microsoft.genpolicy: never log already existing policy annotation

packages/by-name/microsoft/genpolicy/0009-genpolicy-do-not-log-policy-annotation-in-debug.patch

@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: jmxnzo <[email protected]>
+Date: Mon, 9 Dec 2024 09:56:56 +0100
+Subject: [PATCH] genpolicy: do not log policy annotation in 'debug'
+
+---
+ src/tools/genpolicy/src/obj_meta.rs | 37 ++++++++++++++++++++++++++++-
+ 1 file changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/src/tools/genpolicy/src/obj_meta.rs b/src/tools/genpolicy/src/obj_meta.rs
+index 3da75fc0ff67068af04ea98a6dfdc6989961e17c..55ec12f4a9261e340950dc94afe42092d18bc859 100644
+--- a/src/tools/genpolicy/src/obj_meta.rs
++++ b/src/tools/genpolicy/src/obj_meta.rs
+@@ -8,9 +8,10 @@
+
+ use serde::{Deserialize, Serialize};
+ use std::collections::BTreeMap;
++use std::fmt;
+
+ /// See ObjectMeta in the Kubernetes API reference.
+-#[derive(Clone, Debug, Default, Serialize, Deserialize)]
++#[derive(Clone, Default, Serialize, Deserialize)]
+ pub struct ObjectMeta {
+     #[serde(skip_serializing_if = "Option::is_none")]
+     pub name: Option<String>,
+@@ -43,3 +44,37 @@ impl ObjectMeta {
+         self.namespace.as_ref().cloned()
+     }
+ }
++
++impl fmt::Debug for ObjectMeta {
++    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
++        let mut debug_struct = f.debug_struct("ObjectMeta");
++
++        if let Some(ref name) = self.name {
++            debug_struct.field("name", name);
++        }
++        if let Some(ref generate_name) = self.generateName {
++            debug_struct.field("generateName", generate_name);
++        }
++        if let Some(ref labels) = self.labels {
++            debug_struct.field("labels", labels);
++        }
++        if let Some(ref annotations) = self.annotations {
++            let truncated_annotations: BTreeMap<_, _> = annotations
++                .iter()
++                .map(|(key, value)| {
++                    if value.len() > 4096 {
++                        (key, format!("{}<... truncated ...>", &value[..4096].to_string()))
++                    } else {
++                        (key, value.to_string())
++                    }
++                })
++                .collect();
++            debug_struct.field("annotations", &truncated_annotations);
++        }
++        if let Some(ref namespace) = self.namespace {
++            debug_struct.field("namespace", namespace);
++        }
++
++        debug_struct.finish()
++    }
++}

packages/by-name/microsoft/genpolicy/package.nix

@@ -65,7 +65,12 @@ rustPlatform.buildRustPackage rec {
       # This will be achieved when updating oci_distribution to oci_client crate on microsoft/kata-containers fork.
       # kata/kata-runtime/0011-genpolicy-bump-oci-distribution-to-v0.12.0.patch introduces this update to kata-containers.
       # After upstreaming, microsoft/kata-containers fork would need to pick up the changes.
-      ./0008-genpolicy-include-reference-in-logs-when-auth-failure.patch
+      ./0008-genpolicy-include-reference-in-logs-when-auth-failur.patch
+
+      # Simple genpolicy logging redaction of the policy annotation
+      # This avoids printing the entire annotation on log level debug, which resulted in errors of the logtranslator.go
+      # TODO(jmxnzo): remove when https://github.com/kata-containers/kata-containers/pull/10647 is picked up by microsoft/kata-containers fork
+      ./0009-genpolicy-do-not-log-policy-annotation-in-debug.patch
     ];
   };