kubeadm: add datapolicy tags for v1beta3 token fields

cmd/kubeadm/app/apis/kubeadm/v1beta3/bootstraptokenstring.go

@@ -31,8 +31,8 @@ import (
 // of view and as an authentication method for the node in the bootstrap phase of
 // "kubeadm join". This token is and should be short-lived
 type BootstrapTokenString struct {
-	ID     string `json:"-"`
-	Secret string `json:"-"`
+	ID     string `json:"-" datapolicy:"token"`
+	Secret string `json:"-" datapolicy:"token"`
 }
 
 // MarshalJSON implements the json.Marshaler interface.

cmd/kubeadm/app/apis/kubeadm/v1beta3/doc.go

@@ -27,6 +27,8 @@ limitations under the License.
 // Kubeadm no longer supports the hyperkube image.
 // - The "ClusterConfiguration.DNS.Type" field has been removed since CoreDNS is the only supported
 // DNS server type by kubeadm.
+// - Include "datapolicy" tags on the fields that hold secrets.
+// This would result in the field values to be omitted when API structures are printed with klog.
 //
 // Migration from old kubeadm config versions
 //

cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go

@@ -202,7 +202,7 @@ type Networking struct {
 type BootstrapToken struct {
 	// Token is used for establishing bidirectional trust between nodes and control-planes.
 	// Used for joining nodes in the cluster.
-	Token *BootstrapTokenString `json:"token"`
+	Token *BootstrapTokenString `json:"token" datapolicy:"token"`
 	// Description sets a human-friendly message why this token exists and what it's used
 	// for, so other administrators can know its purpose.
 	Description string `json:"description,omitempty"`
@@ -315,7 +315,7 @@ type Discovery struct {
 	// TLSBootstrapToken is a token used for TLS bootstrapping.
 	// If .BootstrapToken is set, this field is defaulted to .BootstrapToken.Token, but can be overridden.
 	// If .File is set, this field **must be set** in case the KubeConfigFile does not contain any other authentication information
-	TLSBootstrapToken string `json:"tlsBootstrapToken,omitempty"`
+	TLSBootstrapToken string `json:"tlsBootstrapToken,omitempty" datapolicy:"token"`
 
 	// Timeout modifies the discovery timeout
 	Timeout *metav1.Duration `json:"timeout,omitempty"`
@@ -325,7 +325,7 @@ type Discovery struct {
 type BootstrapTokenDiscovery struct {
 	// Token is a token used to validate cluster information
 	// fetched from the control-plane.
-	Token string `json:"token"`
+	Token string `json:"token" datapolicy:"token"`
 
 	// APIServerEndpoint is an IP or domain name to the API server from which info will be fetched.
 	APIServerEndpoint string `json:"apiServerEndpoint,omitempty"`
@@ -337,7 +337,7 @@ type BootstrapTokenDiscovery struct {
 	// where the only currently supported type is "sha256". This is a hex-encoded
 	// SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded
 	// ASN.1. These hashes can be calculated using, for example, OpenSSL.
-	CACertHashes []string `json:"caCertHashes,omitempty"`
+	CACertHashes []string `json:"caCertHashes,omitempty" datapolicy:"security-key"`
 
 	// UnsafeSkipCAVerification allows token-based discovery
 	// without CA verification via CACertHashes. This can weaken