-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate ansible-conjur-host-identity #38
Conversation
763f814
to
579000e
Compare
faf2b0b
to
0cc0384
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quality-Architects are on the review for the .codeclimate.yml file. That looks good to me. The rest is not anything I reviewed though.
6c03545
to
6525585
Compare
aebc97e
to
4dd364a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has made some nice progress, but I've left a bunch of comments still - some of which can be filed as follow-on issues to get this in and continue work in smaller follow-on issues. I also want to note:
- I don't think
meta/runtime.yml
should have been moved - it looks like that belongs in the project root - if we're going to move the lookup plugin tests to a subdirectory of
tests/
, can the subdirectory be named to better indicate what it contains? e.g.lookup_plugin
? - I noted in the PR that the role tests should also live under the project root
tests/
directory; file a follow up issue if that's easier, but either way I think we'll need to do this
Jenkinsfile
Outdated
junit 'tests/junit/*' | ||
parallel { | ||
stage("Test conjur_lookup Plugin") { | ||
agent { label 'executor-v2-large' } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why does this need a large executor?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't, but I ran into issues with all the test containers running on the same executor and this was the only solution that I had at the time. I'm not sure how to fix it otherwise right now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
was it just midair collisions due to not setting COMPOSE_PROJECT_NAME
or something else?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
regardless, this merits a follow-up issue too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That might be it, I'll investigate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has been resolved! The COMPOSE_PROJECT_NAME was being set in the individual test scripts for the plugin and role, which overrode the project name I was assigning. I changed them a bit so that they won't confuse docker.
- name: Ubuntu | ||
versions: | ||
- trusty | ||
- xenial | ||
- name: EL | ||
versions: | ||
- 7 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is worth digging into at some point, but looks ok for now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BradleyBoutcher should be captured in an issue, that we need to review the supported platforms for the role
f97c052
to
54e6955
Compare
CHANGELOG.md
Outdated
- Added retries to tasks/identity/Request identity from Conjur. | ||
This will increase the reliability of host factory requests without introducing any extra delay |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this something you did in this PR, or was this ported from an unreleased change in the role?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was ported from the Conjur-host-identity project. I wasn't sure what to do with it, because those features are currently unreleased.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can leave it in there, and tag that project just before we tag this one to indicate the migration
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just rereading and realizing this is not clear, I meant that we can drop this entry from the collection changelog and just be clear in the collection changelog that we migrated at the point-in-time of the {soon to be added} last role release.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah gotcha, I will do so!
54e6955
to
dca4c33
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
left a few more minor comments - this is getting quite close to done, and then we'll have a handful of follow-up issues to work on before we can tag. can you please be sure to add a comment to this PR that aggregates the links to the follow-up issues we'll need after this PR is merged?
Jenkinsfile
Outdated
junit 'tests/junit/*' | ||
parallel { | ||
stage("Test conjur_lookup Plugin") { | ||
agent { label 'executor-v2-large' } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
regardless, this merits a follow-up issue too
- `CONJUR_ACCOUNT` : The Conjur account name | ||
- `CONJUR_APPLIANCE_URL` : URL of the running Conjur service | ||
- `CONJUR_CERT_FILE` : Path to the Conjur certificate file | ||
- `CONJUR_AUTHN_LOGIN` : A valid Conjur host username | ||
- `CONJUR_AUTHN_API_KEY` : The api key that corresponds to the Conjur host username | ||
- `CONJUR_AUTHN_TOKEN_FILE` : Path to a file containing a valid Conjur auth token |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's striking me as weird that you configure the role with playbook keys (?) and you configure the lookup plugin with env vars. how do you use them together? if I set up the role, will the plugin not be configured?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this might be a follow-up issue (it would go hand-in-hand with your own experiments running the e2e flow)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that's just the nature of how they work. The role is configured through the playbook with what are called "role variables", while the plugin is an executable that may depend on variables being present in the system. Both environment variables and role variables can be set in the playbook, but it's an important distinction, and people who are familiar with playbooks will know how to use them. Boilerplate READMEs for Ansible roles include the role variables
section, and for the plugin, it's a good idea for us to have them there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On the topic of "can I set them once and have them used in both places?" - I'm not sure. There's probably a way to chain things together, but I'm not sure if that's necessary or a "safe" way to handle parameters for a role and plugin.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BradleyBoutcher can we make sure it's captured in a follow-up issue that we need to review the UX of using the role and then the lookup plugin within the collection?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
README.md
Outdated
``` | ||
|
||
This example: | ||
- Registers the host `{insert whatever the hostname is}` with Conjur, adding it into the Conjur |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the note insert whatever the hostname is
is for you - what is the hostname? is it the value of inventory_hostname
? should this be replaced with {{ inventory_hostname }}
, or is there something more clear we could put here instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed - it should tie into the example above with {{ inventory_hostname }}
CHANGELOG.md
Outdated
- Added retries to tasks/identity/Request identity from Conjur. | ||
This will increase the reliability of host factory requests without introducing any extra delay |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can leave it in there, and tag that project just before we tag this one to indicate the migration
README.md
Outdated
|
||
This collection contains plugins to be used for CyberArk Conjur & DAP hosted in [ansible galaxy](https://galaxy.ansible.com/cyberark/conjur). | ||
- [CyberArk Ansible Conjur Collection](#cyberark-ansible-conjur-collection) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can the TOC be updated to remove this top level item? it doesn't add anything, and it just indents the whole TOC over one
README.md
Outdated
```yml | ||
- hosts: servers | ||
roles: | ||
- role: cyberark.conjur-host-identity |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this definition the same once it's part of the collection?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure, but I should be able to answer this once I've finished testing more
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
might be good to know for sure before we merge, since this will land in the project README on merge
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BradleyBoutcher I think this still needs to be verified ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Based on the documentations and my short experimenting, the correct syntax is cyberark.conjur.conjur_host_identity
when using this role installed through the collection.
