Merge pull request #1112 from lsst-it/IT-5219/sensitive

(*) mark [some] parameters with secrets as Sensitive
lsst-it · Apr 2, 2024 · 3863537 · 3863537
2 parents 265df26 + 259c1e8
commit 3863537
Show file tree

Hide file tree

Showing 18 changed files with 66 additions and 44 deletions.
diff --git a/Puppetfile b/Puppetfile
@@ -24,7 +24,7 @@ mod 'lsst/daq', '2.3.0'
 mod 'lsst/dellperc', '2.0.0'
 mod 'lsst/foreman_envsync', '2.1.0'
 mod 'lsst/helm_binary', '2.1.0'
-mod 'lsst/ipa', git: 'https://github.com/lsst-it/puppet-ipa', ref: '8ec66d1'
+mod 'lsst/ipa', git: 'https://github.com/lsst-it/puppet-ipa', ref: '37eb701'
 mod 'lsst/java_artisanal', '3.3.0'
 mod 'lsst/kubectl', '1.1.0'
 mod 'lsst/maven', '3.1.0'

diff --git a/site/profile/manifests/ccs/cfs.pp b/site/profile/manifests/ccs/cfs.pp
@@ -6,8 +6,8 @@
   archive { $cfs_tmp:
     ensure   => present,
     source   => "${profile::ccs::common::pkgurl}/cfs",
-    username => $profile::ccs::common::pkgurl_user,
-    password => $profile::ccs::common::pkgurl_pass,
+    username => $profile::ccs::common::pkgurl_user.unwrap,
+    password => $profile::ccs::common::pkgurl_pass.unwrap,
   }
   file { '/usr/local/bin/cfs':
     ensure => file,

diff --git a/site/profile/manifests/ccs/common.pp b/site/profile/manifests/ccs/common.pp
@@ -1,22 +1,22 @@
 # @summary
 #   Common functionality needed by ccs nodes.
 #
-# @param sysctls
-#   if `true`, enable `profile::ccs::sysctl` sysctls.
-# @param pkgurl
-#   String specifying URL to fetch sources from
 # @param pkgurl_user
 #   String specifying username for pkgurl
 # @param pkgurl_pass
 #   String specifying password for pkgurl
+# @param sysctls
+#   if `true`, enable `profile::ccs::sysctl` sysctls.
+# @param pkgurl
+#   String specifying URL to fetch sources from
 # @param packages
 #   Optional list of packages to install.
 #
 class profile::ccs::common (
+  Variant[Sensitive[String[1]],String[1]] $pkgurl_user,
+  Sensitive[String[1]] $pkgurl_pass,
   Boolean $sysctls = true,
   String $pkgurl = 'https://example.org',
-  String $pkgurl_user = 'someuser',
-  String $pkgurl_pass = 'somepass',
   Optional[Array[String[1]]] $packages = undef,
 ) {
   include clustershell

diff --git a/site/profile/manifests/ccs/el9.pp b/site/profile/manifests/ccs/el9.pp
@@ -15,8 +15,8 @@
     'compat-bin' => 'compat-bin-1.0.0-1.el9.noarch.rpm',
   },
   String $pkgurl = $profile::ccs::common::pkgurl,
-  String $pkgurl_user = $profile::ccs::common::pkgurl_user,
-  String $pkgurl_pass = $profile::ccs::common::pkgurl_pass,
+  Variant[Sensitive[String[1]],String[1]] $pkgurl_user = $profile::ccs::common::pkgurl_user,
+  Sensitive[String[1]] $pkgurl_pass = $profile::ccs::common::pkgurl_pass,
 ) {
   $rpm_opts = {
     ensure   => 'latest',
@@ -29,8 +29,8 @@
     archive { $file:
       ensure   => present,
       source   => "${pkgurl}/${rpm}",
-      username => $pkgurl_user,
-      password => $pkgurl_pass,
+      username => $pkgurl_user.unwrap,
+      password => $pkgurl_pass.unwrap,
     }
     package { $package:
       source => $file,

diff --git a/site/profile/manifests/ccs/file_transfer.pp b/site/profile/manifests/ccs/file_transfer.pp
@@ -41,8 +41,8 @@
 #  String giving s3daemon secret key
 #
 class profile::ccs::file_transfer (
-  String[1] $s3daemon_env_access,
-  String[1] $s3daemon_env_secret,
+  Sensitive[String[1]] $s3daemon_env_access,
+  Sensitive[String[1]] $s3daemon_env_secret,
   Boolean $s3daemon = false,
   Stdlib::HTTPUrl $s3daemon_repo_url = 'https://github.com/lsst-dm/s3daemon',
   Optional[String[1]] $s3daemon_repo_rev = undef,
@@ -55,11 +55,11 @@
   String $repo_directory = '/home/ccs-ipa/file-transfer',
   String $repo_url = 'https://github.com/lsst-camera-dh/ccs-data-transfer',
   String $repo_ref = 'main',
-  String $secret = "export MC_HOST_oga=localhost\n",
+  Sensitive[String[1]] $secret = "export MC_HOST_oga=localhost\n",
   String $secret_file = 'mc-secret',
   String $pkgurl = $profile::ccs::common::pkgurl,
-  String $pkgurl_user = $profile::ccs::common::pkgurl_user,
-  String $pkgurl_pass = $profile::ccs::common::pkgurl_pass,
+  Variant[Sensitive[String[1]],String[1]] $pkgurl_user = $profile::ccs::common::pkgurl_user,
+  Sensitive[String[1]] $pkgurl_pass = $profile::ccs::common::pkgurl_pass,
 ) {
   $parent = "${dirname($directory)}"
 
