Merge pull request #6290 from sjug/ansible_no_log

openshift-merge-bot[bot] · web-flow · commit 6bc3e73bbeb4 · 2026-03-01T07:30:26.000Z
USHIFT-6646: Ansible: Do not log potentially sensitive data
diff --git a/ansible/roles/add-kubelet-logging/tasks/main.yml b/ansible/roles/add-kubelet-logging/tasks/main.yml
@@ -22,17 +22,20 @@
       register: bearer_token_slurp
       delegate_to: localhost
       become: false
+      no_log: true
 
     - name: Decode bearer token
       ansible.builtin.set_fact:
         bearer_token: "{{ bearer_token_slurp.content | b64decode }}"
+      no_log: true
 
     - name: Create metrics service account token file in prometheus folder
       ansible.builtin.copy:
         content: "{{ bearer_token }}"
         dest: "{{ kubelet_auth_token_file }}"
         mode: '0644'
       when: promdir.stat.exists
+      no_log: true
 
     - name: Remove the sa-token file
       ansible.builtin.file:
diff --git a/ansible/roles/create-service-account/tasks/main.yml b/ansible/roles/create-service-account/tasks/main.yml
@@ -12,6 +12,7 @@
 - name: create token for service account
   ansible.builtin.command: oc create token metrics-server -n kube-system --duration 720h
   register: token
+  no_log: true
 
 - name: remove metrics service account yaml
   ansible.builtin.file:
@@ -22,4 +23,6 @@
   ansible.builtin.copy:
     content: "{{ token.stdout }}"
     dest: "{{ sa_token_file }}"
+    mode: '0600'
   delegate_to: localhost
+  no_log: true
diff --git a/ansible/roles/install-logging/tasks/main.yml b/ansible/roles/install-logging/tasks/main.yml
@@ -60,6 +60,7 @@
           Accept: application/json
           Content-Type: application/json
         body: "{{ lookup('ansible.builtin.template', 'prometheus_datasource.json.j2') }}"
+      no_log: true
 
     - name: Create microshift perf dashboard in grafana
       ansible.builtin.uri:
@@ -73,3 +74,4 @@
           Accept: application/json
           Content-Type: application/json
         body: "{{ lookup('ansible.builtin.template', 'grafana_dashboard.json.j2') }}"
+      no_log: true
diff --git a/ansible/roles/install-microshift/tasks/main.yml b/ansible/roles/install-microshift/tasks/main.yml
@@ -163,6 +163,7 @@
     owner: root
     group: root
     mode: '0600'
+  no_log: true
   when: not pull_secret.stat.exists
 
 - name: check if crio metrics config is present
diff --git a/ansible/roles/manage-repos/tasks/main.yml b/ansible/roles/manage-repos/tasks/main.yml
@@ -21,6 +21,7 @@
           state: present
           username: "{{ rhel_username }}"
           password: "{{ rhel_password }}"
+        no_log: true
 
       - name: Enable repo management from subscription-manager
         ansible.builtin.command: subscription-manager config --rhsm.manage_repos=1
