ipa: make sure a bunch of calls do not log sensitive data

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2025-03-20 14:48:12 -07:00 · 2025-03-20 14:48:12 -07:00 · 58bbbca299
commit 58bbbca299
parent 1251149241
5 changed files with 6 additions and 0 deletions
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@ -164,6 +164,7 @@
    ansible.builtin.shell: set -o pipefail && echo "{{ ipa_admin_password }}" | kinit admin
    delegate_to: "{{ ipa_server }}"
    changed_when: false
+    no_log: true

    # Replication agreement needs to be removed from ipa cluster
    # before installing the replica
@ -249,6 +250,7 @@
    set -o pipefail
    echo "{{ ipa_admin_password }}" | kinit admin
  changed_when: false
+  no_log: true
  tags:
  - ipa/server
  - config
--- a/roles/ipa/servicedelegationrule/tasks/main.yml
+++ b/roles/ipa/servicedelegationrule/tasks/main.yml
@ -4,6 +4,7 @@
  ansible.builtin.shell: echo "{{ipa_admin_password}}" | kinit admin
  check_mode: no
  changed_when: "1 != 1"
+  no_log: true
  tags:
  - config
  - krb5
--- a/roles/ipa/servicedelegationtarget/tasks/main.yml
+++ b/roles/ipa/servicedelegationtarget/tasks/main.yml
@ -3,6 +3,7 @@
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.shell: echo "{{ipa_admin_password}}" | kinit admin
  check_mode: no
+  no_log: true
  changed_when: "1 != 1"
  tags:
  - config
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@ -66,6 +66,7 @@
 - name: Get admin ticket
  ansible.builtin.shell: echo "{{ipa_admin_password}}" | kinit admin
  check_mode: no
+  no_log: true
  tags:
  - ipsilon

--- a/roles/keytab/service/tasks/main.yml
+++ b/roles/keytab/service/tasks/main.yml
@ -31,6 +31,7 @@
  delegate_to: "{{ ipa_server }}"
  ansible.builtin.shell: echo "{{ipa_admin_password}}" | kinit admin
  check_mode: no
+  no_log: true
  changed_when: "1 != 1"
  tags:
  - keytab