From 769aff667799c1b71d05a9e079004dfb7d4c8b62 Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Mon, 28 Feb 2022 16:39:01 -0500
Subject: [PATCH] csi: fix redaction of `volume status` mount flags

The `volume status` command and associated API redacts the entire mount options instead of just the `MountFlags` field that can contain sensitive data. Return a redacted value so that the return value makes sense to operators who have set this field.
---
 .changelog/12150.txt | 3 +++
 command/agent/csi_endpoint.go | 12 +++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)
 create mode 100644 .changelog/12150.txt

diff --git a/.changelog/12150.txt b/.changelog/12150.txt
new file mode 100644
index 000000000000..579355b371cc
--- /dev/null
+++ b/.changelog/12150.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+cli: Return a redacted value for mount flags in the `volume status` command, instead of ``
+```
diff --git a/command/agent/csi_endpoint.go b/command/agent/csi_endpoint.go
index 0a3bd0433781..c57c181654fe 100644
--- a/command/agent/csi_endpoint.go
+++ b/command/agent/csi_endpoint.go
@@ -136,7 +136,6 @@ func (s *HTTPServer) csiVolumeGet(id string, resp http.ResponseWriter, req *http
 // remove sensitive fields, as our redaction mechanism doesn't
 // help serializing here
 vol.Secrets = nil
- vol.MountOptions = nil
 
 return vol, nil
 }
@@ -761,11 +760,14 @@ func structsCSIMountOptionsToApi(opts *structs.CSIMountOptions) *api.CSIMountOpt
 if opts == nil {
 return nil
 }
-
- return &api.CSIMountOptions{
- FSType: opts.FSType,
- MountFlags: opts.MountFlags,
+ apiOpts := &api.CSIMountOptions{
+ FSType: opts.FSType,
+ }
+ if len(opts.MountFlags) > 0 {
+ apiOpts.MountFlags = []string{"[REDACTED]"}
 }
+
+ return apiOpts
 }
 
 func structsCSISecretsToApi(secrets structs.CSISecrets) api.CSISecrets {
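Review bot: Masking now happens inside `structsCSIMountOptionsToApi` itself, so every caller of this converter, not only the `volume status` path, receives `[]string{"[REDACTED]"}` in place of the real flags, and nothing on the function says its output is lossy. A client that reads a volume and submits the same object back would, if the write path accepts it, store the literal placeholder as a mount flag; the callers are outside this hunk, so that should be confirmed. I would add a doc comment such as `// structsCSIMountOptionsToApi converts mount options for API responses; MountFlags can carry credentials, so a non-empty list is replaced by a single "[REDACTED]" entry and the result must not be written back.` and hoist the marker into a named constant. Because the first hunk drops `vol.MountOptions = nil`, this branch is now the only thing keeping the flags out of the response, so a unit test asserting that no original flag survives the conversion would pin it. The function's signature is in the hunk header, above the first hunk line.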