hashi_vault - [env] INI value for vault URL should take precedence over VAULT_ADDR env var #8

Closed
briantist opened this issue Nov 10, 2020 · 9 comments · Fixed by #41

briantist commented Nov 10, 2020

SUMMARY

This is similar to ansible-collections/community.general#373

We take the value of VAULT_ADDR in the plugin to emulate the vault CLI and use the env var, which is commonly set. In ansible-collections/community.general#23 an INI entry was added, but if VAULT_ADDR is set the INI value won't be used.

Since VAULT_ADDR is a more general value, in the context of Ansible, we should prefer the INI value if both are set.

The fix would be similar to that in ansible-collections/community.general#902 , manually loading the value. Also adding an additional (spec defined) env var, ANSIBLE_HASHI_VAULT_ADDR which could override the INI.

General env var guidance for this plugin: #10

Plan:

  • ANSIBLE_HASHI_VAULT_ADDR was introduced in v0.2.0
  • VAULT_ADDR will have its precedence lowered in v1.0.0

⚠ This is technically a breaking change

📝 Impact Notes:

  • It is unlikely to break most existing configurations, but it is possible. All of the following conditions must be met for a configuration to break:
    • The url parameter is not being passed explicitly to the plugin in the lookup() call
    • url is set in both the INI file and via the VAULT_ADDR env var
    • the values of the url in the above places are different
  • With those conditions, the value of VAULT_ADDR is used before this change, and the other different value set in INI is used after this change.
  • For users who are aware of this change before they consume it, it can be worked around in advance via the following remediations:
    • If the mismatched env and INI values are unintentional, setting them to be the same (or choosing one place to set them) can be done with no ill effects before and after the change.
    • If the mismatch is intentional (in one environment the INI value is used, while in another invocation the env var is being used to intentionally override INI), then this can be worked around:
      • In community.hashi_vault v0.1.0: ideally upgrade to v0.2.0 then follow the next step, otherwise: set both VAULT_ADDR and the not-yet-used ANSIBLE_HASHI_VAULT_ADDR to the same value in those invocations. After updating to a post-change collection (either v0.2.0 or v1.0.0), remove the VAULT_ADDR setting.
      • In community.hashi_vault v0.2.0: set ANSIBLE_HASHI_VAULT_ADDR instead of VAULT_ADDR. No other changes are needed for v1.0.0.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

hashi_vault.py

ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS

INI value is specific to ansible, and should be used over the more system wide VAULT_ADDR.

ACTUAL RESULTS

INI value will never be used if VAULT_ADDR is set.
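
Added example, not part of the issue or the plugin's code: a small Python model of the URL precedence before and after the change, useful for checking whether an upgrade would silently point lookups (and the credentials they send) at a different Vault server. The function names, the "empty means unset" rule, and the sample URLs are assumptions; the ordering is taken from the issue text above.

```python
# Models the precedence described in the issue; not the plugin's implementation.
# All function names here are hypothetical.

def _first_set(*candidates):
    """Return the first (source, value) pair whose value is non-empty."""
    for source, value in candidates:
        if value:  # assumption: an empty string counts as unset
            return source, value
    return None, None

def resolve_before(param_url, ini_url, env):
    """Pre-change (v0.1.0): VAULT_ADDR beats INI; ANSIBLE_HASHI_VAULT_ADDR is not read."""
    return _first_set(
        ("lookup() url", param_url),
        ("VAULT_ADDR", env.get("VAULT_ADDR")),
        ("INI", ini_url),
    )

def resolve_after(param_url, ini_url, env):
    """Post-change (v1.0.0): ANSIBLE_HASHI_VAULT_ADDR, then INI, then VAULT_ADDR."""
    return _first_set(
        ("lookup() url", param_url),
        ("ANSIBLE_HASHI_VAULT_ADDR", env.get("ANSIBLE_HASHI_VAULT_ADDR")),
        ("INI", ini_url),
        ("VAULT_ADDR", env.get("VAULT_ADDR")),
    )

def upgrade_report(param_url, ini_url, env):
    """Compare both resolutions; 'changed' flags a different effective URL."""
    before = resolve_before(param_url, ini_url, env)
    after = resolve_after(param_url, ini_url, env)
    return {"before": before, "after": after, "changed": before[1] != after[1]}

if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    INI = "https://vault-ini.example:8200"
    ENV = "https://vault-env.example:8200"
    cases = {
        "mismatch, no explicit url": (None, INI, {"VAULT_ADDR": ENV}),
        "explicit url passed": ("https://vault-arg.example:8200", INI, {"VAULT_ADDR": ENV}),
        "workaround: both env vars set": (
            None, INI, {"VAULT_ADDR": ENV, "ANSIBLE_HASHI_VAULT_ADDR": ENV}),
    }
    for name, (param, ini, env) in cases.items():
        print(name, "->", upgrade_report(param, ini, env))
```
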

@dmsimard dmsimard transferred this issue from ansible-collections/community.general Dec 1, 2020
@briantist briantist changed the title from "hashi_vault - INI value for vault URL should take precedence over VAULT_ADDR env var" to "hashi_vault - [env] INI value for vault URL should take precedence over VAULT_ADDR env var" Dec 6, 2020
@briantist briantist added the enhancement New feature or request label Dec 6, 2020
@briantist briantist added this to the v1.0.0 milestone Dec 13, 2020
@briantist briantist self-assigned this Dec 13, 2020
briantist added a commit to briantist/community.hashi_vault that referenced this issue Dec 21, 2020
- Adds `ANSIBLE_HASHI_VAULT_ADDR` env
- Moves `VAULT_ADDR` env to `LOW_PRECEDENCE_ENV_VAR_OPTIONS`
- Resolves ansible-collections#8
@briantist briantist moved this from To do to In progress in Environment Variable Standardization Dec 23, 2020
@briantist briantist moved this from In progress to Done in Environment Variable Standardization Dec 30, 2020