Merge "Hide secrets from puppet logs"

Jenkins · openstack-gerrit · commit 02322492a7bb · 2014-08-11T17:11:42.000Z
diff --git a/lib/puppet/type/neutron_api_config.rb b/lib/puppet/type/neutron_api_config.rb
@@ -14,5 +14,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
   end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+
 end
diff --git a/lib/puppet/type/neutron_config.rb b/lib/puppet/type/neutron_config.rb
@@ -14,6 +14,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
   end
 
   def create
diff --git a/lib/puppet/type/neutron_metadata_agent_config.rb b/lib/puppet/type/neutron_metadata_agent_config.rb
@@ -14,5 +14,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
   end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+
 end
diff --git a/lib/puppet/type/neutron_plugin_cisco.rb b/lib/puppet/type/neutron_plugin_cisco.rb
@@ -18,5 +18,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
   end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+
 end
diff --git a/lib/puppet/type/neutron_plugin_cisco_credentials.rb b/lib/puppet/type/neutron_plugin_cisco_credentials.rb
@@ -18,5 +18,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
+  end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+
   end
 end
diff --git a/lib/puppet/type/neutron_plugin_nvp.rb b/lib/puppet/type/neutron_plugin_nvp.rb
@@ -14,5 +14,30 @@
       value.capitalize! if value =~ /^(true|false)$/i
       value
     end
+
+    def is_to_s( currentvalue )
+      if resource.secret?
+        return '[old secret redacted]'
+      else
+        return currentvalue
+      end
+    end
+
+    def should_to_s( newvalue )
+      if resource.secret?
+        return '[new secret redacted]'
+      else
+        return newvalue
+      end
+    end
   end
+
+  newparam(:secret, :boolean => true) do
+    desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
+
+    newvalues(:true, :false)
+
+    defaultto false
+  end
+
 end
diff --git a/manifests/agents/metadata.pp b/manifests/agents/metadata.pp
@@ -92,7 +92,7 @@
     'DEFAULT/auth_region':                    value => $auth_region;
     'DEFAULT/admin_tenant_name':              value => $auth_tenant;
     'DEFAULT/admin_user':                     value => $auth_user;
-    'DEFAULT/admin_password':                 value => $auth_password;
+    'DEFAULT/admin_password':                 value => $auth_password, secret => true;
     'DEFAULT/nova_metadata_ip':               value => $metadata_ip;
     'DEFAULT/nova_metadata_port':             value => $metadata_port;
     'DEFAULT/metadata_proxy_shared_secret':   value => $shared_secret;
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -363,7 +363,7 @@
 
     neutron_config {
       'DEFAULT/rabbit_userid':       value => $rabbit_user;
-      'DEFAULT/rabbit_password':     value => $rabbit_password;
+      'DEFAULT/rabbit_password':     value => $rabbit_password, secret => true;
       'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
       'DEFAULT/rabbit_use_ssl':      value => $rabbit_use_ssl;
     }
@@ -391,7 +391,7 @@
       'DEFAULT/qpid_hostname':               value => $qpid_hostname;
       'DEFAULT/qpid_port':                   value => $qpid_port;
       'DEFAULT/qpid_username':               value => $qpid_username;
-      'DEFAULT/qpid_password':               value => $qpid_password;
+      'DEFAULT/qpid_password':               value => $qpid_password, secret => true;
       'DEFAULT/qpid_heartbeat':              value => $qpid_heartbeat;
       'DEFAULT/qpid_protocol':               value => $qpid_protocol;
       'DEFAULT/qpid_tcp_nodelay':            value => $qpid_tcp_nodelay;
diff --git a/manifests/plugins/cisco.pp b/manifests/plugins/cisco.pp
@@ -164,7 +164,7 @@
 
   neutron_plugin_cisco_credentials {
     'keystone/username': value => $keystone_username;
-    'keystone/password': value => $keystone_password;
+    'keystone/password': value => $keystone_password, secret => true;
     'keystone/auth_url': value => $keystone_auth_url;
     'keystone/tenant'  : value => $keystone_tenant;
   }
diff --git a/manifests/plugins/nvp.pp b/manifests/plugins/nvp.pp
@@ -48,7 +48,7 @@
     'DEFAULT/default_tz_uuid': value => $default_tz_uuid;
     'DEFAULT/nvp_controllers': value => join($nvp_controllers, ',');
     'DEFAULT/nvp_user':        value => $nvp_user;
-    'DEFAULT/nvp_password':    value => $nvp_password;
+    'DEFAULT/nvp_password':    value => $nvp_password, secret => true;
     'nvp/metadata_mode':       value => 'access_network';
   }
 
