From f87e93544ff7919df54b990b2e6e5b9e07479b67 Mon Sep 17 00:00:00 2001
From: Brent Eagles
Date: Mon, 8 Mar 2021 10:16:26 -0330
Subject: [PATCH] Do not log ssh keys by default
This patch adds a no_log clause to tasks that might dump ssh key information to the ansible logs on deployment. Logging can be re-enabled by setting hide_sensitive_logs to false.
Conflicts: tripleo_ansible/roles/octavia_undercloud/tasks/main.yml
Related-bug: #1918138
Change-Id: I89dccbac7c450b16956edf6a136aed6f4a21214d
(cherry picked from commit 06db51b27df1864078fa9950acb52e5976a3142c)
(cherry picked from commit fb2fd1a58bfbe216b630f276528b1f6d7addac76)
---
 .../octavia_undercloud/defaults/main.yml | 19 +++++++++++++++++++
 .../roles/octavia_undercloud/tasks/main.yml | 2 ++
 2 files changed, 21 insertions(+)
 create mode 100644 tripleo_ansible/roles/octavia_undercloud/defaults/main.yml
diff --git a/tripleo_ansible/roles/octavia_undercloud/defaults/main.yml b/tripleo_ansible/roles/octavia_undercloud/defaults/main.yml
new file mode 100644
index 000000000..599365d89
--- /dev/null
+++ b/tripleo_ansible/roles/octavia_undercloud/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should be placed in this file.
+octavia_undercloud_config_hide_sensitive_logs: "{{ hide_sensitive_logs | default(true) }}"
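Review bot: The new default `octavia_undercloud_config_hide_sensitive_logs` has no comment of its own, so a reader of defaults/main.yml cannot tell what it hides or that switching it off is meant as a debugging aid. A line directly above it such as `# When true (the default), tasks that handle the SSH key run with no_log; set hide_sensitive_logs to false only while debugging.` would record that. The value is a templated string, so any further consumer should keep the `| bool` cast that the two tasks in tasks/main.yml apply rather than testing the variable directly.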
diff --git a/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml b/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml
index f01128149..cfa3aabc3 100644
--- a/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml
+++ b/tripleo_ansible/roles/octavia_undercloud/tasks/main.yml
@@ -62,6 +62,7 @@
 - name: Set final key fact
 set_fact:
 amp_ssh_key_path_final: "{{ ssh_key_tmp_file.path }}"
+ no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
 when:
 - amp_ssh_key_path is not defined or ((amp_ssh_key_path | length) < 1)
@@ -69,6 +70,7 @@
 shell: |-
 openstack keypair show {{ amp_ssh_key_name }} || \
 openstack keypair create --public-key {{ amp_ssh_key_path_final }} {{ amp_ssh_key_name }}
+ no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
 environment:
 OS_USERNAME: "{{ auth_username }}"
 OS_PASSWORD: "{{ auth_password }}"
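Review bot: The `no_log` added to "Set final key fact" hides only the temp-file path stored in `amp_ssh_key_path_final`, not key material itself. The task that registers `ssh_key_tmp_file`, and any task that writes or reads the key, lie outside this hunk, and the commit message records a conflict in this file during the cherry-pick. It is worth confirming that every such task in the backported file carries the same `no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"` line, since the diffstat shows only two lines added here.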
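Review bot: `{{ amp_ssh_key_name }}` and `{{ amp_ssh_key_path_final }}` are interpolated into the `shell` block unquoted, so a value containing spaces or shell metacharacters changes the command that runs, and this hunk leaves that as it was. Passing them through the quote filter closes it: `openstack keypair show {{ amp_ssh_key_name | quote }} || \` and `openstack keypair create --public-key {{ amp_ssh_key_path_final | quote }} {{ amp_ssh_key_name | quote }}`. With `no_log` now true by default, a failure of this task is reported censored, so operators need to rerun with `hide_sensitive_logs` set to false to see the openstack error; a short comment above the `no_log` line saying so would help. The task's `- name:` line and the rest of its `environment` mapping are outside the hunk.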