DEVPROD-4507 Redact secrets from OTEL traces and Splunk logs for all …

…graphql requests (evergreen-ci#7556)
ZackarySantana · Feb 21, 2024 · 879dbcd · 879dbcd
1 parent 1e4f9bf
commit 879dbcd
Show file tree

Hide file tree

Showing 24 changed files with 542 additions and 26 deletions.
diff --git a/cmd/gqlgen/generate_secret_fields.go b/cmd/gqlgen/generate_secret_fields.go
@@ -0,0 +1,39 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/99designs/gqlgen/codegen/config"
+
+	"github.com/evergreen-ci/evergreen/graphql"
+)
+
+func main() {
+	fmt.Println("Generating gqlgen secret fields code...")
+
+	// Load the gqlgen config from file
+	cfg, err := config.LoadConfigFromDefaultLocations()
+	if err != nil {
+		fmt.Printf("Failed to load gqlgen config: %v", err)
+		// Exit with a non-zero status code to indicate failure
+		os.Exit(1)
+	}
+
+	if err := cfg.LoadSchema(); err != nil {
+		fmt.Println("failed to load schema: %w", err)
+		os.Exit(1)
+
+	}
+
+	if err := cfg.Init(); err != nil {
+		fmt.Println("generating core failed: %w", err)
+		os.Exit(1)
+	}
+
+	err = graphql.GenerateSecretFields(cfg)
+	if err != nil {
+		fmt.Printf("Failed to generate secret fields: %v", err)
+		os.Exit(1)
+	}
+}
diff --git a/config_db.go b/config_db.go
@@ -121,6 +121,7 @@ var (
 	tracerEnabledKey                   = bsonutil.MustHaveTag(TracerConfig{}, "Enabled")
 	tracerCollectorEndpointKey         = bsonutil.MustHaveTag(TracerConfig{}, "CollectorEndpoint")
 	tracerCollectorInternalEndpointKey = bsonutil.MustHaveTag(TracerConfig{}, "CollectorInternalEndpoint")
+	tracerCollectorAPIKeyKey           = bsonutil.MustHaveTag(TracerConfig{}, "CollectorAPIKey")
 
 	// GithubCheckRun keys
 	checkRunLimitKey = bsonutil.MustHaveTag(GitHubCheckRunConfig{}, "CheckRunLimit")

diff --git a/config_tracer.go b/config_tracer.go
@@ -13,6 +13,7 @@ import (
 type TracerConfig struct {
 	Enabled                   bool   `yaml:"enabled" bson:"enabled" json:"enabled"`
 	CollectorEndpoint         string `yaml:"collector_endpoint" bson:"collector_endpoint" json:"collector_endpoint"`
+	CollectorAPIKey           string `yaml:"collector_api_key" bson:"collector_api_key" json:"collector_api_key"`
 	CollectorInternalEndpoint string `yaml:"collector_internal_endpoint" bson:"collector_internal_endpoint" json:"collector_internal_endpoint"`
 }
 
@@ -44,6 +45,7 @@ func (c *TracerConfig) Set(ctx context.Context) error {
 			tracerEnabledKey:                   c.Enabled,
 			tracerCollectorEndpointKey:         c.CollectorEndpoint,
 			tracerCollectorInternalEndpointKey: c.CollectorInternalEndpoint,
+			tracerCollectorAPIKeyKey:           c.CollectorAPIKey,
 		},
 	}, options.Update().SetUpsert(true))
 	return errors.Wrapf(err, "updating config section '%s'", c.SectionId())

diff --git a/environment.go b/environment.go
@@ -72,6 +72,8 @@ const (
 	mongoExternalAuthSource = "$external"
 
 	s3ClientsPrefix = "evergreen/clients"
+
+	honeycombCollectorHeader = "x-honeycomb-team"
 )
 
 func init() { globalEnvLock = &sync.RWMutex{} }
@@ -891,6 +893,11 @@ func (e *envState) initTracer(ctx context.Context, useInternalDNS bool) error {
 		opts = append(opts, otlptracegrpc.WithInsecure())
 	} else {
 		opts = append(opts, otlptracegrpc.WithEndpoint(e.settings.Tracer.CollectorEndpoint))
+		if e.settings.Tracer.CollectorAPIKey != "" {
+			opts = append(opts, otlptracegrpc.WithHeaders(map[string]string{
+				honeycombCollectorHeader: e.settings.Tracer.CollectorAPIKey,
+			}))
+		}
 	}
 	client := otlptracegrpc.NewClient(opts...)
 	exp, err := otlptrace.New(ctx, client)

diff --git a/graphql/config_resolver.go b/graphql/config_resolver.go
@@ -2,6 +2,7 @@ package graphql
 
 import (
 	"context"
+	"sort"
 
 	"github.com/evergreen-ci/evergreen/rest/model"
 )
@@ -23,6 +24,18 @@ func (r *spruceConfigResolver) Keys(ctx context.Context, obj *model.APIAdminSett
 	return sshKeys, nil
 }
 
+// SecretFields is the resolver for the secretFields field.
+func (r *spruceConfigResolver) SecretFields(ctx context.Context, obj *model.APIAdminSettings) ([]string, error) {
+	redactedFieldsAsSlice := []string{}
+	for field := range redactedFields {
+		redactedFieldsAsSlice = append(redactedFieldsAsSlice, field)
+	}
+
+	sort.Strings(redactedFieldsAsSlice)
+
+	return redactedFieldsAsSlice, nil
+}
+
 // ContainerPool returns ContainerPoolResolver implementation.
 func (r *Resolver) ContainerPool() ContainerPoolResolver { return &containerPoolResolver{r} }