Hide credential strings from puppet logs

Change-Id: I2325e0a3521b3b1cc35753142a50a90bc4ea083a
Takashi Kajinami 2021-11-29 22:13:16 +09:00
parent 5c3065db78
commit ab0d7ee0f0
4 changed files with 33 additions and 3 deletions


@ -45,5 +45,29 @@ Puppet::Type.newtype(:ceph_config) do
value.downcase! if value =~ /^(true|false)$/i
value
end
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
end
newparam(:secret, :boolean => true) do
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
newvalues(:true, :false)
defaultto false
end
end
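Review bot: The `is_to_s`/`should_to_s` overrides redact only the rendered change message. The value remains an ordinary string, so it stays in clear text in the compiled catalog and, as far as I can tell, in the `previous_value`/`desired_value` fields of report events, which Puppet redacts only for properties flagged as sensitive. The `desc` of `secret` should state that limit instead of promising to hide the value from Puppet logs, for example `desc 'Whether to redact the value in Puppet change messages. The value is not treated as Sensitive and remains in the catalog. Defaults to false.'`. Callers that need the stronger guarantee would have to pass the value as a `Sensitive` data type, assuming the supported Puppet versions allow it. The property block that holds these two methods opens above the hunk, so its name and the provider's own logging are not visible here.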


@ -95,6 +95,6 @@ define ceph::rgw::keystone (
"client.${name}/rgw_keystone_admin_domain": value => $rgw_keystone_admin_domain;
"client.${name}/rgw_keystone_admin_project": value => $rgw_keystone_admin_project;
"client.${name}/rgw_keystone_admin_user": value => $rgw_keystone_admin_user;
"client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password;
"client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password, secret => true;
}
}


@ -0,0 +1,6 @@
---
features:
- |
Now the ``ceph_config`` resource type supports the new ``secret`` property.
When this property is set to ``true``, value of the parameter is hidden
from puppet logs.


@ -46,7 +46,7 @@ describe 'ceph::rgw::keystone' do
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456').with_secret(true) }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('member') }
it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) }
@ -84,7 +84,7 @@ describe 'ceph::rgw::keystone' do
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456').with_secret(true) }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') }
it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) }
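Review bot: Neither changed expectation exercises the redaction itself; both only assert that `secret => true` reaches the `ceph_config` resource. None of the four files in this commit appears to be a spec for the type. A later refactor of `is_to_s`/`should_to_s` could therefore put the password back into change messages without any test failing. A type-level example would pin the behaviour. Build a `ceph_config` resource with `secret: true` and assert `expect(resource.property(:value).should_to_s('pw')).to eq('[new secret redacted]')`. Add the matching `is_to_s` check, plus the `secret: false` case returning the raw value.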