Conjur Lookup Plugin #34280
Conversation
The test
@jvanderhoof This PR contains
The machine identity used is that of the Ansible controlling host, not any server being provisioned or instructed. This documentation change aims to make that relationship clear.
These error messages are less likely to confuse a user as to which machine is associated with the files, identities, and configurations being described.
Thank you @garymoon and @dustinmm80 for helping to validate the plugin. Let me know if you have any questions as to how I addressed your feedback. @sivel same goes for you, please let me know if this round of patches raises any concerns.
These changes all look good to me, thanks Ryan. This lookup plugin is helpful when configuring nodes with secrets when the controlling host has been assigned a Conjur identity. It uses the standard paths for Conjur identity and configuration files, that's nice. My review is 👍 , let's ship it!
LGTM 👍
@sivel - we received and resolved some feedback from two team members not involved in this effort, but with significant Ansible experience. Anything else we can do to get this in?
@jvanderhoof in order to get rid of
#ready_for_review
bot_status
Components: .github/BOTMETA.yml, lib/ansible/plugins/lookup/conjur_variable.py, test/units/plugins/lookup/test_conjur_variable.py
Metadata: waiting_on: jvanderhoof
We've "identified" what appears to be an issue with GitHub on a few pull requests, where the UI indicates that the PR is "green" (which is correct), but "mergeable_state" is indicated to be "unstable". Although this PR currently states "needs_revision" it should be fine. Removing it will just cause the bot to re-add that label.
@sivel - what does that mean for this PR?
@jvanderhoof nothing specifically, other than I am saying if the PR is "green" we can ignore "needs_revision". It just needs final reviews. I will personally not have time today to get to this.
```python
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
```
could you add below here?
```python
ANSIBLE_METADATA = {'metadata_version': '1.1',
                    'status': ['preview'],
                    'supported_by': 'community'}
```
Added
@thaumos - Thanks for the feedback. Mind giving it one more look? I'd love for this to be able to make it in today if possible, with code freeze on the 22nd.
lgtm. there shouldn't be a concern having this merged before code freeze.
Next steps? I'm going to click the big green button.
* Imported lookup plugin from Role
* Plugin cleanup, including:
  * Use existing Python YAML parsing
  * Remove environment variables as connection options
  * Added initial debugging information
* Reworked the lookup plugin using the Python Request library. As it's available through Ansible, it makes communication with Conjur much more straightforward.
* Removed un-used libraries
* Fixed linting issues
* Standardized output on `format` and insure it works for 2.6, 2.7, and 3.x.
* Use quote_plus from the six library for improved python 2/3 behavior.
* Refactored identity & configuration to prefer user's file. This also includes a refactor to remove an un-needed dictionary merge method.
* Removed `requests` in favor of `ansible.module_utils.urls`.
* Refactored netrc loading to warn if host is not present.
* Tests and a refactor to support easier testing.
* Added reference to website
* Fixed two linting errors
* Fixed an extra line found by linting
* Updated file write to use binary to insure config files are written correctly
* Resolved linting issues
* Refactored config & identity loading to take advantage of plugin options
* Cleanup a bunch of small items caught by linting
* Removed extra line caught by linting
* Swapped in pytest and added some tests with mocked network responses
* Pushing to see if this approach works better...
* Refactored be open_url mocking based on feedback
* Fixed a couple linting issues & refactored mocking into each method to attempt to resolve a failing test
* Use a generic MagicMock for python 2.6
* Fixes doc typo require -> required
* Use `type: path` in identity_file and config_file. Also removes `expanduser` calls below (which will now be called automatically on paths.)

* Defines maintainers for conjur_variable plugin
* BOTMETA.yml:
  * defines $team_cyberark_conjur as maintainers of Conjur Variable plugin
  * adds myself and @jvanderhoof to that team
* Adds URLs to relevant documentation for Conjur Variable lookup plugin
* Clarifies "the server," "the machine" -> "controlling host"
  The machine identity used is that of the Ansible controlling host, not any server being provisioned or instructed. This documentation change aims to make that relationship clear.
* Adds response code to exception message on authentication failure
* Enhances exception messages to specify the controlling host
  These error messages are less likely to confuse a user as to which machine is associated with the files, identities, and configurations being described.
* Adds ANSIBLE_METADATA for Conjur variable lookup plugin
SUMMARY
This PR adds an Ansible Lookup Plugin which allows Ansible to retrieve secrets from Conjur using the Ansible controller's Conjur identity.
ISSUE TYPE
COMPONENT NAME
Conjur Variable (ex. `lookup('conjur_variable', 'db/password')`)
ANSIBLE VERSION
ADDITIONAL INFORMATION
This lookup plugin requires Conjur (https://www.conjur.org/) to be running and accessible from the machine executing the playbook using the Conjur lookup plugin.
I wrote a small project to simplify building and validating this plugin: https://github.com/jvanderhoof/ansible-testing. It uses Docker Compose to provide all the parts necessary.
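As an added example (not the plugin's own code, and independent of Ansible), the following Python 3 sketch walks the flow the commit messages and summary describe: the identity is read from a netrc file on the controlling host with a warning when the appliance is absent, ids are URL-encoded with quote_plus, and failures report the HTTP status. The Conjur endpoint paths, the config keys and the injected `opener` callable standing in for `open_url` are assumptions; the config, the netrc text and the `fake_conjur` responses are constructed.

```python
import base64
import netrc
import os
import tempfile
import warnings
from urllib.parse import quote_plus
# Constructed sample inputs (Conjur config with assumed keys, netrc identity):
SAMPLE_CONF = {"appliance_url": "https://conjur.example", "account": "demo"}
SAMPLE_NETRC = ("machine https://conjur.example/authn\n"
                "  login host/ansible-controller\n"
                "  password CONSTRUCTED_API_KEY\n")

def load_identity(netrc_text, appliance_url):
    """(login, api_key) of the controlling host, or None plus a warning."""
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as fh:
        fh.write(netrc_text)
    try:
        entry = netrc.netrc(fh.name).authenticators(appliance_url + "/authn")
    finally:
        os.unlink(fh.name)
    if entry is None:
        warnings.warn("controlling host has no Conjur identity for %s" % appliance_url)
        return None
    return entry[0], entry[2]

def fetch_variable(conf, identity, variable_id, opener):
    """Authenticate as the controlling host, then read one variable.
    opener(method, url, headers, data) -> (status, body) is injected so the
    flow runs against mocked responses; Conjur endpoint paths are assumed."""
    login, api_key = identity
    base, account = conf["appliance_url"], conf["account"]
    url = "%s/authn/%s/%s/authenticate" % (base, account, quote_plus(login))
    status, body = opener("POST", url, {}, api_key)
    if status != 200:  # surface the HTTP status, as the plugin's messages do
        raise RuntimeError("controlling host failed to authenticate (HTTP %d)" % status)
    headers = {"Authorization": 'Token token="%s"' % base64.b64encode(body).decode()}
    url = "%s/secrets/%s/variable/%s" % (base, account, quote_plus(variable_id))
    status, body = opener("GET", url, headers, None)
    if status != 200:
        raise RuntimeError("variable %r not retrieved (HTTP %d)" % (variable_id, status))
    return body.decode("utf-8")

def fake_conjur(method, url, headers, data):
    """Constructed stand-in for the appliance: checks key, token and encoded id."""
    if method == "POST" and url.endswith("/authenticate"):
        return (200, b"fake-token") if data == "CONSTRUCTED_API_KEY" else (401, b"")
    if method == "GET" and headers.get("Authorization", "").startswith("Token token="):
        return (200, b"s3cret") if url.endswith("/variable/db%2Fpassword") else (404, b"")
    return 401, b""
```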