Add a gitlab_runner_no_log_secrets option to prevent secret leaks

[loliee]

Goal

Ensure no secrets will leaks when running ansible.

Implementation

Add a new option that is not defined by default, adding this option will mute a lot of config tasks output.

⚠️ This setup is only done for unix runners, I don't have any windows machine to test

Test

• add a S3 cache section with credentials
• run ansible-playbook with -vvvv arg
• look for credentials in output 👀 💥
• define gitlab_runner_no_log_secrets: yes and run again
• look for credentials in output 👀 ✅

Note

Thanks for your role it does exactly what I was looking for !
I just need this feature to use it for production purposes.

[guenhter]

Maybe this name can be a little bit more specific because it doesn't turn off all logs but only a specific category...

[loliee]

I don't have a lot of inspiration for this naming… What name would be acceptable for you?

[guenhter]

Maybe just: gitlab_runner_no_log_secrets

[riemers]

if it has that logical name, no issues with merging it.

[loliee]

Sorry for my answer delay.

So I pushed a fixup 14ef966 with the new naming: gitlab_runner_no_log_secrets.

However, the name still seems misleading to me because it obfuscates more than secrets.

[guenhter]

@loliee If you are happy with the name (even if it is not 100% accurate but it gives a hint that more or less sensitive information is hidden with that flag), I'm happy to merge.

[loliee]

Most important for me is to hide secrets (and avoiding the use of an internal fork)!

So I squashed the fixup.

Thanks you @riemers @guenhter for merging this !

[loliee]

The PR title and commit subject are also now reword with the new option name.