MarkUnsafe is not applied to the full CR or full CR spec extra vars #41

Closed
plnordquist opened this issue Nov 6, 2023 · 1 comment · Fixed by #44

Bug Report

What did you do?

When the custom resource content includes a go/ansible template block, Ansible chokes on the content of the custom resource when using either the full CR extra var _cr_name or the full CR spec extra var _cr_name_spec as defined by the Ansible Operator since Ansible treats the content as safe.

The issue here operator-framework/operator-sdk#5160 was marked as closed when the accompanying PR was merged operator-framework/operator-sdk#6376. That PR does not exist in this repository as the content was lifted from the main operator-sdk repo just days prior to the PR merge. The PR was then merged here operator-framework/operator-sdk@b8a271a6 and then the content from the main repository was deleted here operator-framework/operator-sdk@d21ed64.

What did you expect to see?

A template block in the CR content should not break the operator.

What did you see instead? Under which circumstances?

The following error occurs when attempting to access the _cr_name_spec var with an Alertmanager template string in the CR spec:

fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while templating '{'foobar': '{{ $labels.instance }}'}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: template error while templating string: unexpected char '$' at 3. String: {{ $labels.instance }}. unexpected char '$' at 3"}

The operator then places this content into the failure condition on the CR with the bad template string. Our operator also references the full CR _cr_name var to access parts of the status of the CR, so that also fails even when the template string is removed from the spec content, with a different but similar error:

fatal: [localhost]: FAILED! => {"msg": "The conditional check '_miscscripts_pnnl_gov_tenantnamespace.status.loadBalancerIP is defined' failed. The error was: An unhandled exception occurred while templating '{'apiVersion': 'miscscripts.pnnl.gov/v1beta1', 'kind': 'TenantNamespace', 'metadata': {'annotations': {'kubectl.kubernetes.io/last-applied-configuration': '{\"apiVersion\":\"miscscripts.pnnl.gov/v1beta1\",\"kind\":\"TenantNamespace\",\"metadata\":{\"annotations\":{},\"name\":\"example\"},\"spec\":null}\\n'}, 'creationTimestamp': '2023-11-06T20:18:35Z', 'finalizers': ['finalizer.tenantnamespace.miscscripts.pnnl.gov'], 'generation': 4, 'managedFields': [{'apiVersion': 'miscscripts.pnnl.gov/v1beta1', 'fieldsType': 'FieldsV1', 'fieldsV1': {'f:metadata': {'f:finalizers': {'.': {}, 'v:\"finalizer.tenantnamespace.miscscripts.pnnl.gov\"': {}}}}, 'manager': 'ansible-operator', 'operation': 'Update', 'time': '2023-11-06T20:18:35Z'}, {'apiVersion': 'miscscripts.pnnl.gov/v1beta1', 'fieldsType': 'FieldsV1', 'fieldsV1': {'f:status': {'.': {}, 'f:conditions': {}}}, 'manager': 'ansible-operator', 'operation': 'Update', 'subresource': 'status', 'time': '2023-11-06T20:18:35Z'}, {'apiVersion': 'miscscripts.pnnl.gov/v1beta1', 'fieldsType': 'FieldsV1', 'fieldsV1': {'f:status': {'f:diff': {}, 'f:loadBalancerIP': {}}}, 'manager': 'OpenAPI-Generator', 'operation': 'Update', 'subresource': 'status', 'time': '2023-11-06T20:21:29Z'}, {'apiVersion': 'miscscripts.pnnl.gov/v1beta1', 'fieldsType': 'FieldsV1', 'fieldsV1': {'f:metadata': {'f:annotations': {'.': {}, 'f:kubectl.kubernetes.io/last-applied-configuration': {}}}}, 'manager': 'kubectl-client-side-apply', 'operation': 'Update', 'time': '2023-11-06T20:37:14Z'}], 'name': 'example', 'resourceVersion': '3566', 'uid': 'feb6f3ef-bda4-4330-8b7f-6e60daa45182'}, 'status': {'conditions': [{'lastTransitionTime': '2023-11-06T20:23:43Z', 'message': '', 'reason': '', 'status': 'False', 'type': 'Successful'}, {'ansibleResult': {'changed': 0, 
'completion': '2023-11-06T20:29:56.097284', 'failures': 1, 'ok': 1, 'skipped': 0}, 'lastTransitionTime': '2023-11-06T20:29:56Z', 'message': \"An unhandled exception occurred while templating '{'foobar': '{{ $labels.instance }}'}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: template error while templating string: unexpected char '$' at 3. String: {{ $labels.instance }}. unexpected char '$' at 3\", 'reason': 'Failed', 'status': 'False', 'type': 'Failure'}, {'lastTransitionTime': '2023-11-06T20:37:14Z', 'message': 'Running reconciliation', 'reason': 'Running', 'status': 'True', 'type': 'Running'}], 'diff': 'Cg==', 'loadBalancerIP': '10.17.192.1'}}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: template error while templating string: unexpected char '$' at 65. String: An unhandled exception occurred while templating '{'foobar': '{{ $labels.instance }}'}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: template error while templating string: unexpected char '$' at 3. String: {{ $labels.instance }}. unexpected char '$' at 3. unexpected char '$' at 65\n\nThe error appears to be in '/opt/ansible/roles/tenantnamespace/tasks/main.yml': line 104, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Set ingress ip if known\n  ^ here\n"}

Environment

Operator type:

/language ansible

Kubernetes cluster type:

vanilla

$ operator-sdk version

operator-sdk version: "v1.32.0", commit: "4dcbbe343b29d325fd8a14cc60366335298b40a3", kubernetes version: "1.26.0", go version: "go1.19.13", GOOS: "linux", GOARCH: "amd64"

$ kubectl version

WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.15", GitCommit:"da6089da4974a0a180c226c9353e1921fa3c248a", GitTreeState:"clean", BuildDate:"2023-10-18T13:40:02Z", GoVersion:"go1.20.10", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.17", GitCommit:"22a9682c8fe855c321be75c5faacde343f909b04", GitTreeState:"clean", BuildDate:"2023-08-23T23:37:25Z", GoVersion:"go1.20.7", Compiler:"gc", Platform:"linux/amd64"}

Possible Solution

Merge this PR operator-framework/operator-sdk#6376 into this repo. That should fix the full CR spec _cr_name_spec extra var unsafe although I haven't tested it. Any of these unsafe string fixes require the markUnsafe var to be set in the watches yaml content for each CR. I'm not actually sure about how to fix the full CR _cr_name extra var since it is being attached as the raw content here https://github.com/operator-framework/ansible-operator-plugins/blob/cbc2d46705c5beee42021429630c2e184c1283b6/internal/ansible/runner/runner.go#L365C28-L365C28.

Additional context

The workarounds for this seem to be to use the snake case vars that the operator defines since those can be marked unsafe. It also seems like the kubernetes.core.k8s_info task is able to read the content in safely and does not have these issues.
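
Added example, not code from this repository or from the issue author: a Go sketch of marking every string in the full CR and full CR spec extra vars as unsafe, including the status condition message that caused the second failure above. It assumes the extra vars reach Ansible as JSON and that Ansible decodes an object of the form {"__ansible_unsafe": "..."} as unsafe text that is never templated; wrapUnsafe, ExtraVars and the sample CR are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample: a template string in spec and, echoed by a failed run, in status.
const sampleCR = `{"spec": {"foobar": "{{ $labels.instance }}"}, "status": {"loadBalancerIP": "10.17.192.1",
  "conditions": [{"type": "Failure", "message": "templating '{{ $labels.instance }}' failed"}]}}`

// wrapUnsafe (hypothetical): string leaves become {"__ansible_unsafe": s} (assumed wire form); hits gets Jinja2-bearing paths.
func wrapUnsafe(v interface{}, path string, hits *[]string) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, e := range t {
			t[k] = wrapUnsafe(e, path+"."+k, hits)
		}
	case []interface{}:
		for i, e := range t {
			t[i] = wrapUnsafe(e, fmt.Sprintf("%s[%d]", path, i), hits)
		}
	case string:
		if strings.Contains(t, "{{") || strings.Contains(t, "{%") {
			*hits = append(*hits, path)
		}
		return map[string]interface{}{"__ansible_unsafe": t}
	}
	return v // containers (rewritten in place), numbers, booleans and null
}

// ExtraVars (hypothetical) returns both full-CR extra vars with every string marked unsafe, plus sorted hit paths.
func ExtraVars(crJSON, crName string) (map[string]interface{}, []string, error) {
	var cr map[string]interface{}
	if err := json.Unmarshal([]byte(crJSON), &cr); err != nil {
		return nil, nil, err
	}
	var hits []string
	wrapUnsafe(cr, "", &hits)
	sort.Strings(hits)
	return map[string]interface{}{"_" + crName: cr, "_" + crName + "_spec": cr["spec"]}, hits, nil
}

func main() {
	vars, hits, _ := ExtraVars(sampleCR, "miscscripts_pnnl_gov_tenantnamespace")
	out, _ := json.MarshalIndent(vars, "", "  ")
	fmt.Printf("%s\nwould have been templated: %v\n", out, hits)
}
```

The reported paths show why wrapping only spec is not enough: once a failed run copies the template string into a status condition, the full CR var carries it too.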


openshift-ci bot commented Nov 6, 2023

@plnordquist: The label(s) language/ansible cannot be applied, because the repository doesn't have them.
