From be6c690370cd6454f2c01e1b9d9ae7f644b02feb Mon Sep 17 00:00:00 2001
From: Manoel Benedito Neto
Date: Mon, 13 Feb 2023 12:46:15 -0300
Subject: [PATCH] Mask credentials in puppet log files

This commit masks the credentials used in crictl pull command, logged and executed by puppet to pull images from registry.

Wrapping the data type of local_registry_auth variable as Sensitive, protects from exposing the registry credentials in log files.

Test Plan:
PASS: Deploy a DX system with the wrong credentials addressed to the $local_registry_auth and observe in the puppet logs from Controller-1, the exec commands are logged with Sensitive [redacted] where it would have the credentials to the registry.
PASS: Deploy a DX system with the correct credentials addressed to the $local_registry_auth and observe the system successfully being available.

Closes-Bug: 2008726
Signed-off-by: Manoel Benedito Neto
Change-Id: I831e65ad948e62c346f56f5e9c7587e4dbdcd29f
---
 .../src/modules/platform/manifests/kubernetes.pp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
index 96004cd64..273b6bc49 100644
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@@ -328,7 +328,7 @@ class platform::kubernetes::master::init
   # This flag is created by Ansible on controller-0;
   # - Ansible replay is not impacted by flag creation.
 
-  $local_registry_auth = "${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}" # lint:ignore:140chars
+  $local_registry_auth = Sensitive("${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}") # lint:ignore:140chars
   $software_version = $::platform::params::software_version
 
   exec { 'pre pull k8s images':
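Review bot: Wrapping `$local_registry_auth` in `Sensitive(...)` only changes the variable; the exec commands that consume it still interpolate it into a plain String (`--creds ${local_registry_auth}` in the hunks at -460 and -725, and presumably the pull following -866, which lies outside that hunk). Whether such an interpolation yields the literal text `Sensitive [value redacted]` or a Sensitive String depends on the Puppet agent version, so the redaction observed in the log on an older agent could also be the value handed to crictl; the test plan as written does not separate the two cases. The explicit form is to unwrap inside a Sensitive-wrapped command, `command => Sensitive("... | xargs -i crictl pull --creds ${local_registry_auth.unwrap} {}"),`, which keeps the log redacted and the real credential in the executed command (exec accepts a Sensitive `command` on current Puppet releases; confirm the agent version shipped here). The same point applies to all four hunks; `class platform::kubernetes::master::init` begins and continues outside this hunk.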
@@ -460,7 +460,7 @@ class platform::kubernetes::worker::init
   # kubeadm config images list does not use the --kubeconfig argument
   # and admin.conf will not exist on a pure worker, and kubelet.conf will not
   # exist until after a join.
-  $local_registry_auth = "${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}" # lint:ignore:140chars
+  $local_registry_auth = Sensitive("${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}") # lint:ignore:140chars
   exec { 'load k8s pause image by containerd':
     # splitting this command over multiple lines appears to break puppet-lint
     command => "kubeadm config images list --kubernetes-version ${version} --image-repository=registry.local:9001/k8s.gcr.io 2>/dev/null | grep k8s.gcr.io/pause: | xargs -i crictl pull --creds ${local_registry_auth} {}", # lint:ignore:140chars
@@ -725,7 +725,7 @@ class platform::kubernetes::pre_pull_control_plane_images
   # Update kubeadm bindmount if needed
   require platform::kubernetes::bindmounts
 
-  $local_registry_auth = "${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}" # lint:ignore:140chars
+  $local_registry_auth = Sensitive("${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}") # lint:ignore:140chars
 
   exec { 'pre pull images':
     command => "kubeadm --kubeconfig=/etc/kubernetes/admin.conf config images list --kubernetes-version ${upgrade_to_version} --image-repository=registry.local:9001/k8s.gcr.io | xargs -i crictl pull --creds ${local_registry_auth} {}", # lint:ignore:140chars
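Review bot: Even with the Puppet log redacted, both execs on this line (`'load k8s pause image by containerd'` and `'pre pull images'`) still pass the credential as a command-line argument, `crictl pull --creds ${local_registry_auth}`, so for the duration of each pull the `user:password` pair is readable from the process list by any local user on the node. If containerd's registry host configuration or a credential file is usable for `registry.local:9001` on these hosts, supplying the credential that way would remove it from both the log and the process listing. Until then a short `# NOTE: --creds is visible in the process list while the pull runs` on each exec would stop the Sensitive wrapping from being read as complete masking. The enclosing classes `worker::init` and `pre_pull_control_plane_images` begin and end outside these hunks.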
@@ -866,7 +866,7 @@ class platform::kubernetes::worker::upgrade_kubelet
   include ::platform::dockerdistribution::params
 
   # workers use kubelet.conf rather than admin.conf
-  $local_registry_auth = "${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}" # lint:ignore:140chars
+  $local_registry_auth = Sensitive("${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}") # lint:ignore:140chars
   $kubelet_version = $::platform::kubernetes::params::kubelet_version
 
   # Pull the pause image tag from kubeadm required images list for this version
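Review bot: This is the fourth copy of the identical `Sensitive("${...registry_username}:${...registry_password}")` expression (also at -328, -460 and -725), each carrying its own `# lint:ignore:140chars`. Since this class already does `include ::platform::dockerdistribution::params`, defining the wrapped value once in that params class, e.g. `$local_registry_auth = Sensitive("${registry_username}:${registry_password}")`, and referencing `$::platform::dockerdistribution::params::local_registry_auth` at each site would keep the masking decision in one place and bring these lines under the lint limit. `class platform::kubernetes::worker::upgrade_kubelet` begins and continues outside this hunk.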