Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate ansible-conjur-host-identity #38

Merged
merged 7 commits into from
Sep 29, 2020
Merged

Conversation

BradleyBoutcher
Copy link
Contributor

@BradleyBoutcher BradleyBoutcher commented Aug 17, 2020

What does this PR do?

  • Migrates project files (tasks, templates, meta)
  • Migrates Github issue templates
  • Adds code climate and Gitleaks configurations
  • Migrates test files
    • Since the Conjur tests and host-identity tests have some subtle differences,
      they were moved to their own test directories. However, this can be improved later to potentially use the same images.
    • Test runner updated and Jenkinsfile updated to run both sets of tests in parallel

What ticket does this PR close?

Connected to cyberark/ansible-conjur-host-identity#30

Checklists

Change log

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, or
  • This PR does not require updating any documentation

Follow-up work

  • Generate images used for integration tests with a build.sh script located in the ci directory. Since both sets of tests depend on similar images, we can probably cut down on build time by centralizing them.

@BradleyBoutcher BradleyBoutcher requested review from a team as code owners August 17, 2020 17:56
@BradleyBoutcher BradleyBoutcher force-pushed the migrate-host-identity branch 15 times, most recently from 763f814 to 579000e Compare August 18, 2020 21:30
@BradleyBoutcher BradleyBoutcher changed the title WIP: Migrate ansible-conjur-host-identity Migrate ansible-conjur-host-identity Aug 18, 2020
@BradleyBoutcher BradleyBoutcher force-pushed the migrate-host-identity branch 6 times, most recently from faf2b0b to 0cc0384 Compare August 19, 2020 15:16
Copy link
Contributor

@andytinkham andytinkham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Quality-Architects are on the review for the .codeclimate.yml file. That looks good to me. The rest is not anything I reviewed though.

@BradleyBoutcher BradleyBoutcher force-pushed the migrate-host-identity branch 5 times, most recently from 6c03545 to 6525585 Compare August 19, 2020 20:17
@BradleyBoutcher BradleyBoutcher force-pushed the migrate-host-identity branch 4 times, most recently from aebc97e to 4dd364a Compare September 23, 2020 16:06
Copy link
Contributor

@izgeri izgeri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has made some nice progress, but I've left a bunch of comments still - some of which can be filed as follow-on issues to get this in and continue work in smaller follow-on issues. I also want to note:

  • I don't think meta/runtime.yml should have been moved - it looks like that belongs in the project root
  • if we're going to move the lookup plugin tests to a subdirectory of tests/, can the subdirectory be named to better indicate what it contains? e.g. lookup_plugin?
  • I noted in the PR that the role tests should also live under the project root tests/ directory; file a follow up issue if that's easier, but either way I think we'll need to do this

CHANGELOG.md Outdated Show resolved Hide resolved
Jenkinsfile Outdated
junit 'tests/junit/*'
parallel {
stage("Test conjur_lookup Plugin") {
agent { label 'executor-v2-large' }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why does this need a large executor?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't, but I ran into issues with all the test containers running on the same executor and this was the only solution that I had at the time. I'm not sure how to fix it otherwise right now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

was it just midair collisions due to not setting COMPOSE_PROJECT_NAME or something else?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

regardless, this merits a follow-up issue too

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That might be it, I'll investigate

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has been resolved! The COMPOSE_PROJECT_NAME was being set in the individual test scripts for the plugin and role, which overrode the project name I was assigning. I changed them a bit so that they won't confuse docker.

README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
ci/parse-changelog.sh Outdated Show resolved Hide resolved
ci/test.sh Show resolved Hide resolved
Comment on lines +14 to +20
- name: Ubuntu
versions:
- trusty
- xenial
- name: EL
versions:
- 7
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is worth digging into at some point, but looks ok for now

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BradleyBoutcher should be captured in an issue, that we need to review the supported platforms for the role

@BradleyBoutcher BradleyBoutcher force-pushed the migrate-host-identity branch 4 times, most recently from f97c052 to 54e6955 Compare September 24, 2020 15:58
CHANGELOG.md Outdated
Comment on lines 13 to 14
- Added retries to tasks/identity/Request identity from Conjur.
This will increase the reliability of host factory requests without introducing any extra delay
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this something you did in this PR, or was this ported from an unreleased change in the role?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was ported from the Conjur-host-identity project. I wasn't sure what to do with it, because those features are currently unreleased.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can leave it in there, and tag that project just before we tag this one to indicate the migration

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just rereading and realizing this is not clear, I meant that we can drop this entry from the collection changelog and just be clear in the collection changelog that we migrated at the point-in-time of the {soon to be added} last role release.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah gotcha, I will do so!

Copy link
Contributor

@izgeri izgeri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

left a few more minor comments - this is getting quite close to done, and then we'll have a handful of follow-up issues to work on before we can tag. can you please be sure to add a comment to this PR that aggregates the links to the follow-up issues we'll need after this PR is merged?

Jenkinsfile Outdated
junit 'tests/junit/*'
parallel {
stage("Test conjur_lookup Plugin") {
agent { label 'executor-v2-large' }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

regardless, this merits a follow-up issue too

README.md Outdated Show resolved Hide resolved
Comment on lines +128 to +145
- `CONJUR_ACCOUNT` : The Conjur account name
- `CONJUR_APPLIANCE_URL` : URL of the running Conjur service
- `CONJUR_CERT_FILE` : Path to the Conjur certificate file
- `CONJUR_AUTHN_LOGIN` : A valid Conjur host username
- `CONJUR_AUTHN_API_KEY` : The api key that corresponds to the Conjur host username
- `CONJUR_AUTHN_TOKEN_FILE` : Path to a file containing a valid Conjur auth token
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's striking me as weird that you configure the role with playbook keys (?) and you configure the lookup plugin with env vars. how do you use them together? if I set up the role, will the plugin not be configured?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this might be a follow-up issue (it would go hand-in-hand with your own experiments running the e2e flow)

Copy link
Contributor Author

@BradleyBoutcher BradleyBoutcher Sep 24, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that's just the nature of how they work. The role is configured through the playbook with what are called "role variables", while the plugin is an executable that may depend on variables being present in the system. Both environment variables and role variables can be set in the playbook, but it's an important distinction, and people who are familiar with playbooks will know how to use them. Boilerplate READMEs for Ansible roles include the role variables section, and for the plugin, it's a good idea for us to have them there.

