
[WIP] Add secure error and exception handling framework

Open mathur07 opened this issue 2 months ago • 1 comments

Implements secure error handling utilities to prevent sensitive information leakage through error messages, logs, and Kubernetes events.

This addresses SRVKP-4185 T159 requirements for secure error handling:

  • Centralized error message generation and handling
  • Automatic sanitization of sensitive data (passwords, tokens, API keys, secrets)
  • Generic error messages that don't reveal internal system details
  • Secure logging with debug-level internal details
  • Error categorization for better classification
  • Integration with Kubernetes reconcilers and event recording

Components added:

  • pkg/common/secerrors: Core secure error handling package

    • SecureError type with user/internal message separation
    • Automatic pattern-based sanitization (passwords, tokens, keys, etc.)
    • Error categories (authentication, authorization, configuration, etc.)
    • Secure logging utilities with zap integration
    • ReconcilerErrorHandler for consistent reconciler error handling
    • Comprehensive test coverage (100% of core functions)
  • Documentation:

    • docs/SecureErrorHandling.md: Complete usage guide and best practices
    • docs/SecureErrorHandlingExamples.md: Real-world code examples
    • docs/SecureErrorHandling_ReconcilerUpdateExample.md: Migration guide
    • pkg/common/secerrors/README.md: Package documentation

Features:

  • Detects and redacts: passwords, API keys, tokens, secrets, private keys, AWS keys, JWT tokens, credentials in URLs, base64-encoded secrets
  • Preserves error chains for errors.Is() and errors.As() compatibility
  • Pre-defined common errors for reuse
  • Zero dependencies beyond existing project dependencies

All tests passing with no linter errors.

Future work: Update existing reconcilers to use secure error handling (tracked separately).

Changes

Submitter Checklist

These are the criteria that every PR should meet; please check them off as you review them:

  • [ ] Run make test lint before submitting a PR
  • [ ] Includes tests (if functionality changed/added)
  • [ ] Includes docs (if user facing)
  • [ ] Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

NONE

mathur07 avatar Dec 02 '25 07:12 mathur07
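The user/internal message separation, pattern-based redaction and errors.Is/errors.As-compatible chain described in the PR, sketched as an added Go example. This is not the pkg/common/secerrors code from this PR; every type name, category, regex pattern and the sample error strings below are constructed for illustration, and plain maps stand in for zap fields so the block runs with the standard library only.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Category classifies an error for callers without revealing internals
// (illustrative names, not the project's).
type Category string

const (
	CategoryAuthentication Category = "authentication"
	CategoryInternal       Category = "internal"
)

// ErrAuthFailed is a predefined sentinel that callers can match with errors.Is.
var ErrAuthFailed = errors.New("authentication failed")

// SecureError keeps the safe user-facing text apart from the wrapped cause.
type SecureError struct {
	Category Category
	User     string // generic message: safe for status conditions and events
	cause    error  // wrapped cause: may carry credentials, hosts, paths
}

// Error exposes only the user-facing message, so %v and .Error() never leak.
func (e *SecureError) Error() string { return e.User }

// Unwrap preserves the chain for errors.Is and errors.As.
func (e *SecureError) Unwrap() error { return e.cause }

// Internal returns the redacted cause for debug-level logging.
func (e *SecureError) Internal() string {
	if e.cause == nil {
		return ""
	}
	return Sanitize(e.cause.Error())
}

// New builds a SecureError around cause.
func New(cat Category, user string, cause error) *SecureError {
	return &SecureError{Category: cat, User: user, cause: cause}
}

// redaction pairs a pattern with its replacement; ${1} keeps the key name
// (e.g. "password=") so the redacted log line stays readable.
type redaction struct {
	re   *regexp.Regexp
	repl string
}

// Constructed patterns covering the kinds of data the PR lists; a real
// deployment would tune and extend these.
var redactions = []redaction{
	{regexp.MustCompile(`(?i)\b(password|passwd|pwd|token|api[_-]?key|secret)\s*[=:]\s*\S+`), "${1}=[REDACTED]"},
	{regexp.MustCompile(`(?i)\bbearer\s+[A-Za-z0-9._~+/-]+=*`), "[REDACTED]"},                              // HTTP bearer tokens
	{regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), "[REDACTED]"},                                             // AWS access key IDs
	{regexp.MustCompile(`(?i)(https?|ftp)://[^/\s:@]+:[^/\s@]+@`), "${1}://[REDACTED]@"},                  // user:pass@ in URLs
	{regexp.MustCompile(`\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b`), "[REDACTED]"},            // JWTs
}

// Sanitize applies every redaction to s, in order.
func Sanitize(s string) string {
	for _, r := range redactions {
		s = r.re.ReplaceAllString(s, r.repl)
	}
	return s
}

// HandleReconcileError is what a reconciler would call before recording an
// event or returning: a raw error never escapes with its original text.
func HandleReconcileError(err error) *SecureError {
	var se *SecureError
	if errors.As(err, &se) {
		return se
	}
	return New(CategoryInternal, "reconciliation failed; see controller logs", err)
}

// LogFields is the structured payload a debug logger would receive;
// only the sanitized cause is included.
func LogFields(e *SecureError) map[string]string {
	return map[string]string{
		"category": string(e.Category),
		"message":  e.User,
		"cause":    e.Internal(),
	}
}

func main() {
	// Constructed cause mimicking a chatty client-library error.
	cause := fmt.Errorf("%w: dial https://admin:hunter2@db.example.com: password=hunter2 key AKIAIOSFODNN7EXAMPLE", ErrAuthFailed)
	se := New(CategoryAuthentication, "could not authenticate to the database", cause)
	fmt.Println("user sees:", se.Error())
	fmt.Println("log gets: ", LogFields(se)["cause"])
	fmt.Println("errors.Is:", errors.Is(se, ErrAuthFailed))
}
```

The point to check in review of a design like this is that the sanitizer runs only on the path that reaches logs, while events and status conditions get the fixed `User` string; relying on redaction alone leaves anything the patterns miss exposed.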

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: To complete the pull request process, please assign jkandasa after the PR has been reviewed. You can assign the PR to them by writing /assign @jkandasa in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

tekton-robot avatar Dec 02 '25 07:12 tekton-robot