feat: add STEPPATH support to bootstrap_host and acme_cert #91
Conversation
This PR adds support for a custom STEPPATH in all roles that use the step-cli config
| ##### `step_cli_steppath` | ||
| - Optionally set a custom `$STEPPATH` from which to read the step config | ||
| - Example: `/etc/step-cli` | ||
| - Default: `/root/.step/` |
There was a problem hiding this comment.
Technically, the default is $HOME/.step, which depends on the user running. While most people are likely to use become: true and therefore run as root, I would still use $HOME/.step as the default in documentation.
| All step configuration will be saved in this path instead of the default `$HOME/.step/` | ||
| - **NOTE**: If set, you will have to supply your custom `$STEPPATH` in all future role/module/`step-cli` calls on this host that use the step config | ||
| - Example: `/etc/step-cli` | ||
| - Default: `/root/.step/` |
There was a problem hiding this comment.
Technically, the default is $HOME/.step, which depends on the user running. While most people are likely to use become: true and therefore run as root, I would still use $HOME/.step as the default in documentation.
| @@ -1,5 +1,6 @@ | |||
| --- | |||
| step_cli_executable: step-cli | |||
| step_cli_steppath: /root/.step | |||
There was a problem hiding this comment.
Similarly to the documentation feedback, I feel this should default to $HOME/.step. The problem is that to actively set a reasonable default, we'd have to return to detecting the right value of $HOME in this file.
Could use ansible_env.HOME, but that only works if facts have been gathered. Of course, using omit filter won't work either, since that's a hack for excluding module arguments only.
Alternatively, we could leave the value unset in the defaults, and then use slightly convoluted logic in the environment: block to set the value of STEPPATH to the empty string, but only if step-cli is smart enough to look for the empty string and use their built-in default.
The last option would be to use the shell module in place of the command module and explicitly set the command line to something like STEPPATH="path" step-cli ..., but only if the value of step_cli_steppath is defined. That's gross, but might work.
Now I'm out of ideas - curious if you have any others, or think this issue isn't worth worrying about.
| @@ -6,3 +6,5 @@ step_cli_executable: step-cli | |||
|
|
|||
| step_bootstrap_install_cert: yes | |||
| step_bootstrap_force: no | |||
|
|
|||
| step_cli_steppath: /root/.step | |||
There was a problem hiding this comment.
See other comment on the same variable in the step_acme_cert role.
|
Glad to hear that the changes are working for you! As for the defaults, I agree that using As you mentioned, using An alternative would be to dynamically set - name: Get user home dir
shell: 'echo $HOME'
register: user_homedir
when: step_cli_steppath is undefined
- name: Set step_cli_steppath
set_fact:
step_cli_steppath: "{{ user_homedir.stdout }}/.step"
when: step_cli_steppath is undefinedAs for just leaving STEPPATH undefined when it's not supplied, that doesn't work for In order to verify the certificate, the role needs to access Unfortunately, I don't see an easy way out of the hardcoded My opinion on this is to merge as-is and then open an issue about the hard-coded root dir for documentation purposes. |
I'm good with that.
Interesting - we use As for using the Regardless, I'm good with the merge - and thanks for your work. |
I think it might depend on whether And thanks for the all the feedback! Going to merge this and another PR i have been working on, then I'll push out a release in a bit. |
This PR adds support for a custom STEPPATH in all roles that use the step-cli config.
Fixes #83
@eengstrom can you confirm that this works for you?