feat: Add Secret redaction functionality with content-based hashing #1230

Open
John-Lin wants to merge 6 commits into int128:main from John-Lin:feat/secret-redact

Conversation


@John-Lin John-Lin commented Aug 1, 2025

This PR introduces Secret redaction functionality to the Kustomize action.

Screenshot 2025-08-01 at 17 35 37

Changes

  • New Feature: Implements Secret resource redaction with content-based hashing to ensure consistent
    output while protecting sensitive data
  • Robust YAML Processing: Integrates js-yaml library for reliable parsing, replacing manual string
    manipulation

Files Modified

  • Added src/redact.ts with core redaction logic
  • Updated action configuration and dependencies
  • Added comprehensive test suite with fixtures
  • Updated documentation
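The redaction the PR describes, as an added TypeScript example (not the PR's own src/redact.ts): it takes documents already parsed by js-yaml (loading and dumping the YAML is left to the caller so the snippet runs with no dependency), replaces every data and stringData value of a Secret with a truncated SHA-256 placeholder so identical values produce identical tokens across runs, and returns other kinds untouched. The REDACTED: prefix, the 16-character digest length and the sample manifests are assumptions, not values from the PR.

```typescript
import { createHash } from "crypto";

// Shape of one parsed manifest document, as js-yaml.load would return it.
type Manifest = {
  kind?: string;
  data?: Record<string, string>;
  stringData?: Record<string, string>;
  [key: string]: unknown;
};

// Hex characters kept from the digest (assumption; the PR states no length).
const HASH_LENGTH = 16;

// Deterministic placeholder: the same secret value always yields the same token,
// so a diff of two redacted manifests still shows which keys changed.
// Caveat: an unkeyed hash of a short, guessable value can be recovered by
// brute force; where log readers are untrusted, key it (HMAC) or shorten it.
export function redactedValue(value: string): string {
  const digest = createHash("sha256").update(value, "utf8").digest("hex");
  return `REDACTED:${digest.slice(0, HASH_LENGTH)}`;
}

// Redact data and stringData of a Secret; other documents (and empty YAML
// documents, which js-yaml yields as null) pass through unchanged.
export function redactSecretInDocument(doc: Manifest | null): Manifest | null {
  if (doc === null || doc.kind !== "Secret") return doc;
  const out: Manifest = { ...doc }; // shallow copy: the input is not mutated
  for (const field of ["data", "stringData"] as const) {
    const section = doc[field];
    if (!section || typeof section !== "object") continue;
    out[field] = Object.fromEntries(
      // String() covers values YAML parsed as numbers or booleans
      Object.entries(section).map(([k, v]) => [k, redactedValue(String(v))]),
    );
  }
  return out;
}

export function redactSecrets(docs: Array<Manifest | null>): Array<Manifest | null> {
  return docs.map(redactSecretInDocument);
}

// Constructed sample input: the parsed form of a multi-document `kustomize build` output.
export const SAMPLE_DOCS: Array<Manifest | null> = [
  { apiVersion: "v1", kind: "ConfigMap", metadata: { name: "app" }, data: { LOG_LEVEL: "info" } },
  { apiVersion: "v1", kind: "Secret", metadata: { name: "app-creds" }, type: "Opaque",
    data: { password: "aHVudGVyMg==" },
    stringData: { "sso-issuer": "https://issuer.example.invalid", cert: "line1\nline2\n" } },
  null,
];
```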

John-Lin and others added 5 commits August 1, 2025 14:58
- Add redact-secrets input parameter to action.yaml (default: false)
- Implement Secret redaction logic in src/redact.ts
- Redact data and stringData fields in Kubernetes Secret resources
- Handle multiline values, special characters, and various Secret types
- Add comprehensive test suite with 20 test cases covering edge cases
- Update README.md with usage documentation and examples
- Integrate redaction step after kustomize build in processing pipeline

This feature allows users to safely redact sensitive data from Kubernetes
Secrets in generated manifests, preventing accidental exposure in CI/CD logs
or artifact storage while preserving the structure of non-sensitive resources.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Generate deterministic hash-based redacted values for better diff visibility
- Maintain consistent redaction for identical content across runs
- Improve test coverage with hash validation and edge cases
- Preserve original security while enabling change detection

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Fix skipMultilineValue state not resetting when encountering new key-value pairs
- Add comprehensive edge case tests for redaction failure scenarios
- Ensure proper redaction of fields following multiline values
- Validate handling of comments, indentation, and API version edge cases

This resolves the issue where sso-issuer and similar fields were not being
redacted when they appeared after multiline values in Secret data fields.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Move js-yaml from devDependencies to dependencies
- Add @types/js-yaml for TypeScript support
- Replace complex 198-line manual parsing with js-yaml.load/dump
- Simplify redactSecretInDocument function (-59 lines, 30% reduction)
- Remove redactDataField function entirely
- Improve handling of YAML with comments and edge cases
- Update test expectation for improved comment handling
- Maintain all existing functionality and test coverage

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

John-Lin commented Aug 5, 2025

@int128 Hi, thank you so much for creating and maintaining this GitHub Actions project. It has been incredibly helpful in my workflow and has saved me a lot of time. I really appreciate your work!

I’ve opened this PR to contribute a small improvement that I believe could be useful for others as well. When you have time, I’d be grateful if you could take a look and consider reviewing or merging it.
