Hide secrets from puppet logs

Currently secrets like rabbit_password or admin_password are laked puppet logs when changed. This commit changes designate_*_config and designate_*_ini types adding a new parameter that triggers obfuscation the values in puppet logs. Change-Id: I54e7c0bb27e46928db1a7f0125783c02d00d0e69 Closes-Bug: #1328448
2014-07-12 02:25:12 +02:00 · 2014-07-12 02:25:12 +02:00 · 3caedea97a
parent 060a01db1a
commit 3caedea97a
4 changed files with 26 additions and 3 deletions
--- a/lib/puppet/type/designate_config.rb
+++ b/lib/puppet/type/designate_config.rb
@ -14,6 +14,29 @@ Puppet::Type.newtype(:designate_config) do
      value.capitalize! if value =~ /^(true|false)$/i
      value
    end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
  end

+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
 end
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -46,7 +46,7 @@ class designate::api (
    'keystone_authtoken/auth_protocol'      : value => $keystone_protocol;
    'keystone_authtoken/admin_tenant_name'  : value => $keystone_tenant;
    'keystone_authtoken/admin_user'         : value => $keystone_user;
-    'keystone_authtoken/admin_password'     : value => $keystone_password;
+    'keystone_authtoken/admin_password'     : value => $keystone_password, secret => true;
  }

 }
--- a/manifests/db.pp
+++ b/manifests/db.pp
@ -25,7 +25,7 @@ class designate::db (
  }

  designate_config {
-    'storage:sqlalchemy/database_connection': value => $database_connection;
+    'storage:sqlalchemy/database_connection': value => $database_connection, secret => true;
  }

  Exec['designate-dbinit'] ~> Exec['designate-dbsync']
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -51,7 +51,7 @@ class designate(
    'DEFAULT/rabbit_port'            : value => $rabbit_port;
    'DEFAULT/rabbit_hosts'           : value => "${rabbit_host}:${rabbit_port}";
    'DEFAULT/rabbit_userid'          : value => $rabbit_userid;
-    'DEFAULT/rabbit_password'        : value => $rabbit_password;
+    'DEFAULT/rabbit_password'        : value => $rabbit_password, secret => true;
    'DEFAULT/rabbit_virtualhost'     : value => $rabbit_virtualhost;
  }