From 06db51b27df1864078fa9950acb52e5976a3142c Mon Sep 17 00:00:00 2001
From: Brent Eagles
Date: Mon, 8 Mar 2021 10:16:26 -0330
Subject: [PATCH] Do not log ssh keys by default

This patch adds a no_log clause to tasks that might dump ssh key information to the ansible logs on deployment. Logging can be re-enabled by setting hide_sensitive_logs to false.

Related-bug: #1918138
Change-Id: I89dccbac7c450b16956edf6a136aed6f4a21214d
---
.../octavia_undercloud/defaults/main.yml | 19 +++++++++++++++++++
.../roles/octavia_undercloud/tasks/main.yml | 3 +++
2 files changed, 22 insertions(+)
create mode 100644 tripleo_ansible/roles/octavia_undercloud/defaults/main.yml
diff --git a/tripleo_ansible/roles/octavia_undercloud/defaults/main.yml b/tripleo_ansible/roles/octavia_undercloud/defaults/main.yml
new file mode 100644
index 000000000..599365d89
--- /dev/null
+++ b/tripleo_ansible/roles/octavia_undercloud/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should be placed in this file.
+octavia_undercloud_config_hide_sensitive_logs: "{{ hide_sensitive_logs | default(true) }}"
diff --git a/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml b/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml
index f88fee562..7377db914 100644
--- a/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml
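Review bot: The new default `octavia_undercloud_config_hide_sensitive_logs` in defaults/main.yml has no comment saying what it gates or which value is the safe one. I would add two lines above it: `# When true (the default), tasks that handle the SSH key run with no_log.` and `# Set hide_sensitive_logs to false only while debugging; those task results are then written to the ansible log.` The value arrives through a template and `hide_sensitive_logs` may be supplied as a string, so the comment could also say that every use should keep the `| bool` cast that tasks/main.yml applies.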
+++ b/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml @@ -62,6 +62,7 @@ - name: Set final key fact set_fact: amp_ssh_key_path_final: "{{ ssh_key_tmp_file.path }}" + no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}" when: - amp_ssh_key_path is not defined or ((amp_ssh_key_path | length) < 1) @@ -69,6 +70,7 @@ shell: | set -o pipefail ssh-keygen -E md5 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }' | cut -c 5- + no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}" register: ssh_keygen_results - name: Create keypair @@ -76,6 +78,7 @@ state: present name: "{{ amp_ssh_key_name }}" public_key_file: "{{ amp_ssh_key_path_final }}" + no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}" register: keypair_fingerprint environment: OS_USERNAME: "{{ auth_username }}"
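Review bot: In the hunk at -69, `{{ amp_ssh_key_path_final }}` is interpolated into the `shell:` script unquoted, so a path containing spaces or shell metacharacters changes the command that runs, and the added `no_log` would keep that out of the log as well. Pass the value through the quote filter: `ssh-keygen -E md5 -lf {{ amp_ssh_key_path_final | quote }} | awk '{ print $2 }' | cut -c 5-`. The preceding hunk only shows the temp-file branch of the fact, so the value presumably can also come from the operator-supplied `amp_ssh_key_path`. The task's `- name:` line sits above the hunk.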
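Review bot: `no_log` on the Create keypair task in the hunk at -76, and on the fingerprint task in the hunk at -69, only suppresses each task's own result; `keypair_fingerprint` and `ssh_keygen_results` stay ordinary registered variables. Any later task that prints or compares them (none is visible in these hunks) needs the same clause, `no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"`. A short comment here should also record that `no_log` does not apply to output produced when Ansible runs with `ANSIBLE_DEBUG` enabled, so the toggle is not the only way this data can reach a log. The task continues past the end of the hunk, inside the `environment:` block.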