@@ -196,7 +196,7 @@
   }
 
   file { "${directory}/${secret_file}":
-    content => "${secret}\n",
+    content => "${secret.unwrap}\n",
     owner   => $user,
     group   => $group,
     mode    => '0600',
@@ -209,8 +209,8 @@
     archive { "/var/tmp/${binfile}":
       ensure   => present,
       source   => "${pkgurl}/${binfile}",
-      username => $pkgurl_user,
-      password => $pkgurl_pass,
+      username => $pkgurl_user.unwrap,
+      password => $pkgurl_pass.unwrap,
     }
     file { "${directory}/${binfile}":
       ensure  => file,

diff --git a/site/profile/manifests/ccs/graphical.pp b/site/profile/manifests/ccs/graphical.pp
@@ -79,8 +79,8 @@
     archive { $zoomfile:
       ensure   => present,
       source   => "${profile::ccs::common::pkgurl}/${zoomrpm}",
-      username => $profile::ccs::common::pkgurl_user,
-      password => $profile::ccs::common::pkgurl_pass,
+      username => $profile::ccs::common::pkgurl_user.unwrap,
+      password => $profile::ccs::common::pkgurl_pass.unwrap,
     }
 
     ## TODO use a local yum repository?

diff --git a/site/profile/manifests/ccs/postfix.pp b/site/profile/manifests/ccs/postfix.pp
@@ -8,14 +8,14 @@
 #   List of postfix packages to install
 #
 class profile::ccs::postfix (
-  String        $auth,
+  Sensitive[String[1]] $auth,
   Array[String] $packages,
 ) {
   include postfix
 
   postfix::hash { '/etc/postfix/sasl_passwd':
     ensure  => 'present',
-    content => $auth,
+    content => $auth.unwrap,
   }
 
   ensure_packages($packages)

diff --git a/site/profile/manifests/core/ipam.pp b/site/profile/manifests/core/ipam.pp
@@ -8,8 +8,8 @@
 #   phpIPAM database name
 #
 class profile::core::ipam (
-  String $database = 'null',
-  String $password = 'null',
+  String[1] $database,
+  Sensitive[String[1]] $password,
 ) {
   include profile::core::letsencrypt
 

diff --git a/site/profile/manifests/core/letsencrypt.pp b/site/profile/manifests/core/letsencrypt.pp
@@ -28,8 +28,8 @@
 # @param aws_credentials
 #   `.aws/credentials` format string for aws route53 credentials
 class profile::core::letsencrypt (
-  Optional[Hash[String, Hash]] $certonly = undef,
-  Optional[String] $aws_credentials      = undef,
+  Optional[Hash[String[1], Hash]] $certonly = undef,
+  Optional[Sensitive[String[1]]] $aws_credentials      = undef,
 ) {
   include letsencrypt
   include letsencrypt::plugin::dns_route53
@@ -68,7 +68,7 @@
         ensure  => file,
         mode    => '0600',
         backup  => false,
-        content => $aws_credentials,
+        content => $aws_credentials.unwrap,
         ;
     }
 

diff --git a/site/profile/manifests/core/puppetboard.pp b/site/profile/manifests/core/puppetboard.pp
@@ -5,7 +5,7 @@
 #  The secret key to use for the puppetboard
 #
 class profile::core::puppetboard (
-  Sensitive $secret_key,
+  Sensitive[String[1]] $secret_key,
 ) {
   docker::image { 'ghcr.io/voxpupuli/puppetboard': }
 

diff --git a/site/profile/manifests/core/yum/lsst_ts_private.pp b/site/profile/manifests/core/yum/lsst_ts_private.pp
@@ -12,8 +12,8 @@
 #
 class profile::core::yum::lsst_ts_private (
   Optional[Hash] $repos      = undef,
-  Optional[String] $username = undef,
-  Optional[String] $password = undef,
+  Optional[String[1]] $username = undef,
+  Optional[Sensitive[String[1]]] $password = undef,
 ) {
   if $repos {
     $_real_repos = $repos.map |String $k, Hash $h| {

