Hide secrets from puppet logs
Currently, secrets such as rabbit_password or admin_password are leaked in Puppet logs when they change. This commit changes the designate_*_config and designate_*_ini types, adding a new parameter that triggers obfuscation of the values in Puppet logs. Change-Id: I54e7c0bb27e46928db1a7f0125783c02d00d0e69 Closes-Bug: #1328448
parent
060a01db1a
commit
3caedea97a
|
@ -14,6 +14,29 @@ Puppet::Type.newtype(:designate_config) do
|
|||
value.capitalize! if value =~ /^(true|false)$/i
|
||||
value
|
||||
end
|
||||
|
||||
def is_to_s( currentvalue )
|
||||
if resource.secret?
|
||||
return '[old secret redacted]'
|
||||
else
|
||||
return currentvalue
|
||||
end
|
||||
end
|
||||
|
||||
def should_to_s( newvalue )
|
||||
if resource.secret?
|
||||
return '[new secret redacted]'
|
||||
else
|
||||
return newvalue
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
newparam(:secret, :boolean => true) do
|
||||
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
|
||||
|
||||
newvalues(:true, :false)
|
||||
|
||||
defaultto false
|
||||
end
|
||||
end
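Review bot: The `is_to_s` / `should_to_s` overrides only redact the text of the change message, so the `desc` on the new `secret` parameter promises more than the visible code delivers. The `value` is still passed as an ordinary resource parameter by the manifests that set `secret => true` (the `designate::api`, `designate::db` and `designate` hunks), so it remains in the compiled catalog and in the written config file, and report events may still carry the raw old and new values depending on the Puppet version. I would state that scope in the description, e.g. `desc 'Whether to redact the value in Puppet change messages; the catalog and the config file still contain it. Defaults to false.'`, and confirm that stored catalogs and reports are access-restricted. The property block these methods sit in begins above the hunk.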
|
||||
|
|
|
@ -46,7 +46,7 @@ class designate::api (
|
|||
'keystone_authtoken/auth_protocol' : value => $keystone_protocol;
|
||||
'keystone_authtoken/admin_tenant_name' : value => $keystone_tenant;
|
||||
'keystone_authtoken/admin_user' : value => $keystone_user;
|
||||
'keystone_authtoken/admin_password' : value => $keystone_password;
|
||||
'keystone_authtoken/admin_password' : value => $keystone_password, secret => true;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -25,7 +25,7 @@ class designate::db (
|
|||
}
|
||||
|
||||
designate_config {
|
||||
'storage:sqlalchemy/database_connection': value => $database_connection;
|
||||
'storage:sqlalchemy/database_connection': value => $database_connection, secret => true;
|
||||
}
|
||||
|
||||
Exec['designate-dbinit'] ~> Exec['designate-dbsync']
|
||||
|
|
|
@ -51,7 +51,7 @@ class designate(
|
|||
'DEFAULT/rabbit_port' : value => $rabbit_port;
|
||||
'DEFAULT/rabbit_hosts' : value => "${rabbit_host}:${rabbit_port}";
|
||||
'DEFAULT/rabbit_userid' : value => $rabbit_userid;
|
||||
'DEFAULT/rabbit_password' : value => $rabbit_password;
|
||||
'DEFAULT/rabbit_password' : value => $rabbit_password, secret => true;
|
||||
'DEFAULT/rabbit_virtualhost' : value => $rabbit_virtualhost;
|
||||
}
|
||||
|
||||
|
|