feat: add STEPPATH support to bootstrap_host and acme_cert #91
This PR adds support for a custom STEPPATH in all roles that use the step-cli config
I am using the changes merged on top of `main` as of this morning. All is working. A few comments regarding the default values, but those can be addressed separately, I think.
Thanks for all your work.
##### `step_cli_steppath` | ||
- Optionally set a custom `$STEPPATH` from which to read the step config | ||
- Example: `/etc/step-cli` | ||
- Default: `/root/.step/` |
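Review bot: the `Default: /root/.step/` line gives the default with a trailing slash, but the role default added in this PR is `step_cli_steppath: /root/.step` and the example on the line above is `/etc/step-cli`, both without one. Write the documented default exactly as the variable is set, so the two cannot be read as different paths.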
Technically, the default is `$HOME/.step`, which depends on the user running. While most people are likely to use `become: true` and therefore run as `root`, I would still use `$HOME/.step` as the default in documentation.
All step configuration will be saved in this path instead of the default `$HOME/.step/` | ||
- **NOTE**: If set, you will have to supply your custom `$STEPPATH` in all future role/module/`step-cli` calls on this host that use the step config | ||
- Example: `/etc/step-cli` | ||
- Default: `/root/.step/` |
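Review bot: the description says configuration is saved here "instead of the default `$HOME/.step/`", yet the `Default:` line two lines later is `/root/.step/`, so this section names two different defaults. The **NOTE** also opens with "If set", although a role default means the variable is always set; say "If set to a non-default path" and make the `Default:` line agree with the sentence above it.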
Technically, the default is `$HOME/.step`, which depends on the user running. While most people are likely to use `become: true` and therefore run as `root`, I would still use `$HOME/.step` as the default in documentation.
@@ -1,5 +1,6 @@ | |||
--- | |||
step_cli_executable: step-cli | |||
step_cli_steppath: /root/.step |
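Review bot: `step_cli_steppath: /root/.step` hard-codes root's home directory in the role defaults with no comment saying so. Add a comment above the line stating that the value assumes the role runs as root and has to be overridden for any other user, so the assumption is visible where the default is defined.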
Similarly to the documentation feedback, I feel this should default to `$HOME/.step`. The problem is that to actively set a reasonable default, we'd have to return to detecting the right value of `$HOME` in this file.
Could use `ansible_env.HOME`, but that only works if facts have been gathered. Of course, using `omit` filter won't work either, since that's a hack for excluding module arguments only.
Alternatively, we could leave the value unset in the defaults, and then use slightly convoluted logic in the `environment:` block to set the value of `STEPPATH` to the empty string, but only if `step-cli` is smart enough to look for the empty string and use their built-in default.
The last option would be to use the `shell` module in place of the `command` module and explicitly set the command line to something like `STEPPATH="path" step-cli ...`, but only if the value of `step_cli_steppath` is defined. That's gross, but might work.
Now I'm out of ideas - curious if you have any others, or think this issue isn't worth worrying about.
@@ -6,3 +6,5 @@ step_cli_executable: step-cli | |||
|
|||
step_bootstrap_install_cert: yes | |||
step_bootstrap_force: no | |||
|
|||
step_cli_steppath: /root/.step |
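Review bot: here `step_cli_steppath` is appended after a blank line at the end of the file, while in the other role's defaults it sits directly under `step_cli_executable`. Put it next to `step_cli_executable` in this file too, so the two step-cli settings stay together and the duplicated default is easy to keep in sync across both roles.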
See other comment on the same variable in the `step_acme_cert` role.
Glad to hear that the changes are working for you! As for the defaults, I agree that using As you mentioned, using An alternative would be to dynamically set
```yaml
- name: Get user home dir
  shell: 'echo $HOME'
  register: user_homedir
  when: step_cli_steppath is undefined
- name: Set step_cli_steppath
  set_fact:
    step_cli_steppath: "{{ user_homedir.stdout }}/.step"
  when: step_cli_steppath is undefined
```
As for just leaving STEPPATH undefined when it's not supplied, that doesn't work for In order to verify the certificate, the role needs to access Unfortunately, I don't see an easy way out of the hardcoded My opinion on this is to merge as-is and then open an issue about the hard-coded root dir for documentation purposes.
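A further option for the default discussed in this thread is to let `step-cli` report the path it resolves, which needs neither gathered facts nor a hard-coded `/root/.step`. This is an added example, not code from this PR or from the roles; it assumes `step_cli_steppath` is left out of the role defaults and that the installed `step-cli` provides the `path` subcommand, and `_step_path_probe` and `step_cli_effective_steppath` are hypothetical names.

```yaml
# Added illustration, not code from this PR or the roles it changes.
# _step_path_probe and step_cli_effective_steppath are hypothetical names.
- name: Ask step-cli which STEPPATH it resolves for the executing user
  command: "{{ step_cli_executable }} path"
  # Export STEPPATH only when the caller set step_cli_steppath; otherwise
  # pass an empty environment so step-cli applies its own built-in default.
  environment: "{{ {'STEPPATH': step_cli_steppath} if step_cli_steppath is defined else {} }}"
  register: _step_path_probe
  changed_when: false
  check_mode: false

- name: Fail early if step-cli did not report a path
  assert:
    that:
      - _step_path_probe.stdout | trim | length > 0
    fail_msg: "step-cli returned no STEPPATH; check step_cli_executable"

- name: Record the resolved path for all later tasks
  set_fact:
    step_cli_effective_steppath: "{{ _step_path_probe.stdout | trim }}"

# Every later step-cli call passes the resolved value explicitly, so tasks
# that need files under STEPPATH and tasks that only run step-cli agree.
- name: Example follow-up call using the resolved path
  command: "{{ step_cli_executable }} ca health"
  environment:
    STEPPATH: "{{ step_cli_effective_steppath }}"
  changed_when: false
```

Because the probe runs as whichever user the play becomes, the recorded path follows `become` settings instead of assuming root.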
I'm good with that.
Interesting - we use As for using the Regardless, I'm good with the merge - and thanks for your work.
I think it might depend on whether And thanks for all the feedback! Going to merge this and another PR I have been working on, then I'll push out a release in a bit.
This PR adds support for a custom STEPPATH in all roles that use the step-cli config.
Fixes #83
@eengstrom can you confirm that this works for you?