openstack-k8s-operators · rebtoor · Dec 10, 2025 · Dec 10, 2025
diff --git a/ci/playbooks/collect-logs.yml b/ci/playbooks/collect-logs.yml
@@ -177,6 +177,6 @@
       become: true
       ansible.builtin.shell: |
           journalctl -u kubelet > kubelet.log
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
       args:
         chdir: "{{ ansible_user_dir }}/zuul-output/logs/"
diff --git a/ci/playbooks/e2e-collect-logs.yml b/ci/playbooks/e2e-collect-logs.yml
@@ -47,6 +47,6 @@
       become: true
       ansible.builtin.shell: |
         journalctl -u kubelet > kubelet.log
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
       args:
         chdir: "{{ ansible_user_dir }}/zuul-output/logs/"
diff --git a/group_vars/all.yml b/group_vars/all.yml
@@ -10,3 +10,4 @@ cifmw_installyamls_repos_relative: src/github.com/openstack-k8s-operators/instal
 cifmw_installyamls_repos: "{{ ansible_user_dir }}/{{ cifmw_installyamls_repos_relative }}"
 cifmw_architecture_repo_relative: src/github.com/openstack-k8s-operators/architecture
 cifmw_architecture_repo: "{{ ansible_user_dir }}/{{ cifmw_architecture_repo_relative }}"
+cifmw_nolog: true # set to false to enable logging of sensitive data
diff --git a/hooks/playbooks/ceph.yml b/hooks/playbooks/ceph.yml
@@ -47,7 +47,7 @@
     - name: Create private key if it does not exist
       ansible.builtin.command:
         cmd: "ssh-keygen -t rsa -q -N '' -f {{ private_key }}"
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
       when:
         - not private_key_stat.stat.exists
 
@@ -83,7 +83,7 @@
         src: "{{ lookup('env', 'HOME') }}/.ssh/{{ cifmw_admin_user }}-id_rsa"
       register: private_key_get
       delegate_to: localhost
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
     - name: Get local public key
       ansible.builtin.slurp:
@@ -96,7 +96,7 @@
       cifmw_admin_pubkey: "{{ public_key_get['content'] | b64decode }}"
       cifmw_admin_prikey: "{{ private_key_get['content'] | b64decode }}"
       cifmw_admin_distribute_private_key: true
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
 - name: Create Block Device on target nodes
   tags: block
@@ -332,7 +332,7 @@
     - name: Generate a cephx key
       cephx_key:
       register: cephx
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
     - name: Set cifmw_cephadm_keys with the cephx key and cifmw_cephadm_pools
       ansible.builtin.set_fact:
@@ -347,7 +347,7 @@
                                    'profile rbd pool=\\1') | join(', ') }}"
       vars:
         pools: "{{ cifmw_cephadm_pools | map(attribute='name') | list }}"
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
     # for deploying external ceph for 17.1 using cifmw, we need this playbook to create keyring
     # for manila client and manila_data pool
@@ -370,7 +370,7 @@
           pg_autoscale_mode: true
           application: cephfs
       when: adoption_deploy_ceph_for_tripleo | default (false)
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
     # public network always exist because is provided by the ceph_spec role
     - name: Get Storage network range

diff --git a/roles/adoption_osp_deploy/tasks/login_registries.yml b/roles/adoption_osp_deploy/tasks/login_registries.yml
@@ -21,7 +21,7 @@
   block:
     - name: Make redhat subscription
       become: true
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
       community.general.redhat_subscription:
         activationkey: "{{ cifmw_adoption_osp_deploy_rhsm_key }}"
         org_id: "{{ cifmw_adoption_osp_deploy_rhsm_org }}"
@@ -58,7 +58,7 @@
 
     - name: Login to container registry both zuul and root users
       become: "{{ item == 'root' }}"
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
       ansible.builtin.command: >
         podman login
         --username "{{ _container_user }}"

diff --git a/roles/ci_dcn_site/tasks/remove_node.yml b/roles/ci_dcn_site/tasks/remove_node.yml
@@ -228,4 +228,4 @@
         content: "{{ item.content | b64decode | from_yaml | ansible.utils.remove_keys(target=[_node_to_remove]) | to_nice_yaml }}"
         mode: '0644'
       with_items: "{{ vars_files.results }}"
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
diff --git a/roles/ci_dcn_site/tasks/scaledown_site.yml b/roles/ci_dcn_site/tasks/scaledown_site.yml
@@ -192,7 +192,7 @@
     cinder_prefix: "{{ (item.metadata.name | regex_search('^(cinder-[a-z0-9]+)')) }}"
   loop: "{{ pod_list.resources }}"
   when: item.metadata.name is match('^cinder-.*-scheduler-0$')
-  no_log: true
+  no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
 - name: Delete the cinder-volume service
   kubernetes.core.k8s_exec:

diff --git a/roles/ci_setup/tasks/packages.yml b/roles/ci_setup/tasks/packages.yml
@@ -73,7 +73,7 @@
           {{ cifmw_ci_setup_oc_install_path }}/oc completion bash |
           tee -a ~/.oc_completion
         creates: "{{ ansible_user_dir }}/.oc_completion"
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
     - name: Source completion from within .bashrc
       ansible.builtin.blockinfile:

