common: do not log keyring secret

let's not display any keyring secret by default in ansible log. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1980744 Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com> (cherry picked from commit 7511195738)
2021-08-09 14:57:33 +02:00 · 2021-08-09 14:57:33 +02:00 · 5b30a72869
parent fa8b58fb33
commit 5b30a72869
20 changed files with 42 additions and 18 deletions
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@ -800,7 +800,7 @@ dummy:
 #client_connections: {}
-
+#no_log_on_ceph_key_tasks: True
 ###############
 # DEPRECATION #
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@ -800,7 +800,7 @@ alertmanager_container_image: registry.redhat.io/openshift4/ose-prometheus-alert
 #client_connections: {}
-
+#no_log_on_ceph_key_tasks: True
 ###############
 # DEPRECATION #
--- a/roles/ceph-client/tasks/create_users_keys.yml
+++ b/roles/ceph-client/tasks/create_users_keys.yml
@ -28,7 +28,7 @@
    - cephx | bool
    - keys | length > 0
    - inventory_hostname == groups.get('_filtered_clients') | first
-  no_log: true
+  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: slurp client cephx key(s)
  slurp:
@ -40,7 +40,7 @@
    - cephx | bool
    - keys | length > 0
    - inventory_hostname == groups.get('_filtered_clients') | first
-  no_log: true
+  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: pool related tasks
  when:
@ -81,5 +81,5 @@
    group: "{{ ceph_uid }}"
  with_items: "{{ hostvars[groups['_filtered_clients'][0]]['slurp_client_keys']['results'] }}"
  when: not item.get('skipped', False)
-  no_log: true
+  no_log: "{{ no_log_on_ceph_key_tasks }}"
--- a/roles/ceph-client/tasks/pre_requisite.yml
+++ b/roles/ceph-client/tasks/pre_requisite.yml
@ -11,6 +11,7 @@
      when:
        - cephx | bool
        - item.copy_key | bool
      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: copy ceph key(s) if needed
      copy:
@ -22,5 +23,5 @@
      with_items: "{{ _client_keys.results }}"
      when:
        - item.item.copy_key | bool
-      no_log: true
+      no_log: "{{ no_log_on_ceph_key_tasks }}"
  when: cephx | bool
--- a/roles/ceph-crash/tasks/main.yml
+++ b/roles/ceph-crash/tasks/main.yml
@ -19,6 +19,7 @@
        CEPH_CONTAINER_BINARY: "{{ container_binary }}"
      delegate_to: "{{ groups.get(mon_group_name, [])[0] }}"
      run_once: True
      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: enforce container_binary on first monitor
      import_role:
@ -42,6 +43,7 @@
      check_mode: False
      changed_when: False
      run_once: true
      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: copy ceph key(s) if needed
      copy:
@ -50,7 +52,7 @@
        owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
        group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
        mode: "{{ ceph_keyring_permissions }}"
-      no_log: true
+      no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: start ceph-crash daemon
  when: containerized_deployment | bool
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@ -792,7 +792,7 @@ rbd_devices: {}
 client_connections: {}
-
+no_log_on_ceph_key_tasks: True
 ###############
 # DEPRECATION #
--- a/roles/ceph-iscsi-gw/tasks/common.yml
+++ b/roles/ceph-iscsi-gw/tasks/common.yml
@ -9,6 +9,7 @@
  when:
    - cephx | bool
    - item.copy_key | bool
  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: copy ceph key(s) if needed
  copy:
@ -21,7 +22,7 @@
  when:
    - cephx | bool
    - item.item.copy_key | bool
-  no_log: true
+  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: add mgr ip address to trusted list with dashboard - ipv4
  set_fact:
--- a/roles/ceph-mds/tasks/common.yml
+++ b/roles/ceph-mds/tasks/common.yml
@ -21,6 +21,7 @@
  when:
    - cephx | bool
    - item.copy_key | bool
  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: copy ceph key(s) if needed
  copy:
@ -33,5 +34,5 @@
  when:
    - cephx | bool
    - item.item.copy_key | bool
-  no_log: true
+  no_log: "{{ no_log_on_ceph_key_tasks }}"
--- a/roles/ceph-mds/tasks/non_containerized.yml
+++ b/roles/ceph-mds/tasks/non_containerized.yml
@ -25,6 +25,7 @@
  args:
    creates: /var/lib/ceph/mds/{{ cluster }}-{{ ansible_facts['hostname'] }}/keyring
  changed_when: false
  no_log: "{{ no_log_on_ceph_key_tasks }}"
  when: cephx
 - name: set mds key permissions
--- a/roles/ceph-mgr/tasks/common.yml
+++ b/roles/ceph-mgr/tasks/common.yml
@ -24,6 +24,7 @@
    CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
    CEPH_CONTAINER_BINARY: "{{ container_binary }}"
  when: groups.get(mgr_group_name, []) | length == 0 # the key is present already since one of the mons created it in "create ceph mgr keyring(s)"
  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: create and copy keyrings
  when: groups.get(mgr_group_name, []) | length > 0
@ -46,6 +47,7 @@
      with_items: "{{ groups.get(mgr_group_name, []) }}"
      run_once: True
      delegate_to: "{{ groups[mon_group_name][0] }}"
      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: set_fact _mgr_keys
      set_fact:
@ -61,6 +63,7 @@
      when:
        - cephx | bool
        - item.copy_key | bool
      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: copy ceph key(s) if needed
      copy:
@ -74,7 +77,7 @@
        - cephx | bool
        - item is not skipped
        - item.item.copy_key | bool
-      no_log: true
+      no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: set mgr key permissions
  file:
--- a/roles/ceph-mon/tasks/ceph_keys.yml
+++ b/roles/ceph-mon/tasks/ceph_keys.yml
@ -27,5 +27,6 @@
    CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
    CEPH_CONTAINER_BINARY: "{{ container_binary }}"
    CEPH_ROLLING_UPDATE: "{{ rolling_update }}"
  no_log: "{{ no_log_on_ceph_key_tasks }}"
  when:
    - cephx | bool
--- a/roles/ceph-mon/tasks/deploy_monitors.yml
+++ b/roles/ceph-mon/tasks/deploy_monitors.yml
@ -16,6 +16,7 @@
      run_once: True
      delegate_to: "{{ running_mon }}"
      failed_when: initial_mon_key.rc not in [0, 2]
      no_log: "{{ no_log_on_ceph_key_tasks }}"
      when: running_mon is defined
    - name: generate monitor initial keyring
@ -25,6 +26,7 @@
      delegate_to: localhost
      become: false
      run_once: true
      no_log: "{{ no_log_on_ceph_key_tasks }}"
      when:
        - initial_mon_key is skipped
          or
@ -51,6 +53,7 @@
        owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
        group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
        mode: "0400"
      no_log: "{{ no_log_on_ceph_key_tasks }}"
      environment:
        CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
        CEPH_CONTAINER_BINARY: "{{ container_binary }}"
@ -97,6 +100,7 @@
    CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
    CEPH_CONTAINER_BINARY: "{{ container_binary }}"
  register: create_custom_admin_secret
  no_log: "{{ no_log_on_ceph_key_tasks }}"
  when:
    - cephx | bool
    - admin_secret != 'admin_secret'
--- a/roles/ceph-nfs/tasks/main.yml
+++ b/roles/ceph-nfs/tasks/main.yml
@ -75,7 +75,7 @@
      when:
        - not item.0.get('skipped', False)
        - item.0.item.name == 'client.' + ceph_nfs_ceph_user or item.0.item.name == rgw_client_name
-      no_log: true
+      no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: include start_nfs.yml
  import_tasks: start_nfs.yml
--- a/roles/ceph-nfs/tasks/pre_requisite_container.yml
+++ b/roles/ceph-nfs/tasks/pre_requisite_container.yml
@ -20,6 +20,7 @@
      when:
        - cephx | bool
        - item.copy_key | bool
      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: copy ceph key(s) if needed
      copy:
@ -32,7 +33,7 @@
      when:
        - cephx | bool
        - item.item.copy_key | bool
