search

ansible / awx-resource-operator

41 stars 31 forks source link

Example for creating a Container Registry Credential #130

Open genaumann opened 1 year ago

genaumann commented 1 year ago

Do you have an example of creating a "Container Registry" credential defined as YAML manifest? The examples do not cover my approach.

the-it-jaeger commented 10 months ago

I'm basically guessing, but based on this:

{
            "id": 17,
            "type": "credential_type",
            "url": "[/api/v2/credential_types/17/](https://aap.example.com/api/v2/credential_types/17/)",
            "related": {
                "credentials": "[/api/v2/credential_types/17/credentials/](https://aap.example.com/api/v2/credential_types/17/credentials/)",
                "activity_stream": "[/api/v2/credential_types/17/activity_stream/](https://aap-example.com/api/v2/credential_types/17/activity_stream/)"
            },
            "summary_fields": {
                "user_capabilities": {
                    "edit": true,
                    "delete": true
                }
            },
            "created": "2022-10-20T03:34:05.510601Z",
            "modified": "2022-10-20T03:34:05.510601Z",
            "name": "Container Registry",
            "description": "",
            "kind": "registry",
            "namespace": "registry",
            "managed": true,
            "inputs": {
                "fields": [
                    {
                        "id": "host",
                        "label": "Authentication URL",
                        "type": "string",
                        "help_text": "Authentication endpoint for the container registry.",
                        "default": "quay.io"
                    },
                    {
                        "id": "username",
                        "label": "Username",
                        "type": "string"
                    },
                    {
                        "id": "password",
                        "label": "Password or Token",
                        "type": "string",
                        "secret": true,
                        "help_text": "A password or token used to authenticate with"
                    },
                    {
                        "id": "verify_ssl",
                        "label": "Verify SSL",
                        "type": "boolean",
                        "default": true
                    }
                ],
                "required": [
                    "host"
                ]
            }

and also based on an existing Container Registry credential I examined, which had something like this:

"inputs": {
                "host": "registry.example.com",
                "password": "$encrypted$",
                "username": "example_registry_user",
                "verify_ssl": true
              }

I would say experiment with the inputs: field in the AnsibleCredential resource. Perhaps pass it JSON like the above but serialized.

If I get a chance to test this myself, I will report back.

the-it-jaeger commented 10 months ago

I've tried various permutations of inputs: but so far, no joy.

Here's the latest:

inputs: host=registry.example.com,password=reallyHardToGuessPassword,username=exampleuser,verify_ssl=true

resource-operator credential job pod logs:

[WARNING]: Unable to parse /runner/inventory as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
PLAY [localhost] ***************************************************************
TASK [job_runner : Launch Project] *********************************************
skipping: [localhost]
TASK [job_runner : Launch Credential] ******************************************
included: /usr/share/ansible/roles/job_runner/tasks/credentials.yml for localhost
TASK [job_runner : Launch SSH Credential] **************************************
skipping: [localhost]
TASK [job_runner : Launch Bearer Credential] ***********************************
skipping: [localhost]
TASK [job_runner : Launch Username Credential] *********************************
skipping: [localhost]
TASK [job_runner : Launch Token Credential] ************************************
skipping: [localhost]
TASK [job_runner : Launch Generic Credential] **********************************
included: /usr/share/ansible/roles/job_runner/tasks/credentials/create_generic_credential.yml for localhost
TASK [job_runner : Create Credential] ******************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "argument 'inputs' is of type <class 'str'> and we were unable to convert to dict: dictionary requested, could not parse JSON or key=value"}
TASK [job_runner : Update status if creation resulted in an error] *************
changed: [localhost]
TASK [job_runner : End playbook run] *******************************************
PLAY RECAP *********************************************************************
localhost : ok=3 changed=1 unreachable=0 failed=0 skipped=5 rescued=1 ignored=0
genaumann commented 10 months ago

I have also tried some variants, but without success

the-it-jaeger commented 10 months ago

Connecting dots...

