puppetlabs-puppetdb

Allow `Sensitive` data type for secrets

Open cocker-cc opened this issue 3 years ago • 4 comments

Jun 29 '21 19:06 cocker-cc

puppetdb::database::postgresql is a class that may have no external impact to Forge modules.

puppetdb is a class

Breaking changes to this file WILL impact these 6 modules (exact match):
Breaking changes to this file MAY impact these 2 modules (near match):

puppetdb::server is a class that may have no external impact to Forge modules.

puppetdb::server::database is a class that may have no external impact to Forge modules.

puppetdb::server::read_database is a class that may have no external impact to Forge modules.

puppetdb::server::validate_db is a class that may have no external impact to Forge modules.

puppetdb::server::validate_read_db is a class that may have no external impact to Forge modules.

This module is declared in 33 of 576 indexed public Puppetfiles.


These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

CLA assistant check
All committers have signed the CLA.

Sep 01 '21 18:09 CLAassistant

> A few more extra `Optional[...]` seem to be present.

I removed `Optional`. Indeed it was unnecessary.

> Also, while we are improving this, what about making the default Sensitive too in `params.pp`? `$foo = Sensitive('bar')`

I do not see this as necessary, as the default value is publicly visible anyway.

Sep 21 '23 23:09 cocker-cc

> I do not see this as necessary, as the default value is publicly visible anyway.

My understanding is that it helps to have Puppet automatically redact secrets in diff, and that at some point only a Sensitive would be accepted in a future major version. That being said, we have default passwords in this module, which is not a best practice, so maybe this will not happen for a loooong time :smile:.

I am fine with the PR as it is, so will let other reviewers tell what they think!

Thank you!

Sep 22 '23 00:09 smortex
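
The redaction discussed in the comments above, as an added example that is not code from this pull request or from the puppetlabs-puppetdb module. The class name `profile::db_client`, its parameters, the file path and the default values are all hypothetical; the class accepts either a plain String or a Sensitive password, normalises it to Sensitive, and keeps the rendered file content wrapped so the agent redacts it.

```puppet
# Added example: hypothetical class, not part of puppetlabs-puppetdb.
class profile::db_client (
  String $database_username = 'app',
  # Accept a plain String for backward compatibility, or a Sensitive value.
  # 'changeme' is a constructed placeholder default, public like any
  # default that ships in a module.
  Variant[String, Sensitive[String]] $database_password = 'changeme',
  String $config_file = '/etc/app/database.ini',
) {
  # Normalise once, so every later use of the password is wrapped the
  # same way whether the caller passed a String or a Sensitive.
  $password = $database_password ? {
    Sensitive => $database_password,
    default   => Sensitive($database_password),
  }

  # Unwrap only inside the expression that builds the final content, and
  # re-wrap the result immediately. Interpolating $password directly
  # would render the redaction placeholder instead of the secret.
  $rendered = Sensitive(
    "username = ${database_username}\npassword = ${password.unwrap}\n"
  )

  file { $config_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    # Because content is Sensitive, the agent redacts the diff and the
    # logged change for this resource instead of printing the password.
    content => $rendered,
  }
}

# A caller that already holds a Sensitive value passes it through unchanged.
# The literal below is a constructed sample; in practice it would come from
# a lookup that returns Sensitive.
class { 'profile::db_client':
  database_password => Sensitive('constructed-sample-secret'),
}
```

The value is still present in the compiled catalog that the agent receives; Sensitive controls what Puppet prints and reports, not who can read the catalog.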