Mask credentials in puppet log files

This commit masks the credentials used in the crictl pull command that
puppet logs and executes to pull images from the registry. Wrapping the
local_registry_auth variable in the Sensitive data type prevents the
registry credentials from being exposed in log files.

Test Plan:
PASS: Deploy a DX system with the wrong credentials addressed to the
      $local_registry_auth and observe in the puppet logs from
      Controller-1, the exec commands are logged with Sensitive
      [redacted] where it would have the credentials to the registry.
PASS: Deploy a DX system with the correct credentials addressed to the
      $local_registry_auth and observe the system successfully being
      available.

Closes-Bug: 2008726
Signed-off-by: Manoel Benedito Neto <manoel.beneditoneto@windriver.com>
Change-Id: I831e65ad948e62c346f56f5e9c7587e4dbdcd29f
Manoel Benedito Neto 2023-02-13 12:46:15 -03:00
parent 43287c61bb
commit be6c690370


@ -328,7 +328,7 @@ class platform::kubernetes::master::init
# This flag is created by Ansible on controller-0;
# - Ansible replay is not impacted by flag creation.
$local_registry_auth = "${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}" # lint:ignore:140chars
$local_registry_auth = Sensitive("${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}") # lint:ignore:140chars
$software_version = $::platform::params::software_version
exec { 'pre pull k8s images':
@ -460,7 +460,7 @@ class platform::kubernetes::worker::init
# kubeadm config images list does not use the --kubeconfig argument
# and admin.conf will not exist on a pure worker, and kubelet.conf will not
# exist until after a join.
$local_registry_auth = "${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}" # lint:ignore:140chars
$local_registry_auth = Sensitive("${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}") # lint:ignore:140chars
exec { 'load k8s pause image by containerd':
# splitting this command over multiple lines appears to break puppet-lint
command => "kubeadm config images list --kubernetes-version ${version} --image-repository=registry.local:9001/k8s.gcr.io 2>/dev/null | grep k8s.gcr.io/pause: | xargs -i crictl pull --creds ${local_registry_auth} {}", # lint:ignore:140chars
@ -725,7 +725,7 @@ class platform::kubernetes::pre_pull_control_plane_images
# Update kubeadm bindmount if needed
require platform::kubernetes::bindmounts
$local_registry_auth = "${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}" # lint:ignore:140chars
$local_registry_auth = Sensitive("${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}") # lint:ignore:140chars
exec { 'pre pull images':
command => "kubeadm --kubeconfig=/etc/kubernetes/admin.conf config images list --kubernetes-version ${upgrade_to_version} --image-repository=registry.local:9001/k8s.gcr.io | xargs -i crictl pull --creds ${local_registry_auth} {}", # lint:ignore:140chars
@ -866,7 +866,7 @@ class platform::kubernetes::worker::upgrade_kubelet
include ::platform::dockerdistribution::params
# workers use kubelet.conf rather than admin.conf
$local_registry_auth = "${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}" # lint:ignore:140chars
$local_registry_auth = Sensitive("${::platform::dockerdistribution::params::registry_username}:${::platform::dockerdistribution::params::registry_password}") # lint:ignore:140chars
$kubelet_version = $::platform::kubernetes::params::kubelet_version
# Pull the pause image tag from kubeadm required images list for this version