Add option to disable output of config diff

[teluq-pbrideau]

Pull Request (PR) description

I configure my authentication through azure_activedirectory_v2, and I don’t want my client_secret to be displayed in clear in the puppet logs.

Converting the gitlab.rb.erb to .epp so it supports the sensitive type would probably be cleaner, but I did not have success with it. So this PR add option to disable output of the diff for sensitive information

class example {
  class { 'gitlab' :
    [...]
    config_show_diff => false,
  }
}

I’ve included the option to also affect the file containing $pgbouncer_password, as it is sensitive information. Is it is already a epp template, it could support sensitive type, but as I did not convert to the sensitive type elsewhere, it seemed simpler this way.

Feel free to comment if I missed anything.

This Pull Request (PR) fixes the following issues

Fixes #363

[smortex]

Thanks! I wonder if these new parameters are required after all, and if we really want this to be optional if it should rather default to false.

[teluq-pbrideau]

I sure can default the $config_show_diff in the init.pp to false if you want to. I was just trying to not change anything from the default values, but I agree it could be set secured by default.

[teluq-pbrideau]

Would you like me to add the config_show_diff option to global_hook.pp, system_hook.pp and custom_hook.pp, and set the default value to false? It would give option to people who want to display the diff be able to do it.

[teluq-pbrideau]

@smortex I’ve stumble over this today, is there anything else I could do to make the change to get merged?

[root-expert]

@teluq-pbrideau Please rebase with out master branch and it can be merged afterwards

[smortex]

As requested by @root-expert, can you please rebase your changes on top of the main branch?

From your working directory:

git fetch origin         # Download the latest code we have here
git rebase origin/master # Move your commits on top of the main branch
git push -f              # Send the changes (-f is required because we re-wrote history)

[smortex]

As far as I can tell, the previous code did show the diff so if we want to be backward compatible, this should default to true?

Also, when we switch to epp templates, this setting would be useless if I recall correctly because in this case the diff is not shown when it contains sensitive data.

[teluq-pbrideau]

As far as I can tell, the previous code did show the diff so if we want to be backward compatible, this should default to true?

That is also what I thought previously, and was then asked to put a secure default value. But any value is OK for me, i’ll set the one you want!

Also, when we switch to epp templates, this setting would be useless if I recall correctly because in this case the diff is not shown when it contains sensitive data.

As said in the PR description, I first tried to convert to an epp template without success. As it was more than 3 month ago, I do not remember why exactly… But you are right, once the template is converted to epp, the strings marked as Sensitive() will be obfuscated.