Prevent secrets from leaking to Kubernetes API Server logs (#5305)

2025-09-06 03:14:33 +00:00 · 2025-07-14 17:45:13 +03:00
parent b382287170
commit 5c00b9d74b
9 changed files with 369 additions and 15 deletions
--- a/pipeline/backend/kubernetes/kubernetes.go
+++ b/pipeline/backend/kubernetes/kubernetes.go
@@ -233,6 +233,13 @@ func (e *kube) StartStep(ctx context.Context, step *types.Step, taskUUID string)
 		}
 	}

+	if needsStepSecret(step) {
+		err = startStepSecret(ctx, e, step)
+		if err != nil {
+			return err
+		}
+	}
+
 	log.Trace().Str("taskUUID", taskUUID).Msgf("starting step: %s", step.Name)
 	_, err = startPod(ctx, e, step, options)
 	return err
@@ -398,6 +405,13 @@ func (e *kube) DestroyStep(ctx context.Context, step *types.Step, taskUUID strin
 		}
 	}

+	if needsStepSecret(step) {
+		err := stopStepSecret(ctx, e, step, defaultDeleteOptions)
+		if err != nil {
+			errs = append(errs, err)
+		}
+	}
+
 	err := stopPod(ctx, e, step, defaultDeleteOptions)
 	if err != nil {
 		errs = append(errs, err)