-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
helm_pull: Silence false no_log warning #796
base: main
Are you sure you want to change the base?
Conversation
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 10m 16s |
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 3m 59s |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
confirmed that even in module_utils we have no_logs=True
and password not appear in module output, it's a false positive warning
Hi @colshine1, please update the integration test with the following: please add
|
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 4m 33s |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
plugins/modules/helm_pull.py
Outdated
@@ -189,7 +189,7 @@ def main(): | |||
repo_password=dict( | |||
type="str", no_log=True, aliases=["password", "chart_repo_password"] | |||
), | |||
pass_credentials=dict(type="bool", default=False), | |||
pass_credentials=dict(type="bool", default=False, no_log=True), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pass_credentials=dict(type="bool", default=False, no_log=True), | |
pass_credentials=dict(type="bool", default=False, no_log=False), |
This should be False
since this is a false positive.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be
False
since this is a false positive.
False
is the default one and it will behave in the same way as now, it throws a warning Module did not set no_log for pass_credentials
. So, it should be no_log=True
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, explicitly setting no_log=False
is the correct way to deal with a false positive.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, explicitly setting
no_log=False
is the correct way to deal with a false positive.
Hm... I will check how it works
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I setup a sample test playbook:
- hosts: localhost
tasks:
- name: Download chart to controlhost
kubernetes.core.helm_pull:
chart_ref: "https://domain.com/helm_chart-0.0.1.tgz"
destination: "/tmp/"
untar_chart: false
repo_username: user
repo_password: password
pass_credentials: false
I run the playbook with -vvv to get the module parameters in the output, the output fails as I set fake credentials for this test.
Without any changes to the module the output is:
[WARNING]: Module did not set no_log for pass_credentials
fatal: [localhost]: FAILED! => {
"changed": false,
"command": "helm pull https://domain.com/helm_chart-0.0.1.tgz --username user --******** ******** --destination /tmp/",
"invocation": {
"module_args": {
"binary_path": null,
"chart_ca_cert": null,
"chart_devel": null,
"chart_ref": "https://domain.com/helm_chart-0.0.1.tgz",
"chart_ssl_cert_file": null,
"chart_ssl_key_file": null,
"chart_version": null,
"destination": "/tmp/",
"pass_credentials": false,
"provenance": false,
"repo_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"repo_url": null,
"repo_username": "user",
"skip_tls_certs_check": false,
"untar_chart": false,
"verify_chart": false,
"verify_chart_keyring": null
}
},
"msg": "Failure when executing Helm command.",
"rc": 1,
"stderr": "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized\n",
"stderr_lines": [
"Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized"
],
"stdout": "",
"stdout_lines": []
}
setting no_log to False on line 192:
fatal: [localhost]: FAILED! => {
"changed": false,
"command": "helm pull https://domain.com/helm_chart-0.0.1.tgz --username user --******** ******** --destination /tmp/",
"invocation": {
"module_args": {
"binary_path": null,
"chart_ca_cert": null,
"chart_devel": null,
"chart_ref": "https://domain.com/helm_chart-0.0.1.tgz",
"chart_ssl_cert_file": null,
"chart_ssl_key_file": null,
"chart_version": null,
"destination": "/tmp/",
"pass_credentials": false,
"provenance": false,
"repo_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"repo_url": null,
"repo_username": "user",
"skip_tls_certs_check": false,
"untar_chart": false,
"verify_chart": false,
"verify_chart_keyring": null
}
},
"msg": "Failure when executing Helm command.",
"rc": 1,
"stderr": "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized\n",
"stderr_lines": [
"Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized"
],
"stdout": "",
"stdout_lines": []
}
setting no_log to False on line 192:
fatal: [localhost]: FAILED! => {
"changed": false,
"command": "helm pull https://domain.com/helm_chart-0.0.1.tgz --username user --******** ******** --destination /tmp/",
"invocation": {
"module_args": {
"binary_path": null,
"chart_ca_cert": null,
"chart_devel": null,
"chart_ref": "https://domain.com/helm_chart-0.0.1.tgz",
"chart_ssl_cert_file": null,
"chart_ssl_key_file": null,
"chart_version": null,
"destination": "/tmp/",
"pass_credentials": false,
"provenance": false,
"repo_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"repo_url": null,
"repo_username": "user",
"skip_tls_certs_check": false,
"untar_chart": false,
"verify_chart": false,
"verify_chart_keyring": null
}
},
"msg": "Failure when executing Helm command.",
"rc": 1,
"stderr": "Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized\n",
"stderr_lines": [
"Error: failed to fetch https://domain.com/helm_chart-0.0.1.tgz : 401 Unauthorized"
],
"stdout": "",
"stdout_lines": []
}
I added no_log=True to be consistent with this: https://github.com/Akasurde/kubernetes.core/blob/22013686e7f2f735d5de5850b612dce4daa04b1a/plugins/modules/helm_repository.py#L231. However, it looks like this no longer exists in the module so I'm happy to update based on whatever is the correct solution.
@@ -180,6 +180,7 @@ | |||
- '"--username ansible" in _result.command' | |||
- '"--password ***" in _result.command' | |||
- '"--keyring pubring.gpg" in _result.command' | |||
- '"Module did not set no_log for pass_credentials" not in _result.warnings' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be _result.stderr
instead of _result.warnings
, module helm_pull returns warnings into stderr
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated as requested
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 5m 14s |
Build succeeded. ✔️ ansible-galaxy-importer SUCCESS in 3m 32s |
Hi @colshine1 or @gravesm, could you please rebase to master? |
Strangely, I saw that message in my testing environment some time ago, but I'm not sure about the package versions. Today trying to reproduce the issue with ansible-core 2.16.14 and kubernetes.core both 3.2.0 and 5.0.0 versions, and the issue is not reproducible. So, probably that PR is not required anymore |
SUMMARY
Apply no_log=True to pass_credentials to silence false positive warning.
Fixes similar issue to: #423
ISSUE TYPE
COMPONENT NAME
changelog/fragements/796-false-positive-helmull.yaml
plugins/modules/helm_pull.py