Hide sensitive data values

[linuxmail]

Hello,

• Puppet: node: 3.7.2-4 / puppet server: 2.7.2-1puppetlabs1 / puppetdb: 4.4.0-1puppetlabs1
• Distribution: Debian Jessie
• Module version: latest

How to reproduce (e.g Puppet code you use)

class profile::grafana::base (
...
  $grafana_database_password = Sensitive(hiera('monitoring::grafana::database::password')),
...
)
{
...
  $database_cfg = {
    database => {
      type     => 'mysql',
      host     => "${database_server}:3306",
      name     => "$grafana_database",
      user     => "$grafana_database_user",
      password => $grafana_database_password.unwrap,
    }
  }
....

What are you seeing

Password in plaintext

I trying to hide all secrets from logs and the PuppetDB server. The secrets are saved in hiera-eyaml, but I can't find a way to hide the secrets for database/ldap.

Is there a way to support it?

cu denny

[wyardley]

I agree that this is a problem, not sure what the fix would be since as of now, the config hash is just a straight passthrough.

[alexjfisher]

Is this the same issue as #82 or just related?

[dhoppe]

@alexjfisher I am not sure if this is related, because the Puppet type Sensitive has been introduced with Puppet 4.6, but he uses Puppet 3.7.

[linuxmail]

hi,

we switched to Puppet5 and we have the same problem on many Puppet modules too, so I close the issue, until there is a reliable way to solve it.