puppet-jenkins
Fix/jenkins credentials
Pull Request (PR) description
When updating credentials or using the puppet debug flag, credentials leak to the puppet log. This PR is an attempt to avoid this without requiring the user to apply the Sensitive data type to all parameters.
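The general idea of masking secrets on the provider side before a change is logged can be sketched as follows. This is an added example, not code from this PR or from the puppet-jenkins module; the `SECRET_KEYS` list, the helper names and the sample hashes are assumptions made for illustration.

```ruby
# Added illustration, not code from the PR or the puppet-jenkins module.
# SECRET_KEYS is an assumed list of secret-bearing field names.
SECRET_KEYS = %w[password passphrase private_key secret secret_key token].freeze
MASK = '[redacted]'.freeze

# Return a deep copy of +value+ with every secret-bearing field masked.
# Hashes and arrays are walked recursively, so credentials nested inside a
# larger hash are covered without the caller marking each one.
def redact(value)
  case value
  when Hash
    value.each_with_object({}) do |(key, val), out|
      out[key] = SECRET_KEYS.include?(key.to_s.downcase) && !val.nil? ? MASK : redact(val)
    end
  when Array
    value.map { |item| redact(item) }
  else
    value
  end
end

# Build the "changed from X to Y" text a log line would carry, using only
# redacted copies. A changed secret is still reported as changed.
def change_message(id, current, desired)
  changed = (current.keys | desired.keys).reject { |k| current[k] == desired[k] }
  return "credentials[#{id}]: in sync" if changed.empty?

  old = redact(current)
  new = redact(desired)
  details = changed.map { |k| "#{k}: #{old[k].inspect} -> #{new[k].inspect}" }
  "credentials[#{id}]: #{details.join(', ')}"
end

# Constructed sample data (not real credentials).
CURRENT = {
  'impl' => 'UsernamePasswordCredentialsImpl',
  'username' => 'deploy',
  'password' => 'old-constructed-value',
  'description' => 'deploy account'
}.freeze
DESIRED = CURRENT.merge('password' => 'new-constructed-value', 'description' => 'deploy user').freeze

puts change_message('deploy-user', CURRENT, DESIRED) if $PROGRAM_NAME == __FILE__
```

The comparison runs on the real values and only the rendered message uses the masked copies, so a changed secret still shows up as a change without its value reaching the log.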
Hello,
I'm not a fan of this solution, which places a lot of code in the provider to fix an issue that there's already a solution for. IMHO if the user wants to hide credentials/sensitive info from leaking to the logs, then they should use the proper solution, Sensitive data type, instead of relying on hacky workarounds.
If, for some reason, the module doesn't support Sensitive data types that's something that needs to be added instead of using workarounds.
We looked into solving this via the sensitive datatype.
Because of the multiple implementation types and the many different credentials we use in Jenkins this is very impractical. For each implementation type we need a different hiera sensitive setting. Because we pass all credentials in a hash that requires a setting for each var.
This 'solution' works for everyone & always, also for people who forget about or don't know the sensitive data type.
I understand your objection and would agree if this was just 1 password.
Regards,
Stefan Goethals.
@zipkid you can use regexp in the lookup_options, would that work for converting to Sensitive? Might have to arrange your data structure differently, not sure how it looks. https://puppet.com/docs/puppet/7/hiera_merging.html#setting_lookup_options_to_refine_the_result_of_a_lookup-lookup-options-format
@kenyon We have tried, believe me. The problem is that sensitive does not work in hiera on members of a hash.