USHIFT-6646: Ansible: Do not log potentially sensitive data #6290

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:main from sjug:ansible_no_log on Mar 1, 2026

Conversation

sjug (Contributor) commented Feb 27, 2026

Fix for CI

Summary by CodeRabbit

  • Security
    • Suppressed sensitive credentials and tokens from logs across deployment configurations to prevent accidental exposure.
    • Enforced stricter file permissions on sensitive data files to limit unauthorized access.

openshift-ci-robot commented Feb 27, 2026

@sjug: This pull request references USHIFT-6646 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 27, 2026
@openshift-ci openshift-ci bot requested review from agullon and jogeo February 27, 2026 18:33
coderabbitai bot commented Feb 27, 2026

Walkthrough

This pull request adds no_log: true directives to Ansible tasks handling sensitive data (bearer tokens, credentials, pull secrets) across multiple roles to suppress logging of sensitive content during execution.

Changes

Cohort: Sensitive Data Logging Suppression

Files:
  • ansible/roles/add-kubelet-logging/tasks/main.yml
  • ansible/roles/create-service-account/tasks/main.yml
  • ansible/roles/install-logging/tasks/main.yml
  • ansible/roles/install-microshift/tasks/main.yml
  • ansible/roles/manage-repos/tasks/main.yml

Summary: Added no_log: true to tasks handling tokens, credentials, and pull secrets to prevent sensitive content from appearing in logs. Additionally, enforced strict file permissions (mode: '0600') on a token file write operation.

Estimated code review effort: 2 (Simple) | ~12 minutes

Pre-merge checks: 3 passed
  • Title check: Passed. The title clearly describes the main purpose of the changeset—adding no_log directives to suppress sensitive data logging across multiple Ansible tasks.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.


coderabbitai bot left a review comment

Actionable comments posted: 1

Prompt for all review comments with AI agents: Verify each finding against the current code and only fix it if needed.

Inline comments:

In `@ansible/roles/add-kubelet-logging/tasks/main.yml`, around lines 32-38: The task "Create metrics service account token file in prometheus folder" currently writes the bearer_token to kubelet_auth_token_file with mode '0644', which is too permissive; update the ansible.builtin.copy task that runs when promdir.stat.exists to set mode to '0600' (matching create-service-account/tasks/main.yml) so the token file is only readable by the owner and not world-readable.

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 427f5c9 and e2cd432.

📒 Files selected for processing (5)
  • ansible/roles/add-kubelet-logging/tasks/main.yml
  • ansible/roles/create-service-account/tasks/main.yml
  • ansible/roles/install-logging/tasks/main.yml
  • ansible/roles/install-microshift/tasks/main.yml
  • ansible/roles/manage-repos/tasks/main.yml
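The walkthrough and the inline comment above describe two separate controls: `no_log: true` on tasks that touch tokens, credentials or pull secrets, and an owner-only `mode: '0600'` on files those tasks write. Both are easy to forget when a new task is added later, so a small pre-commit style check is the practical follow-up. The checker below is an added example written for this page, not code from the microshift repository or from CodeRabbit. It reads Ansible task lists with a deliberately minimal line-based splitter (a production linter would use PyYAML, which is not assumed to be installed here), and the two sample tasks are constructed to mirror the finding in the review comment: the `content:`/`dest:` keys and the task layout are assumptions, since the page only names the variables `bearer_token`, `kubelet_auth_token_file` and the condition `promdir.stat.exists`.

```python
"""Lint Ansible task lists for secret-handling tasks that lack ``no_log: true``
and for file-writing tasks that leave secrets group- or world-readable.

Added example, not part of openshift/microshift or the PR under review.
"""
import re

# Words that suggest a task handles material which must not reach the log.
SENSITIVE = re.compile(r"(token|secret|password|credential)", re.IGNORECASE)


def split_tasks(text):
    """Split a task-list YAML document into one text block per task.

    A task begins at a line starting with ``- `` in column zero; everything
    indented below it belongs to that task.  Good enough for a lint pass.
    """
    tasks, current = [], []
    for line in text.splitlines():
        if line.startswith("- "):
            if current:
                tasks.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        tasks.append("\n".join(current))
    return tasks


def task_name(block):
    m = re.search(r"^-?\s*name:\s*(.+)$", block, re.MULTILINE)
    return m.group(1).strip() if m else "<unnamed>"


def has_no_log(block):
    """True when the task itself carries ``no_log: true`` (or ``yes``)."""
    return re.search(r"^\s+no_log:\s*(true|yes)\s*$", block,
                     re.MULTILINE | re.IGNORECASE) is not None


def file_mode(block):
    """Return the octal ``mode:`` string of a file-writing task, if any."""
    m = re.search(r"^\s+mode:\s*['\"]?([0-7]{3,4})['\"]?\s*$", block, re.MULTILINE)
    return m.group(1) if m else None


def is_group_or_world_readable(mode):
    """True when any group/other permission bit is set, e.g. '0644'."""
    return int(mode, 8) & 0o077 != 0


def lint(text):
    """Return one finding string per problem; an empty list means clean."""
    findings = []
    for block in split_tasks(text):
        name = task_name(block)
        sensitive = SENSITIVE.search(block) is not None
        if sensitive and not has_no_log(block):
            findings.append(f"{name}: handles sensitive data but lacks 'no_log: true'")
        mode = file_mode(block)
        if sensitive and mode and is_group_or_world_readable(mode):
            findings.append(f"{name}: writes sensitive data with mode {mode}; use '0600'")
    return findings


# Constructed sample mirroring the review comment: the weak form first,
# then the hardened form, then an unrelated task that must produce nothing.
WEAK_TASK = """\
- name: Create metrics service account token file in prometheus folder
  ansible.builtin.copy:
    content: "{{ bearer_token }}"
    dest: "{{ kubelet_auth_token_file }}"
    mode: '0644'
  when: promdir.stat.exists
"""

HARDENED_TASK = """\
- name: Create metrics service account token file in prometheus folder
  ansible.builtin.copy:
    content: "{{ bearer_token }}"
    dest: "{{ kubelet_auth_token_file }}"
    mode: '0600'
  when: promdir.stat.exists
  no_log: true
"""

BENIGN_TASK = """\
- name: Install prometheus package
  ansible.builtin.dnf:
    name: prometheus
    state: present
"""

SAMPLE_TASKS = WEAK_TASK + HARDENED_TASK + BENIGN_TASK

if __name__ == "__main__":
    for finding in lint(SAMPLE_TASKS):
        print(finding)
```

Run against `SAMPLE_TASKS` the checker reports exactly the two defects the reviewer raised for the weak task and nothing for the hardened or benign ones. Two caveats worth keeping in mind when applying the fix itself: `no_log: true` also hides the module's result and error output for that task (including `--diff` output for `copy`), so failures in those tasks become harder to debug, and the keyword does nothing for a secret that is interpolated into the task `name`, which Ansible prints regardless.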

openshift-ci bot (Contributor) commented Feb 27, 2026

@sjug: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

ggiguash (Contributor) commented Mar 1, 2026

/lgtm
/verified by @sjug

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Mar 1, 2026
openshift-ci-robot commented Mar 1, 2026

@ggiguash: This PR has been marked as verified by @sjug.

In response to this:

> /lgtm
> /verified by @sjug

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 1, 2026
openshift-ci bot (Contributor) commented Mar 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ggiguash, sjug

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 1, 2026
@openshift-merge-bot openshift-merge-bot bot merged commit 6bc3e73 into openshift:main Mar 1, 2026
7 checks passed