Mask the secret parts of Secrets at log levels >= Debug.

pkg/controller/controller.go

@@ -213,8 +213,25 @@ func NewIngressController(
 	return &ingc, nil
 }
 
+var maskedSecret = []byte{}
+
+func mask(obj interface{}) interface{} {
+	secret, ok := obj.(*api_v1.Secret)
+	if !ok {
+		return obj
+	}
+	cpy := secret.DeepCopy()
+	for k := range cpy.Data {
+		cpy.Data[k] = maskedSecret
+	}
+	for k := range cpy.StringData {
+		cpy.StringData[k] = string(maskedSecret)
+	}
+	return cpy
+}
+
 func (ingc *IngressController) logObj(action string, obj interface{}) {
-	ingc.log.Debug(action, ":", obj)
+	ingc.log.Debug(action, ":", mask(obj))
 	m, mErr := meta.Accessor(obj)
 	t, tErr := meta.TypeAccessor(obj)
 	if mErr == nil && tErr == nil {
@@ -260,7 +277,7 @@ func (ingc *IngressController) deleteObj(obj interface{}) {
 }
 
 func (ingc *IngressController) updateObj(old, new interface{}) {
-	ingc.log.Debug("Update:", old, new)
+	ingc.log.Debug("Update:", mask(old), mask(new))
 	incWatchCounter(new, "Update")
 	oldMeta, oldErr := meta.Accessor(old)
 	newMeta, newErr := meta.Accessor(new)