From 2b6ce769ee315c915e675d6e9012347942145c3e Mon Sep 17 00:00:00 2001 From: Sergei Petrosian Date: Thu, 7 May 2026 14:49:34 +0200 Subject: [PATCH] feat: Parametrize no_log usage in nbde_client role - Replace literal no_log: true with nbde_client_secure_logging variable - Add no_log: "{{ ansible_verbosity < 2 }}" to service_facts - Add nbde_client_secure_logging: true to defaults/main.yml - Document nbde_client_secure_logging variable in README.md This change allows users to control logging of potentially sensitive information by setting nbde_client_secure_logging: false for debugging, while maintaining secure defaults. For service_facts, the role now uses verbosity-based logging to hide verbose output unless ansible_verbosity >= 2. Co-Authored-By: Claude Sonnet 4.5 --- README.md | 1 + defaults/main.yml | 1 + tasks/main-clevis.yml | 7 ++++--- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 24b91e58..f882bd0b 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,7 @@ These are the variables that can be passed to the role: | `nbde_client_provider` | `clevis`| identifies the provider for the `nbde_client` role. We currently support `clevis`.| | `nbde_client_bindings` | | a list containing binding configurations, which include e.g. devices and slots. | | `nbde_client_early_boot` | `true` | by default nbde_client will configure the initrd to unlock the volume. This may need to be disabled if the managed host is using static IP addressing, or if the volume should be unlocked by clevis-luks-askpass | +| `nbde_client_secure_logging` | `true` | If true, suppress potentially sensitive output from tasks that handle credentials, secrets, and other sensitive data. Set to false for debugging issues with credential handling or secret management, but be aware this may expose sensitive information in logs. | ### nbde_client_bindings diff --git a/defaults/main.yml b/defaults/main.yml index e560f5f5..220496dc 100644 --- a/defaults/main.yml 
+++ b/defaults/main.yml @@ -21,5 +21,6 @@ nbde_client_early_boot: true # - http://server1.example.com # - http://server2.example.com nbde_client_bindings: [] +nbde_client_secure_logging: true # vim:set ts=2 sw=2 et: diff --git a/tasks/main-clevis.yml b/tasks/main-clevis.yml index 75619195..2dc6a5e1 100644 --- a/tasks/main-clevis.yml +++ b/tasks/main-clevis.yml @@ -6,6 +6,7 @@ - name: Get services service_facts: + no_log: "{{ ansible_verbosity < 2 }}" - name: Enable clevis askpass unit systemd: @@ -29,7 +30,7 @@ bindings: "{{ nbde_client_bindings | default([]) }}" check_mode: true register: __nbde_client_clevis_check_state - no_log: true + no_log: "{{ nbde_client_secure_logging }}" - name: Prepare key files, perform clevis operations and dispose of key files when: @@ -55,7 +56,7 @@ loop: "{{ nbde_client_bindings }}" loop_control: label: "{{ item.encryption_key_src | default('') }}" - no_log: true + no_log: "{{ nbde_client_secure_logging }}" - name: Perform clevis operations when: @@ -65,7 +66,7 @@ bindings: "{{ nbde_client_bindings | default([]) }}" data_dir: "{{ nbde_client_tempdir.path }}" notify: Handle nbde_client update initramfs - no_log: true + no_log: "{{ nbde_client_secure_logging }}" rescue: - name: Failed message
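Review bot: The new `nbde_client_secure_logging: true` line in defaults/main.yml carries no comment, while the lines above it in this hunk are comment-only example values, so the one switch that can put secrets into job output is the least explained entry in the file. A short comment above it would make the trade-off visible to anyone editing defaults without opening the README, for example `# Keep true outside of debugging: when false, tasks that pass binding data to clevis print it in play output and in anything that captures it (logs, job history).` This is documentation only; the name and default value should stay as they are.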
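Review bot: `no_log: "{{ ansible_verbosity < 2 }}"` on the `Get services` task uses a secrecy control as a verbosity control, and the two do not behave the same: if service_facts fails at the default verbosity, Ansible replaces the failure details with its generic "output has been hidden" notice, so the first task of the role cannot be debugged without re-running at -vv. Service unit names and states are not secret, so hiding them protects nothing, and this is also the only `no_log` in the commit that ignores the new `nbde_client_secure_logging` switch. If the intent is only to keep the facts out of the play output, dropping the line is the simplest fix; if it must stay, tie it to the same variable as the other tasks, `no_log: "{{ nbde_client_secure_logging }}"`, so one setting controls every hidden result. The `Enable clevis askpass unit` task that follows continues outside the hunk.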