From 51a57394bee0aa98365d1fc9f441a505bdd72b27 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Tue, 12 Apr 2022 11:37:55 +0100
Subject: [PATCH] kolla_passwords: add no_log for password overrides

The kolla_passwords module overrides parameter may contain sensitive data, including passwords and SSH keys. It should be protected via no_log. Without this, the parameter value may be exposed in Ansible logs, or if level 3 verbosity is used, Ansible output. This change adds no_log to the parameter.

Change-Id: I3f499d63d19ba7f7372b401bd2da23ce627f18e5
---
 .../roles/kolla-ansible/library/kolla_passwords.py | 2 +-
 ...a-passwords-overrides-no-log-57054ce64fae8143.yaml | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/kolla-passwords-overrides-no-log-57054ce64fae8143.yaml

diff --git a/ansible/roles/kolla-ansible/library/kolla_passwords.py b/ansible/roles/kolla-ansible/library/kolla_passwords.py
index 9b3a215b3..4b3c0491d 100644
--- a/ansible/roles/kolla-ansible/library/kolla_passwords.py
+++ b/ansible/roles/kolla-ansible/library/kolla_passwords.py
@@ -181,7 +181,7 @@ def main():
 module = AnsibleModule(
 argument_spec = dict(
 dest=dict(default='/etc/kolla/passwords.yml', type='str'),
- overrides=dict(default={}, type='dict'),
+ overrides=dict(default={}, type='dict', no_log=True),
 sample=dict(default='/usr/share/kolla-ansible/etc_examples/kolla/passwords.yml', type='str'),
 src=dict(default='/etc/kolla/passwords.yml', type='str'),
 vault_password=dict(type='str', no_log=True),
diff --git a/releasenotes/notes/kolla-passwords-overrides-no-log-57054ce64fae8143.yaml b/releasenotes/notes/kolla-passwords-overrides-no-log-57054ce64fae8143.yaml
new file mode 100644
index 000000000..bae196f55
--- /dev/null
+++ b/releasenotes/notes/kolla-passwords-overrides-no-log-57054ce64fae8143.yaml
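Review bot: `no_log=True` on `overrides` keeps the parameter value out of Ansible's argument logging, but it does not cover anything `main()` later places in the module result; if the result or its `diff` carries the merged password mapping or the rendered passwords file, that output is still printed at `-vvv` and would need the same masking (cannot be confirmed from this hunk, since `main()` starts and ends outside it). A short comment on the new line would record the intent for the next maintainer, e.g. `# overrides may carry passwords and SSH keys; keep them out of logs and -vvv output`. The `sample` and `src` parameters are plain file paths rather than secret values, so leaving them without `no_log` is consistent with the existing `vault_password` handling.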
@@ -0,0 +1,11 @@
+---
+security:
+ - |
+ Fixes an issue where any passwords in ``kolla_ansible_custom_passwords``
+ were exposed in Ansible logs. When using verbosity level 3 (``-vvv``), they
+ were also exposed in Ansible output.
+fixes:
+ - |
+ Fixes an issue where any passwords in ``kolla_ansible_custom_passwords``
+ were exposed in Ansible logs. When using verbosity level 3 (``-vvv``), they
+ were also exposed in Ansible output.