-
Notifications
You must be signed in to change notification settings - Fork 23.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker: improve TLS config #53906
docker: improve TLS config #53906
Conversation
1f787f7
to
611cca9
Compare
bot_status |
Componentslib/ansible/module_utils/docker/common.py lib/ansible/modules/cloud/docker/docker_container.py lib/ansible/plugins/doc_fragments/docker.py lib/ansible/plugins/inventory/docker_swarm.py Metadatawaiting_on: maintainer |
Looks like either ansibot didn't update its metadata, or something else doesn't work so that @morph027 isn't notified. |
Hah, now i'am ;) Will look into it. |
7d1d6fd
to
b9fe410
Compare
Besides my 2 little findings, i just tested successfully w/ and w/o TLS 🎉 |
@@ -29,7 +29,9 @@ | |||
required: true | |||
choices: docker_swarm | |||
host: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
needs to be renamed to docker_host
or we'll get this warning:
[WARNING]: * Failed to parse /home/morph/ansible/docker_swarm.yml with auto plugin: 'Requested entry (plugin_type:
inventory plugin: docker_swarm setting: docker_host ) was not defined in configuration.'
Applies to examples too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. It would also be enough to fix line 151, but I think docker_host
is somewhat better than host
since it's the same name for the docker_*
modules.
raise AnsibleError('Argument to timeout function must be an integer') | ||
update_tls_hostname(raw_params) | ||
connect_params = get_connect_params(raw_params, fail_function=self._fail) | ||
self.client = docker.DockerClient(**get_connect_params) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not self.client = docker.DockerClient(**connect_params)
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, good spot! Fixed.
Just to confirm - if you provide only the |
|
||
def get_connect_params(auth, fail_function): | ||
if auth['tls'] or auth['tls_verify']: | ||
auth['docker_host'] = auth['docker_host'].replace('tcp://', 'https://') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would drop it. Let the docker library handle this if tcp://
is provided. The kwargs_from_env
from docker.utils
handles that, also parse_host
method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would keep it for this PR, and remove it in another PR, so that this refactoring doesn't change any behavior. Just in case this has some impact somewhere, it can be undone quickly without reverting everything from this PR :)
(Also, we're not using kwargs_from_env
.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No problem, if then all integration tests are still good we may leave it to docker library to change it or not
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All failing integration tests are unrelated (installing packages for Fedora fails a lot), at least so far. So it probably is fine :) Could you test whether you can still connect to your swarm with TLS both with the inventory plugin and some of the docker_* modules? If yes, I'd like to get this merged soon (especially since every CI run takes foreeeever and has so many unrelated problems :) ).
Yes (assuming they are set to |
Did you test both the inventory plugin and the regular docker_* modules (I guess one suffices, since they all use the same setup code) with TLS? |
I only tested the inventory plugin....did not yet used the others. |
I will test later today the modules |
Tested |
Does one of you have a chance to test this with TLS verification? If not, we can probably just merge now. The part of the code which decides between verification and not looks "harmless" enough so that should still work (assuming it ever worked, that is :) ). |
Will do. |
TLS with client cert auth works 👍 |
Awesome! I'll try to get this merged soon. Once the tests pass... |
shipit |
1 similar comment
shipit |
ansibot is busy processing old issues/PRs, it will take some more time until it will reprocess this PR... |
That was faster than I hoped. Good for us :D @WojciechowskiPiotr @morph027 thanks a lot for reviewing and testing! |
SUMMARY
This PR does several things:
tls
andtls_verify
options no longer mutually exclusive, and lettls_verify
(host verification) take precedence overtls
(no host verification) in case both are set toyes
.This also fixes #15614 and makes #51271 no longer necessary.
ISSUE TYPE
COMPONENT NAME
lib/ansible/module_utils/docker/common.py
lib/ansible/plugins/doc_fragments/docker.py
lib/ansible/plugins/inventory/docker_swarm.py