Comments (8)

day0hero avatar day0hero commented on September 17, 2024

Here is the complete error:

fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/jrickard/.ansible/tmp/ansible-tmp-1664994985.2909513-413311-242601022481252/AnsiballZ_vault_load_secrets.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/jrickard/.ansible/tmp/ansible-tmp-1664994985.2909513-413311-242601022481252/AnsiballZ_vault_load_secrets.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/jrickard/.ansible/tmp/ansible-tmp-1664994985.2909513-413311-242601022481252/AnsiballZ_vault_load_secrets.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.vault_load_secrets', init_globals=dict(_module_fqn='ansible.modules.vault_load_secrets', _modlib_path=modlib_path),\n  File \"/usr/lib64/python3.10/runpy.py\", line 224, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.10/runpy.py\", line 96, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib64/python3.10/runpy.py\", line 86, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_vault_load_secrets_payload_7srbr3th/ansible_vault_load_secrets_payload.zip/ansible/modules/vault_load_secrets.py\", line 371, in <module>\n  File \"/tmp/ansible_vault_load_secrets_payload_7srbr3th/ansible_vault_load_secrets_payload.zip/ansible/modules/vault_load_secrets.py\", line 367, in main\n  File \"/tmp/ansible_vault_load_secrets_payload_7srbr3th/ansible_vault_load_secrets_payload.zip/ansible/modules/vault_load_secrets.py\", line 353, in run\n  File \"/tmp/ansible_vault_load_secrets_payload_7srbr3th/ansible_vault_load_secrets_payload.zip/ansible/modules/vault_load_secrets.py\", line 206, in sanitize_values\nTypeError: 'NoneType' object is not iterable\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

values-secret.yaml used:

---
secrets:
  # NEVER COMMIT THESE VALUES TO GIT
  config-demo:
    # Secret used for demonstrating vault storage, external secrets, and ACM distribution
    secret: VALUSE

  # Required for automated spoke deployment
  aws:
      access_key_id: VALUE
      secret_access_key: VALUE

# Required for automated spoke deployment
files:
  # # ssh-rsa AAA...
  # publickey: ~/.ssh/id_rsa.pub
  #
  # # -----BEGIN RSA PRIVATE KEY
  # # ...
  # # -----END RSA PRIVATE KEY
  # privatekey: ~/.ssh/id_rsa
  #
  # # {"auths":{"cloud.openshift.com":{"auth":"b3Blb... }}}
  # openshiftPullSecret: ~/.dockerconfigjson
  #
  # azureOsServicePrincipal: ~/osServicePrincipal.json

from common.

claudiol avatar claudiol commented on September 17, 2024

Looking at the module I think we need to update the sanitize_values function. Specifically in the if statement:

    secrets = syaml.get("secrets", {})
    files = syaml.get("files", {})
    if len(secrets) == 0 and len(files) == 0:
        module.fail_json(
            f"Neither 'secrets' nor 'files have any secrets to " f"be parsed: {syaml}"
        )

Splitting the if statement to look like this will generate a better error:

    secrets = syaml.get("secrets", {})
    files = syaml.get("files", {})
    if len(secrets) == 0:
        module.fail_json(
            f"The 'secrets' section is empty and does not have any secrets to " f"be parsed: {syaml}"
        )
    if len(files) == 0:
        module.fail_json(
            f"The 'files' section is empty and does not have any secrets to " f"be parsed: {syaml}"
        )

This will generate the following error if the files section is empty:

$ ansible-playbook load-secrets.yaml 

PLAY [localhost] **********************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Loads secrets file into the vault of a cluster] *********************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "The 'files' section is empty and does not have any secrets to be parsed: {'secrets': {'imageregistry': {'username': 'claudiol+ops', 'password': 'REDACTED'}, 'quay': {'account': 'qyadmin', 'password': 'REDACTED', 'email': '[email protected]'}, 'git': {'username': 'claudiol', 'password': 'ghp_REVOKED'}, 'aws': {'s3Secret': 'REDACTED'}, 'config-demo': {'secret': 'MySup3rR3dh4tP@$$W0rd'}, 'files': None}}"}

PLAY RECAP ****************************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0  

claudiol avatar claudiol commented on September 17, 2024

Please look at the following PR: #185

mhjacks avatar mhjacks commented on September 17, 2024

I think it's OK for files to not exist (since a pattern may not need them); likewise, it's OK for secrets to not exist. But there has to be at least a secret to load from one of those keys. I think the error we need to check for at that point is to ensure that type(files) is dict, if files exists.

I think the problem is that the current code handles the situation fine if the keys are not present at all, but if the section is present and has nothing under it, that puts None in the variable instead of the default {} (empty dict).

Thus, I think what we need here are explicit dict() tests for both secrets and files, as that will also prevent malformed files in various ways. The len() test will fail on a NoneType.

I'll propose something here shortly.

mhjacks avatar mhjacks commented on September 17, 2024

Something like this:

    secrets = syaml.get("secrets", {})
    files = syaml.get("files", {})

    if type(secrets) is not dict or type(files) is not dict:
        module.fail_json(
            f"'secrets' and 'files' must both be of dict type if present: " f"{syaml}"
        )

    if len(secrets) == 0 and len(files) == 0:
        module.fail_json(
            f"Neither 'secrets' nor 'files have any secrets to " f"be parsed: {syaml}"
        )

claudiol avatar claudiol commented on September 17, 2024

@mhjacks Just tested your suggestion but it does not quite work. We expect that the files: section is a dictionary as this will always return a dict type:

files = syaml.get("files", {})

The check will go right past the if check suggested. I still feel that the PR addresses the issue. The length check is sufficient for either a dict or an array. If files: is found, and it's empty, then we should fail.
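
To make the three cases the thread is arguing about concrete, here is an added example that is not the validated-patterns module's own code and not any commenter's proposal. It stands in for the `sanitize_values` check: the five documents are constructed stand-ins for what PyYAML's `yaml.safe_load()` returns for different `values-secret.yaml` layouts (a key that is present with nothing under it, like the `files:` section in the first comment, parses to `None`, not to an empty mapping, so `syaml.get("files", {})` returns `None` and anything that later iterates over it or calls `len()` on it raises a `TypeError`). `SecretsFileError` is an assumed substitute for `module.fail_json()` so the logic runs outside Ansible.

```python
# Added example: None-tolerant, type-checked 'secrets'/'files' validation.
# Not the project's code; SecretsFileError stands in for module.fail_json().

# Constructed stand-ins for yaml.safe_load() output of several
# values-secret.yaml variants. "files:" with nothing under it -> None.
DOC_FILES_ABSENT = {"secrets": {"config-demo": {"secret": "VALUE"}}}
DOC_FILES_EMPTY = {"secrets": {"config-demo": {"secret": "VALUE"}}, "files": None}
DOC_FILES_ONLY = {"secrets": None, "files": {"privatekey": "~/.ssh/id_rsa"}}
DOC_FILES_LIST = {"secrets": {}, "files": ["~/.ssh/id_rsa"]}
DOC_BOTH_EMPTY = {"secrets": None, "files": {}}


class SecretsFileError(ValueError):
    """Stands in for module.fail_json(); the message is safe to log."""


def _section(syaml, key):
    """Return syaml[key] as a dict, treating a missing or empty key as {}.

    A missing key and a key with nothing under it both mean "no entries";
    any other non-mapping value (a list, a scalar) is a malformed file.
    """
    value = syaml.get(key)
    if value is None:
        return {}
    if not isinstance(value, dict):
        raise SecretsFileError(
            f"'{key}' must be a mapping if present, got {type(value).__name__}"
        )
    return value


def sanitize_sections(syaml):
    """Validate the top-level layout and return (secrets, files) as dicts.

    The error text never echoes the document itself: fail_json() output
    lands in playbook logs, so dumping {syaml} would write every password
    in values-secret.yaml to disk. Only top-level key names are reported.
    """
    if not isinstance(syaml, dict):
        raise SecretsFileError(
            f"top-level document must be a mapping, got {type(syaml).__name__}"
        )
    secrets = _section(syaml, "secrets")
    files = _section(syaml, "files")
    if not secrets and not files:
        raise SecretsFileError(
            "neither 'secrets' nor 'files' has any secrets to be parsed "
            f"(top-level keys present: {sorted(syaml)})"
        )
    return secrets, files


def error_for(syaml):
    """Return the validation error message, or None if the document is accepted."""
    try:
        sanitize_sections(syaml)
    except SecretsFileError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    cases = [
        ("files absent", DOC_FILES_ABSENT),
        ("files empty", DOC_FILES_EMPTY),
        ("files only", DOC_FILES_ONLY),
        ("files is list", DOC_FILES_LIST),
        ("both empty", DOC_BOTH_EMPTY),
    ]
    for name, doc in cases:
        print(f"{name:14s} -> {error_for(doc) or 'ok'}")
```

Two design choices worth noting. Normalising `None` to `{}` before the type check is what makes "present but empty" behave like "absent", which is the case the original `get(key, {})` default cannot cover. And the failure message reports only key names: the sample output posted earlier in this thread had to be redacted by hand because the original message interpolates the whole parsed document, passwords included, into the task result.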

mbaldessari avatar mbaldessari commented on September 17, 2024

I am fixing it via #186. I added a bunch of test cases there.

claudiol avatar claudiol commented on September 17, 2024

Ack @mbaldessari