dca4c33
to
f7bed15
Compare
README.md
Outdated
## Conjur Ansible Role | ||
This Ansible role provides the ability to grant Conjur machine identity to a host. Based on that | ||
identity, secrets can then be retrieved securely using the [Conjur Lookup | ||
Plugin](#conjur_variable-lookup-plugin) or using the [Summon](https://github.com/cyberark/summon) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Plugin](#conjur_variable-lookup-plugin) or using the [Summon](https://github.com/cyberark/summon) | |
Plugin](#conjur-ansible-lookup-plugin) or using the [Summon](https://github.com/cyberark/summon) |
b7f0bd5
to
e8ccd5d
Compare
e8ccd5d
to
9a72886
Compare
9a72886
to
c0a9b74
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few nits
.gitignore
Outdated
molecule/conjur.pem | ||
*.tmp | ||
vendor/ | ||
.pytest_cache |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: These should be grouped a bit better
README.md
Outdated
``` | ||
|
||
## Conjur Ansible Role | ||
**NOTE**: This role is currently not available in releases installed through Ansible Galaxy, but will be added in the next release. Follow [issue #30](https://github.com/cyberark/ansible-conjur-collection/issues/35) for updates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: there should be an empty line between headers and text in this file
README.md
Outdated
None. | ||
<br> | ||
<br> | ||
* `conjur_appliance_url` (_Optional)_: URL of the running Conjur service |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* `conjur_appliance_url` (_Optional)_: URL of the running Conjur service | |
* `conjur_appliance_url` _(Optional)_: URL of the running Conjur service |
I'm guessing these other ones need that too
README.md
Outdated
* `summon.version`: version of Summon to install. Default is `0.8.2`. | ||
* `summon_conjur.version`: version of Summon-Conjur provider to install. Default is `0.5.3`. | ||
|
||
The variables marked with _`(Optional)`_ are required fields. All other variables are required for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm... an optional value is required?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
HA good catch
README.md
Outdated
- Installs Summon with the Summon Conjur provider for secret retrieval from Conjur. | ||
|
||
### Summon & Service Managers | ||
With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a | |
With Summon installed, using Conjur with a Service Manager (like `systemd`) becomes a snap. Here's a |
README.md
Outdated
- Installs Summon with the Summon Conjur provider for secret retrieval from Conjur. | ||
|
||
### Summon & Service Managers | ||
With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Needs empty newline before header
README.md
Outdated
|
||
### Summon & Service Managers | ||
With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a | ||
simple example of a SystemD file connecting to Conjur: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
simple example of a SystemD file connecting to Conjur: | |
simple example of a `systemd` file connecting to Conjur: |
c0a9b74
to
e182a0b
Compare
Per Ansible Collection documentation, the conjur_host_identity role has been moved to a `role` subdirectory. A `tests` subdirectory has been added for this role, and all relevant tests moved there.
e182a0b
to
00c1514
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is one last item to review the supported platforms, but everything else LGTM. Thanks for sticking with this one @BradleyBoutcher! Looking forward to addressing the follow up issues and releasing an updated version of this collection.
My review was partial and at this time outdated so it can be dismissed
What does this PR do?
they were moved to their own test directories. However, this can be improved later to potentially use the same images.
What ticket does this PR close?
Connected to cyberark/ansible-conjur-host-identity#30
Checklists
Change log
Test coverage
Documentation
README
s) were updated in this PR, and/or there is a follow-on issue to update docs, orFollow-up work
build.sh
script located in theci
directory. Since both sets of tests depend on similar images, we can probably cut down on build time by centralizing them.