Stop printing gitaly and praefect configuration changes diff in chef
Summary
We manage praefect and gitaly configuration via chef. When we make changes to the configuration file, chef prints the diff automatically. This is not ideal since the configuration file has unencrypted tokens such as database passwords. These end up in chef-client logs, which we store in ElasticSearch, and can also result in us leaking passwords when we copy/paste chef logs for debugging purposes.
Related Incident(s)
Originating issue(s): gitlab-com/gl-infra/production#8269
Desired Outcome/Acceptance Criteria
We should be able to achieve this by marking the properties of the config as sensitive. We are not sure if we need to make the whole config file sensitive or just some fields.
- Stop printing the diff on the config.toml for praefect service. 👉 gitlab-org/omnibus-gitlab!6679 (merged)
- Stop printing the diff on the config.toml for gitaly service. 👉 gitlab-org/omnibus-gitlab!6678 (merged)
- Stop printing the diff in GitLab.rb 👉 gitlab-cookbooks/cookbook-omnibus-gitlab!113 (merged)
Associated Services
Corrective Action Issue Checklist
- Link the incident(s) this corrective action arose out of
- Give context for what problem this corrective action is trying to prevent from re-occurring
- Assign a severity label (this is the highest sev of related incidents, defaults to 'severity::4')
- Assign a priority (this will default to 'Reliability::P4')
Edited by Steve Xuereb
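
Chef-client logs that were stored before the diff was suppressed can still contain secret-bearing diff lines. The sweep below is an added example, not code from this issue or from omnibus-gitlab: it redacts such lines from log text. The log layout, the file paths, the key-name pattern and the sample log are assumptions constructed for illustration.

```ruby
# Added example: find and redact secret values that chef-client printed as
# part of a config.toml diff. All patterns below are assumptions for this sketch.
WATCHED    = %r{/(gitaly|praefect)/config\.toml\z}          # files whose diffs we care about
SECRET_KEY = /\b(\w*(?:password|token|secret)\w*)(\s*=\s*).*/i
DIFF_START = /^\s*---\s+(\S+)/                               # unified-diff "old file" header
NEXT_RES   = /^\s*\*\s+\S+\[/                                # next resource, e.g. "* template[...]"

# Returns [redacted_lines, findings]; each finding is {line:, file:, key:}.
def scrub_chef_log(text)
  watched = nil   # path of the watched file whose diff we are inside, else nil
  findings = []
  lines = text.lines(chomp: true).each_with_index.map do |line, i|
    if (m = DIFF_START.match(line))
      watched = WATCHED.match?(m[1]) ? m[1] : nil
    elsif NEXT_RES.match?(line)
      watched = nil
    elsif watched && (m = SECRET_KEY.match(line))
      # Added, removed and unchanged context lines can all carry the value.
      findings << { line: i + 1, file: watched, key: m[1] }
      line = line.sub(SECRET_KEY, '\1\2[REDACTED]')
    end
    line
  end
  [lines, findings]
end

# Constructed sample log; values are placeholders, not real output.
SAMPLE_LOG = <<~'LOG'
  * template[/var/opt/gitlab/gitaly/config.toml] action create
    - update content in file /var/opt/gitlab/gitaly/config.toml
    --- /var/opt/gitlab/gitaly/config.toml 2022-01-01 00:00:00
    +++ /var/opt/gitlab/gitaly/.chef-config.toml 2022-01-01 00:00:01
    @@ -1,4 +1,4 @@
     [auth]
    -token = 'EXAMPLE-OLD'
    +token = 'EXAMPLE-NEW'
  * template[/etc/motd] action create
    --- /etc/motd 2022-01-01 00:00:00
    +token = 'not-a-watched-file'
LOG

if __FILE__ == $PROGRAM_NAME
  redacted, hits = scrub_chef_log(SAMPLE_LOG)
  puts redacted
  hits.each { |h| warn "line #{h[:line]}: #{h[:key]} from #{h[:file]}" }
end
```

Any value the sweep finds has already been exposed in the logs and should be rotated, not only redacted.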