From 1abfd77351411c4a9477daccafe8448699b3152d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Apr 2026 15:10:57 -0400 Subject: [PATCH] Hide telegraf password from console and close so-minion race Two fixes on the postgres telegraf fan-out path: 1. postgres.auth cmd.run leaked the password to the console because Salt always prints the Name: field and `show_changes: False` does not apply to cmd.run. Move the user and password into the `env:` attribute so the shell body still sees them via $PG_USER / $PG_PASS but Salt's state reporter never renders them. 2. so-minion's addMinion -> setupMinionFiles sequence removes the minion pillar file and rewrites it from scratch, which wipes the postgres.telegraf.* entries the reactor may have already written on salt-key accept. Add a postgres.auth fan-out step to orch.deploy_newnode (the orch so-minion kicks off after setupMinionFiles) and require it from the new minion's highstate. Idempotent via the existing unless: guard in postgres.auth. --- salt/orch/deploy_newnode.sls | 17 +++++++++++++++++ salt/postgres/auth.sls | 7 +++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/salt/orch/deploy_newnode.sls b/salt/orch/deploy_newnode.sls index c05a812a3..0a2c448ba 100644 --- a/salt/orch/deploy_newnode.sls +++ b/salt/orch/deploy_newnode.sls @@ -12,6 +12,21 @@ attempts: 36 interval: 5 +# so-minion's setupMinionFiles rebuilds the new minion's pillar file from +# scratch, wiping any postgres.telegraf.* entries the reactor may have written +# on salt-key accept. Re-fan the cred here so the highstate below sees it. +# Idempotent via the unless: guard in postgres.auth. +manager_fanout_postgres_telegraf_{{NEWNODE}}: + salt.state: + - tgt: {{ MANAGER }} + - sls: + - postgres.auth + - queue: True + - pillar: + postgres_fanout_minion: {{ NEWNODE }} + - require: + - salt: {{NEWNODE}}_update_mine + # we need to prepare the manager for a new searchnode or heavynode {% if NEWNODE.split('_')|last in ['searchnode', 'heavynode'] %} manager_run_es_soc: @@ -30,3 +45,5 @@ manager_run_es_soc: - tgt: {{ NEWNODE }} - highstate: True - queue: True + - require: + - salt: manager_fanout_postgres_telegraf_{{NEWNODE}} diff --git a/salt/postgres/auth.sls b/salt/postgres/auth.sls index ec6f3ec7e..beed1f8bd 100644 --- a/salt/postgres/auth.sls +++ b/salt/postgres/auth.sls @@ -85,8 +85,11 @@ postgres_telegraf_minion_pillar_{{ safe }}: chown socore:socore "$PILLAR_FILE" 2>/dev/null || true chmod 640 "$PILLAR_FILE" fi - /usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.user '{{ entry.user }}' - /usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.pass '{{ entry.pass }}' + /usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.user "$PG_USER" + /usr/sbin/so-yaml.py replace "$PILLAR_FILE" postgres.telegraf.pass "$PG_PASS" + - env: + - PG_USER: '{{ entry.user }}' + - PG_PASS: '{{ entry.pass }}' - unless: | [ "$(/usr/sbin/so-yaml.py get -r /opt/so/saltstack/local/pillar/minions/{{ mid }}.sls postgres.telegraf.user 2>/dev/null)" = '{{ entry.user }}' ] - require: