Merge "Ensure key contents are hidden"

2022-07-15 20:37:56 +00:00 · 2022-07-15 20:37:56 +00:00 · f28e3c199b
parent bae793888d c76bfbe41f
commit f28e3c199b
3 changed files with 9 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -654,6 +654,7 @@ running as a standalone service, or httpd for being run by a httpd server")
          'group'     => $keystone_group,
          'mode'      => '0600',
          'replace'   => $fernet_replace_keys,
+          'show_diff' => false,
          'subscribe' => 'Anchor[keystone::install::end]',
          'tag'       => 'keystone-fernet-key',
        }
@ -690,6 +691,7 @@ running as a standalone service, or httpd for being run by a httpd server")
          'owner'     => $keystone_user,
          'group'     => $keystone_group,
          'mode'      => '0600',
+          'show_diff' => false,
          'subscribe' => 'Anchor[keystone::install::end]',
        }
      )
--- a/releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml
+++ b/releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml
@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Content of fernet keys and credential keys are now hidden from output, when
+    these files are updated.
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
@ -371,11 +371,13 @@ describe 'keystone' do
      it { is_expected.to contain_file('/etc/keystone/credential-keys/0').with(
        'content'   => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
        'owner'     => 'keystone',
+        :show_diff  => false,
        'subscribe' => 'Anchor[keystone::install::end]',
      )}
      it { is_expected.to contain_file('/etc/keystone/credential-keys/1').with(
        'content'   => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
        'owner'     => 'keystone',
+        :show_diff  => false,
        'subscribe' => 'Anchor[keystone::install::end]',
      )}
    end