Merge "Hide secrets from puppet logs"

lib/puppet/type/glance_api_config.rb

@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_api_config) do
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
   end
 
 end

lib/puppet/type/glance_api_paste_ini.rb

@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_api_paste_ini) do
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
   end
 
 end

lib/puppet/type/glance_cache_config.rb

@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_cache_config) do
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
   end
 
 end

lib/puppet/type/glance_registry_config.rb

@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_registry_config) do
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
   end
 
 end

lib/puppet/type/glance_registry_paste_ini.rb

@@ -14,6 +14,30 @@ Puppet::Type.newtype(:glance_registry_paste_ini) do
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
   end
 
 end

manifests/api.pp

@@ -258,7 +258,7 @@ class glance::api(
       fail("Invalid db connection ${database_connection_real}")
     }
     glance_api_config {
-      'database/connection':   value => $database_connection_real;
+      'database/connection':   value => $database_connection_real, secret => true;
       'database/idle_timeout': value => $database_idle_timeout_real;
     }
   }
@@ -344,13 +344,13 @@ class glance::api(
     glance_api_config {
       'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
       'keystone_authtoken/admin_user'       : value => $keystone_user;
-      'keystone_authtoken/admin_password'   : value => $keystone_password;
+      'keystone_authtoken/admin_password'   : value => $keystone_password, secret => true;
     }
     glance_cache_config {
       'DEFAULT/auth_url'         : value => $auth_url;
       'DEFAULT/admin_tenant_name': value => $keystone_tenant;
       'DEFAULT/admin_user'       : value => $keystone_user;
-      'DEFAULT/admin_password'   : value => $keystone_password;
+      'DEFAULT/admin_password'   : value => $keystone_password, secret => true;
     }
   }
 

manifests/notify/qpid.pp

@@ -15,7 +15,7 @@ class glance::notify::qpid(
     'DEFAULT/qpid_port':         value => $qpid_port;
     'DEFAULT/qpid_protocol':     value => $qpid_protocol;
     'DEFAULT/qpid_username':     value => $qpid_username;
-    'DEFAULT/qpid_password':     value => $qpid_password;
+    'DEFAULT/qpid_password':     value => $qpid_password, secret => true;
   }
 
 }

manifests/notify/rabbitmq.pp

@@ -89,7 +89,7 @@ class glance::notify::rabbitmq(
   glance_api_config {
     'DEFAULT/notification_driver':          value => 'messaging';
     'DEFAULT/rabbit_virtual_host':          value => $rabbit_virtual_host;
-    'DEFAULT/rabbit_password':              value => $rabbit_password;
+    'DEFAULT/rabbit_password':              value => $rabbit_password, secret => true;
     'DEFAULT/rabbit_userid':                value => $rabbit_userid;
     'DEFAULT/rabbit_notification_exchange': value => $rabbit_notification_exchange;
     'DEFAULT/rabbit_notification_topic':    value => $rabbit_notification_topic;

manifests/registry.pp

@@ -192,7 +192,7 @@ class glance::registry(
       fail("Invalid db connection ${database_connection_real}")
     }
     glance_registry_config {
-      'database/connection':   value => $database_connection_real;
+      'database/connection':   value => $database_connection_real, secret => true;
       'database/idle_timeout': value => $database_idle_timeout_real;
     }
   }
@@ -245,7 +245,7 @@ class glance::registry(
     glance_registry_config {
       'keystone_authtoken/admin_tenant_name': value => $keystone_tenant;
       'keystone_authtoken/admin_user'       : value => $keystone_user;
-      'keystone_authtoken/admin_password'   : value => $keystone_password;
+      'keystone_authtoken/admin_password'   : value => $keystone_password, secret => true;
     }
   }
 

spec/classes/glance_api_spec.rb

@@ -115,6 +115,7 @@ describe 'glance::api' do
 
       it 'should config db' do
         should contain_glance_api_config('database/connection').with_value(param_hash[:database_connection])
+        should contain_glance_api_config('database/connection').with_value(param_hash[:database_connection]).with_secret(true)
         should contain_glance_api_config('database/idle_timeout').with_value(param_hash[:database_idle_timeout])
       end
 
@@ -138,12 +139,16 @@ describe 'glance::api' do
       it 'should configure itself for keystone if that is the auth_type' do
         if params[:auth_type] == 'keystone'
           should contain('paste_deploy/flavor').with_value('keystone+cachemanagement')
+
           ['admin_tenant_name', 'admin_user', 'admin_password'].each do |config|
             should contain_glance_api_config("keystone_authtoken/#{config}").with_value(param_hash[config.intern])
           end
+          should contain_glance_api_config('keystone_authtoken/admin_password').with_value(param_hash[:keystone_password]).with_secret(true)
+
           ['admin_tenant_name', 'admin_user', 'admin_password'].each do |config|
             should contain_glance_cache_config("keystone_authtoken/#{config}").with_value(param_hash[config.intern])
           end
+          should contain_glance_cache_config('keystone_authtoken/admin_password').with_value(param_hash[:keystone_password]).with_secret(true)
         end
       end
     end

spec/classes/glance_notify_qpid_spec.rb

@@ -18,6 +18,7 @@ describe 'glance::notify::qpid' do
     it { should contain_glance_api_config('DEFAULT/notifier_driver').with_value('qpid') }
     it { should contain_glance_api_config('DEFAULT/qpid_username').with_value('guest') }
     it { should contain_glance_api_config('DEFAULT/qpid_password').with_value('pass') }
+    it { should contain_glance_api_config('DEFAULT/qpid_password').with_value(params[:qpid_password]).with_secret(true) }
     it { should contain_glance_api_config('DEFAULT/qpid_hostname').with_value('localhost') }
     it { should contain_glance_api_config('DEFAULT/qpid_port').with_value('5672') }
     it { should contain_glance_api_config('DEFAULT/qpid_protocol').with_value('tcp') }

spec/classes/glance_notify_rabbitmq_spec.rb

@@ -16,6 +16,7 @@ describe 'glance::notify::rabbitmq' do
     end
     it { should contain_glance_api_config('DEFAULT/notification_driver').with_value('messaging') }
     it { should contain_glance_api_config('DEFAULT/rabbit_password').with_value('pass') }
+    it { should contain_glance_api_config('DEFAULT/rabbit_password').with_value(params[:rabbit_password]).with_secret(true) }
     it { should contain_glance_api_config('DEFAULT/rabbit_userid').with_value('guest') }
     it { should contain_glance_api_config('DEFAULT/rabbit_host').with_value('localhost') }
     it { should contain_glance_api_config('DEFAULT/rabbit_port').with_value('5672') }

spec/classes/glance_registry_spec.rb

@@ -112,6 +112,7 @@ describe 'glance::registry' do
           should contain_glance_registry_config("keystone_authtoken/admin_tenant_name").with_value(param_hash[:keystone_tenant])
           should contain_glance_registry_config("keystone_authtoken/admin_user").with_value(param_hash[:keystone_user])
           should contain_glance_registry_config("keystone_authtoken/admin_password").with_value(param_hash[:keystone_password])
+          should contain_glance_registry_config("keystone_authtoken/admin_password").with_value(param_hash[:keystone_password]).with_secret(true)
         end
       end
     end