Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added 'ignore_timestamps' parameter #381

Merged
merged 15 commits into from
Jan 20, 2022
Merged

Added 'ignore_timestamps' parameter #381

merged 15 commits into from
Jan 20, 2022

Conversation

JochenKorge
Copy link
Contributor

SUMMARY

added 'ignore_timestamps' parameter to openssh_cert so it can be used semi-idempotent with relative timestamps in valid_to/valid_from.

Defaults to false (to be consistent with older versions)

Fixes #379

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

openssh_cert

ADDITIONAL INFORMATION

It´s my (second try on the) first pull-request and I´m new to python, so please be gentle ;)

Ajpantuso
Ajpantuso requested changes Jan 18, 2022
View reviewed changes
Copy link
Collaborator

@Ajpantuso Ajpantuso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution! Please add a changelog fragment and review the initial comments. Also, I would suggest at least two test cases added here. The first will test that with ignore_timestamps: true, equivalent relative timestamps for valid_from/valid_to, and a valid_at value within an existing certificates valid time range a subsequent task does not generate a new certificate. The second test is the same, but with ignore_timestamps omitted which should generate a new certificate.

plugins/modules/openssh_cert.py Outdated Show resolved Hide resolved
plugins/modules/openssh_cert.py Outdated Show resolved Hide resolved
plugins/modules/openssh_cert.py Outdated Show resolved Hide resolved
plugins/modules/openssh_cert.py Outdated Show resolved Hide resolved
@JochenKorge JochenKorge requested a review from Ajpantuso January 18, 2022 15:57
@JochenKorge
Copy link
Contributor Author

Did the proposed changes, added third test for valid_at > valid_to (has to change the cert)

felixfontein
felixfontein reviewed Jan 18, 2022
View reviewed changes
changelogs/fragments/381_openssh_cert_add_ignore_timestamps.yml Outdated Show resolved Hide resolved
plugins/modules/openssh_cert.py Outdated Show resolved Hide resolved
plugins/modules/openssh_cert.py Outdated Show resolved Hide resolved
@JochenKorge
Copy link
Contributor Author

Out of curiosity, is there a way to run those tests local? I feel bad for spamming your repo.

@felixfontein
Copy link
Contributor

You can run them locally as follows: ansible-test sanity --docker -v to run the sanity tests, ansible-test integration --docker fedora35 -v openssh_cert for the integration tests. You need to have checked out the repo in the correct path structure, though.

@JochenKorge
Copy link
Contributor Author

Is there any reason to separate valid_at and ignore_timestamps other than it changes behavior?

Even the Documentation states:

Check if the certificate is valid at a certain point in time. If it is not the certificate will be regenerated. Time will always be interpreted as UTC. Mainly to be used with relative timespec for valid_from and / or valid_to. Note that if using relative time this module is NOT idempotent.

So I propose to merge ignore_timestamps as a crutch until the next big release and then change default behavior to the less surprising "if valid_at is set, ignore relative time"

Please correct me if I miss some use case where you need valid_at and ignore_timestamp false

@felixfontein
Copy link
Contributor

I don't see why this is a crutch. From my POV this is the correct change, and somehow coupling valid_at and ignore_timestamps would be simply wrong. There are use-cases where ignore_timestamp makes sense without (relative) valid_at. Also absolute timestamps do not mean that they are constants in the playbook, they could have been templated (the module doesn't know how they looked in the playbook).

felixfontein
felixfontein reviewed Jan 18, 2022
View reviewed changes
Copy link
Contributor

@felixfontein felixfontein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Besides this, looks good!

plugins/modules/openssh_cert.py Show resolved Hide resolved
@felixfontein felixfontein mentioned this pull request Jan 18, 2022
Closed
2 tasks
Ajpantuso
Ajpantuso approved these changes Jan 19, 2022
View reviewed changes
Copy link
Collaborator

@Ajpantuso Ajpantuso left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for implementing this!

@felixfontein felixfontein merged commit b339e71 into ansible-collections:main Jan 20, 2022
@felixfontein
Copy link
Contributor

@JochenKorge thanks for implementing this!
@Ajpantuso thanks for reviewing!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ajpantuso Ajpantuso Ajpantuso approved these changes

@felixfontein felixfontein felixfontein approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

openssh_cert: valid_at has no effect (will always be regenerated)
3 participants
@JochenKorge @felixfontein @Ajpantuso