In the provision script, salt-call runs with a log level of debug, which leads to it logging some sensitive credentials on standard output.
This makes it difficult to use provision on a CI system. Even while running manually, people often redirect a command's output to a log file (provision >> provisioning.log). That can also lead to credentials getting leaked inadvertently.
With this change, while executing normally, the provision script does not log any credentials. And whenever a detailed log is needed, it can be run with a debug flag (provision --debug)
vigneshsarma
commented
5 years ago
In the
provisionscript,salt-callruns with a log level of debug, which leads to it logging some sensitive credentials on standard output.This makes it difficult to use
provisionon a CI system. Even while running manually, people often redirect a command's output to a log file (provision >> provisioning.log). That can also lead to credentials getting leaked inadvertently.With this change, while executing normally, the
provisionscript does not log any credentials. And whenever a detailed log is needed, it can be run with a debug flag (provision --debug)