
OCPBUGS-87841: gather: redact pull-secret auth tokens from machineconfigs.json #10660

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from patrickdillon:fix-gather-leak on Jun 29, 2026

Conversation

patrickdillon (Contributor) commented Jun 26, 2026

The bootstrap gather collects machineconfigs.json via oc get machineconfigs -o json, which includes MachineConfig resources containing Ignition file definitions for /var/lib/kubelet/config.json. The pull-secret JSON is URL-encoded inside data: URIs and contains real base64 registry auth credentials and Kubernetes service account JWTs.

Add a sed post-processing step after resource collection to replace all URL-encoded "auth" values with REDACTED before the log bundle is assembled.

Summary by CodeRabbit

  • Bug Fixes
    • Improved security by redacting sensitive pull-secret tokens from gathered cluster artifacts when present.
    • Prevents encoded authentication values from being exposed in exported configuration data.

The bootstrap gather collects machineconfigs.json via `oc get
machineconfigs -o json`, which includes MachineConfig resources
containing Ignition file definitions for /var/lib/kubelet/config.json.
The pull-secret JSON is URL-encoded inside data: URIs and contains
real base64 registry auth credentials and Kubernetes service account
JWTs.

Add a sed post-processing step after resource collection to replace
all URL-encoded "auth" values with REDACTED before the log bundle
is assembled.
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jun 26, 2026
openshift-ci-robot (Contributor) commented

@patrickdillon: This pull request references Jira Issue OCPBUGS-87841, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai (Bot) commented Jun 26, 2026

Walkthrough

The bootstrap gather script now post-processes machineconfigs.json in the artifacts directory and redacts URL-encoded pull-secret auth values inside Ignition data: URIs when the file exists.

Changes

Bootstrap artifact redaction

Layer: Machineconfig auth redaction
File(s): data/data/bootstrap/files/usr/local/bin/bootstrap-cluster-gather.sh
Summary: cluster_bootstrap_gather() adds a conditional machineconfigs.json redaction step that rewrites matching encoded auth values to REDACTED.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Important: pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

  • No-Sensitive-Data-In-Logs (Error): The new machineconfigs.json redaction is case-sensitive; lowercase %3a/%2f/%2b/%3d variants are not redacted, so auth tokens can still reach the bundle. Resolution: broaden the sed pattern to match case-insensitive percent-escapes (e.g. %3[Aa], %2[Ff], %2[Bb], %3[Dd]) or normalize before redacting.
  • Docstring Coverage (Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (13 passed)

  • Description Check: check skipped, CodeRabbit's high-level summary is enabled.
  • Title check: the title accurately summarizes the main change: redacting pull-secret auth tokens from machineconfigs.json during gather.
  • Linked Issues check: check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: check skipped because no linked issues were found for this pull request.
  • Stable And Deterministic Test Names: the PR only changes a shell gather script; it adds no Ginkgo test titles and contains no dynamic test names.
  • Test Structure And Quality: the PR only changes a shell-script redaction step; no Ginkgo tests or cluster-interaction test code were added.
  • Microshift Test Compatibility: the PR only changes bootstrap-cluster-gather.sh redaction logic; no new Ginkgo specs or MicroShift-unsupported APIs/features were added.
  • Single Node Openshift (SNO) Test Compatibility: the PR only updates bootstrap-cluster-gather.sh redaction logic; no Ginkgo e2e tests were added or modified, so the SNO test check is not applicable.
  • Topology-Aware Scheduling Compatibility: only a log-bundle redaction change in bootstrap-cluster-gather.sh; no manifests, controllers, replicas, nodeSelectors, or affinity changes.
  • Ote Binary Stdout Contract: the PR only changes a bootstrap shell script; no Go process-level entrypoints or stdout logging were added, so the OTE JSON stdout contract isn't impacted.
  • Ipv6 And Disconnected Network Test Compatibility: this PR only changes a bootstrap shell script; no Ginkgo/e2e test files or networking assumptions were added.
  • No-Weak-Crypto: the PR only adds a sed redaction in a shell script; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons are present.
  • Container-Privileges: only a shell script changed; no privileged/container settings or K8s manifests were added.

@openshift-ci openshift-ci Bot requested review from pawanpinjarkar and rna-afk June 26, 2026 15:30
openshift-ci-robot (Contributor) commented

@patrickdillon: This pull request references Jira Issue OCPBUGS-87841, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

coderabbitai (Bot) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@data/data/bootstrap/files/usr/local/bin/bootstrap-cluster-gather.sh`:
- Around line 77-78: The redaction pattern in bootstrap-cluster-gather.sh only
matches uppercase percent-escapes, so lowercase-encoded auth values can bypass
the filter. Update the sed expression in the redaction block to treat
percent-encoding case-insensitively so both uppercase and lowercase variants of
the auth field are replaced with REDACTED, using the existing redaction step in
the script as the location to adjust.


📥 Commits

Reviewing files that changed from the base of the PR and between 6831905 and e24e52c.

📒 Files selected for processing (1)
  • data/data/bootstrap/files/usr/local/bin/bootstrap-cluster-gather.sh

Comment on lines +77 to +78
sed -E -i \
's/%22auth%22%3A%22([A-Za-z0-9_-]|%3D|%2B|%2F)*%22/%22auth%22%3A%22REDACTED%22/g' \

coderabbitai (Bot) commented Jun 26, 2026

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Handle lowercase percent-escapes in the redaction regex.

Line 78 only matches uppercase %2B/%2F/%3D and %3A. Percent-encoding is case-insensitive, so lowercase-escaped auth values will bypass this filter and land unredacted in the final log bundle.

Suggested fix
-        sed -E -i \
-            's/%22auth%22%3A%22([A-Za-z0-9_-]|%3D|%2B|%2F)*%22/%22auth%22%3A%22REDACTED%22/g' \
+        sed -E -i \
+            's/%22auth%22%3[Aa]%22([A-Za-z0-9_-]|%3[Dd]|%2[Bb]|%2[Ff])*%22/%22auth%22%3A%22REDACTED%22/g' \
             "${ARTIFACTS_TEMP}/resources/machineconfigs.json"
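Review bot: the suggested pattern still requires the encoded value to follow `%3A%22` with nothing in between, so a pull secret serialized with a space after the colon (`"auth": "..."`, which encodes as `%3A%20%22`) would be missed by both the original and the suggested regex; unless the script can rely on the pull-secret JSON being compact, allow optional encoded whitespace such as `(%20)*` around the colon. It would also be worth adding a post-redaction check, for example a grep for any `%22auth%22` value other than REDACTED, so the gather warns or fails instead of silently shipping a token the pattern did not match.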

tthvo (Member) replied:

According to RFC 3986:

The uppercase hexadecimal digits 'A' through 'F' are equivalent to the lowercase digits 'a' through 'f', respectively. If two URIs differ only in the case of hexadecimal digits used in percent-encoded octets, they are equivalent. For consistency, URI producers and normalizers should use uppercase hexadecimal digits for all percent-encodings.

So, using uppercase hexadecimal here is sufficient.

coderabbitai (Bot) replied:

@tthvo Good point on RFC 3986 equivalence, but I don’t think that makes uppercase-only matching sufficient here.

The redaction runs on the raw JSON text in resources/machineconfigs.json; it does not normalize percent-encoding first. So if a data: URI reaches this file with lowercase escapes, the current sed pattern will miss it and the secret will remain in the gather bundle.

For a security redaction path, I’d avoid depending on producers following the uppercase recommendation unless there’s a strict upstream guarantee that MachineConfig Ignition data: URIs are always canonicalized before being stored. I don’t see that guarantee in the code here, so I’d still recommend making the regex case-insensitive for the percent-escapes.

tthvo (Member) replied:

hmm fair point, should does not mean must. Better cover them all, I guess.

coderabbitai (Bot) replied:

@tthvo Agreed — for a redaction path, matching both uppercase and lowercase escapes is the safer choice.
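To make the thread's point concrete, here is an added example (not code from the PR or from the installer repository) that runs the PR's original uppercase-only sed pattern and the case-insensitive variant proposed in review over a constructed MachineConfig fragment, then counts the auth values that survive each pass; the registry names and auth strings are made up, and auth_leak_count is a hypothetical post-redaction check, not something the gather script contains.

```shell
#!/usr/bin/env bash
# Added example: compare the two redaction patterns from the review thread
# and count leaked auth values afterwards. Not part of the PR.

# Constructed sample: an Ignition data: URI holding a URL-encoded pull
# secret with one uppercase-escaped and one lowercase-escaped auth value.
# Both auth strings are fake.
SAMPLE='{"spec":{"config":{"storage":{"files":[{"path":"/var/lib/kubelet/config.json",'
SAMPLE="${SAMPLE}"'"contents":{"source":"data:text/plain,%7B%22auths%22%3A%7B'
SAMPLE="${SAMPLE}"'%22registry-a.example%22%3A%7B%22auth%22%3A%22QUJD%2BEFGH%2Fxyz%3D%3D%22%7D%2C'
SAMPLE="${SAMPLE}"'%22registry-b.example%22%3A%7B%22auth%22%3a%22QUJD%2bEFGH%2fxyz%3d%3d%22%7D%7D%7D"}}]}}}}'

# Pattern as merged in the PR: only uppercase %3A/%3D/%2B/%2F escapes match.
redact_upper() {
    printf '%s' "$1" | sed -E \
        's/%22auth%22%3A%22([A-Za-z0-9_-]|%3D|%2B|%2F)*%22/%22auth%22%3A%22REDACTED%22/g'
}

# Case-insensitive variant proposed in review.
redact_any_case() {
    printf '%s' "$1" | sed -E \
        's/%22auth%22%3[Aa]%22([A-Za-z0-9_-]|%3[Dd]|%2[Bb]|%2[Ff])*%22/%22auth%22%3A%22REDACTED%22/g'
}

# Hypothetical post-redaction check: count encoded "auth" values, in either
# escape case, whose value is not the REDACTED marker. A gather step could
# refuse to ship the bundle when this is non-zero.
auth_leak_count() {
    printf '%s' "$1" \
        | grep -o -i -E '%22auth%22%3a%22([A-Za-z0-9_-]|%3d|%2b|%2f)*%22' \
        | grep -v -x -i -c '%22auth%22%3a%22REDACTED%22' || true
}

main() {
    echo "before redaction:         $(auth_leak_count "$SAMPLE") leaked"
    echo "uppercase-only pattern:   $(auth_leak_count "$(redact_upper "$SAMPLE")") leaked"
    echo "case-insensitive pattern: $(auth_leak_count "$(redact_any_case "$SAMPLE")") leaked"
}

main
```

The uppercase-only pattern leaves the lowercase-escaped entry in place, which is exactly the case the review thread is about.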

tthvo (Member) commented Jun 26, 2026

/retest-required

tthvo (Member) commented Jun 26, 2026

/cc @zaneb

@openshift-ci openshift-ci Bot requested a review from zaneb June 26, 2026 20:57

tthvo (Member) left a review comment

/approve

The log-bundle is no longer redacted 🤩

openshift-ci (Bot) commented Jun 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tthvo


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 27, 2026
zaneb (Member) commented Jun 28, 2026

/lgtm
/verified by @tthvo

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jun 28, 2026
openshift-ci-robot (Contributor) commented

@zaneb: This PR has been marked as verified by @tthvo.


@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 28, 2026
openshift-ci (Bot) commented Jun 29, 2026

@patrickdillon: all tests passed!


@openshift-merge-bot openshift-merge-bot Bot merged commit a4e07b0 into openshift:main Jun 29, 2026
15 checks passed
openshift-ci-robot (Contributor) commented

@patrickdillon: Jira Issue OCPBUGS-87841: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-87841 has been moved to the MODIFIED state.

