Do not include sensitive data in support bundle

Use rancer/support-bundle-kit:v0.0.5 Signed-off-by: Weihang Lo <weihang.lo@suse.com>
robbie1978 · Dec 20, 2021 · 680efb7 · 680efb7
1 parent b9613f9
commit 680efb7
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/pkg/controller/master/supportbundle/manager.go b/pkg/controller/master/supportbundle/manager.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"strings"
 
+	rancherv3 "github.com/rancher/rancher/pkg/apis/management.cattle.io/v3"
 	ctlappsv1 "github.com/rancher/wrangler/pkg/generated/controllers/apps/v1"
 	ctlcorev1 "github.com/rancher/wrangler/pkg/generated/controllers/core/v1"
 	"github.com/sirupsen/logrus"
@@ -112,6 +113,10 @@ func (m *Manager) Create(sb *harvesterv1.SupportBundle, image string) error {
 									Name:  "SUPPORT_BUNDLE_NODE_SELECTOR",
 									Value: "harvesterhci.io/managed=true",
 								},
+								{
+									Name:  "SUPPORT_BUNDLE_EXCLUDE_RESOURCES",
+									Value: m.getExcludeResources(),
+								},
 							},
 							Ports: []corev1.ContainerPort{
 								{
@@ -149,6 +154,20 @@ func (m *Manager) getCollectNamespaces() string {
 	return strings.Join(namespaces, ",")
 }
 
+func (m *Manager) getExcludeResources() string {
+	resources := []string{}
+
+	// Sensitive data not go into support bundle
+	resources = append(resources, harvesterv1.Resource(harvesterv1.SettingResourceName).String()) // TLS certificate and private key
+	resources = append(resources, rancherv3.Resource(rancherv3.AuthConfigResourceName).String())
+	resources = append(resources, rancherv3.Resource(rancherv3.AuthTokenResourceName).String())
+	resources = append(resources, rancherv3.Resource(rancherv3.SamlTokenResourceName).String())
+	resources = append(resources, rancherv3.Resource(rancherv3.TokenResourceName).String())
+	resources = append(resources, rancherv3.Resource(rancherv3.UserResourceName).String())
+
+	return strings.Join(resources, ",")
+}
+
 func (m *Manager) getImagePullPolicy() corev1.PullPolicy {
 	switch strings.ToLower(settings.SupportBundleImagePullPolicy.Get()) {
 	case "always":

diff --git a/pkg/settings/settings.go b/pkg/settings/settings.go
@@ -32,7 +32,7 @@ var (
 	LogLevel                     = NewSetting("log-level", "info") // options are info, debug and trace
 	SSLCertificates              = NewSetting(SSLCertificatesSettingName, "{}")
 	SSLParameters                = NewSetting(SSLParametersName, "{}")
-	SupportBundleImage           = NewSetting("support-bundle-image", "rancher/support-bundle-kit:v0.0.4")
+	SupportBundleImage           = NewSetting("support-bundle-image", "rancher/support-bundle-kit:v0.0.5")
 	SupportBundleImagePullPolicy = NewSetting("support-bundle-image-pull-policy", "IfNotPresent")
 	SupportBundleNamespaces      = NewSetting("support-bundle-namespaces", "")
 	SupportBundleTimeout         = NewSetting(SupportBundleTimeoutSettingName, "10") // Unit is minute. 0 means disable timeout.