ansibleplaybookbundle / apb-base

Base image for APB development
Apache License 2.0

Multiline secrets are not correctly parsed #44

Open djuarezg opened 6 years ago

djuarezg commented 6 years ago

Bug:

What happened: If you follow https://github.com/openshift/ansible-service-broker/blob/master/docs/secrets.md and try to add a multiline secret as in:

---
apiVersion: v1
kind: Secret
metadata:
    name: test
    namespace: openshift-automation-service-broker
stringData:
    "test1": "test1"
    "test2": "test2"
    "test_multiline": |-
      -----BEGIN RSA PRIVATE KEY-----
      <FIRST LINE OF THE SSH KEY>
      <SECOND LINE OF THE SSH KEY>

the Ansible Playbook Bundle will see an error while loading the secrets YAML file, as if it was using newlines to separate secrets:

ERROR! Syntax Error while loading YAML.
  could not find expected ':'
The error appears to have been in '/tmp/secrets': line 6, column 1, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
<FIRST LINE OF THE SSH KEY>
<SECOND LINE OF THE SSH KEY>
^ here

This happens as well if you use the base64 data secret.

What you expected to happen:

The secret should keep the newlines and be used as a parameter on the APB.

Mounted secrets are copied to /tmp/secrets so they can be passed as parameters to the playbook, but instead of producing this expected secrets file:

---
ACCESS_KEY: blah
SECRET_KEY: blah
SWARM_CLUSTER_KEYPAIR: |-
 -----BEGIN RSA PRIVATE KEY-----
 blah
 blah
 blah
 -----END RSA PRIVATE KEY-----
openstack_admin__user: blah
openstack_admin_password: blah

they produce something like this, which will fail during parsing:

---
ACCESS_KEY: blah
SECRET_KEY: blah
SWARM_CLUSTER_KEYPAIR: -----BEGIN RSA PRIVATE KEY-----
 blah1 blah2
 blah3 ...
 -----END RSA PRIVATE KEY-----
openstack_admin__user: blah
openstack_admin_password: blah

djuarezg commented 6 years ago

This is caused by https://github.com/ansibleplaybookbundle/apb-base/blob/cc949ecfeee2e84bd626c73b4cbc54d496fc6738/files/usr/bin/entrypoint.sh#L48 which does not take into account whether it is one line or a multiblock string.

And on the latest versions it does not even add the extra parameters from the secrets to the playbook run.

djuarezg commented 6 years ago

Caused by: https://github.com/ansibleplaybookbundle/apb-base/blob/328103813573f4e401bd4f34de29e582ad22f197/files/usr/bin/entrypoint.sh#L50
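
An added example, not the project's entrypoint.sh and not code from this issue: one way to render mounted secrets into a YAML vars file so that multiline values such as private keys stay parseable. It assumes one file per secret key in the mounted directory; the function name `render_secrets_yaml` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the apb-base entrypoint.sh).
# Assumption: each secret key is mounted as a file named after the key,
# with the secret value as the file content.

render_secrets_yaml() {
    src_dir=$1
    out_file=$2
    nl='
'
    # Start the YAML document; a newly created file is owner-only (umask 077).
    ( umask 077; printf -- '---\n' > "$out_file" ) || return 1

    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue
        key=${f##*/}
        # Refuse key names that could change the YAML structure.
        case $key in
            ''|*[!A-Za-z0-9_.-]*)
                echo "skipping secret with unsafe key name" >&2
                continue ;;
        esac
        # Command substitution drops trailing newlines; '|2-' (strip chomping)
        # below yields the same value after parsing.
        value=$(cat "$f")
        case $value in
            *"$nl"*)
                # Multiline: literal block scalar, every line indented by two
                # spaces. The explicit '2' keeps parsing correct even when
                # the first line of the value starts with spaces.
                printf '%s: |2-\n' "$key"
                printf '%s\n' "$value" | sed 's/^/  /'
                ;;
            *)
                # Single line: single-quoted scalar, with ' doubled, so
                # characters like ':' or '#' are never read as YAML syntax.
                printf "%s: '%s'\n" "$key" \
                    "$(printf '%s' "$value" | sed "s/'/''/g")"
                ;;
        esac >> "$out_file"
    done
}
```
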