Copy link
Contributor Author

@BradleyBoutcher BradleyBoutcher Sep 24, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On the topic of "can I set them once and have them used in both places?" - I'm not sure. There's probably a way to chain things together, but I'm not sure if that's necessary or a "safe" way to handle parameters for a role and plugin.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BradleyBoutcher can we make sure it's captured in a follow-up issue that we need to review the UX of using the role and then the lookup plugin within the collection?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#47

README.md Outdated
```

This example:
- Registers the host `{insert whatever the hostname is}` with Conjur, adding it into the Conjur
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the note insert whatever the hostname is is for you - what is the hostname? is it the value of inventory_hostname? should this be replaced with {{ inventory_hostname }}, or is there something more clear we could put here instead?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed - it should tie into the example above with {{ inventory_hostname }}

README.md Show resolved Hide resolved
CHANGELOG.md Outdated
Comment on lines 13 to 14
- Added retries to tasks/identity/Request identity from Conjur.
This will increase the reliability of host factory requests without introducing any extra delay
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can leave it in there, and tag that project just before we tag this one to indicate the migration

README.md Outdated

This collection contains plugins to be used for CyberArk Conjur & DAP hosted in [ansible galaxy](https://galaxy.ansible.com/cyberark/conjur).
- [CyberArk Ansible Conjur Collection](#cyberark-ansible-conjur-collection)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can the TOC be updated to remove this top level item? it doesn't add anything, and it just indents the whole TOC over one

README.md Outdated
```yml
- hosts: servers
roles:
- role: cyberark.conjur-host-identity
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this definition the same once it's part of the collection?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure, but I should be able to answer this once I've finished testing more

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be good to know for sure before we merge, since this will land in the project README on merge

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@BradleyBoutcher I think this still needs to be verified ...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on the documentations and my short experimenting, the correct syntax is cyberark.conjur.conjur_host_identity when using this role installed through the collection.

README.md Outdated
## Conjur Ansible Role
This Ansible role provides the ability to grant Conjur machine identity to a host. Based on that
identity, secrets can then be retrieved securely using the [Conjur Lookup
Plugin](#conjur_variable-lookup-plugin) or using the [Summon](https://github.com/cyberark/summon)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Plugin](#conjur_variable-lookup-plugin) or using the [Summon](https://github.com/cyberark/summon)
Plugin](#conjur-ansible-lookup-plugin) or using the [Summon](https://github.com/cyberark/summon)

README.md Show resolved Hide resolved
Copy link
Contributor

@sgnn7 sgnn7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few nits

.gitignore Outdated
molecule/conjur.pem
*.tmp
vendor/
.pytest_cache
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: These should be grouped a bit better

README.md Outdated
```

## Conjur Ansible Role
**NOTE**: This role is currently not available in releases installed through Ansible Galaxy, but will be added in the next release. Follow [issue #30](https://github.com/cyberark/ansible-conjur-collection/issues/35) for updates.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: there should be an empty line between headers and text in this file

README.md Outdated
None.
<br>
<br>
* `conjur_appliance_url` (_Optional)_: URL of the running Conjur service
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `conjur_appliance_url` (_Optional)_: URL of the running Conjur service
* `conjur_appliance_url` _(Optional)_: URL of the running Conjur service

I'm guessing these other ones need that too

README.md Outdated
* `summon.version`: version of Summon to install. Default is `0.8.2`.
* `summon_conjur.version`: version of Summon-Conjur provider to install. Default is `0.5.3`.

The variables marked with _`(Optional)`_ are required fields. All other variables are required for
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm... an optional value is required?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HA good catch

README.md Outdated
- Installs Summon with the Summon Conjur provider for secret retrieval from Conjur.

### Summon & Service Managers
With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a
With Summon installed, using Conjur with a Service Manager (like `systemd`) becomes a snap. Here's a

README.md Outdated
- Installs Summon with the Summon Conjur provider for secret retrieval from Conjur.

### Summon & Service Managers
With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs empty newline before header

README.md Outdated

### Summon & Service Managers
With Summon installed, using Conjur with a Service Manager (like SystemD) becomes a snap. Here's a
simple example of a SystemD file connecting to Conjur:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
simple example of a SystemD file connecting to Conjur:
simple example of a `systemd` file connecting to Conjur:

Per Ansible Collection documentation,
the conjur_host_identity role
has been moved to a `role`
subdirectory. A `tests` subdirectory has been added
for this role, and all relevant tests moved there.
Copy link
Contributor

@izgeri izgeri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is one last item to review the supported platforms, but everything else LGTM. Thanks for sticking with this one @BradleyBoutcher! Looking forward to addressing the follow up issues and releasing an updated version of this collection.

@sgnn7 sgnn7 dismissed their stale review September 28, 2020 20:09

My review was partial and at this time outdated so it can be dismissed

@BradleyBoutcher BradleyBoutcher merged commit 01b0c87 into master Sep 29, 2020
@BradleyBoutcher BradleyBoutcher deleted the migrate-host-identity branch September 29, 2020 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

5 participants