+++ This bug was initially created as a clone of Bug #1723472 +++ Description of problem: Some secret data is redacted but annotations are kept. This means the encoded secret is gathered. Version-Release number of selected component (if applicable): oc version: v4.1.0+515979d-839-dirty (note this is the version reported by oc binary from quay.io/openshift/origin-cli:4.2.0) How reproducible: Every time Steps to Reproduce: 1. Get latest 4.2.0 cli from quay.io/openshift/origin-cli:4.2.0 2. Login to v4 cluster as kubeadmin 3. Run `oc adm must-gather` Actual results: Annotation "kubectl.kubernetes.io/last-applied-configuration" with passwords are not redacted. Expected results: Annotation "kubectl.kubernetes.io/last-applied-configuration" with passwords are redacted along with the secret data. Additional info: Example of this is secret for LDAP bindPassword created in openshift-config namespace. Both this secret and the copy of the secret in openshift-authentication have the encoded "bindPassword" value in annotation "kubectl.kubernetes.io/last-applied-configuration" in the must-gather output. --- Additional comment from Luis Sanchez on 2019-07-31 20:03:51 UTC --- https://github.com/openshift/must-gather/pull/115
Confirmed with payload 4.1.0-0.nightly-2019-08-25-164016, the issue has fixed: metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: ""
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2594