helm_pull: Silence false no_log warning #796
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 10m 16s |
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 3m 59s |
Confirmed that even in module_utils we have no_logs=True and the password does not appear in module output; it's a false positive warning.
Hi @colshine1, please update the integration test with the following: please add
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 4m 33s |
LGTM
plugins/modules/helm_pull.py
@@ -189,7 +189,7 @@ def main(): | |||
repo_password=dict( | |||
type="str", no_log=True, aliases=["password", "chart_repo_password"] | |||
), | |||
pass_credentials=dict(type="bool", default=False), | |||
pass_credentials=dict(type="bool", default=False, no_log=True), |
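Review bot: on the changed `pass_credentials` line, `no_log=True` marks a boolean flag as sensitive although the credential itself is `repo_password`, which already carries `no_log=True` two lines above. If the goal is only to silence the name-based warning, an explicit `no_log=False` does that without declaring the flag secret; a short comment on the line saying it is a false-positive override would help the next reader.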
pass_credentials=dict(type="bool", default=False, no_log=True), | |
pass_credentials=dict(type="bool", default=False, no_log=False), |
This should be False since this is a false positive.
> This should be False since this is a false positive.

False is the default one and it will behave in the same way as now, it throws a warning Module did not set no_log for pass_credentials. So, it should be no_log=True
No, explicitly setting no_log=False is the correct way to deal with a false positive.
> No, explicitly setting no_log=False is the correct way to deal with a false positive.

Hm... I will check how it works
I set up a sample test playbook:
- hosts: localhost
  tasks:
    - name: Download chart to controlhost
      kubernetes.core.helm_pull:
        chart_ref: "https://domain.com/helm_chart-0.0.1.tgz"
        destination: "/tmp/"
        untar_chart: false
        repo_username: user
        repo_password: password
        pass_credentials: false
I run the playbook with -vvv to get the module parameters in the output, the output fails as I set fake credentials for this test.
Without any changes to the module the output is:
[WARNING]: Module did not set no_log for pass_credentials
fatal: [localhost]: FAILED! => {
    "changed": false,
    "command": "helm pull https://domain.com/helm_chart-0.0.1.tgz --username user --******** ******** --destination /tmp/",
    "invocation": {
        "module_args": {
            "binary_path": null,
            "chart_ca_cert": null,
            "chart_devel": null,
            "chart_ref": "https://domain.com/helm_chart-0.0.1.tgz",
            "chart_ssl_cert_file": null,
            "chart_ssl_key_file": null,
            "chart_version": null,
            "destination": "/tmp/",
            "pass_credentials": false,
            "provenance": false,
            "repo_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "repo_url": null,
            "repo_username": "user",
            "skip_tls_certs_check": false,
            "untar_chart": false,
            "verify_chart": false,
            "verify_chart_keyring": null
        }
    },
    "msg": "Failure when executing Helm command.",
    "rc": 1,
    "stderr": "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized\n",
    "stderr_lines": [
        "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized"
    ],
    "stdout": "",
    "stdout_lines": []
}
setting no_log to False on line 192:
fatal: [localhost]: FAILED! => {
    "changed": false,
    "command": "helm pull https://domain.com/helm_chart-0.0.1.tgz --username user --******** ******** --destination /tmp/",
    "invocation": {
        "module_args": {
            "binary_path": null,
            "chart_ca_cert": null,
            "chart_devel": null,
            "chart_ref": "https://domain.com/helm_chart-0.0.1.tgz",
            "chart_ssl_cert_file": null,
            "chart_ssl_key_file": null,
            "chart_version": null,
            "destination": "/tmp/",
            "pass_credentials": false,
            "provenance": false,
            "repo_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "repo_url": null,
            "repo_username": "user",
            "skip_tls_certs_check": false,
            "untar_chart": false,
            "verify_chart": false,
            "verify_chart_keyring": null
        }
    },
    "msg": "Failure when executing Helm command.",
    "rc": 1,
    "stderr": "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized\n",
    "stderr_lines": [
        "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized"
    ],
    "stdout": "",
    "stdout_lines": []
}
I added no_log=True to be consistent with this: https://github.com/Akasurde/kubernetes.core/blob/22013686e7f2f735d5de5850b612dce4daa04b1a/plugins/modules/helm_repository.py#L231. However, it looks like this no longer exists in the module so I'm happy to update based on whatever is the correct solution.
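
The warning debated in this thread comes from a guess made on the parameter name, not on its type or value. The sketch below is an added example, not code from the collection or from ansible-core: `PASSWORD_NAME`, `classify`, `needs_decision` and the `HYPOTHETICAL` parameter names are assumptions of this example, and the regular expression only approximates the heuristic. It goes beyond the one parameter discussed here by auditing a whole argument spec for names that need an explicit `no_log` decision.

```python
import re

# Assumption: this pattern approximates the name-based guess ansible-core makes
# about password-like parameters; it is written for this example.
PASSWORD_NAME = re.compile(
    r"^(?:.+[-_\s])?pass(?:[-_\s]?(?:word|phrase|wrd|wd)?)(?:[-_\s].+)?$", re.I
)


def classify(name, opts):
    """Return this example's label for how a parameter is treated when logged."""
    no_log = opts.get("no_log")  # None: the module author made no decision
    if no_log is None and PASSWORD_NAME.search(name):
        return "warn"  # triggers "Module did not set no_log for <name>"
    return "masked" if no_log else "logged"


def needs_decision(spec):
    """List parameters whose name looks secret but carry no explicit no_log."""
    return sorted(n for n, o in spec.items() if classify(n, o) == "warn")


# Constructed specs using the parameter names from this pull request.
UNSET = {
    "repo_username": dict(type="str"),
    "repo_password": dict(type="str", no_log=True),
    "pass_credentials": dict(type="bool", default=False),
}
EXPLICIT_FALSE = dict(UNSET, pass_credentials=dict(type="bool", default=False, no_log=False))
EXPLICIT_TRUE = dict(UNSET, pass_credentials=dict(type="bool", default=False, no_log=True))

# Hypothetical names, not from the module, to show where the guess fires.
HYPOTHETICAL = {
    "passthrough": dict(type="bool"),
    "pass_through": dict(type="bool"),
    "bypass_cache": dict(type="bool"),
    "ssh_passphrase": dict(type="str"),
}

if __name__ == "__main__":
    for label, spec in (("unset", UNSET), ("no_log=False", EXPLICIT_FALSE),
                        ("no_log=True", EXPLICIT_TRUE)):
        print(f"{label:13} pass_credentials -> {classify('pass_credentials', spec['pass_credentials'])}")
    print("needs an explicit no_log:", needs_decision(HYPOTHETICAL))
```

Either explicit value stops the warning; the two differ only in whether the spec declares the flag sensitive.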
@@ -180,6 +180,7 @@ | |||
- '"--username ansible" in _result.command' | |||
- '"--password ***" in _result.command' | |||
- '"--keyring pubring.gpg" in _result.command' | |||
- '"Module did not set no_log for pass_credentials" not in _result.warnings' |
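Review bot: the added assertion on the last line reads `_result.warnings` directly, so it errors rather than passes if the result has no `warnings` key, and `not in` against a list only matches a whole element. Consider `_result.warnings | default([])`, or asserting against the field the module actually reports warnings in.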
should be _result.stderr instead of _result.warnings, module helm_pull returns warnings into stderr
Updated as requested
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 5m 14s |
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 3m 32s |
Hi @colshine1 or @gravesm, could you please rebase to master?
Strangely, I saw that message in my testing environment some time ago, but I'm not sure about the package versions.
I tested the behavior again and was able to reproduce the issue with 5.0.0:
Same with
So, WARNING in place. And finally, this PR (with
So, @gravesm, please rebase this PR to main and backport to
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 5m 25s |
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 4m 11s |
Build succeeded (gate pipeline). ✔️ ansible-galaxy-importer SUCCESS in 3m 47s |
ecc64ca
into
ansible-collections:main
Backport to stable-3: 💚 backport PR created✅ Backport PR branch: Backported as #857 🤖 @patchback |
SUMMARY Apply no_log=True to pass_credentials to silence false positive warning. Fixes similar issue to: #423 ISSUE TYPE Bugfix Pull Request COMPONENT NAME changelog/fragements/796-false-positive-helmull.yaml plugins/modules/helm_pull.py Reviewed-by: Yuriy Novostavskiy Reviewed-by: Mike Graves <mgraves@redhat.com> Reviewed-by: Irum Malik (cherry picked from commit ecc64ca)
Backport to stable-5: 💚 backport PR created✅ Backport PR branch: Backported as #858 🤖 @patchback |
SUMMARY Version 3.3.0 of ansible-collection kubernetes.core came with several improvements and bugfixes ISSUE TYPE New release pull request Changelog Minor Changes k8s_drain - Improve error message for pod disruption budget when draining a node (#797). Bugfixes helm - Helm version checks did not support RC versions. They now accept any version tags. (#745). helm_pull - Apply no_log=True to pass_credentials to silence false positive warning.. (#796). k8s_drain - Fix k8s_drain does not wait for single pod (#769). k8s_drain - Fix k8s_drain runs into a timeout when evicting a pod which is part of a stateful set (#792). kubeconfig option should not appear in module invocation log (#782). kustomize - kustomize plugin fails with deprecation warnings (#639). waiter - Fix waiting for daemonset when desired number of pods is 0. (#756). ADDITIONAL INFORMATION Collection kubernets.core version 3.3.0 is compatible with ansible-core>=2.14.0 Reviewed-by: Alina Buzachis Reviewed-by: Yuriy Novostavskiy Reviewed-by: Mike Graves <mgraves@redhat.com>
SUMMARY This release came with new module helm_registry_auth, and improvements to the error messages in the k8s_drain module, new parameter insecure_registry for helm_template module and several bug fixes. ISSUE TYPE New release pull request Changelog Minor Changes Bump version of ansible-lint to minimum 24.7.0 (#765). Parameter insecure_registry added to helm_template as equivalent of insecure-skip-tls-verify (#805). connection/kubectl.py - Added an example of using the kubectl connection plugin to the documentation (#741). k8s_drain - Improve error message for pod disruption budget when draining a node (#797). Bugfixes helm - Helm version checks did not support RC versions. They now accept any version tags. (#745). helm_pull - Apply no_log=True to pass_credentials to silence false positive warning.. (#796). k8s_drain - Fix k8s_drain does not wait for single pod (#769). k8s_drain - Fix k8s_drain runs into a timeout when evicting a pod which is part of a stateful set (#792). kubeconfig option should not appear in module invocation log (#782). kustomize - kustomize plugin fails with deprecation warnings (#639). waiter - Fix waiting for daemonset when desired number of pods is 0. (#756). New Modules helm_registry_auth - Helm registry authentication module ADDITIONAL INFORMATION Collection kubernets.core version 3.1.0 is compatible with ansible-core>=2.15.0 Reviewed-by: Mike Graves <mgraves@redhat.com>
SUMMARY This release came with new module helm_registry_auth, and improvements to the error messages in the k8s_drain module, new parameter insecure_registry for helm_template module and several bug fixes. ISSUE TYPE New release pull request Changelog Minor Changes Bump version of ansible-lint to minimum 24.7.0 (ansible-collections#765). Parameter insecure_registry added to helm_template as equivalent of insecure-skip-tls-verify (ansible-collections#805). connection/kubectl.py - Added an example of using the kubectl connection plugin to the documentation (ansible-collections#741). k8s_drain - Improve error message for pod disruption budget when draining a node (ansible-collections#797). Bugfixes helm - Helm version checks did not support RC versions. They now accept any version tags. (ansible-collections#745). helm_pull - Apply no_log=True to pass_credentials to silence false positive warning.. (ansible-collections#796). k8s_drain - Fix k8s_drain does not wait for single pod (ansible-collections#769). k8s_drain - Fix k8s_drain runs into a timeout when evicting a pod which is part of a stateful set (ansible-collections#792). kubeconfig option should not appear in module invocation log (ansible-collections#782). kustomize - kustomize plugin fails with deprecation warnings (ansible-collections#639). waiter - Fix waiting for daemonset when desired number of pods is 0. (ansible-collections#756). New Modules helm_registry_auth - Helm registry authentication module ADDITIONAL INFORMATION Collection kubernets.core version 3.1.0 is compatible with ansible-core>=2.15.0 Reviewed-by: Mike Graves <mgraves@redhat.com>
SUMMARY
Apply no_log=True to pass_credentials to silence false positive warning.
Fixes similar issue to: #423
ISSUE TYPE
COMPONENT NAME
changelog/fragements/796-false-positive-helmull.yaml
plugins/modules/helm_pull.py