kube backend: prevent secrets from leaking to Kubernetes apiserver logs (#5196)

pipeline/backend/kubernetes/pod.go

@@ -235,7 +235,15 @@ func podContainer(step *types.Step, podName, goos string, options BackendOptions
 		container.Command = step.Entrypoint
 	}
 
-	container.Env = mapToEnvVars(step.Environment)
+	stepSecret, err := stepSecretName(step)
+	if err != nil {
+		return container, err
+	}
+
+	// filter environment variables to non-secrets and secrets, refer secrets from step secrets
+	envs, secs := filterSecrets(step.Environment, step.SecretMapping)
+	envsFromSecrets := mapToEnvVarsFromStepSecrets(secs, stepSecret)
+	container.Env = append(mapToEnvVars(envs), envsFromSecrets...)
 
 	container.Resources, err = resourceRequirements(options.Resources)
 	if err != nil {
@@ -254,6 +262,38 @@ func podContainer(step *types.Step, podName, goos string, options BackendOptions
 	return container, nil
 }
 
+func mapToEnvVarsFromStepSecrets(secs []string, stepSecretName string) []v1.EnvVar {
+	var ev []v1.EnvVar
+	for _, key := range secs {
+		ev = append(ev, v1.EnvVar{
+			Name: key,
+			ValueFrom: &v1.EnvVarSource{
+				SecretKeyRef: &v1.SecretKeySelector{
+					LocalObjectReference: v1.LocalObjectReference{
+						Name: stepSecretName,
+					},
+					Key: key,
+				},
+			},
+		})
+	}
+	return ev
+}
+
+func filterSecrets(environment, secrets map[string]string) (map[string]string, []string) {
+	ev := map[string]string{}
+	var secs []string
+
+	for k, v := range environment {
+		if _, found := secrets[k]; found {
+			secs = append(secs, k)
+		} else {
+			ev[k] = v
+		}
+	}
+	return ev, secs
+}
+
 func pvcVolumes(volumes []string) ([]v1.Volume, error) {
 	var vols []v1.Volume