From 017aa406e9fc9db2700e5c6a20960e6ed8b946ff Mon Sep 17 00:00:00 2001 From: Filip Nikolic Date: Thu, 25 Apr 2024 15:15:46 +0200 Subject: [PATCH] docs: explicitly state which regex flavour is used for redaction Signed-off-by: Filip Nikolic --- api/v1/README.md | 4 ++-- api/v1/tetragon/events.pb.go | 4 ++-- api/v1/tetragon/events.proto | 4 ++-- .../cilium/tetragon/api/v1/tetragon/events.pb.go | 4 ++-- .../cilium/tetragon/api/v1/tetragon/events.proto | 4 ++-- docs/content/en/docs/concepts/events.md | 10 ++++++++-- docs/content/en/docs/reference/grpc-api.md | 4 ++-- install/kubernetes/tetragon/values.yaml | 8 ++++++-- .../cilium/tetragon/api/v1/tetragon/events.pb.go | 4 ++-- .../cilium/tetragon/api/v1/tetragon/events.proto | 4 ++-- 10 files changed, 30 insertions(+), 20 deletions(-) diff --git a/api/v1/README.md b/api/v1/README.md index 850527d79ff..9c58ae15488 100644 --- a/api/v1/README.md +++ b/api/v1/README.md @@ -1306,8 +1306,8 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | | match | [Filter](#tetragon-Filter) | repeated | **Deprecated.** Deprecated, do not use. | -| redact | [string](#string) | repeated | Regular expressions to use for redaction. Strings inside capture groups are redacted. | -| binary_regex | [string](#string) | repeated | Regular expression to match binary name. If supplied, redactions will only be applied to matching processes. | +| redact | [string](#string) | repeated | RE2 regular expressions to use for redaction. Strings inside capture groups are redacted. | +| binary_regex | [string](#string) | repeated | RE2 regular expression to match binary name. If supplied, redactions will only be applied to matching processes. | diff --git a/api/v1/tetragon/events.pb.go b/api/v1/tetragon/events.pb.go index 75a44746a1e..d0755844e13 100644 --- a/api/v1/tetragon/events.pb.go +++ b/api/v1/tetragon/events.pb.go 
@@ -441,9 +441,9 @@ type RedactionFilter struct { // // Deprecated: Marked as deprecated in tetragon/events.proto. Match []*Filter `protobuf:"bytes,1,rep,name=match,proto3" json:"match,omitempty"` - // Regular expressions to use for redaction. Strings inside capture groups are redacted. + // RE2 regular expressions to use for redaction. Strings inside capture groups are redacted. Redact []string `protobuf:"bytes,2,rep,name=redact,proto3" json:"redact,omitempty"` - // Regular expression to match binary name. If supplied, redactions will only be applied to matching processes. + // RE2 regular expression to match binary name. If supplied, redactions will only be applied to matching processes. BinaryRegex []string `protobuf:"bytes,3,rep,name=binary_regex,json=binaryRegex,proto3" json:"binary_regex,omitempty"` } diff --git a/api/v1/tetragon/events.proto b/api/v1/tetragon/events.proto index 2f0cc43994e..86ec34ce66f 100644 --- a/api/v1/tetragon/events.proto +++ b/api/v1/tetragon/events.proto @@ -86,9 +86,9 @@ message CapFilterSet { message RedactionFilter { // Deprecated, do not use. repeated Filter match = 1 [deprecated=true]; - // Regular expressions to use for redaction. Strings inside capture groups are redacted. + // RE2 regular expressions to use for redaction. Strings inside capture groups are redacted. repeated string redact = 2; - // Regular expression to match binary name. If supplied, redactions will only be applied to matching processes. + // RE2 regular expression to match binary name. If supplied, redactions will only be applied to matching processes. repeated string binary_regex = 3; } diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go index 75a44746a1e..d0755844e13 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go 
+++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go @@ -441,9 +441,9 @@ type RedactionFilter struct { // // Deprecated: Marked as deprecated in tetragon/events.proto. Match []*Filter `protobuf:"bytes,1,rep,name=match,proto3" json:"match,omitempty"` - // Regular expressions to use for redaction. Strings inside capture groups are redacted. + // RE2 regular expressions to use for redaction. Strings inside capture groups are redacted. Redact []string `protobuf:"bytes,2,rep,name=redact,proto3" json:"redact,omitempty"` - // Regular expression to match binary name. If supplied, redactions will only be applied to matching processes. + // RE2 regular expression to match binary name. If supplied, redactions will only be applied to matching processes. BinaryRegex []string `protobuf:"bytes,3,rep,name=binary_regex,json=binaryRegex,proto3" json:"binary_regex,omitempty"` } diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto index 2f0cc43994e..86ec34ce66f 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto @@ -86,9 +86,9 @@ message CapFilterSet { message RedactionFilter { // Deprecated, do not use. repeated Filter match = 1 [deprecated=true]; - // Regular expressions to use for redaction. Strings inside capture groups are redacted. + // RE2 regular expressions to use for redaction. Strings inside capture groups are redacted. repeated string redact = 2; - // Regular expression to match binary name. If supplied, redactions will only be applied to matching processes. + // RE2 regular expression to match binary name. If supplied, redactions will only be applied to matching processes. repeated string binary_regex = 3; } 
diff --git a/docs/content/en/docs/concepts/events.md b/docs/content/en/docs/concepts/events.md index 6cfd9acaa29..71428cfaee9 100644 --- a/docs/content/en/docs/concepts/events.md +++ b/docs/content/en/docs/concepts/events.md @@ -209,10 +209,16 @@ used to string patterns to redact from exported process arguments. These filters in JSON and passed to the Tetragon agent via the `--redaction-filters` command line flag or the `redactionFilters` Helm value. -To perform redactions, redaction filters define regular expressions in the -`redact` field. Any capture groups in these regular expressions are redacted and +To perform redactions, redaction filters define RE2 regular expressions in the +`redact` field. Any capture groups in these RE2 regular expressions are redacted and replaced with `"*****"`. +{{< note >}} +This feature uses RE2 as its regular expression library. Make sure that you follow +RE2 regular expression guidelines as you may observe unexpected results otherwise. +More information on RE2 syntax can be found [here](https://github.com/google/re2/wiki/Syntax). +{{< /note >}} + {{< warning >}} When writing regular expressions in JSON, it is important to escape backslash characters. For instance `\Wpasswd\W?` would be written as `{"redact": "\\Wpasswd\\W?"}`. diff --git a/docs/content/en/docs/reference/grpc-api.md b/docs/content/en/docs/reference/grpc-api.md index 16dbae830a1..a0bdbab0553 100644 --- a/docs/content/en/docs/reference/grpc-api.md +++ b/docs/content/en/docs/reference/grpc-api.md 
@@ -803,8 +803,8 @@ Capability set to filter over. NOTE: you may specify only ONE set here. | Field | Type | Label | Description | | ----- | ---- | ----- | ----------- | | match | [Filter](#tetragon-Filter) | repeated | **Deprecated.** Deprecated, do not use. | -| redact | [string](#string) | repeated | Regular expressions to use for redaction. Strings inside capture groups are redacted. | -| binary_regex | [string](#string) | repeated | Regular expression to match binary name. If supplied, redactions will only be applied to matching processes. | +| redact | [string](#string) | repeated | RE2 regular expressions to use for redaction. Strings inside capture groups are redacted. | +| binary_regex | [string](#string) | repeated | RE2 regular expression to match binary name. If supplied, redactions will only be applied to matching processes. | diff --git a/install/kubernetes/tetragon/values.yaml b/install/kubernetes/tetragon/values.yaml index a76dc432d26..88f580b9c9a 100644 --- a/install/kubernetes/tetragon/values.yaml +++ b/install/kubernetes/tetragon/values.yaml 
@@ -113,13 +113,17 @@ tetragon: fieldFilters: |- # Filters to redact secrets from the args fields in Tetragon events. To perform - # redactions, redaction filters define regular expressions in the `redact` - # field. Any capture groups in these regular expressions are redacted and + # redactions, redaction filters define RE2 regular expressions in the `redact` + # field. Any capture groups in these RE2 regular expressions are redacted and # replaced with "*****". # # For more control, you can select which binary or binaries should have their # arguments redacted with the `binary_regex` field. # + # NOTE: This feature uses RE2 as its regular expression library. Make sure that you follow + # RE2 regular expression guidelines as you may observe unexpected results otherwise. + # More information on RE2 syntax can be found [here](https://github.com/google/re2/wiki/Syntax). + # # NOTE: When writing regular expressions in JSON, it is important to escape # backslash characters. For instance `\Wpasswd\W?` would be written as # `{"redact": "\\Wpasswd\\W?"}`. diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go index 75a44746a1e..d0755844e13 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.pb.go 
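Review bot: The added NOTE says the feature "uses RE2 as its regular expression library", which is probably not literally true for a Go agent: the patterns are presumably compiled with Go's `regexp` package, which implements RE2 syntax but is a separate implementation and does not accept every construct on the linked RE2 wiki page (`\C`, for instance). Because these filters are what keep secrets out of exported events, the caveat operators actually need is that PCRE-style lookaround and backreferences are rejected at compile time rather than causing "unexpected results", so patterns ported from other tools should be checked against sample arguments; how the agent behaves when a pattern fails to compile is not visible in this hunk. I would word it as `# NOTE: Redaction patterns use RE2 syntax (Go's regexp package); lookaround, backreferences and other PCRE-only constructs are not supported and will not compile.`, and the same correction applies to the {{< note >}} block added in docs/content/en/docs/concepts/events.md. The markdown link `[here](https://github.com/google/re2/wiki/Syntax)` also renders as literal text inside a YAML comment, so a bare URL reads better here.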
@@ -441,9 +441,9 @@ type RedactionFilter struct { // // Deprecated: Marked as deprecated in tetragon/events.proto. Match []*Filter `protobuf:"bytes,1,rep,name=match,proto3" json:"match,omitempty"` - // Regular expressions to use for redaction. Strings inside capture groups are redacted. + // RE2 regular expressions to use for redaction. Strings inside capture groups are redacted. Redact []string `protobuf:"bytes,2,rep,name=redact,proto3" json:"redact,omitempty"` - // Regular expression to match binary name. If supplied, redactions will only be applied to matching processes. + // RE2 regular expression to match binary name. If supplied, redactions will only be applied to matching processes. BinaryRegex []string `protobuf:"bytes,3,rep,name=binary_regex,json=binaryRegex,proto3" json:"binary_regex,omitempty"` } diff --git a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto index 2f0cc43994e..86ec34ce66f 100644 --- a/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto +++ b/vendor/github.com/cilium/tetragon/api/v1/tetragon/events.proto @@ -86,9 +86,9 @@ message CapFilterSet { message RedactionFilter { // Deprecated, do not use. repeated Filter match = 1 [deprecated=true]; - // Regular expressions to use for redaction. Strings inside capture groups are redacted. + // RE2 regular expressions to use for redaction. Strings inside capture groups are redacted. repeated string redact = 2; - // Regular expression to match binary name. If supplied, redactions will only be applied to matching processes. + // RE2 regular expression to match binary name. If supplied, redactions will only be applied to matching processes. repeated string binary_regex = 3; }