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -272,7 +272,7 @@
     'DEFAULT/api_workers':             value => $api_workers;
     'DEFAULT/agent_down_time':         value => $agent_down_time;
     'DEFAULT/router_scheduler_driver': value => $router_scheduler_driver;
-    'database/connection':             value => $database_connection_real;
+    'database/connection':             value => $database_connection_real, secret => true;
     'database/idle_timeout':           value => $database_idle_timeout_real;
     'database/retry_interval':         value => $database_retry_interval_real;
     'database/max_retries':            value => $database_max_retries_real;
@@ -303,7 +303,7 @@
         'keystone_authtoken/auth_protocol':     value => $auth_protocol;
         'keystone_authtoken/admin_tenant_name': value => $auth_tenant;
         'keystone_authtoken/admin_user':        value => $auth_user;
-        'keystone_authtoken/admin_password':    value => $auth_password;
+        'keystone_authtoken/admin_password':    value => $auth_password, secret => true;
       }
 
       neutron_api_config {
@@ -312,7 +312,7 @@
         'filter:authtoken/auth_protocol':     value => $auth_protocol;
         'filter:authtoken/admin_tenant_name': value => $auth_tenant;
         'filter:authtoken/admin_user':        value => $auth_user;
-        'filter:authtoken/admin_password':    value => $auth_password;
+        'filter:authtoken/admin_password':    value => $auth_password, secret => true;
       }
 
       if $auth_admin_prefix {
diff --git a/manifests/server/notifications.pp b/manifests/server/notifications.pp
@@ -91,7 +91,7 @@
     'DEFAULT/nova_url':                           value => $nova_url;
     'DEFAULT/nova_admin_auth_url':                value => $nova_admin_auth_url;
     'DEFAULT/nova_admin_username':                value => $nova_admin_username;
-    'DEFAULT/nova_admin_password':                value => $nova_admin_password;
+    'DEFAULT/nova_admin_password':                value => $nova_admin_password, secret => true;
     'DEFAULT/nova_region_name':                   value => $nova_region_name;
   }
 
diff --git a/spec/classes/neutron_agents_metadata_spec.rb b/spec/classes/neutron_agents_metadata_spec.rb
@@ -55,6 +55,7 @@
       should contain_neutron_metadata_agent_config('DEFAULT/admin_tenant_name').with(:value => params[:auth_tenant])
       should contain_neutron_metadata_agent_config('DEFAULT/admin_user').with(:value => params[:auth_user])
       should contain_neutron_metadata_agent_config('DEFAULT/admin_password').with(:value => params[:auth_password])
+      should contain_neutron_metadata_agent_config('DEFAULT/admin_password').with_secret( true )
       should contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_ip').with(:value => params[:metadata_ip])
       should contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_port').with(:value => params[:metadata_port])
       should contain_neutron_metadata_agent_config('DEFAULT/metadata_workers').with(:value => params[:metadata_workers])
diff --git a/spec/classes/neutron_init_spec.rb b/spec/classes/neutron_init_spec.rb
@@ -97,6 +97,7 @@
     it 'configures credentials for rabbit' do
       should contain_neutron_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_user] )
       should contain_neutron_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
+      should contain_neutron_config('DEFAULT/rabbit_password').with_secret( true )
       should contain_neutron_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
     end
 
diff --git a/spec/classes/neutron_plugins_cisco_spec.rb b/spec/classes/neutron_plugins_cisco_spec.rb
@@ -105,6 +105,7 @@ class { 'neutron': rabbit_password => 'passw0rd' }"
         with_value(params[:keystone_username])
       should contain_neutron_plugin_cisco_credentials('keystone/password').\
         with_value(params[:keystone_password])
+      should contain_neutron_plugin_cisco_credentials('keystone/password').with_secret( true )
       should contain_neutron_plugin_cisco_credentials('keystone/auth_url').\
         with_value(params[:keystone_auth_url])
       should contain_neutron_plugin_cisco_credentials('keystone/tenant').\
diff --git a/spec/classes/neutron_plugins_nvp_spec.rb b/spec/classes/neutron_plugins_nvp_spec.rb
@@ -58,6 +58,7 @@
       should contain_neutron_plugin_nvp('DEFAULT/nvp_controllers').with_value(p[:nvp_controllers].join(','))
       should contain_neutron_plugin_nvp('DEFAULT/nvp_user').with_value(p[:nvp_user])
       should contain_neutron_plugin_nvp('DEFAULT/nvp_password').with_value(p[:nvp_password])
+      should contain_neutron_plugin_nvp('DEFAULT/nvp_password').with_secret( true )
       should_not contain_neutron_plugin_nvp('DEFAULT/default_l3_gw_service_uuid').with_value(p[:default_l3_gw_service_uuid])
     end
 
