Pass secrets as sensitive data types to katello/candlepin

katello/candlepin 12.2.0 introduced support for Sensitive and this
utilizes it. This allows Puppet to better avoid logging passwords.

Author: ekohl

manifests/candlepin.pp

@@ -29,7 +29,7 @@
   Optional[Stdlib::Port] $db_port = undef,
   String $db_name = 'candlepin',
   String $db_user = 'candlepin',
-  Optional[String] $db_password = undef,
+  Variant[Undef, Sensitive[String], String] $db_password = undef,
   Boolean $db_ssl = false,
   Boolean $db_ssl_verify = true,
   Optional[Stdlib::Absolutepath] $db_ssl_ca = undef,
@@ -54,9 +54,9 @@
     ca_key                       => $certs::candlepin::ca_key,
     ca_cert                      => $certs::candlepin::ca_cert,
     keystore_file                => $certs::candlepin::keystore,
-    keystore_password            => $certs::candlepin::keystore_password,
+    keystore_password            => Sensitive($certs::candlepin::keystore_password),
     truststore_file              => $certs::candlepin::truststore,
-    truststore_password          => $certs::candlepin::truststore_password,
+    truststore_password          => Sensitive($certs::candlepin::truststore_password),
     artemis_client_dn            => $artemis_client_dn,
     java_home                    => '/usr/lib/jvm/jre-17',
     java_package                 => 'java-17-openjdk',

manifests/init.pp

@@ -45,7 +45,7 @@
   Optional[Stdlib::Port] $candlepin_db_port = undef,
   String $candlepin_db_name = 'candlepin',
   String $candlepin_db_user = 'candlepin',
-  Optional[String] $candlepin_db_password = undef,
+  Variant[Undef, Sensitive[String[1]], String] $candlepin_db_password = undef,
   Boolean $candlepin_db_ssl = false,
   Boolean $candlepin_db_ssl_verify = true,
   Optional[Stdlib::Absolutepath] $candlepin_db_ssl_ca = undef,
@@ -55,8 +55,8 @@
   Integer[0] $hosts_queue_workers = 1,
 ) {
   class { 'katello::params':
-    candlepin_oauth_key    => $candlepin_oauth_key,
-    candlepin_oauth_secret => $candlepin_oauth_secret,
+    candlepin_oauth_key    => Sensitive($candlepin_oauth_key),
+    candlepin_oauth_secret => Sensitive($candlepin_oauth_secret),
   }
 
   if $katello::params::meta_package != '' {
@@ -75,7 +75,7 @@
     db_port           => $candlepin_db_port,
     db_name           => $candlepin_db_name,
     db_user           => $candlepin_db_user,
-    db_password       => $candlepin_db_password,
+    db_password       => if $candlepin_db_password { Sensitive($candlepin_db_password) } else { $candlepin_db_password },
     db_ssl            => $candlepin_db_ssl,
     db_ssl_verify     => $candlepin_db_ssl_verify,
     db_ssl_ca         => $candlepin_db_ssl_ca,

manifests/params.pp

@@ -19,8 +19,8 @@
 # @param postgresql_evr_package
 #   The contextual package name for the PostgreSQL EVR extension
 class katello::params (
-  String[1] $candlepin_oauth_key = $katello::globals::candlepin_oauth_key,
-  String[1] $candlepin_oauth_secret = $katello::globals::candlepin_oauth_secret,
+  Variant[Sensitive[String[1], String[1]]] $candlepin_oauth_key = $katello::globals::candlepin_oauth_key,
+  Variant[Sensitive[String[1], String[1]]] $candlepin_oauth_secret = $katello::globals::candlepin_oauth_secret,
   Stdlib::Host $candlepin_host = 'localhost',
   Stdlib::Port $candlepin_port = 23443,
   Stdlib::HTTPSUrl $candlepin_url = "https://${candlepin_host}:${candlepin_port}/candlepin",