Merge "Hide credential strings from puppet logs"

2021-12-08 02:28:00 +00:00 · 2021-12-08 02:28:00 +00:00 · 28a866b03c
commit 28a866b03c
parent be32caa76d ab0d7ee0f0
4 changed files with 33 additions and 3 deletions
--- a/lib/puppet/type/ceph_config.rb
+++ b/lib/puppet/type/ceph_config.rb
@ -45,5 +45,29 @@ Puppet::Type.newtype(:ceph_config) do
      value.downcase! if value =~ /^(true|false)$/i
      value
    end
    def is_to_s( currentvalue )
      if resource.secret?
        return '[old secret redacted]'
      else
        return currentvalue
      end
    end
    def should_to_s( newvalue )
      if resource.secret?
        return '[new secret redacted]'
      else
        return newvalue
      end
    end
  end
  newparam(:secret, :boolean => true) do
    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
    newvalues(:true, :false)
    defaultto false
  end
 end
--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@ -88,6 +88,6 @@ define ceph::rgw::keystone (
    "client.${name}/rgw_keystone_admin_domain":   value => $rgw_keystone_admin_domain;
    "client.${name}/rgw_keystone_admin_project":  value => $rgw_keystone_admin_project;
    "client.${name}/rgw_keystone_admin_user":     value => $rgw_keystone_admin_user;
-    "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
+    "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password, secret => true;
  }
 }
--- a/releasenotes/notes/ceph_config-secret-211b7aa50e393b47.yaml
+++ b/releasenotes/notes/ceph_config-secret-211b7aa50e393b47.yaml
@ -0,0 +1,6 @@
 ---
 features:
  - |
    Now the ``ceph_config`` resource type supports the new ``secret`` property.
    When this property is set to ``true``, value of the parameter is hidden
    from puppet logs.
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@ -46,7 +46,7 @@ describe 'ceph::rgw::keystone' do
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
-      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
+      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456').with_secret(true) }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('member') }
      it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
@ -84,7 +84,7 @@ describe 'ceph::rgw::keystone' do
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') }
-      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456') }
+      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456').with_secret(true) }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
      it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }