diff --git a/.gitignore b/.gitignore index e041747..12749cb 100644 --- a/.gitignore +++ b/.gitignore @@ -189,3 +189,7 @@ cython_debug/ *.sarif **tar.gz + +# Secrets and certificates +*.pem +*.key diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index bf829d8..0164155 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,4 +1,3 @@ # Community Code of Conduct -Please see the official -[Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html). +Please see the official [Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..ce1aa8d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,15 @@ +# Security Policy + +## Supported Versions + +Ansible applies security fixes according to the 3-versions-back support +policy. Please find more information in [our docs]( +https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html#release-status +). + +## Reporting a Vulnerability + +We encourage responsible disclosure practices for security +vulnerabilities. Please read our [policies for reporting bugs]( +https://docs.ansible.com/ansible/devel/community/reporting_bugs_and_features.html#reporting-a-bug +) if you want to report a security issue that might affect Ansible. diff --git a/inventory.yml b/inventory.yml index 59c01a4..92ad911 100644 --- a/inventory.yml +++ b/inventory.yml @@ -16,7 +16,7 @@ all: aap_validate_certs: false controller_validate_certs: false - # If secure_logging is set to 'true', Secrets may be displayed in logs. + # If secure_logging is set to 'true', secrets are hidden from logs. # secure_logging: false ## Operators to deploy on the OpenShift Hub Cluster diff --git a/roles/aap_deploy/tasks/install.yml b/roles/aap_deploy/tasks/install.yml index 02b9fed..357286d 100644 --- a/roles/aap_deploy/tasks/install.yml +++ b/roles/aap_deploy/tasks/install.yml 
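Review bot: The two added patterns leave other private-key containers unignored, such as PKCS#12 bundles and kubeconfig files, which carry keys or tokens just as `*.pem` and `*.key` do; consider extending the new stanza with `*.p12`, `*.pfx` and `kubeconfig`. An ignore rule also does not affect a file that was committed before the rule existed, so it is worth checking `git ls-files` once for paths matching these patterns. A pre-commit secret scanner covers what a filename pattern cannot.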
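Review bot: The reworded comment still sits above `# secure_logging: false`, so the value a reader uncomments is `false`, the permissive setting, while the sentence above it describes what `true` does; make the example the safe one, `# secure_logging: true`, or state the effective default in the comment. Note too that the variable documented here is `secure_logging`, while the values removed from roles/aap_seed/tasks/main.yml in this commit are `controller_configuration_secure_logging` and `aap_configuration_secure_logging`; unless something outside the diff derives the latter from the former, this inventory setting would not reach the collection roles, which is worth confirming.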
@@ -1,5 +1,6 @@ --- - name: install | Validate OpenShift bearer token + no_log: true ansible.builtin.uri: url: "{{ aap_deploy_openshift_host | default(lookup('ansible.builtin.env', 'K8S_AUTH_HOST')) }}" method: GET diff --git a/roles/aap_seed/tasks/main.yml b/roles/aap_seed/tasks/main.yml index a9695bb..4645ed4 100644 --- a/roles/aap_seed/tasks/main.yml +++ b/roles/aap_seed/tasks/main.yml @@ -56,6 +56,7 @@ delay: 5 register: aap_seed_api_status until: aap_seed_api_status.status == 200 + no_log: true ansible.builtin.uri: url: https://{{ aap_seed_controller_hostname }}/api{{ '/controller' if aap_version is not defined or aap_version is defined and aap_version is version('2.5', '>=') }}/v2/config/ # noqa: yaml[line-length] method: GET @@ -72,6 +73,7 @@ delay: 5 register: aap_seed_api_status until: aap_seed_api_status.status == 200 + no_log: true ansible.builtin.uri: url: https://{{ aap_seed_controller_hostname }}/api{{ '/controller' if aap_version is not defined or aap_version is defined and aap_version is version('2.5', '>=') }}/v2/config/ # noqa: yaml[line-length] method: GET @@ -94,9 +96,7 @@ - name: Set variables for {{ aap_seed_cac_collection }} ansible.builtin.set_fact: - controller_configuration_secure_logging: false # noqa: var-naming[no-role-prefix] controller_configuration_async_delay: 5 # noqa: var-naming[no-role-prefix] - aap_configuration_secure_logging: false # noqa: var-naming[no-role-prefix] aap_configuration_async_delay: 5 # noqa: var-naming[no-role-prefix] - name: Call dispatch role diff --git a/roles/bootstrap/tasks/aap_subscription.yml b/roles/bootstrap/tasks/aap_subscription.yml index 4bdf936..e4150d0 100644 --- a/roles/bootstrap/tasks/aap_subscription.yml +++ b/roles/bootstrap/tasks/aap_subscription.yml @@ -65,6 +65,7 @@ register: __bootstrap_aap_license_manifest_content - name: aap_subscription | Apply license to AAP + no_log: true ansible.builtin.uri: method: POST status_code: 200 
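Review bot: `no_log: true` is hard-coded on the token-validation task, so when the bearer token is rejected the censored result hides the status code and response body that explain why; the same applies to the `no_log: true` added in roles/aap_seed/tasks/main.yml (both uri tasks), roles/bootstrap/tasks/aap_subscription.yml, roles/mtv_management/tasks/mtv_query_inventory.yml, roles/vm_hot_plug/tasks/_storage.yml and roles/vm_lifecycle/tasks/_perform_operation.yml. Since inventory.yml already documents a `secure_logging` switch, tying the keyword to it with a fail-safe default, `no_log: "{{ secure_logging | default(true) }}"`, keeps masking on unless an operator deliberately relaxes it for troubleshooting. For the validation task in particular, registering the result and reporting only its `status` in a follow-up `ansible.builtin.fail` would give a readable failure without exposing the token; the task body continues past the hunk.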
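Review bot: Dropping `controller_configuration_secure_logging: false` and `aap_configuration_secure_logging: false` from the set_fact leaves the masking behaviour of the dispatched configuration roles to whatever those collections default to, which the diff does not show. If the intent of this commit is that secrets are masked, set the values explicitly, e.g. `controller_configuration_secure_logging: "{{ secure_logging | default(true) }}"  # noqa: var-naming[no-role-prefix]` and the same for `aap_configuration_secure_logging`, so the inventory switch controls both roles and the safe value applies when it is unset.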
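Review bot: The new `no_log: true` masks the POST that sends the license, but the value it sends, `__bootstrap_aap_license_manifest_content`, is registered by the task just above the hunk, and that task's own output would carry the manifest content unless it is masked as well. The registering task is outside the hunk, so please check it also has `no_log: true`; the uri task's remaining keys continue below `status_code: 200`.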
diff --git a/roles/create_mf_aap_token/files/crb_migration_factory_aap_cluster_admin.yaml b/roles/create_mf_aap_token/files/crb_migration_factory_aap_cluster_admin.yaml index fd7512d..651936f 100644 --- a/roles/create_mf_aap_token/files/crb_migration_factory_aap_cluster_admin.yaml +++ b/roles/create_mf_aap_token/files/crb_migration_factory_aap_cluster_admin.yaml @@ -1,4 +1,5 @@ --- +# WARNING: cluster-admin grants unrestricted cluster access. Replace with a scoped ClusterRole for production use. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/roles/mtv_management/tasks/mtv_query_inventory.yml b/roles/mtv_management/tasks/mtv_query_inventory.yml index 27a6f15..5a3e31b 100644 --- a/roles/mtv_management/tasks/mtv_query_inventory.yml +++ b/roles/mtv_management/tasks/mtv_query_inventory.yml @@ -81,6 +81,7 @@ headers: Authorization: Bearer {{ openshift_api_key }} register: _mtv_management_mtv_inventory_query_result + no_log: true - name: mtv_query_inventory | Set Result Fact ansible.builtin.set_fact: diff --git a/roles/vm_hot_plug/tasks/_storage.yml b/roles/vm_hot_plug/tasks/_storage.yml index 8060e3d..d9846b5 100644 --- a/roles/vm_hot_plug/tasks/_storage.yml +++ b/roles/vm_hot_plug/tasks/_storage.yml @@ -19,6 +19,7 @@ default([]) | selectattr('name', 'equalto', vm_hot_plug_storage_instance.name) | list | length == 0 ) + no_log: true ansible.builtin.uri: url: "{{ vm_hot_plug_openshift_host }}/apis/subresources.{{ vm_hot_plug_kubevirt_api_version }}\ diff --git a/roles/vm_lifecycle/tasks/_perform_operation.yml b/roles/vm_lifecycle/tasks/_perform_operation.yml index cedb815..2926258 100644 --- a/roles/vm_lifecycle/tasks/_perform_operation.yml +++ b/roles/vm_lifecycle/tasks/_perform_operation.yml 
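Review bot: A comment in a static manifest does not change what is applied; this ClusterRoleBinding still grants cluster-admin whenever the role presumably applies the file, so the warning should be paired with a way to honour it. One option is to make the bound ClusterRole name a role variable whose default is a scoped role, with cluster-admin as an explicit opt-in; the task that references this manifest is not visible in the diff. Until then, the comment could at least name the subject that receives the binding so the blast radius is visible at the top of the file.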
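Review bot: `no_log: true` is placed after `register:` here, whereas every other `no_log: true` in this commit precedes `ansible.builtin.uri:`; keeping the task keywords in one order across the roles makes the masked tasks easy to spot in review. The uri task itself starts above the hunk, so moving the keyword next to its `name` would fall outside the shown lines.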
@@ -1,6 +1,7 @@ --- - name: _perform_operation | Perform VM Operation + no_log: true ansible.builtin.uri: url: "{{ vm_lifecycle_openshift_host }}/apis/subresources.{{ vm_lifecycle_kubevirt_api_version }}/namespaces/{{ vm_operations_vm.vm.metadata.namespace }}/virtualmachines/{{ vm_operations_vm.vm.metadata.name }}/{{ vm_lifecycle_valid_vm_operations[vm_operations_vm['operation']].endpoint }}" # noqa: yaml[line-length] validate_certs: "{{ vm_lifecycle_openshift_verify_ssl }}"