runtimeconfig: Encapsulate options as 'secret' strings to make accidental exposure harder

Signed-off-by: Danielle Lancashire <[email protected]>

Author: endocrimes

go.mod

@@ -6,6 +6,7 @@ toolchain go1.22.0
 
 require (
 	github.com/go-logr/logr v1.4.1
+	github.com/pelletier/go-toml/v2 v2.1.1
 	github.com/prometheus/common v0.49.0
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/sync v0.5.0

go.sum

@@ -76,6 +76,8 @@ github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY
 github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw=
 github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
 github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
+github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOStowAI=
+github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

internal/runtimeconfig/types.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	spinv1 "github.com/spinkube/spin-operator/api/v1"
+	"github.com/spinkube/spin-operator/pkg/secret"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 )
@@ -26,9 +27,9 @@ type VariablesProvider struct {
 	EnvVariablesProviderOptions
 }
 
-type KeyValueStoreOptions map[string]string
+type KeyValueStoreOptions map[string]secret.String
 
-type SQLiteDatabaseOptions map[string]string
+type SQLiteDatabaseOptions map[string]secret.String
 
 type Spin struct {
 	Variables []VariablesProvider `toml:"config_provider,omitempty"`
@@ -37,7 +38,7 @@ type Spin struct {
 
 	SQLiteDatabases map[string]SQLiteDatabaseOptions `toml:"sqlite_database,omitempty"`
 
-	LLMCompute map[string]string `toml:"llm_compute,omitempty"`
+	LLMCompute map[string]secret.String `toml:"llm_compute,omitempty"`
 }
 
 func (s *Spin) AddKeyValueStore(
@@ -98,9 +99,9 @@ func (s *Spin) AddLLMCompute(computeType, namespace string,
 
 func renderOptionsIntoMap(typeOpt, namespace string,
 	opts []spinv1.RuntimeConfigOption,
-	secrets map[types.NamespacedName]*corev1.Secret, configMaps map[types.NamespacedName]*corev1.ConfigMap) (map[string]string, error) {
-	options := map[string]string{
-		"type": typeOpt,
+	secrets map[types.NamespacedName]*corev1.Secret, configMaps map[types.NamespacedName]*corev1.ConfigMap) (map[string]secret.String, error) {
+	options := map[string]secret.String{
+		"type": secret.String(typeOpt),
 	}
 
 	for _, opt := range opts {
@@ -125,7 +126,7 @@ func renderOptionsIntoMap(typeOpt, namespace string,
 			value = string(sec.Data[secKeyRef.Key])
 		}
 
-		options[opt.Name] = value
+		options[opt.Name] = secret.String(value)
 	}
 
 	return options, nil

pkg/secret/secret.go

@@ -0,0 +1,26 @@
+// Secret is a package for types that make it harder to accidentally expose
+// secret variables when passing them around.
+package secret
+
+type String string
+
+const redacted = "REDACTED"
+
+// String implements fmt.Stringer and redacts the sensitive value.
+func (s String) String() string {
+	return redacted
+}
+
+// GoString implements fmt.GoStringer and redacts the sensitive value.
+func (s String) GoString() string {
+	return redacted
+}
+
+// Value returns the sensitive value as a string.
+func (s String) Value() string {
+	return string(s)
+}
+
+func (s String) MarshalJSON() ([]byte, error) {
+	return []byte(`"` + redacted + `"`), nil
+}

pkg/secret/secret_test.go

@@ -0,0 +1,33 @@
+package secret
+
+import (
+	"encoding/json"
+	"fmt"
+	"testing"
+
+	toml "github.com/pelletier/go-toml/v2"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSecret(t *testing.T) {
+	s := String("secret")
+	require.Equal(t, "secret", s.Value(), "secret")
+	require.Equal(t, "REDACTED", fmt.Sprintf("%v", s))
+	require.Equal(t, "REDACTED", s.String())
+	require.Equal(t, "REDACTED", s.GoString())
+
+	b, err := json.Marshal(s)
+	require.NoError(t, err)
+	require.Equal(t, `"REDACTED"`, string(b))
+}
+
+func TestSecret_TOMLMarshal(t *testing.T) {
+	toMarshal := map[string]String{
+		"some_key": String("some_secret_value"),
+	}
+	data, err := toml.Marshal(toMarshal)
+	require.NoError(t, err)
+	// If `toml` changes its default marshal formatting it is fine to update this
+	// test to match - we only care that the secret is rendered in plain text.
+	require.Equal(t, "some_key = 'some_secret_value'\n", string(data))
+}