.Fprintf(to, ansi.Color(str, "yellow"))