certificates: Passphrase parameters should be secret

Change-Id: I8eebb96b04c0b3b2fd330fcc4569d3cd05ec4604 (cherry picked from commit 3bcc79f125)
2024-02-26 10:18:24 +09:00 · 2024-02-26 10:18:24 +09:00 · 79d4df6248
parent 2c59039e8e
commit 79d4df6248
2 changed files with 6 additions and 5 deletions
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@ -131,8 +131,8 @@ class octavia::certificates (
    'certificates/endpoint_type'               : value => $endpoint_type;
    'certificates/ca_certificate'              : value => $ca_certificate;
    'certificates/ca_private_key'              : value => $ca_private_key;
-    'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase;
-    'certificates/ca_private_key_passphrase'   : value => $ca_private_key_passphrase;
+    'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase, secret => true;
+    'certificates/ca_private_key_passphrase'   : value => $ca_private_key_passphrase, secret => true;
    'certificates/signing_digest'              : value => $signing_digest;
    'certificates/cert_validity_time'          : value => $cert_validity_time;
    'controller_worker/client_ca'              : value => $client_ca_real;
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@ -14,7 +14,8 @@ describe 'octavia::certificates' do
        is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key').with_secret(true)
+        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>').with_secret(true)
        is_expected.to contain_octavia_config('certificates/signing_digest').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_octavia_config('certificates/cert_validity_time').with_value('<SERVICE DEFAULT>')
      end
@ -55,8 +56,8 @@ describe 'octavia::certificates' do
        is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
        is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
        is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
-        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key').with_secret(true)
+        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123').with_secret(true)
        is_expected.to contain_octavia_config('certificates/signing_digest').with_value('sha256')
        is_expected.to contain_octavia_config('certificates/cert_validity_time').with_value(2592000)
      end