https://github.com/ansible/awx-resource-operator/blob/f43c2c045280bae22f15cd8f432bd5ac6bebd0e8/roles/job_runner/tasks/credentials.yml#L37C1-L44C41

The above suggests, if we do not define any fields besides credential_inputs, a "generic credential" will be created which goes like...

https://github.com/ansible/awx-resource-operator/blob/f43c2c045280bae22f15cd8f432bd5ac6bebd0e8/roles/job_runner/tasks/credentials/create_generic_credential.yml#L3C1-L11C28

Based on the bearer credential type, inputs looks like this...

https://github.com/ansible/awx-resource-operator/blob/f43c2c045280bae22f15cd8f432bd5ac6bebd0e8/roles/job_runner/tasks/credentials/create_bearer_credential.yml#L3C1-L14

I keep trying to pass inputs: that make it look the same, but it's just not working 🤔

the-it-jaeger commented 10 months ago

I wonder if roles/job_runner/tasks/credentials/create_generic_credential.yml would benefit from some dict or to_yaml filtering or something. There just doesn't seem to be a way to pass multiple 'key: value' pairs into inputs: in a way that lines up and works.

    - name: Create Credential
      awx.awx.credential:
        name: "{{ lookup('env','CREDENTIAL_NAME') | default('present')  }}"
        description: "{{ lookup('env','CREDENTIAL_DESCRIPTION') }}"
        organization: "{{ lookup('env','CREDENTIAL_ORGANIZATION') }}"
        credential_type: "{{ lookup('env','CREDENTIAL_TYPE') }}"
        inputs: "{{ lookup('env','CREDENTIAL_INPUTS') | dict }}" #<---
        state: "{{ lookup('env','CREDENTIAL_STATE') }}"
      register: credentials
cooktheryan commented 10 months ago

I believe you would need an enhancement here https://github.com/ansible/awx-resource-operator/blob/devel/roles/credential/templates/job_definition.yml.j2 and potentially here https://github.com/ansible/awx-resource-operator/blob/devel/roles/job_runner/tasks/credentials.yml

On Fri, Aug 18, 2023 at 12:39 PM the-it-jaeger @.***> wrote:

I wonder if roles/job_runner/tasks/credentials/create_generic_credential.yml would benefit from some dict filtering or something. There just doesn't seem to be a way to pass multiple 'key: value' pairs into inputs: in a way that lines up and works.

- name: Create Credential
  awx.awx.credential:
    name: "{{ lookup('env','CREDENTIAL_NAME') | default('present')  }}"
    description: "{{ lookup('env','CREDENTIAL_DESCRIPTION') }}"
    organization: "{{ lookup('env','CREDENTIAL_ORGANIZATION') }}"
    credential_type: "{{ lookup('env','CREDENTIAL_TYPE') }}"
    inputs: "{{ lookup('env','CREDENTIAL_INPUTS') | dict }}" #<---
    state: "{{ lookup('env','CREDENTIAL_STATE') }}"
  register: credentials

— Reply to this email directly, view it on GitHub https://github.com/ansible/awx-resource-operator/issues/130#issuecomment-1684169116, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA5CZFGUHXZYROPESQBUIFTXV6LFBANCNFSM6AAAAAAZ2ATF4Y . You are receiving this because you are subscribed to this thread.Message ID: @.***>

the-it-jaeger commented 10 months ago

I made some progress:

apiVersion: tower.ansible.com/v1alpha1
kind: AnsibleCredential
metadata:
  name: helm-valip-quay-robot-credential
  namespace: ansible-automation-platform
spec:
  connection_secret: aap-controller-access-token
  inputs: >-
    host: registry.example.com        # Not working - getting set to quay.io (by default?)
  name: helm-valip-quay-robot-credential
  organization: helm-valip-iris
  password_secret: valip-quay-helm-valip-robot # Working
  username_secret: valip-quay-helm-valip-robot # Working
  type: Container Registry

image

the-it-jaeger commented 10 months ago

I opened #134 which I hope will make things work properly for Container Registry credentials. It seems we need a means to pass username, password, and host inputs into awx.awx.credential's input parameter.