diff --git a/roles/cifmw_ceph_client/tasks/main.yml b/roles/cifmw_ceph_client/tasks/main.yml
@@ -60,15 +60,15 @@
     src: "{{ cifmw_ceph_client_fetch_dir }}/{{ cifmw_ceph_client_cluster | default('ceph') }}.conf"
   register: cifmw_ceph_client_conf_file_b64
   delegate_to: localhost
-  no_log: true
+  no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
 - name: Base64 encode cephx key file
   tags: k8s
   ansible.builtin.slurp:
     src: "{{ cifmw_ceph_client_fetch_dir }}/{{ cifmw_ceph_client_cluster | default('ceph') }}.client.openstack.keyring"
   register: cifmw_ceph_client_key_file_b64
   delegate_to: localhost
-  no_log: true
+  no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
 - name: Create k8s_ceph_secret.yml with base64 encoded files
   tags: k8s

diff --git a/roles/cifmw_external_dns/tasks/cleanup.yml b/roles/cifmw_external_dns/tasks/cleanup.yml
@@ -15,7 +15,7 @@
 # under the License.
 
 - name: Remove key and certificate files on target host
-  no_log: true
+  no_log: "{{ cifmw_nolog | default(true) | bool }}"
   become: true
   ansible.builtin.file:
     state: absent

diff --git a/roles/devscripts/tasks/320_restore_pull_secret.yml b/roles/devscripts/tasks/320_restore_pull_secret.yml
@@ -20,13 +20,13 @@
 # pulling images from external registries for operators and other workloads.
 
 - name: Get original pull-secret content
-  no_log: true
+  no_log: "{{ cifmw_nolog | default(true) | bool }}"
   ansible.builtin.slurp:
     src: "{{ cifmw_devscripts_repo_dir }}/pull_secret.json"
   register: _original_pull_secret
 
 - name: Get current cluster pull-secret
-  no_log: true
+  no_log: "{{ cifmw_nolog | default(true) | bool }}"
   kubernetes.core.k8s_info:
     kubeconfig: "{{ cifmw_openshift_kubeconfig }}"
     api_key: "{{ cifmw_openshift_token | default(omit) }}"
@@ -37,7 +37,7 @@
   register: _cluster_pull_secret_raw
 
 - name: Update cluster pull-secret
-  no_log: true
+  no_log: "{{ cifmw_nolog | default(true) | bool }}"
   vars:
     _original_auths: "{{ (_original_pull_secret.content | b64decode | from_json).auths }}"
     _cluster_auths: "{{ (_cluster_pull_secret_raw.resources[0].data['.dockerconfigjson'] | b64decode | from_json).auths }}"

diff --git a/roles/fdp_update_container_images/tasks/authenticate_registry.yml b/roles/fdp_update_container_images/tasks/authenticate_registry.yml
@@ -18,11 +18,11 @@
   ansible.builtin.command: oc create token builder -n {{ cifmw_fdp_update_container_images_namespace }}
   register: _cifmw_fdp_update_container_images_token
   changed_when: false
-  no_log: true
+  no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
 - name: Authenticate podman with TLS verification
   containers.podman.podman_login:
     username: unused
     password: "{{ _cifmw_fdp_update_container_images_token.stdout }}"
     registry: "{{ cifmw_fdp_update_container_images_image_registry }}"
-  no_log: true
+  no_log: "{{ cifmw_nolog | default(true) | bool }}"
diff --git a/roles/install_openstack_ca/tasks/main.yml b/roles/install_openstack_ca/tasks/main.yml
@@ -25,15 +25,15 @@
       ansible.builtin.command:
         cmd: 'oc get secret combined-ca-bundle -n openstack -o "jsonpath={.data.tls-ca-bundle\.pem}"'
       retries: 10
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
       delay: 3
       until: _ca_bundle_data.rc == 0
       register: _ca_bundle_data
 
     - name: Set _ca_bundle fact if CA returned from OCP
       when:
         - _ca_bundle_data.rc == 0
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
       ansible.builtin.set_fact:
         _ca_bundle: >-
           {{ _ca_bundle_data.stdout | ansible.builtin.b64decode }}

diff --git a/roles/manage_secrets/tasks/_push_secret.yml b/roles/manage_secrets/tasks/_push_secret.yml
@@ -58,7 +58,7 @@
     - _secret_content | length > 0
   block:
     - name: Create file from content
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
       ansible.builtin.copy:
         dest: "{{ _secret_dest }}"
         content: "{{ _secret_content }}"

diff --git a/roles/update/tasks/create_local_openstackclient.yml b/roles/update/tasks/create_local_openstackclient.yml
@@ -31,7 +31,7 @@
         username: "{{ cifmw_registry_token.credentials.username }}"
         password: "{{ cifmw_registry_token.credentials.password }}"
         registry: "registry.redhat.io"
-      no_log: true
+      no_log: "{{ cifmw_nolog | default(true) | bool }}"
 
 - name: Collect and save OpenStack config files
   ansible.builtin.include_tasks: collect_openstackclient_config.yml