kolla_passwords: add no_log for password overrides

The kolla_passwords module overrides parameter may contain sensitive data, including passwords and SSH keys. It should be protected via no_log. Without this, the parameter value may be exposed in Ansible logs, or if level 3 verbosity is used, Ansible output. This change adds no_log to the parameter. Change-Id: I3f499d63d19ba7f7372b401bd2da23ce627f18e5

kolla_passwords: add no_log for password overrides
51a57394 · Mark Goddard · 5ede8765 · 51a57394 · 51a57394
Commit 51a57394 authored 3 years ago by Mark Goddard
--- a/ansible/roles/kolla-ansible/library/kolla_passwords.py
+++ b/ansible/roles/kolla-ansible/library/kolla_passwords.py
@@ -181,7 +181,7 @@ def main():
    module = AnsibleModule(
        argument_spec = dict(
            dest=dict(default='/etc/kolla/passwords.yml', type='str'),
-            overrides=dict(default={}, type='dict'),
+            overrides=dict(default={}, type='dict', no_log=True),
            sample=dict(default='/usr/share/kolla-ansible/etc_examples/kolla/passwords.yml', type='str'),
            src=dict(default='/etc/kolla/passwords.yml', type='str'),
            vault_password=dict(type='str', no_log=True),

--- a/releasenotes/notes/kolla-passwords-overrides-no-log-57054ce64fae8143.yaml
+++ b/releasenotes/notes/kolla-passwords-overrides-no-log-57054ce64fae8143.yaml
+---
+security:
+  - |
+    Fixes an issue where any passwords in ``kolla_ansible_custom_passwords``
+    were exposed in Ansible logs. When using verbosity level 3 (``-vvv``), they
+    were also exposed in Ansible output.
+fixes:
+  - |
+    Fixes an issue where any passwords in ``kolla_ansible_custom_passwords``
+    were exposed in Ansible logs. When using verbosity level 3 (``-vvv``), they
+    were also exposed in Ansible output.