Add a gitlab_runner_no_log_secrets option to prevent secret leaks #278
defaults/main.yml
Outdated
gitlab_runner_show_config_diff: no | ||
|
||
# controls logs on ansible configuration tasks, uncomment to prevent secret leaks (Unix support only). | ||
# gitlab_runner_no_log: yes |
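Review bot: the option is shipped commented out ("# gitlab_runner_no_log: yes"), so the variable is undefined unless a user sets it, and every task that reads it has to supply its own fallback. Consider defining it explicitly with a false value in defaults/main.yml so the default is visible and documented in one place. The comment "controls logs on ansible configuration tasks" should also say which task output gets hidden, and "(Unix support only)" should say what happens on other platforms when the option is set.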
Maybe this name can be a little bit more specific because it doesn't turn off all logs but only a specific category...
I don't have a lot of inspiration for this naming… What name would be acceptable for you?
Maybe just: gitlab_runner_no_log_secrets
If it has that logical name, no issues with merging it.
Sorry for the delay in answering.
So I pushed a fixup 14ef966 with the new naming: gitlab_runner_no_log_secrets.
However, the name still seems misleading to me because it obfuscates more than secrets.
@loliee If you are happy with the name (even if it is not 100% accurate but it gives a hint that more or less sensitive information is hidden with that flag), I'm happy to merge.
14ef966 to 42dea4c
This setup is only supported on unix runners. The default behavior doesn't change anything, config outputs are still there.
42dea4c to 2d76acd
gitlab_runner_no_log option to prevent secret leaks → gitlab_runner_no_log_secrets option to prevent secret leaks
The PR title and commit subject are also now reworded with the new option name.
Goal
Ensure no secrets will leak when running ansible.
Implementation
Add a new option that is not defined by default; adding this option will mute a lot of config tasks output.
Test
ansible-playbook with -vvvv arg
gitlab_runner_no_log_secrets: yes and run again
Note
Thanks for your role, it does exactly what I was looking for!
I just need this feature to use it for production purposes.
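One way an opt-in switch like the one described above can be wired into tasks, as an added example that is not the role's own code: the playbook, task names and token value are constructed, and only the variable name gitlab_runner_no_log_secrets comes from the PR.

```yaml
# Added example: a stand-alone playbook, not a task file from the role.
# Only the variable name gitlab_runner_no_log_secrets comes from the PR.
- name: Demonstrate an opt-in no_log switch
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Constructed sample value standing in for a runner registration token.
    demo_registration_token: "CONSTRUCTED-TOKEN-0000"
    # gitlab_runner_no_log_secrets is deliberately left undefined here,
    # matching the PR description ("not defined by default").
  tasks:
    - name: Task whose module arguments contain the secret
      ansible.builtin.command:
        argv:
          - echo
          - "registering with {{ demo_registration_token }}"
      changed_when: false
      register: demo_result
      # default(false) keeps current behaviour when the variable is unset;
      # bool normalises values passed as strings with -e (yes, true, 1).
      no_log: "{{ gitlab_runner_no_log_secrets | default(false) | bool }}"

    - name: Non-secret task sharing the same switch
      ansible.builtin.command:
        argv: [uname, -s]
      changed_when: false
      # With the switch on, this harmless output is hidden as well, which is
      # the "obfuscates more than secrets" trade-off raised in the review.
      no_log: "{{ gitlab_runner_no_log_secrets | default(false) | bool }}"
```

Following the Test steps from the description, run it once with -vvvv and once with -vvvv -e gitlab_runner_no_log_secrets=yes; in the second run the constructed token should no longer appear in either task's invocation or result.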