From 2c28ea5ecf3863f3c3444513f7ba5c3bc2ed09e9 Mon Sep 17 00:00:00 2001
From: Luigi Toscano
Date: Tue, 23 Dec 2025 23:51:45 +0100
Subject: [PATCH 1/3] [cifmw_cephadm] default to shared container registry vars
As default, use the already known set of variables which are meant to be used to store the URL and the credentials of the container registry.
Signed-off-by: Luigi Toscano
---
roles/cifmw_cephadm/tasks/bootstrap.yml | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/roles/cifmw_cephadm/tasks/bootstrap.yml b/roles/cifmw_cephadm/tasks/bootstrap.yml
index 9ac56bfffe..87f8c5d0c1 100644
--- a/roles/cifmw_cephadm/tasks/bootstrap.yml
+++ b/roles/cifmw_cephadm/tasks/bootstrap.yml
@@ -50,6 +50,10 @@
 - name: Run cephadm bootstrap
 become: true
 register: cephadm_bootstrap
+ vars:
+ _container_registry_url: "{{ cifmw_cephadm_registry_url|default(cifmw_registry_token_registry_url|default(''), True) }}"
+ _container_registry_username: "{{ cifmw_cephadm_registry_username|default(cifmw_registry_token.credentials.username|default(''), True) }}"
+ _container_registry_password: "{{ cifmw_cephadm_registry_password|default(cifmw_registry_token.credentials.password|default(''), True) }}"
 ansible.builtin.shell: |
 {{ cifmw_cephadm_bin }} \
 {% if not cifmw_cephadm_default_container %}--image {{ cifmw_cephadm_container_ns + '/' + cifmw_cephadm_container_image + ':' + cifmw_cephadm_container_tag|string }} \{% endif %}
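Review bot: The three `_container_registry_*` values in the added `vars:` block each fall back on their own, so a deployment that sets only `cifmw_cephadm_registry_url` gets that URL combined with the username and password taken from `cifmw_registry_token`, and the shared credentials are then presented to a registry they were not issued for. Choosing one source for all three values avoids the mix; a sketch follows, assuming the role variables keep empty-string defaults (the defaults file is not part of this patch). Because the outer `default(..., True)` treats an empty string as unset, any play that defines `cifmw_registry_token` now logs cephadm in to that registry even when the role variables are left empty, which deserves a sentence in the role documentation if it is intended. The task body continues beyond the end of the hunk.

```yaml
  vars:
    # Take URL, username and password from the same source so the shared
    # token is never paired with a role-specific registry URL.
    _use_shared_registry: "{{ (cifmw_cephadm_registry_url | default('', true)) | length == 0 }}"
    _container_registry_url: >-
      {{ (cifmw_registry_token_registry_url | default(''))
         if _use_shared_registry | bool
         else cifmw_cephadm_registry_url }}
    _container_registry_username: >-
      {{ (cifmw_registry_token.credentials.username | default(''))
         if _use_shared_registry | bool
         else (cifmw_cephadm_registry_username | default('')) }}
    _container_registry_password: >-
      {{ (cifmw_registry_token.credentials.password | default(''))
         if _use_shared_registry | bool
         else (cifmw_cephadm_registry_password | default('')) }}
  # … unchanged: ansible.builtin.shell block …
```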
@@ -65,9 +69,9 @@
 --output-keyring {{ cifmw_cephadm_admin_keyring }} \
 --output-config {{ cifmw_cephadm_conf }} \
 --fsid {{ cifmw_cephadm_fsid }} \
- {% if cifmw_cephadm_registry_url|length > 0 %}--registry-url {{ cifmw_cephadm_registry_url }} \{% endif %}
- {% if cifmw_cephadm_registry_username|length > 0 %}--registry-username {{ cifmw_cephadm_registry_username }} \{% endif %}
- {% if cifmw_cephadm_registry_password|length > 0 %}--registry-password {{ cifmw_cephadm_registry_password }} \{% endif %}
+ {% if _container_registry_url|length > 0 %}--registry-url {{ _container_registry_url }} \{% endif %}
+ {% if _container_registry_username|length > 0 %}--registry-username {{ _container_registry_username }} \{% endif %}
+ {% if _container_registry_password|length > 0 %}--registry-password {{ _container_registry_password }} \{% endif %}
 {% if cifmw_cephadm_spec_on_bootstrap %}--apply-spec {{ cifmw_cephadm_spec }} \{% endif %}
 {% if cifmw_cephadm_assimilate_conf_stat.stat.exists %}--config {{ cifmw_cephadm_assimilate_conf }} \{% endif %}
 {% if cifmw_cephadm_single_host_defaults %}--single-host-defaults \{% endif %}
From dda38491b927bb1833b13e796413652e7b88f6c8 Mon Sep 17 00:00:00 2001
From: Luigi Toscano
Date: Wed, 24 Dec 2025 16:21:46 +0100
Subject: [PATCH 2/3] [cifmw_cephadm] quote the ceph credentials
Username and password may contain characters which are also valid string characters, so quote them.
---
roles/cifmw_cephadm/tasks/bootstrap.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/cifmw_cephadm/tasks/bootstrap.yml b/roles/cifmw_cephadm/tasks/bootstrap.yml
index 87f8c5d0c1..77fa0dd16a 100644
--- a/roles/cifmw_cephadm/tasks/bootstrap.yml
+++ b/roles/cifmw_cephadm/tasks/bootstrap.yml
@@ -70,8 +70,8 @@
 --output-config {{ cifmw_cephadm_conf }} \
 --fsid {{ cifmw_cephadm_fsid }} \
 {% if _container_registry_url|length > 0 %}--registry-url {{ _container_registry_url }} \{% endif %}
- {% if _container_registry_username|length > 0 %}--registry-username {{ _container_registry_username }} \{% endif %}
- {% if _container_registry_password|length > 0 %}--registry-password {{ _container_registry_password }} \{% endif %}
+ {% if _container_registry_username|length > 0 %}--registry-username {{ _container_registry_username|quote }} \{% endif %}
+ {% if _container_registry_password|length > 0 %}--registry-password {{ _container_registry_password|quote }} \{% endif %}
 {% if cifmw_cephadm_spec_on_bootstrap %}--apply-spec {{ cifmw_cephadm_spec }} \{% endif %}
 {% if cifmw_cephadm_assimilate_conf_stat.stat.exists %}--config {{ cifmw_cephadm_assimilate_conf }} \{% endif %}
 {% if cifmw_cephadm_single_host_defaults %}--single-host-defaults \{% endif %}
From 8426aab80f77a6da7567aaa31b5dacbb19a00de4 Mon Sep 17 00:00:00 2001
From: Luigi Toscano
Date: Wed, 24 Dec 2025 16:22:43 +0100
Subject: [PATCH 3/3] [cifmw_cephadm] hide ceph sensitive details
At least some between username and password (and maybe also the URI) are sensitive information that should not be printed in the output of the cephadm bootstrap command. Using no_log completely on the task may hinders debugging.
Signed-off-by: Luigi Toscano
---
roles/cifmw_cephadm/tasks/bootstrap.yml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/roles/cifmw_cephadm/tasks/bootstrap.yml b/roles/cifmw_cephadm/tasks/bootstrap.yml
index 77fa0dd16a..270993a19c 100644
--- a/roles/cifmw_cephadm/tasks/bootstrap.yml
+++ b/roles/cifmw_cephadm/tasks/bootstrap.yml
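Review bot: In the `@@ -70,8 +70,8 @@` hunk, `--registry-url {{ _container_registry_url }}` on the context line directly above the two changed lines is still interpolated into the shell script unquoted, and since the first patch in this series it can come from the shared `cifmw_registry_token_registry_url`; it should get the same treatment, `--registry-url {{ _container_registry_url|quote }}`. Quoting also does not change that the password is passed as a command-line argument, so it remains visible in the host's process list while cephadm runs and in the `cmd` field of the registered result. `cephadm bootstrap` accepts `--registry-json` with a file path, which would keep the secret off the command line. The shell block starts and ends outside this hunk.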
@@ -82,7 +82,11 @@
 - name: Show results of bootstrap
 when: cifmw_cephadm_verbose | bool
 ansible.builtin.debug:
- msg: "{{ cephadm_bootstrap }}"
+ msg: >-
+ {{
+ cephadm_bootstrap
+ | to_yaml | regex_replace("(--registry-[^\s]+)\s+(['\"])(.+?)\2", "\1 \2\2")
+ }}
 - name: Ensure cifmw_cephadm_ceph_cli is set
 when:
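Review bot: The redaction in the new `msg` only fires when the value after a `--registry-*` option is wrapped in quotes, but the `quote` filter added in the previous patch leaves strings made only of shell-safe characters unquoted and `--registry-url` is never quoted, so a plain alphanumeric password would still be printed. The backreferences are also worth a test with a constructed value: inside a Jinja string literal `\1` and `\2` may be decoded as escape sequences before they reach the regex engine, and Ansible's own examples write them as `\\1`. Filtering rendered text is fragile here; dropping the command from what is shown is simpler, for example `msg: "{{ cephadm_bootstrap | dict2items | rejectattr('key', 'equalto', 'cmd') | items2dict }}"`. This hunk covers only the debug task; the result of the bootstrap task itself, printed on failure or with `-v`, presumably still carries the rendered command.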