Change all passwords default values to Sensitive

smortex · smortex · commit 875256f9bea3 · 2026-01-05T09:56:55.000-10:00
Default values for passwords is a terrible idea.  Removing them is a
backwards-incompatible change, so we jump on this occasion to mandate
the use of Sensitive data type to pass passwords.  In order to be able
to test each change, we first switch these default values to Sensitive.
This will allow us to remove support for String passwords next, and
then the default values.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -384,7 +384,7 @@ Data type: `Bacula::Password`
 
 A password to use for communication with this File Daemon
 
-Default value: `'secret'`
+Default value: `Sensitive('secret')`
 
 ##### <a name="-bacula--client--max_concurrent_jobs"></a>`max_concurrent_jobs`
 
@@ -589,7 +589,7 @@ Data type: `Bacula::Password`
 
 The database user's password
 
-Default value: `'notverysecret'`
+Default value: `Sensitive('notverysecret')`
 
 ##### <a name="-bacula--director--db_user"></a>`db_user`
 
@@ -686,7 +686,7 @@ Data type: `Bacula::Password`
 
 password to connect to the director
 
-Default value: `'secret'`
+Default value: `Sensitive('secret')`
 
 ##### <a name="-bacula--director--port"></a>`port`
 
@@ -941,7 +941,7 @@ Data type: `Bacula::Password`
 
 Specifies the password that must be supplied by the named Director
 
-Default value: `'secret'`
+Default value: `Sensitive('secret')`
 
 ##### <a name="-bacula--storage--port"></a>`port`
 
@@ -1482,7 +1482,7 @@ Data type: `Bacula::Password`
 
 Bacula director configuration for Storage option 'Password'
 
-Default value: `'secret'`
+Default value: `Sensitive('secret')`
 
 ##### <a name="-bacula--director--storage--device_name"></a>`device_name`
 
diff --git a/manifests/client.pp b/manifests/client.pp
@@ -63,7 +63,7 @@
   String[1]                      $ensure              = 'present',
   Stdlib::Port                   $port                = 9102,
   Array[String[1]]               $listen_address      = [],
-  Bacula::Password               $password            = 'secret',
+  Bacula::Password               $password            = Sensitive('secret'),
   Integer[1]                     $max_concurrent_jobs = 2,
   String[1]                      $director_name       = $bacula::director_name,
   Bacula::Yesno                  $autoprune           = true,
diff --git a/manifests/director.pp b/manifests/director.pp
@@ -44,7 +44,7 @@
   Bacula::Yesno                    $manage_db           = true,
   Stdlib::Absolutepath             $conf_dir            = $bacula::conf_dir,
   String[1]                        $db_name             = 'bacula',
-  Bacula::Password                 $db_pw               = 'notverysecret',
+  Bacula::Password                 $db_pw               = Sensitive('notverysecret'),
   String[1]                        $db_user             = 'bacula',
   Optional[String[1]]              $db_address          = undef,
   Optional[Stdlib::Port]           $db_port             = undef,
@@ -56,7 +56,7 @@
   Array[String[1]]                 $listen_address      = [],
   Integer[1]                       $max_concurrent_jobs = 20,
   Boolean                          $manage_defaults     = true,
-  Bacula::Password                 $password            = 'secret',
+  Bacula::Password                 $password            = Sensitive('secret'),
   Stdlib::Port                     $port                = 9101,
   Stdlib::Absolutepath             $rundir              = $bacula::rundir,
   String[1]                        $storage_name        = $bacula::storage_name,
diff --git a/manifests/director/storage.pp b/manifests/director/storage.pp
@@ -19,7 +19,7 @@
 define bacula::director::storage (
   String[1]            $address             = $name,
   Stdlib::Port         $port                = 9103,
-  Bacula::Password     $password            = 'secret',
+  Bacula::Password     $password            = Sensitive('secret'),
   String[1]            $device_name         = "${facts['networking']['fqdn']}-device",
   String[1]            $media_type          = 'File',
   Optional[Integer[1]] $maxconcurjobs       = undef,
diff --git a/manifests/storage.pp b/manifests/storage.pp
@@ -45,7 +45,7 @@
   Optional[Integer[1]] $maxconcurjobs              = undef,
   Integer[1]           $max_concurrent_jobs        = 20,
   String[1]            $media_type                 = 'File',
-  Bacula::Password     $password                   = 'secret',
+  Bacula::Password     $password                   = Sensitive('secret'),
   Stdlib::Port         $port                       = 9103,
   Stdlib::Absolutepath $rundir                     = $bacula::rundir,
   String[1]            $storage                    = $trusted['certname'], # storage here is not storage_name