-      no_log: true
+      no_log: "{{ no_log_on_ceph_key_tasks }}"
  when: groups.get(mon_group_name, []) | length > 0
 - name: dbus related tasks
--- a/roles/ceph-nfs/tasks/pre_requisite_non_container.yml
+++ b/roles/ceph-nfs/tasks/pre_requisite_non_container.yml
@ -58,6 +58,7 @@
      when:
        - cephx | bool
        - item.copy_key | bool
      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: copy ceph key(s) if needed
      copy:
@ -70,7 +71,7 @@
      when:
        - cephx | bool
        - item.item.copy_key | bool
-      no_log: true
+      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: nfs object gateway related tasks
      when: nfs_obj_gw | bool
@ -80,6 +81,7 @@
          args:
            creates: /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ ansible_facts['hostname'] }}/keyring
          changed_when: false
          no_log: "{{ no_log_on_ceph_key_tasks }}"
        - name: set rados gateway key permissions
          file:
--- a/roles/ceph-osd/tasks/common.yml
+++ b/roles/ceph-osd/tasks/common.yml
@ -19,6 +19,7 @@
    - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" }
  delegate_to: "{{ groups.get(mon_group_name)[0] }}"
  run_once: true
  no_log: "{{ no_log_on_ceph_key_tasks }}"
  when:
    - cephx | bool
    - item.copy_key | bool
@ -35,5 +36,5 @@
    - cephx | bool
    - item is not skipped
    - item.item.copy_key | bool
-  no_log: true
+  no_log: "{{ no_log_on_ceph_key_tasks }}"
--- a/roles/ceph-osd/tasks/openstack_config.yml
+++ b/roles/ceph-osd/tasks/openstack_config.yml
@ -35,6 +35,7 @@
        CEPH_CONTAINER_BINARY: "{{ container_binary }}"
      with_items: "{{ openstack_keys }}"
      delegate_to: "{{ groups[mon_group_name][0] }}"
      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: get keys from monitors
      command: "{{ hostvars[groups[mon_group_name][0]]['container_exec_cmd'] | default('') }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
@ -42,6 +43,7 @@
      with_items: "{{ openstack_keys }}"
      run_once: true
      delegate_to: "{{ groups.get(mon_group_name)[0] }}"
      no_log: "{{ no_log_on_ceph_key_tasks }}"
    - name: copy ceph key(s) if needed
      copy:
@ -54,7 +56,7 @@
        - "{{ _osp_keys.results }}"
        - "{{ groups[mon_group_name] }}"
      delegate_to: "{{ item.1 }}"
-      no_log: true
+      no_log: "{{ no_log_on_ceph_key_tasks }}"
  when:
    - cephx | bool
    - openstack_config | bool
--- a/roles/ceph-rbd-mirror/tasks/common.yml
+++ b/roles/ceph-rbd-mirror/tasks/common.yml
@ -10,6 +10,7 @@
  when:
    - cephx | bool
    - item.copy_key | bool
  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: copy ceph key(s) if needed
  copy:
@ -22,7 +23,7 @@
  when:
    - cephx | bool
    - item.item.copy_key | bool
-  no_log: true
+  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: create rbd-mirror keyring
  command: >
@ -43,4 +44,5 @@
    owner: "ceph"
    group: "ceph"
    mode: "{{ ceph_keyring_permissions }}"
  no_log: "{{ no_log_on_ceph_key_tasks }}"
  when: not containerized_deployment | bool
--- a/roles/ceph-rgw/tasks/common.yml
+++ b/roles/ceph-rgw/tasks/common.yml
@ -19,6 +19,7 @@
  when:
    - cephx | bool
    - item.copy_key | bool
  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: copy ceph key(s) if needed
  copy:
@ -32,7 +33,7 @@
    - cephx | bool
    - item is not skipped
    - item.item.copy_key | bool
-  no_log: true
+  no_log: "{{ no_log_on_ceph_key_tasks }}"
 - name: copy SSL certificate & key data to certificate path
  copy:
--- a/roles/ceph-rgw/tasks/pre_requisite.yml
+++ b/roles/ceph-rgw/tasks/pre_requisite.yml
@ -13,6 +13,7 @@
    owner: "ceph"
    group: "ceph"
    mode: "0600"
  no_log: "{{ no_log_on_ceph_key_tasks }}"
  environment:
    CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
    CEPH_CONTAINER_BINARY: "{{ container_binary }}"