From 4336449b1887fe72be538d12325bb34db57cd2c3 Mon Sep 17 00:00:00 2001
From: Kiril Christov
Date: Fri, 22 May 2026 15:55:26 +0300
Subject: [PATCH 1/3] fix: VC-53362
---
 deploy/charts/disco-agent/values.yaml | 5 +++-
 deploy/charts/discovery-agent/values.yaml | 5 +++-
 .../venafi-kubernetes-agent/values.yaml | 5 +++-
 pkg/datagatherer/k8sdynamic/fieldfilter.go | 8 ++++-
 .../k8sdynamic/fieldfilter_test.go | 29 +++++++++++++++++++
 5 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/deploy/charts/disco-agent/values.yaml b/deploy/charts/disco-agent/values.yaml
index 7f362328..f9949eae 100644
--- a/deploy/charts/disco-agent/values.yaml
+++ b/deploy/charts/disco-agent/values.yaml
@@ -177,7 +177,10 @@ config:
 # to avoid YAML parsing issues with `\.`.
 #
 # Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
- excludeAnnotationKeysRegex: []
+ excludeAnnotationKeysRegex:
+ - '^kapp\.k14s\.io/original$'
+ - '^objectset\.rio\.cattle\.io/applied$'
+ - '^banzaicloud\.com/last-applied$'
 excludeLabelKeysRegex: []
 # A human readable name for the cluster where the agent is deployed (optional).
diff --git a/deploy/charts/discovery-agent/values.yaml b/deploy/charts/discovery-agent/values.yaml
index 885d3db1..9c53d93d 100644
--- a/deploy/charts/discovery-agent/values.yaml
+++ b/deploy/charts/discovery-agent/values.yaml
@@ -36,7 +36,10 @@ config:
 # to avoid YAML parsing issues with `\.`.
 #
 # Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
- excludeAnnotationKeysRegex: []
+ excludeAnnotationKeysRegex:
+ - '^kapp\.k14s\.io/original$'
+ - '^objectset\.rio\.cattle\.io/applied$'
+ - '^banzaicloud\.com/last-applied$'
 excludeLabelKeysRegex: []
 # Deprecated: Client ID for the configured service account.
diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml
index 92829937..bc8644f0 100644
--- a/deploy/charts/venafi-kubernetes-agent/values.yaml
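Review bot: The chart defaults added in this hunk (and in the discovery-agent and venafi-kubernetes-agent hunks that follow) are removed again by PATCH 2/3 and PATCH 3/3 of this series, so the net change is only the hard-coded list in fieldfilter.go; squashing the three commits would keep the history from suggesting the regexes were ever a supported default. If the defaults were meant to stay, the `$`-anchored patterns are narrower than the `^kapp\.k14s\.io/original.*` form in the Example comment directly above, so the example and the defaults would disagree on which kapp keys are excluded.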
+++ b/deploy/charts/venafi-kubernetes-agent/values.yaml
@@ -299,7 +299,10 @@ config:
 # to avoid YAML parsing issues with `\.`.
 #
 # Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
- excludeAnnotationKeysRegex: []
+ excludeAnnotationKeysRegex:
+ - '^kapp\.k14s\.io/original$'
+ - '^objectset\.rio\.cattle\.io/applied$'
+ - '^banzaicloud\.com/last-applied$'
 excludeLabelKeysRegex: []
 # Specify ConfigMap details to load config from an existing resource.
diff --git a/pkg/datagatherer/k8sdynamic/fieldfilter.go b/pkg/datagatherer/k8sdynamic/fieldfilter.go
index 392c75fd..38a3649e 100644
--- a/pkg/datagatherer/k8sdynamic/fieldfilter.go
+++ b/pkg/datagatherer/k8sdynamic/fieldfilter.go
@@ -69,10 +69,16 @@ var RouteSelectedFields = []FieldPath{
 {"status"},
 }
-// RedactFields are removed from all objects
+// RedactFields are removed from all objects.
+// Includes known GitOps tool annotations that store a full copy of the original
+// manifest (including Secret .data) to prevent private key material leaking via
+// the annotation channel.
 var RedactFields = []FieldPath{
 {"metadata", "managedFields"},
 {"metadata", "annotations", "kubectl.kubernetes.io/last-applied-configuration"},
+ {"metadata", "annotations", "kapp.k14s.io/original"},
+ {"metadata", "annotations", "objectset.rio.cattle.io/applied"},
+ {"metadata", "annotations", "banzaicloud.com/last-applied"},
 }
 type FieldPath []string
diff --git a/pkg/datagatherer/k8sdynamic/fieldfilter_test.go b/pkg/datagatherer/k8sdynamic/fieldfilter_test.go
index 097e735f..7e35717f 100644
--- a/pkg/datagatherer/k8sdynamic/fieldfilter_test.go
+++ b/pkg/datagatherer/k8sdynamic/fieldfilter_test.go
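Review bot: The three new RedactFields entries match annotation keys exactly, so the redaction covers only the tools listed and any other tool that stores the applied manifest under its own annotation key still ships Secret `.data` through the annotation channel; the new comment should say that this is a best-effort blocklist of known keys and that `excludeAnnotationKeysRegex` in the chart is how operators extend it. The `^kapp\.k14s\.io/original.*` example in values.yaml suggests kapp writes sibling keys under the same prefix (its diff annotations, e.g. `kapp.k14s.io/original-diff`, if I recall the tool correctly) — worth confirming whether those carry the same payload and, if so, adding them to this list. If Secret `.data`/`.stringData` are already stripped elsewhere before the object leaves the agent, a one-line cross-reference in the comment would make the layered control explicit.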
@@ -329,6 +329,35 @@ func TestRedactPod(t *testing.T) {
 assert.Equal(t, expectedJSON, string(bytes))
 }
+func TestRedactGitOpsAnnotations(t *testing.T) {
+ resource := &unstructured.Unstructured{
+ Object: map[string]any{
+ "apiVersion": "v1",
+ "kind": "Secret",
+ "metadata": map[string]any{
+ "name": "example",
+ "namespace": "example",
+ "annotations": map[string]any{
+ "kapp.k14s.io/original": `{"data":{"tls.key":"c2VjcmV0"}}`,
+ "objectset.rio.cattle.io/applied": `{"data":{"tls.key":"c2VjcmV0"}}`,
+ "banzaicloud.com/last-applied": `{"data":{"tls.key":"c2VjcmV0"}}`,
+ "kubectl.kubernetes.io/last-applied-configuration": `{"data":{"tls.key":"c2VjcmV0"}}`,
+ "safe-annotation": "keep-me",
+ },
+ },
+ },
+ }
+ Redact(RedactFields, resource)
+ annotations := resource.GetAnnotations()
+ assert.NotContains(t, annotations, "kapp.k14s.io/original")
+ assert.NotContains(t, annotations, "objectset.rio.cattle.io/applied")
+ assert.NotContains(t, annotations, "banzaicloud.com/last-applied")
+ assert.NotContains(t, annotations, "kubectl.kubernetes.io/last-applied-configuration")
+ assert.Equal(t, "keep-me", annotations["safe-annotation"])
+}
+
 func TestRedactMissingField(t *testing.T) {
 resource := &unstructured.Unstructured{
 Object: map[string]any{
From f76cf46583423d1f13d6ffe9b14358b01e0e31e5 Mon Sep 17 00:00:00 2001
From: Kiril Christov
Date: Tue, 26 May 2026 11:47:03 +0300
Subject: [PATCH 2/3] fix: edit config
---
 deploy/charts/disco-agent/values.yaml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/deploy/charts/disco-agent/values.yaml b/deploy/charts/disco-agent/values.yaml
index f9949eae..7f362328 100644
--- a/deploy/charts/disco-agent/values.yaml
+++ b/deploy/charts/disco-agent/values.yaml
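Review bot: TestRedactGitOpsAnnotations repeats the four annotation keys from RedactFields verbatim, so a key added to RedactFields later is not covered unless someone also edits this list; deriving the expectations from RedactFields would keep the two in step, e.g. `for _, p := range RedactFields { if len(p) == 3 && p[1] == "annotations" { assert.NotContains(t, annotations, p[2]) } }` after the existing four asserts. The positive check that `safe-annotation` survives is the half that guards against over-redaction and should stay as written.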
@@ -177,10 +177,7 @@ config:
 # to avoid YAML parsing issues with `\.`.
 #
 # Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
- excludeAnnotationKeysRegex:
- - '^kapp\.k14s\.io/original$'
- - '^objectset\.rio\.cattle\.io/applied$'
- - '^banzaicloud\.com/last-applied$'
+ excludeAnnotationKeysRegex: []
 excludeLabelKeysRegex: []
 # A human readable name for the cluster where the agent is deployed (optional).
From 2ccdf91bdb6c6a750264794fd0a337263a0e0798 Mon Sep 17 00:00:00 2001
From: Kiril Christov
Date: Tue, 26 May 2026 11:50:04 +0300
Subject: [PATCH 3/3] fix: update configs
---
 deploy/charts/discovery-agent/values.yaml | 5 +----
 deploy/charts/venafi-kubernetes-agent/values.yaml | 5 +----
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/deploy/charts/discovery-agent/values.yaml b/deploy/charts/discovery-agent/values.yaml
index 9c53d93d..885d3db1 100644
--- a/deploy/charts/discovery-agent/values.yaml
+++ b/deploy/charts/discovery-agent/values.yaml
@@ -36,10 +36,7 @@ config:
 # to avoid YAML parsing issues with `\.`.
 #
 # Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
- excludeAnnotationKeysRegex:
- - '^kapp\.k14s\.io/original$'
- - '^objectset\.rio\.cattle\.io/applied$'
- - '^banzaicloud\.com/last-applied$'
+ excludeAnnotationKeysRegex: []
 excludeLabelKeysRegex: []
 # Deprecated: Client ID for the configured service account.
diff --git a/deploy/charts/venafi-kubernetes-agent/values.yaml b/deploy/charts/venafi-kubernetes-agent/values.yaml
index bc8644f0..92829937 100644
--- a/deploy/charts/venafi-kubernetes-agent/values.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/values.yaml
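Review bot: Once this hunk (and the discovery-agent and venafi-kubernetes-agent reverts in PATCH 3/3) puts `excludeAnnotationKeysRegex` back to `[]`, nothing in the chart tells an operator that `kapp.k14s.io/original`, `objectset.rio.cattle.io/applied` and `banzaicloud.com/last-applied` are already dropped unconditionally by the agent, so the control being relied on is invisible from the values file. A line in the comment block above the key, such as `# Note: the kubectl, kapp, objectset.rio.cattle.io and banzaicloud last-applied annotations are always redacted by the agent; list additional keys here.`, would save people from adding redundant patterns and documents where the built-in list lives. The Example line's `original.*` form is still the right way to cover related kapp keys that the built-in list does not name.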
@@ -299,10 +299,7 @@ config:
 # to avoid YAML parsing issues with `\.`.
 #
 # Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
- excludeAnnotationKeysRegex:
- - '^kapp\.k14s\.io/original$'
- - '^objectset\.rio\.cattle\.io/applied$'
- - '^banzaicloud\.com/last-applied$'
+ excludeAnnotationKeysRegex: []
 excludeLabelKeysRegex: []
 # Specify ConfigMap details to load config from an existing resource.