helm_pull: Silence false no_log warning #796

Open
wants to merge 5 commits into
base: main

@colshine1 colshine1 commented Nov 22, 2024

SUMMARY

Apply no_log=True to pass_credentials to silence false positive warning.

Fixes similar issue to: #423

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

changelog/fragements/796-false-positive-helmull.yaml
plugins/modules/helm_pull.py

Contributor

@yurnov yurnov left a comment

Confirmed that even in module_utils we have no_logs=True and the password does not appear in module output; it's a false positive warning.

Contributor

yurnov commented Nov 24, 2024

Hi @colshine1,

please update the integration test with the following:
https://github.com/ansible-collections/kubernetes.core/blob/cd686316e9b3af6df67c19027b573b27468234e3/tests/integration/targets/helm_pull/tasks/main.yml#L170C1-L182C61

please add

              - '"Module did not set no_log for pass_credentials" not in _result.warnings'

Contributor

@yurnov yurnov left a comment

LGTM

@@ -189,7 +189,7 @@ def main():
repo_password=dict(
type="str", no_log=True, aliases=["password", "chart_repo_password"]
),
pass_credentials=dict(type="bool", default=False),
pass_credentials=dict(type="bool", default=False, no_log=True),
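
Review bot: On the changed `pass_credentials` line, `no_log=True` declares a `type="bool"` flag with `default=False` to be a secret, which puts it in the same class as `repo_password` directly above even though it holds no credential material. If the aim is only to stop the name-based warning, state the non-secret intent explicitly with `no_log=False` and add a one-line comment saying why, so the argument spec keeps telling readers and auditors which fields actually need redaction.
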
Member

Suggested change
pass_credentials=dict(type="bool", default=False, no_log=True),
pass_credentials=dict(type="bool", default=False, no_log=False),

This should be False since this is a false positive.

Contributor

> This should be False since this is a false positive.

False is the default one and it will behave in the same way as now, it throws a warning Module did not set no_log for pass_credentials. So, it should be no_log=True

Member

No, explicitly setting no_log=False is the correct way to deal with a false positive.

Contributor

> No, explicitly setting no_log=False is the correct way to deal with a false positive.

Hm... I will check how it works

Author

I set up a sample test playbook:

- hosts: localhost
  tasks:
    - name: Download chart to controlhost
      kubernetes.core.helm_pull:
        chart_ref: "https://domain.com/helm_chart-0.0.1.tgz"
        destination: "/tmp/"
        untar_chart: false
        repo_username: user
        repo_password: password
        pass_credentials: false

I run the playbook with -vvv to get the module parameters in the output, the output fails as I set fake credentials for this test.

Without any changes to the module the output is:

[WARNING]: Module did not set no_log for pass_credentials
fatal: [localhost]: FAILED! => {
    "changed": false,
    "command": "helm pull https://domain.com/helm_chart-0.0.1.tgz --username user --******** ******** --destination /tmp/",
    "invocation": {
        "module_args": {
            "binary_path": null,
            "chart_ca_cert": null,
            "chart_devel": null,
            "chart_ref": "https://domain.com/helm_chart-0.0.1.tgz",
            "chart_ssl_cert_file": null,
            "chart_ssl_key_file": null,
            "chart_version": null,
            "destination": "/tmp/",
            "pass_credentials": false,
            "provenance": false,
            "repo_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "repo_url": null,
            "repo_username": "user",
            "skip_tls_certs_check": false,
            "untar_chart": false,
            "verify_chart": false,
            "verify_chart_keyring": null
        }
    },
    "msg": "Failure when executing Helm command.",
    "rc": 1,
    "stderr": "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized\n",
    "stderr_lines": [
        "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized"
    ],
    "stdout": "",
    "stdout_lines": []
}

setting no_log to False on line 192:

fatal: [localhost]: FAILED! => {
    "changed": false,
    "command": "helm pull https://domain.com/helm_chart-0.0.1.tgz --username user --******** ******** --destination /tmp/",
    "invocation": {
        "module_args": {
            "binary_path": null,
            "chart_ca_cert": null,
            "chart_devel": null,
            "chart_ref": "https://domain.com/helm_chart-0.0.1.tgz",
            "chart_ssl_cert_file": null,
            "chart_ssl_key_file": null,
            "chart_version": null,
            "destination": "/tmp/",
            "pass_credentials": false,
            "provenance": false,
            "repo_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "repo_url": null,
            "repo_username": "user",
            "skip_tls_certs_check": false,
            "untar_chart": false,
            "verify_chart": false,
            "verify_chart_keyring": null
        }
    },
    "msg": "Failure when executing Helm command.",
    "rc": 1,
    "stderr": "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized\n",
    "stderr_lines": [
        "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized"
    ],
    "stdout": "",
    "stdout_lines": []
}

setting no_log to False on line 192:

fatal: [localhost]: FAILED! => {
    "changed": false,
    "command": "helm pull https://domain.com/helm_chart-0.0.1.tgz --username user --******** ******** --destination /tmp/",
    "invocation": {
        "module_args": {
            "binary_path": null,
            "chart_ca_cert": null,
            "chart_devel": null,
            "chart_ref": "https://domain.com/helm_chart-0.0.1.tgz",
            "chart_ssl_cert_file": null,
            "chart_ssl_key_file": null,
            "chart_version": null,
            "destination": "/tmp/",
            "pass_credentials": false,
            "provenance": false,
            "repo_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "repo_url": null,
            "repo_username": "user",
            "skip_tls_certs_check": false,
            "untar_chart": false,
            "verify_chart": false,
            "verify_chart_keyring": null
        }
    },
    "msg": "Failure when executing Helm command.",
    "rc": 1,
    "stderr": "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized\n",
    "stderr_lines": [
        "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized"
    ],
    "stdout": "",
    "stdout_lines": []
}

I added no_log=True to be consistent with this: https://github.com/Akasurde/kubernetes.core/blob/22013686e7f2f735d5de5850b612dce4daa04b1a/plugins/modules/helm_repository.py#L231. However, it looks like this no longer exists in the module so I'm happy to update based on whatever is the correct solution.

@@ -180,6 +180,7 @@
- '"--username ansible" in _result.command'
- '"--password ***" in _result.command'
- '"--keyring pubring.gpg" in _result.command'
- '"Module did not set no_log for pass_credentials" not in _result.warnings'
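
Review bot: The added check on `_result.warnings` is a negative assertion against a key that may be absent from the registered result, so it can fail on an undefined attribute or pass without proving the warning was looked for in the right place. Guard the lookup, for example `_result.warnings | default([])`, and confirm which field of `_result` actually carries module warnings for this task before relying on `not in`.
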
Contributor

should be _result.stderr instead of _result.warnings, module helm_pull returns warnings into stderr

Author

Updated as requested

Contributor

yurnov commented Dec 20, 2024

Hi @colshine1 or @gravesm, could you please rebase to master?

Contributor

yurnov commented Dec 21, 2024

Strangely, I saw that message in my testing environment some time ago, but I'm not sure about the package versions. Today I tried to reproduce the issue with ansible-core 2.16.14 and kubernetes.core versions 3.2.0 and 5.0.0, and the issue is not reproducible. So, probably that PR is not required anymore.
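
The three states of `no_log` that the review comments in this thread argue over, as an added example that is not part of the pull request or of ansible-core: a simplified model of the decision a module makes when it logs its parameters. The name pattern, the `log_view` and `spec_with` helpers and the `<hidden>` mask are assumptions made for illustration.

```python
import re

# Assumption: a name pattern modelled on the password heuristic applied to
# parameter names; the exact expression in a given ansible-core release may differ.
PASSWORD_LIKE = re.compile(
    r"^(?:.+[-_\s])?pass(?:[-_\s]?(?:word|phrase|wrd|wd)?)(?:[-_\s].+)?$", re.I
)
MASK = "<hidden>"  # constructed placeholder, not a string Ansible emits
WARNING = "Module did not set no_log for {}"


def log_view(argument_spec, params):
    """Hypothetical helper: return (loggable_params, warnings) for one invocation."""
    shown, warnings = {}, []
    for name, value in params.items():
        no_log = argument_spec.get(name, {}).get("no_log")  # None: never declared
        if no_log is None and PASSWORD_LIKE.search(name):
            # Undeclared and the name looks secret: hide it and warn the author.
            shown[name] = MASK
            warnings.append(WARNING.format(name))
        elif no_log:
            shown[name] = MASK   # declared secret: hidden, no warning
        else:
            shown[name] = value  # declared (or presumed) non-secret: shown as-is
    return shown, warnings


# Constructed sample input mirroring the test playbook in this thread.
PARAMS = {"chart_ref": "https://domain.com/helm_chart-0.0.1.tgz",
          "repo_password": "password", "pass_credentials": False}


def spec_with(pass_credentials_opts):
    """Hypothetical helper: a cut-down argument spec with one option varied."""
    return {"chart_ref": {"type": "str"},
            "repo_password": {"type": "str", "no_log": True},
            "pass_credentials": dict(type="bool", default=False,
                                     **pass_credentials_opts)}


if __name__ == "__main__":
    for label, opts in [("unset", {}), ("no_log=False", {"no_log": False}),
                        ("no_log=True", {"no_log": True})]:
        shown, warnings = log_view(spec_with(opts), PARAMS)
        print(f"{label:13} pass_credentials={shown['pass_credentials']!r} "
              f"warnings={warnings}")
```

In this model both explicit settings remove the warning; only `no_log=False` leaves the flag's value visible in the log, while `no_log=True` also redacts a value that is not a secret.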
