Ensure key contents are hidden

By default, the file resource shows differences when the file changes.
This change disables that for the key files so that key contents are
not displayed in output.

Closes-Bug: #1979672
Change-Id: Ic0398cfbb14782ce16710a838e5428be50f2a0b3
(cherry picked from commit c76bfbe41f)
(cherry picked from commit 6a0ca3f0f5)

manifests/init.pp

@@ -716,6 +716,7 @@ running as a standalone service, or httpd for being run by a httpd server")
           'group'     => $keystone_group,
           'mode'      => '0600',
           'replace'   => $fernet_replace_keys,
+          'show_diff' => false,
           'subscribe' => 'Anchor[keystone::install::end]',
           'tag'       => 'keystone-fernet-key',
         }
@@ -752,6 +753,7 @@ running as a standalone service, or httpd for being run by a httpd server")
           'owner'     => $keystone_user,
           'group'     => $keystone_group,
           'mode'      => '0600',
+          'show_diff' => false,
           'subscribe' => 'Anchor[keystone::install::end]',
         }
       )

releasenotes/notes/bug-1979672-003a5939f3bd6f67.yaml

@@ -0,0 +1,5 @@
+---
+security:
+  - |
+    Content of fernet keys and credential keys are now hidden from output, when
+    these files are updated.

spec/classes/keystone_init_spec.rb

@@ -373,11 +373,13 @@ describe 'keystone' do
       it { is_expected.to contain_file('/etc/keystone/credential-keys/0').with(
         'content'   => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
         'owner'     => 'keystone',
+        :show_diff  => false,
         'subscribe' => 'Anchor[keystone::install::end]',
       )}
       it { is_expected.to contain_file('/etc/keystone/credential-keys/1').with(
         'content'   => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
         'owner'     => 'keystone',
+        :show_diff  => false,
         'subscribe' => 'Anchor[keystone::install::end]',
       )}
     end