From c96176e503ba8c7cdcfb8c72bfe8c5a6b8f3a7e7 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Tue, 14 May 2024 16:24:24 +0200
Subject: [PATCH] Pass secrets as sensitive data types to katello/candlepin

katello/candlepin 12.2.0 introduced support for Sensitive and this utilizes it. This allows Puppet to better avoid logging passwords.
---
 manifests/candlepin.pp | 6 +++---
 manifests/init.pp | 8 ++++----
 manifests/params.pp | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
index 4db6e9a6..589bb6c0 100644
--- a/manifests/candlepin.pp
+++ b/manifests/candlepin.pp
@@ -29,7 +29,7 @@
 Optional[Stdlib::Port] $db_port = undef,
 String $db_name = 'candlepin',
 String $db_user = 'candlepin',
- Optional[String] $db_password = undef,
+ Variant[Undef, Sensitive[String], String] $db_password = undef,
 Boolean $db_ssl = false,
 Boolean $db_ssl_verify = true,
 Optional[Stdlib::Absolutepath] $db_ssl_ca = undef,
@@ -54,9 +54,9 @@
 ca_key => $certs::candlepin::ca_key,
 ca_cert => $certs::candlepin::ca_cert,
 keystore_file => $certs::candlepin::keystore,
- keystore_password => $certs::candlepin::keystore_password,
+ keystore_password => Sensitive($certs::candlepin::keystore_password),
 truststore_file => $certs::candlepin::truststore,
- truststore_password => $certs::candlepin::truststore_password,
+ truststore_password => Sensitive($certs::candlepin::truststore_password),
 artemis_client_dn => $artemis_client_dn,
 java_home => '/usr/lib/jvm/jre-17',
 java_package => 'java-17-openjdk',
diff --git a/manifests/init.pp b/manifests/init.pp
index 822da21a..825bf8b8 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
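Review bot: In the first manifests/candlepin.pp hunk, the new `$db_password` type wraps an unconstrained `Sensitive[String]`, while the matching `$candlepin_db_password` in the first manifests/init.pp hunk uses `Sensitive[String[1]]` next to a plain `String`, so the two classes disagree on whether an empty wrapped password is valid. Using one form in both places, for example `Variant[Undef, Sensitive[String[1]], String[1]]` if empty passwords are not meant to be accepted, would keep the interfaces in step. Because the plain `String` arm is still accepted, the value is only redacted when a caller or the class wraps it; the line that forwards `$db_password` is outside this hunk and worth checking. The `@param db_password` documentation, also outside the hunk, could state that a Sensitive value is preferred.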
@@ -45,7 +45,7 @@
 Optional[Stdlib::Port] $candlepin_db_port = undef,
 String $candlepin_db_name = 'candlepin',
 String $candlepin_db_user = 'candlepin',
- Optional[String] $candlepin_db_password = undef,
+ Variant[Undef, Sensitive[String[1]], String] $candlepin_db_password = undef,
 Boolean $candlepin_db_ssl = false,
 Boolean $candlepin_db_ssl_verify = true,
 Optional[Stdlib::Absolutepath] $candlepin_db_ssl_ca = undef,
@@ -55,8 +55,8 @@
 Integer[0] $hosts_queue_workers = 1,
 ) {
 class { 'katello::params':
- candlepin_oauth_key => $candlepin_oauth_key,
- candlepin_oauth_secret => $candlepin_oauth_secret,
+ candlepin_oauth_key => Sensitive($candlepin_oauth_key),
+ candlepin_oauth_secret => Sensitive($candlepin_oauth_secret),
 }

 if $katello::params::meta_package != '' {
@@ -75,7 +75,7 @@
 db_port => $candlepin_db_port,
 db_name => $candlepin_db_name,
 db_user => $candlepin_db_user,
- db_password => $candlepin_db_password,
+ db_password => if $candlepin_db_password { Sensitive($candlepin_db_password) } else { $candlepin_db_password },
 db_ssl => $candlepin_db_ssl,
 db_ssl_verify => $candlepin_db_ssl_verify,
 db_ssl_ca => $candlepin_db_ssl_ca,
diff --git a/manifests/params.pp b/manifests/params.pp
index fca56663..a7d754e3 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -19,8 +19,8 @@
 # @param postgresql_evr_package
 # The contextual package name for the PostgreSQL EVR extension
 class katello::params (
- String[1] $candlepin_oauth_key = $katello::globals::candlepin_oauth_key,
- String[1] $candlepin_oauth_secret = $katello::globals::candlepin_oauth_secret,
+ Variant[Sensitive[String[1], String[1]]] $candlepin_oauth_key = $katello::globals::candlepin_oauth_key,
+ Variant[Sensitive[String[1], String[1]]] $candlepin_oauth_secret = $katello::globals::candlepin_oauth_secret,
 Stdlib::Host $candlepin_host = 'localhost',
 Stdlib::Port $candlepin_port = 23443,
 Stdlib::HTTPSUrl $candlepin_url = "https://${candlepin_host}:${candlepin_port}/candlepin",
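Review bot: The two `Sensitive(...)` calls in the `class { 'katello::params': ... }` block of manifests/init.pp wrap unconditionally, unlike the `db_password` line in the next hunk, which guards against undef. The declarations of `$candlepin_oauth_key` and `$candlepin_oauth_secret` are outside this hunk; if they can be undef so that katello::params falls back to its `$katello::globals::...` defaults, a wrapped undef is no longer undef, so the default would presumably not apply and the value would not satisfy the `String[1]` inner type. If so, guard these the same way as `db_password`, or make the parameters non-optional. Consumers of `$katello::params::candlepin_oauth_secret` are not part of this diff and should be checked to confirm they unwrap the value before it is interpolated or rendered into a template.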
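Review bot: The inline `if ... { ... } else { ... }` used as the `db_password` value in the third manifests/init.pp hunk is hard to read inside the attribute list, and given the declared type its else branch can only ever pass undef through. Resolving it once into a local variable above the resource declaration, e.g. `$_candlepin_db_password = if $candlepin_db_password { Sensitive($candlepin_db_password) } else { undef }`, and then passing `db_password => $_candlepin_db_password,` would state the intent directly. A short comment such as `# keep undef unwrapped so katello::candlepin's undef default still applies` would explain why the guard exists. The resource declaration starts and ends outside this hunk, so the variable has to be placed before its opening line.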
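Review bot: Both new parameter types in manifests/params.pp have a misplaced bracket: `Variant[Sensitive[String[1], String[1]]]` is a one-member Variant whose `Sensitive` is given two type arguments, not a choice between a wrapped and a plain string. The intended form is presumably `Variant[Sensitive[String[1]], String[1]]` for both `$candlepin_oauth_key` and `$candlepin_oauth_secret`. As written, the defaults taken from `$katello::globals::...` (declared outside this diff, so assumed to be plain strings) would not match the type, if the expression is accepted at all. A catalog compile test that exercises the defaults would catch this.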