From 8baf515b16344761a49f7b034d225113a2a97398 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 23 Sep 2021 22:18:40 +0900
Subject: [PATCH] The ha_vrrp_auth_password password should be secret

Change-Id: Ieaf1507ca63b2ab72c666f6e308a70c937524eb0
---
 lib/puppet/type/neutron_l3_agent_config.rb | 22 ++++++++++++++++++++++
 manifests/agents/l3.pp | 2 +-
 spec/classes/neutron_agents_l3_spec.rb | 2 +-
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/type/neutron_l3_agent_config.rb b/lib/puppet/type/neutron_l3_agent_config.rb
index 666f4c1db..86dbaeaaf 100644
--- a/lib/puppet/type/neutron_l3_agent_config.rb
+++ b/lib/puppet/type/neutron_l3_agent_config.rb
@@ -14,6 +14,28 @@ Puppet::Type.newtype(:neutron_l3_agent_config) do
 value.capitalize! if value =~ /^(true|false)$/i
 value
 end
+
+ def is_to_s( currentvalue )
+ if resource.secret?
+ return '[old secret redacted]'
+ else
+ return currentvalue
+ end
+ end
+
+ def should_to_s( newvalue )
+ if resource.secret?
+ return '[new secret redacted]'
+ else
+ return newvalue
+ end
+ end
+ end
+
+ newparam(:secret, :boolean => true) do
+ desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+ newvalues(:true, :false)
+ defaultto false
 end
 
 newparam(:ensure_absent_val) do
diff --git a/manifests/agents/l3.pp b/manifests/agents/l3.pp
index ea9c0e3f9..81806f43b 100644
--- a/manifests/agents/l3.pp
+++ b/manifests/agents/l3.pp
@@ -171,7 +171,7 @@ class neutron::agents::l3 (
 if $ha_enabled {
 neutron_l3_agent_config {
 'DEFAULT/ha_vrrp_auth_type': value => $ha_vrrp_auth_type;
- 'DEFAULT/ha_vrrp_auth_password': value => $ha_vrrp_auth_password;
+ 'DEFAULT/ha_vrrp_auth_password': value => $ha_vrrp_auth_password, secret => true;
 'DEFAULT/ha_vrrp_advert_int': value => $ha_vrrp_advert_int;
 }
 }
diff --git a/spec/classes/neutron_agents_l3_spec.rb b/spec/classes/neutron_agents_l3_spec.rb
index 81a4fc544..32283b9bf 100644
--- a/spec/classes/neutron_agents_l3_spec.rb
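Review bot: The redaction added in `is_to_s` / `should_to_s` in lib/puppet/type/neutron_l3_agent_config.rb has no test of its own in this commit. The diffstat lists only the class spec, and that spec checks that `secret => true` is passed, not that the value is hidden. A unit spec for the type that sets `secret => true` and asserts the two methods return `'[old secret redacted]'` and `'[new secret redacted]'` would pin the behaviour, including the `defaultto false` case where the value is returned unchanged. These methods only shape the change message, so the password presumably still sits in plaintext in the compiled catalog. A comment beside the new parameter such as `# Redacts change-log output only; the value is still present in the catalog` would keep the scope clear. The enclosing property block starts outside the hunk.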
+++ b/spec/classes/neutron_agents_l3_spec.rb
@@ -110,7 +110,7 @@ describe 'neutron::agents::l3' do
 end
 it 'should configure VRRP' do
 should contain_neutron_l3_agent_config('DEFAULT/ha_vrrp_auth_type').with_value(p[:ha_vrrp_auth_type])
- should contain_neutron_l3_agent_config('DEFAULT/ha_vrrp_auth_password').with_value(p[:ha_vrrp_auth_password])
+ should contain_neutron_l3_agent_config('DEFAULT/ha_vrrp_auth_password').with_value(p[:ha_vrrp_auth_password]).with_secret(true)
 should contain_neutron_l3_agent_config('DEFAULT/ha_vrrp_advert_int').with_value(p[:ha_vrrp_advert_int])
 end
 end