diff --git a/site/profile/templates/ccs/file_transfer/s3daemon_envfile.epp b/site/profile/templates/ccs/file_transfer/s3daemon_envfile.epp
@@ -1,6 +1,6 @@
 <%- | String $url,
-      String $access,
-      String $secret
+      Sensitive[String[1]] $access,
+      Sensitive[String[1]] $secret
 | -%>
 S3_ENDPOINT_URL=<%= $url %>
 AWS_ACCESS_KEY_ID=<%= $access %>

diff --git a/spec/classes/ccs/file_transfer_spec.rb b/spec/classes/ccs/file_transfer_spec.rb
@@ -11,8 +11,8 @@
         let(:params) do
           {
             pkgurl: 'https://example.org',
-            pkgurl_user: 'user',
-            pkgurl_pass: 'pass',
+            pkgurl_user: sensitive('user'),
+            pkgurl_pass: sensitive('pass'),
             s3daemon: true,
           }
         end

diff --git a/spec/classes/core/letsencrypt_spec.rb b/spec/classes/core/letsencrypt_spec.rb
@@ -68,7 +68,7 @@
       context 'with aws_credentials param' do
         let(:params) do
           {
-            aws_credentials: 'foo',
+            aws_credentials: sensitive('foo'),
           }
         end
 

diff --git a/spec/classes/core/yum/lsst_ts_private_spec.rb b/spec/classes/core/yum/lsst_ts_private_spec.rb
@@ -25,7 +25,7 @@
         let(:params) do
           {
             username: 'foo',
-            password: 'bar',
+            password: sensitive('bar'),
           }
         end
 
@@ -37,7 +37,7 @@
             ensure: 'present',
             enabled: true,
             username: 'foo',
-            password: 'bar',
+            password: sensitive('bar'),
           )
         end
       end

diff --git a/spec/fixtures/hieradata/common.yaml b/spec/fixtures/hieradata/common.yaml
@@ -6,16 +6,38 @@ lookup_options:
     convert_to: "Sensitive"
   '^tailscale::auth_key$':
     convert_to: "Sensitive"
+  '^profile::core::ipam::password$':
+    convert_to: "Sensitive"
+  '^ipa::domain_join_+$':
+    convert_to: "Sensitive"
+  '^ipa::directory_services_password$':
+    convert_to: "Sensitive"
+  '^ipa::admin_password$':
+    convert_to: "Sensitive"
+  '^profile::ccs::common::pkgurl_.+$':
+    convert_to: "Sensitive"
+  '^profile::ccs::file_transfer::s3daemon_env_.+$':
+    convert_to: "Sensitive"
+  '^profile::ccs::file_transfer::secret$':
+    convert_to: "Sensitive"
+  '^restic::(id|key|password)$':
+    convert_to: "Sensitive"
+  '^profile::ccs::postfix::auth$':
+    convert_to: "Sensitive"
 ccs_database::database: "comcamdbprod"
 ccs_database::password: "foo"
-ipa::admin_password: "foofoofoofoo"  # ipa master only
-ipa::directory_services_password: "foofoofoofoo"  # ipa master only
 foreman_proxy::plugin::dns::route53::aws_access_key: "foo"
 foreman_proxy::plugin::dns::route53::aws_secret_key: "foo"
+ipa::admin_password: "foofoofoofoo"  # ipa master only
+ipa::directory_services_password: "foofoofoofoo"  # ipa master only
 ipa::domain_join_password: "foofoofoofoo"  # 8 char min
+profile::ccs::common::pkgurl_pass: "foo"
+profile::ccs::common::pkgurl_user: "foo"
 profile::ccs::file_transfer::s3daemon_env_access: "foo"
 profile::ccs::file_transfer::s3daemon_env_secret: "foo"
+profile::ccs::file_transfer::secret: "foo"
 profile::ccs::postfix::auth: "foo"
+profile::core::ipam::password: "foo"
 profile::core::monitoring::database: "foo"
 profile::core::monitoring::password: "foo"
 profile::core::monitoring::url: "foo"

diff --git a/spec/hosts/nodes/lsstcam-dc01.ls.lsst.org_spec.rb b/spec/hosts/nodes/lsstcam-dc01.ls.lsst.org_spec.rb
@@ -121,7 +121,7 @@
         )
       end
 
-      it { is_expected.to contain_file('/home/ccs-ipa/bin/mc-secret').with_content(%r{^export MC_HOST_oga=}) }
+      it { is_expected.to contain_file('/home/ccs-ipa/bin/mc-secret').with_content(%r{^foo$}) }
     end # on os
   end # on_supported_os
 end
diff --git a/spec/hosts/roles/comcam_fp_spec.rb b/spec/hosts/roles/comcam_fp_spec.rb
@@ -43,7 +43,7 @@
             )
           end
 
-          it { is_expected.to contain_file('/home/ccs-ipa/bin/mc-secret').with_content(%r{^export MC_HOST_oga=}) }
+          it { is_expected.to contain_file('/home/ccs-ipa/bin/mc-secret').with_content(%r{^foo$}) }
         end # host
       end # lsst_sites
     end # on os