diff --git a/spec/classes/neutron_server_notifications_spec.rb b/spec/classes/neutron_server_notifications_spec.rb
@@ -53,6 +53,7 @@
             should contain_neutron_config('DEFAULT/nova_admin_auth_url').with_value('http://127.0.0.1:35357/v2.0')
             should contain_neutron_config('DEFAULT/nova_admin_username').with_value('nova')
             should contain_neutron_config('DEFAULT/nova_admin_password').with_value('secrete')
+            should contain_neutron_config('DEFAULT/nova_admin_password').with_secret( true )
             should contain_neutron_config('DEFAULT/nova_region_name').with_value('RegionOne')
             should contain_neutron_config('DEFAULT/nova_admin_tenant_id').with_value('UUID')
         end
@@ -78,6 +79,7 @@
                 should contain_neutron_config('DEFAULT/nova_admin_auth_url').with_value('http://keystone:35357/v2.0')
                 should contain_neutron_config('DEFAULT/nova_admin_username').with_value('joe')
                 should contain_neutron_config('DEFAULT/nova_admin_password').with_value('secrete')
+                should contain_neutron_config('DEFAULT/nova_admin_password').with_secret( true )
                 should contain_neutron_config('DEFAULT/nova_region_name').with_value('MyRegion')
                 should contain_neutron_config('DEFAULT/nova_admin_tenant_id').with_value('UUID2')
             end
diff --git a/spec/classes/neutron_server_spec.rb b/spec/classes/neutron_server_spec.rb
@@ -37,6 +37,7 @@
 
     it 'should perform default database configuration of' do
       should contain_neutron_config('database/connection').with_value(p[:database_connection])
+      should contain_neutron_config('database/connection').with_secret( true )
       should contain_neutron_config('database/max_retries').with_value(p[:database_max_retries])
       should contain_neutron_config('database/idle_timeout').with_value(p[:database_idle_timeout])
       should contain_neutron_config('database/retry_interval').with_value(p[:database_retry_interval])
@@ -50,6 +51,7 @@
       should contain_neutron_api_config('filter:authtoken/admin_tenant_name').with_value(p[:auth_tenant]);
       should contain_neutron_api_config('filter:authtoken/admin_user').with_value(p[:auth_user]);
       should contain_neutron_api_config('filter:authtoken/admin_password').with_value(p[:auth_password]);
+      should contain_neutron_api_config('filter:authtoken/admin_password').with_secret( true )
       should contain_neutron_api_config('filter:authtoken/auth_admin_prefix').with(:ensure => 'absent')
       should contain_neutron_api_config('filter:authtoken/auth_uri').with_value("http://localhost:5000/");
     end

Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,7 @@`
`164`	`164`
`165`	`165`	`neutron_plugin_cisco_credentials {`
`166`	`166`	`'keystone/username': value => $keystone_username;`
`167`		`- 'keystone/password': value => $keystone_password;`
	`167`	`+ 'keystone/password': value => $keystone_password, secret => true;`
`168`	`168`	`'keystone/auth_url': value => $keystone_auth_url;`
`169`	`169`	`'keystone/tenant' : value => $keystone_tenant;`
`170`	`170`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@`
`48`	`48`	`'DEFAULT/default_tz_uuid': value => $default_tz_uuid;`
`49`	`49`	`'DEFAULT/nvp_controllers': value => join($nvp_controllers, ',');`
`50`	`50`	`'DEFAULT/nvp_user': value => $nvp_user;`
`51`		`- 'DEFAULT/nvp_password': value => $nvp_password;`
	`51`	`+ 'DEFAULT/nvp_password': value => $nvp_password, secret => true;`
`52`	`52`	`'nvp/metadata_mode': value => 'access_network';`
`53`	`53`	`}`
`54`	`54`