Respect VAULT_SKIP_VERIFY envionment variable setting in hashi_vault lookup plugin (#1024)
* add skip_certificate_validation from env VAULT_SKIP_VERIFY * use os.envrion.env instead of skip_certificat_validation * fix typo in test * add tests for different truthy options * fix linting * add changelog * change precedence for validate_certs * add precedence test * fix inverted logic * Fix documentation Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/hashi_vault.py Co-authored-by: Felix Fontein <felix@fontein.de> * fix linting * Update plugins/lookup/hashi_vault.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/lookup/hashi_vault.py Co-authored-by: Felix Fontein <felix@fontein.de> Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
parent
08b81b570e
commit
3af4be34b2
4 changed files with 71 additions and 3 deletions
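--- /dev/null
+++ b/changelogs/fragments/1024-vault-skip-verify-support.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+- hashi_vault - support ``VAULT_SKIP_VERIFY`` environment variable for determining if to verify certificates (in addition to the ``validate_certs=`` flag supported today) (https://github.com/ansible-collections/community.general/pull/1024).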
|
@ -116,9 +116,12 @@ DOCUMENTATION = """
|
|||
description: Path to certificate to use for authentication.
|
||||
aliases: [ cacert ]
|
||||
validate_certs:
|
||||
description: Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
|
||||
description:
|
||||
- Controls verification and validation of SSL certificates, mostly you only want to turn off with self signed ones.
|
||||
- Will be populated with the inverse of C(VAULT_SKIP_VERIFY) if that is set and I(validate_certs) is not explicitly
|
||||
provided (added in community.general 1.3.0).
|
||||
- Will default to C(true) if neither I(validate_certs) or C(VAULT_SKIP_VERIFY) are set.
|
||||
type: boolean
|
||||
default: True
|
||||
namespace:
|
||||
description: Namespace where secrets reside. Requires HVAC 0.7.0+ and Vault 0.11+.
|
||||
env:
|
||||
|
@ -257,6 +260,7 @@ import os
|
|||
from ansible.errors import AnsibleError
|
||||
from ansible.plugins.lookup import LookupBase
|
||||
from ansible.utils.display import Display
|
||||
from ansible.module_utils.parsing.convert_bool import boolean
|
||||
|
||||
HAS_HVAC = False
|
||||
try:
|
||||
|
@ -486,8 +490,28 @@ class LookupModule(LookupBase):
|
|||
#
|
||||
'''' return a bool or cacert '''
|
||||
ca_cert = self.get_option('ca_cert')
|
||||
|
||||
validate_certs = self.get_option('validate_certs')
|
||||
|
||||
if validate_certs is None:
|
||||
# Validate certs option was not explicitly set
|
||||
|
||||
# Check if VAULT_SKIP_VERIFY is set
|
||||
vault_skip_verify = os.environ.get('VAULT_SKIP_VERIFY')
|
||||
|
||||
if vault_skip_verify is not None:
|
||||
# VAULT_SKIP_VERIFY is set
|
||||
try:
|
||||
# Check that we have a boolean value
|
||||
vault_skip_verify = boolean(vault_skip_verify)
|
||||
# Use the inverse of VAULT_SKIP_VERIFY
|
||||
validate_certs = not vault_skip_verify
|
||||
except TypeError:
|
||||
# Not a boolean value fallback to default value (True)
|
||||
validate_certs = True
|
||||
else:
|
||||
validate_certs = True
|
||||
|
||||
if not (validate_certs and ca_cert):
|
||||
self.set_option('ca_cert', validate_certs)
|
||||
|
||||
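Review bot: The `except TypeError` branch in the new `validate_certs is None` block silently maps an unparseable `VAULT_SKIP_VERIFY` to `validate_certs = True`, so a mistyped value is indistinguishable from an unset one; failing closed is the right default, but the operator should be told why their setting was ignored. `Display` is already imported in this file, so a warning before the fallback would do, e.g. `display.warning("VAULT_SKIP_VERIFY=%r is not a valid boolean; certificate validation stays enabled" % vault_skip_verify)` (this assumes the module-level `display = Display()` instance lookup plugins normally define — confirm it exists here). The `try` body also wraps `validate_certs = not vault_skip_verify`, which cannot raise; keeping only the `boolean(...)` call inside the `try` makes the handled failure explicit. `boolean()` returns False for `0`/`no`/`false`, so `VAULT_SKIP_VERIFY=false` correctly keeps validation on. The enclosing method starts before this hunk.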
|
|
|
@ -30,7 +30,7 @@
|
|||
|
||||
- name: 'Failure expected when inexistent secret is read'
|
||||
vars:
|
||||
secret_inexistent: "{{ lookup('community.general.:qhashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
|
||||
secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
|
||||
debug:
|
||||
msg: 'Failure is expected ({{ secret_inexistent }})'
|
||||
register: test_inexistent
|
||||
|
|
|
@ -33,3 +33,44 @@
|
|||
include_tasks: '{{ auth_type }}_test.yml'
|
||||
vars:
|
||||
conn_params: 'url=https://localhost:8201 validate_certs=False '
|
||||
|
||||
- name: 'test {{ auth_type }} auth with certs (validation using env VAR, lookup parameters)'
|
||||
include_tasks: '{{ auth_type }}_test.yml'
|
||||
args:
|
||||
apply:
|
||||
vars:
|
||||
conn_params: ''
|
||||
environment:
|
||||
VAULT_ADDR: 'https://localhost:8201'
|
||||
VAULT_SKIP_VERIFY: 1
|
||||
|
||||
- name: 'test {{ auth_type }} auth with certs (validation using env VAR (True), lookup parameters)'
|
||||
include_tasks: '{{ auth_type }}_test.yml'
|
||||
args:
|
||||
apply:
|
||||
vars:
|
||||
conn_params: ''
|
||||
environment:
|
||||
VAULT_ADDR: 'https://localhost:8201'
|
||||
VAULT_SKIP_VERIFY: True
|
||||
|
||||
- name: 'test {{ auth_type }} auth with certs (validation using env VAR (y), lookup parameters)'
|
||||
include_tasks: '{{ auth_type }}_test.yml'
|
||||
args:
|
||||
apply:
|
||||
vars:
|
||||
conn_params: ''
|
||||
environment:
|
||||
VAULT_ADDR: 'https://localhost:8201'
|
||||
VAULT_SKIP_VERIFY: y
|
||||
|
||||
- name: 'test {{ auth_type }} auth with certs (precedence of validate_certs over env VAR, lookup parameters)'
|
||||
include_tasks: '{{ auth_type }}_test.yml'
|
||||
args:
|
||||
apply:
|
||||
vars:
|
||||
conn_params: 'validate_certs=False '
|
||||
environment:
|
||||
VAULT_ADDR: 'https://localhost:8201'
|
||||
VAULT_SKIP_VERIFY: False
|
||||
|
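Review bot: The three environment-variable tasks in this hunk (`VAULT_SKIP_VERIFY: 1`, `True`, `y`) exercise only the skip path, and the precedence task pairs `validate_certs=False` with `VAULT_SKIP_VERIFY: False`, so nothing asserts that a falsy or malformed `VAULT_SKIP_VERIFY` leaves validation on against the listener at `https://localhost:8201`. A task with `VAULT_SKIP_VERIFY: 'false'` and no `validate_certs`, expected to fail against that listener, would pin the fail-closed behaviour, and one with a value such as `'notabool'` would pin the `TypeError` fallback in the plugin. The unquoted `True`/`False` values here are YAML booleans that presumably reach the environment as the strings `True`/`False`, which `boolean()` accepts; quoting them would make the intent explicit and independent of that conversion.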