Adds cloud credentials to AnsibleRunner (for EmbeddedAnsible) #18991

Merged
merged 7 commits into from
Jul 17, 2019
2 changes: 1 addition & 1 deletion lib/ansible/runner.rb
Expand Up @@ -263,7 +263,7 @@ def credentials_info(credentials, base_dir)
env_vars.merge!(cred.env_vars)
extra_vars.merge!(cred.extra_vars)

cred.write_password_file
cred.write_config_files
end

[command_line, env_vars, extra_vars]
2 changes: 1 addition & 1 deletion lib/ansible/runner/credential.rb
Expand Up @@ -31,7 +31,7 @@ def extra_vars
{}
end

def write_password_file
def write_config_files
end

private
21 changes: 21 additions & 0 deletions lib/ansible/runner/credential/amazon_credential.rb
@@ -0,0 +1,21 @@
module Ansible
class Runner
class AmazonCredential < Credential
def self.auth_type
"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::AmazonCredential"
end

# Modeled off of aws injectors for awx:
#
# https://github.com/ansible/awx/blob/1242ee2b/awx/main/models/credential/injectors.py#L11-L15
#
def env_vars
{
"AWS_ACCESS_KEY_ID" => auth.userid || "",
"AWS_SECRET_ACCESS_KEY" => auth.password || "",
"AWS_SECURITY_TOKEN" => auth.auth_key
}.delete_nils
end
end
end
end
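
Review bot: In env_vars, auth.userid and auth.password fall back to "" while auth.auth_key is dropped by delete_nils, so a credential with no access key still exports AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as empty strings instead of leaving them unset. Treat all three the same way (drop the || "" fallbacks and let delete_nils remove what is missing) or raise when the key pair is incomplete, so a misconfigured credential is caught here rather than surfacing later in the playbook run.
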
33 changes: 33 additions & 0 deletions lib/ansible/runner/credential/azure_credential.rb
@@ -0,0 +1,33 @@
module Ansible
class Runner
class AzureCredential < Credential
def self.auth_type
"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::AzureCredential"
end

# Modeled off of azure injectors for awx:
#
# https://github.com/ansible/awx/blob/1242ee2b/awx/main/models/credential/injectors.py#L45-L60
#
# NOTE: We don't currently support the AZURE_CLOUD_ENVIRONMENT variable
# as a configurable option.
#
def env_vars
if auth.options && auth.options[:client].present? && auth.options[:tenant].present?
{
"AZURE_CLIENT_ID" => (auth.options || {})[:client],
"AZURE_TENANT" => (auth.options || {})[:tenant],
"AZURE_SECRET" => auth.auth_key || "",
"AZURE_SUBSCRIPTION_ID" => (auth.options || {})[:subscription] || ""
}
else
{
"AZURE_AD_USER" => auth.userid || "",
"AZURE_PASSWORD" => auth.password || "",
"AZURE_SUBSCRIPTION_ID" => (auth.options || {})[:subscription] || ""
}
end
end
end
end
end
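
Review bot: In the first branch of env_vars the condition has already established that auth.options is set, so the (auth.options || {}) guards there are redundant, and the same expression is repeated in four places across the method. Assign options = auth.options || {} once at the top and use options[:client], options[:tenant] and options[:subscription] in both branches. The branch is also selected on client and tenant only, so AZURE_SECRET can still be exported as "" when auth.auth_key is nil; that deserves a check or a comment.
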
43 changes: 43 additions & 0 deletions lib/ansible/runner/credential/google_credential.rb
@@ -0,0 +1,43 @@
module Ansible
class Runner
class GoogleCredential < Credential
def self.auth_type
"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::GoogleCredential"
end

# Modeled off of gce injectors for awx:
#
# https://github.com/ansible/awx/blob/1242ee2b/awx/main/models/credential/injectors.py#L18-L42
#
def env_vars
{
"GCE_EMAIL" => auth.userid || "",
"GCE_PROJECT" => auth.project || "",
"GCE_CREDENTIALS_FILE_PATH" => gce_credentials_file
}
end

def write_config_files
write_gce_credentials_file
end

private

def write_gce_credentials_file
json_data = {
:type => "service_account",
:private_key => auth.auth_key || "",
:client_email => auth.userid || "",
:project_id => auth.project || ""
}

File.write(gce_credentials_file, json_data.to_json)
File.chmod(0o0600, gce_credentials_file)
end

def gce_credentials_file
File.join(base_dir, "gce_credentials")
end
end
end
end
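
Review bot: write_gce_credentials_file creates the file with File.write and only afterwards restricts it with File.chmod(0o0600, gce_credentials_file), so the service-account private key sits on disk with whatever mode the process umask allows until the chmod runs. Set the mode at creation instead, File.write(gce_credentials_file, json_data.to_json, :perm => 0o600), and keep the chmod only to cover a file that already exists with wider permissions.
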
27 changes: 15 additions & 12 deletions lib/ansible/runner/credential/machine_credential.rb
Expand Up @@ -12,16 +12,9 @@ def command_line
end
end

def write_password_file
password_hash = {
"^SSH [pP]assword:" => auth.password,
"^BECOME [pP]assword:" => auth.become_password,
"^Enter passphrase for [a-zA-Z0-9\-\/]+\/ssh_key_data:" => auth.ssh_key_unlock
}.delete_blanks

File.write(password_file, password_hash.to_yaml) if password_hash.present?

write_ssh_key if auth.auth_key.present?
def write_config_files
write_password_file
write_ssh_key_file
end

private
Expand All @@ -36,8 +29,18 @@ def become_args
}
end

def write_ssh_key
File.write(ssh_key_file, auth.auth_key)
def write_password_file
password_hash = {
"^SSH [pP]assword:" => auth.password,
"^BECOME [pP]assword:" => auth.become_password,
"^Enter passphrase for [a-zA-Z0-9\-\/]+\/ssh_key_data:" => auth.ssh_key_unlock
}.delete_blanks

File.write(password_file, password_hash.to_yaml) if password_hash.present?
end

def write_ssh_key_file
File.write(ssh_key_file, auth.auth_key) if auth.auth_key.present?
end
end
end
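
Review bot: write_password_file and write_ssh_key_file call File.write with no mode, so the YAML holding the SSH and become passwords and the private key file are created with default umask-derived permissions, while the cloud credential classes added in this same PR restrict their files to 0o0600. Create both files with an explicit mode, for example File.write(ssh_key_file, auth.auth_key, :perm => 0o600), so every credential type protects its secrets the same way.
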
47 changes: 47 additions & 0 deletions lib/ansible/runner/credential/openstack_credential.rb
@@ -0,0 +1,47 @@
module Ansible
class Runner
class OpenstackCredential < Credential
def self.auth_type
"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::OpenstackCredential"
end

# Modeled off of openstack injectors for awx:
#
# https://github.com/ansible/awx/blob/1242ee2b/awx/main/models/credential/injectors.py#L70-L96
#
def env_vars
{ "OS_CLIENT_CONFIG_FILE" => os_credentials_file }
end

def write_config_files
write_os_credentials_file
end

private

def write_os_credentials_file
openstack_data = {
"clouds" => {
"devstack" => {
"verify" => false, # NOTE: We don't have a way of configuring this currently
"auth" => {
"auth_url" => auth.host || "",
"username" => auth.userid || "",
"password" => auth.password || "",
"project_name" => auth.project || "",
"domain_name" => auth.domain
}.delete_nils
}
}
}

File.write(os_credentials_file, openstack_data.to_yaml)
File.chmod(0o0600, os_credentials_file)
end

def os_credentials_file
File.join(base_dir, "os_credentials")
end
end
end
end
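
Review bot: "verify" => false in write_os_credentials_file hard-codes TLS certificate verification off for every OpenStack credential, and the inline NOTE confirms there is currently no way to turn it back on. The username and password sent to auth_url are then exposed to anyone able to impersonate that endpoint. Default to verification on and add a credential option to relax it, or at minimum reference a tracking issue from the comment. Separately, File.write followed by File.chmod(0o0600, os_credentials_file) leaves a window in which the file has umask-derived permissions; pass :perm => 0o600 to File.write.
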
55 changes: 55 additions & 0 deletions lib/ansible/runner/credential/rhv_credential.rb
@@ -0,0 +1,55 @@
module Ansible
class Runner
class RhvCredential < Credential
def self.auth_type
"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::RhvCredential"
end

# Modeled off of rhv injectors for awx:
#
# https://github.com/ansible/awx/blob/1242ee2b/awx/main/models/credential/__init__.py#L1035-L1054
#
def env_vars
{
"OVIRT_INI_PATH" => ovirt_ini_file,
"OVIRT_URL" => auth.host || "",
"OVIRT_USERNAME" => auth.userid || "",
"OVIRT_PASSWORD" => auth.password || "",
}
end

def write_config_files
write_ovirt_ini_file
end

private

def write_ovirt_ini_file
ovirt_data = %W[
[ovirt]
ovirt_url=#{auth.host}
ovirt_username=#{auth.userid}
ovirt_password=#{auth.password}
]

# NOTE: We currently DO NOT support ca_file support as is in `awx`.
#
# ansible/awx ref:
#
# https://github.com/ansible/awx/blob/1242ee2b/awx/main/models/credential/__init__.py#L1046
#
# To add, we need to update the GoogleCredential::API_OPTIONS in
# app/models and add the following line here:
#
# ovirt_data << "ovirt_ca_file=#{auth.auth_key}" if auth.auth_key

File.write(ovirt_ini_file, ovirt_data.join("\n"))
File.chmod(0o0600, ovirt_ini_file)
end

def ovirt_ini_file
File.join(base_dir, "ovirt.ini")
Member Author

Quick note here: I changed this from rhv_credentials (what it was in the previous version) since this is what the file is normally called:

https://github.com/openshift/openshift-ansible-contrib/blob/d16d2f73/reference-architecture/rhv-ansible/inventory/ovirt.ini.example#L21-L34

end
end
end
end
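
Review bot: write_ovirt_ini_file interpolates auth.host, auth.userid and auth.password straight into ini lines that are joined with "\n", so a value containing a line break adds extra lines to ovirt.ini, and nil values are written as empty settings. Reject or strip line breaks in the three values before writing, and decide explicitly what happens when one is missing. The NOTE about ca_file refers to GoogleCredential::API_OPTIONS, which looks like a copy-paste from the Google class. As in the other file-writing classes, pass :perm => 0o600 to File.write instead of relying on the later File.chmod.
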
23 changes: 23 additions & 0 deletions lib/ansible/runner/credential/vmware_credential.rb
@@ -0,0 +1,23 @@
module Ansible
class Runner
class VmwareCredential < Credential
def self.auth_type
"ManageIQ::Providers::EmbeddedAnsible::AutomationManager::VmwareCredential"
end

# Modeled off of vmware injectors for awx:
#
# https://github.com/ansible/awx/blob/1242ee2b/awx/main/models/credential/injectors.py#L63-L67
#
# NOTE: The VMWARE_VALIDATE_CERTS is currently not supported.
#
def env_vars
{
"VMWARE_USER" => auth.userid || "",
"VMWARE_PASSWORD" => auth.password || "",
"VMWARE_HOST" => auth.host || ""
}
end
end
end
end
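
Review bot: The NOTE above env_vars says VMWARE_VALIDATE_CERTS is not supported but does not say what certificate validation a playbook run ends up with when the variable is absent. State the effective behaviour in the comment, or export the variable explicitly, so that TLS validation for VMWARE_HOST does not depend on an undocumented default.
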
20 changes: 20 additions & 0 deletions spec/factories/authentication.rb
Expand Up @@ -83,6 +83,14 @@
:parent => :embedded_ansible_credential,
:class => "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::AmazonCredential"

factory :embedded_ansible_azure_credential,
:parent => :embedded_ansible_credential,
:class => "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::AzureCredential"

factory :embedded_ansible_google_credential,
:parent => :embedded_ansible_credential,
:class => "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::GoogleCredential"

factory :embedded_ansible_machine_credential,
:parent => :embedded_ansible_credential,
:class => "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential"
Expand All @@ -95,10 +103,22 @@
:parent => :embedded_ansible_credential,
:class => "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::CloudCredential"

factory :embedded_ansible_openstack_credential,
:parent => :embedded_ansible_credential,
:class => "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::OpenstackCredential"

factory :embedded_ansible_rhv_credential,
:parent => :embedded_ansible_credential,
:class => "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::RhvCredential"

factory :embedded_ansible_scm_credential,
:parent => :embedded_ansible_credential,
:class => "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::ScmCredential"

factory :embedded_ansible_vmware_credential,
:parent => :embedded_ansible_credential,
:class => "ManageIQ::Providers::EmbeddedAnsible::AutomationManager::VmwareCredential"

factory :auth_key_pair_cloud, :class => "ManageIQ::Providers::CloudManager::AuthKeyPair"
factory :auth_key_pair_amazon, :class => "ManageIQ::Providers::Amazon::CloudManager::AuthKeyPair"
factory :auth_key_pair_openstack, :class => "ManageIQ::Providers::Openstack::CloudManager::AuthKeyPair"