Merge pull request #278 from mediapart/feat/no-log-setup-unix

Add a `gitlab_runner_no_log_secrets` option to prevent secret leaks
riemers · Sep 12, 2023 · c55eb7b · c55eb7b
2 parents c6fce88 + 2d76acd
commit c55eb7b
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 1 deletion.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -84,9 +84,12 @@ gitlab_runner_restart_state: restarted
 # default value for force accept self signed certificates
 force_accept_gitlab_server_self_signed: false
 
-# controls diffs for assemle config file
+# controls diffs for assemble config file
 gitlab_runner_show_config_diff: no
 
+# controls logs on ansible configuration tasks, uncomment to prevent secret leaks (Unix support only).
+# gitlab_runner_no_log_secrets: yes
+
 # A list of runners to register and configure
 gitlab_runner_runners:
     # The identifier of the runner.

diff --git a/tasks/config-runner.yml b/tasks/config-runner.yml
@@ -15,6 +15,7 @@
     content: "{{ runner_config }}"
   check_mode: no
   changed_when: false
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
 
 - include_tasks: update-config-runner.yml
   vars:
@@ -26,6 +27,7 @@
   loop_control:
     index_var: gitlab_runner_index
     loop_var: gitlab_runner
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
 
 - name: "{{ conf_name_prefix }} Remove runner config"
   file:
@@ -38,3 +40,4 @@
   loop_control:
     index_var: gitlab_runner_index
     loop_var: gitlab_runner
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
diff --git a/tasks/config-runners.yml b/tasks/config-runners.yml
@@ -8,6 +8,7 @@
 - name: Get pre-existing runner configs
   set_fact:
     runner_configs: "{{ (runner_config_file['content'] | b64decode).split('[[runners]]\n') }}"
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
 
 - name: Create temporary directory
   tempfile:
@@ -25,6 +26,7 @@
   loop_control:
     index_var: runner_config_index
     loop_var: runner_config
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
 
 - name: Assemble new config.toml
   assemble:

diff --git a/tasks/global-setup.yml b/tasks/global-setup.yml
@@ -21,6 +21,7 @@
     line: '\1concurrent = {{ gitlab_runner_concurrent }}'
     state: present
     backrefs: yes
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
   become: "{{ gitlab_runner_system_mode }}"
   notify:
     - restart_gitlab_runner
@@ -33,6 +34,7 @@
     line: 'listen_address = "{{ gitlab_runner_listen_address }}"'
     insertafter: '\s*concurrent.*'
     state: present
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
   when: gitlab_runner_listen_address | length > 0  # Ensure value is set
   become: "{{ gitlab_runner_system_mode }}"
   notify:
@@ -46,6 +48,7 @@
     line: 'log_format = "{{ gitlab_runner_log_format|default("runner") }}"'
     insertbefore: BOF
     state: present
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
   when: gitlab_runner_log_format is defined # Ensure value is set
   become: "{{ gitlab_runner_system_mode }}"
   notify:
@@ -59,6 +62,7 @@
     line: 'sentry_dsn = "{{ gitlab_runner_sentry_dsn }}"'
     insertafter: '\s*concurrent.*'
     state: present
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
   when: gitlab_runner_sentry_dsn | length > 0  # Ensure value is set
   become: "{{ gitlab_runner_system_mode }}"
   notify:
@@ -72,6 +76,7 @@
     line: '  listen_address = "{{ gitlab_runner_session_server_listen_address }}"'
     insertafter: '^\s*\[session_server\]'
     state: "{{ 'present' if gitlab_runner_session_server_listen_address | length > 0 else 'absent' }}"
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
   become: "{{ gitlab_runner_system_mode }}"
   notify:
     - restart_gitlab_runner
@@ -85,6 +90,7 @@
     insertafter: '^\s*\[session_server\]'
     state: "{{ 'present' if gitlab_runner_session_server_advertise_address | length > 0 else 'absent' }}"
   become: "{{ gitlab_runner_system_mode }}"
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
   notify:
     - restart_gitlab_runner
     - restart_gitlab_runner_macos
@@ -96,6 +102,7 @@
     line: "  session_timeout = {{ gitlab_runner_session_server_session_timeout }}"
     insertafter: '^\s*\[session_server\]'
     state: present
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
   when: gitlab_runner_session_server_session_timeout
   become: "{{ gitlab_runner_system_mode }}"
   notify:

diff --git a/tasks/main-unix.yml b/tasks/main-unix.yml
@@ -32,6 +32,7 @@
   loop_control:
     index_var: gitlab_runner_index
     loop_var: gitlab_runner
+  no_log: "{{ gitlab_runner_no_log_secrets | default(omit) }}"
 
 - name: Unregister runners which are not longer configured
   include_tasks: unregister-runner-if-not-longer-configured.yml