Add option to allow users to ignore decryption errors with ansible-inventory #78765
base: devel
related #37019
note that while this is the only vars plugin we ship, it is not the only one in use
The test
Yes, and I fully want to use this on its own in AWX, but over the long term I expect the plugin here will diverge and there will be problems. That's why I thought the best solution, ultimately, is to contribute it upstream. I wish that I could subclass the plugin and override just the behavior I want, but that's very brittle because the plugin here isn't written in a way I can do that to begin with, and because the DOCUMENTATION string creates a lot of problems for subclassing.
my point is that this does not really belong in the plugin but as a more general vault option, as 'unvaulting' can happen at other stages, for example the inventory source file itself could be vaulted, called directly or as one of many in a directory.
I agree, #37019 would be better. I need to verify that it doesn't alter the pass-through behavior of If that was on the agenda, then I could still use a custom vars plugin as a stopgap.
is this still relevant?
I'm more than happy to accept this statement
And to accept #37019 as a solution to that. Its related issue #13244 was closed due to inactivity. At the time it was raised, another enhancement was going on in parallel, and now we are dealing with problems that can't be solved by that (vault pass-through) enhancement which did make it in. A configurable would be the best solution to the linked AWX problems of vault files throwing errors in inventory imports, although it can also be solved by turning off vars plugins entirely. Either way, this accounts for significant user pain (with the increased reliance on SCM inventory) and a somewhat near-term solution, one or the other, should happen. But it seems no one likes the solution in this PR.
809f137 to 30ab129
rezzed and updated my code #81918
The test
SUMMARY
This adds an option to allow ignoring decryption errors from content inside of group_vars/ and host_vars/ folders.
This is really intended for use coupled with ansible-inventory, because the feature was added to that to support pass-through of encrypted variables. If you use that, it looks like this: from example.
This is very useful, but it creates a problem. We would like to use the output from ansible-inventory to save an inventory snapshot, put it in the database, and produce a copy of it for later use. Vault credentials can later be used to decrypt the secret from the example above... but it's also common to encrypt a file and this trick doesn't work for that.
Subsequently, we still have a lot of complaints from AWX users that the inventory process is not compatible with their workflow. See ansible/awx#12829
I have an example to demonstrate that and the proposed fix here:
https://github.com/AlanCoding/Ansible-inventory-file-examples/tree/master/vault/file_vars
A key point here is that many users co-locate their inventory with their playbook (same folder), so they really just want ansible-inventory to ignore vault variables.
ISSUE TYPE
COMPONENT NAME
lib/ansible/plugins/vars/host_group_vars.py
ADDITIONAL INFORMATION
I would be happy to write tests for this, but the best way for me would be as a bash script, because ansible-inventory is really the important thing, and that requires the inventory structure along with the associated vars files. I can't quite figure out where to do that yet.
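Added example, not part of the pull request or the Ansible code base: a pre-flight scan that separates whole-file vaulted vars files (the case the description says pass-through does not cover) from files that only carry inline encrypted values. The function names and the sample tree are hypothetical and constructed; the check is a text heuristic that assumes a vault envelope starts with `$ANSIBLE_VAULT;` and that inline values use the `!vault` tag, and it does not parse YAML.

```python
import os
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"  # assumed first bytes of any vault envelope


def classify_vars_file(path):
    """Return 'file-vaulted', 'inline-vaulted' or 'plain' for one vars file."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        lines = handle.read().splitlines()
    if lines and lines[0].startswith(VAULT_HEADER):
        return "file-vaulted"      # whole file is one vault envelope
    if any("!vault" in line.split("#", 1)[0] for line in lines):
        return "inline-vaulted"    # only individual values are encrypted
    return "plain"


def scan_inventory_dir(base):
    """Map each file under group_vars/ and host_vars/ to its classification."""
    report = {}
    for sub in ("group_vars", "host_vars"):
        for root, _dirs, files in os.walk(os.path.join(base, sub)):
            for name in sorted(files):
                full = os.path.join(root, name)
                report[os.path.relpath(full, base)] = classify_vars_file(full)
    return report


def build_sample_tree(base):
    """Constructed sample inventory; the ciphertext is placeholder hex."""
    samples = {
        "group_vars/all.yml": "ntp_server: ntp.example.com\n",
        "group_vars/db.yml": "$ANSIBLE_VAULT;1.1;AES256\n3031323334353637\n",
        "host_vars/web1.yml": (
            "api_token: !vault |\n"
            "  $ANSIBLE_VAULT;1.1;AES256\n"
            "  3031323334353637\n"
        ),
    }
    for rel, text in samples.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as handle:
            handle.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, kind in sorted(scan_inventory_dir(tmp).items()):
            print(f"{kind:15} {rel}")
```

Files reported as file-vaulted are the ones an inventory import without the vault secret cannot read, so they are the ones to review before a snapshot run.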