Description of problem:
Some secret data is redacted but annotations are kept. This means the encoded secret is gathered.
Version-Release number of selected component (if applicable):
oc version: v4.1.0+515979d-839-dirty
(note this is the version reported by oc binary from quay.io/openshift/origin-cli:4.2.0)
Steps to Reproduce:
1. Get latest 4.2.0 cli from quay.io/openshift/origin-cli:4.2.0
2. Login to v4 cluster as kubeadmin
3. Run `oc adm must-gather`
Annotation "kubectl.kubernetes.io/last-applied-configuration" with passwords are not redacted.
Annotation "kubectl.kubernetes.io/last-applied-configuration" with passwords are redacted along with the secret data.
Example of this is secret for LDAP bindPassword created in openshift-config namespace. Both this secret and the copy of the secret in openshift-authentication have the encoded "bindPassword" value in annotation "kubectl.kubernetes.io/last-applied-configuration" in the must-gather output.
Confirmed with image from Payload: 4.2.0-0.nightly-2019-08-01-035705, the issue has fixed:
Now all the secrets all empty like this:
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.