community.hashi_vault
ADD: unix socket support
SUMMARY
This PR adds support for Unix sockets in VAULT_ADDR/url.
This allows, for example, connecting to a vault-agent listening on a Unix socket.
The implementation follows the guidance proposed by hvac: https://hvac.readthedocs.io/en/latest/advanced_usage.html#vault-agent-unix-socket-listener
ISSUE TYPE
- Feature Pull Request
COMPONENT NAME
HashiVaultHelper::get_vault_client
ADDITIONAL INFORMATION
Here is the task configuration:

```yaml
- name: Issue new PKI certificate
  environment:
    VAULT_ADDR: unix:///var/run/vault-agent.socket
  community.hashi_vault.vault_pki_generate_certificate:
    common_name: "{{ ansible_fqdn }}"
    role_name: host
    auth_method: none
  register: cert
  failed_when:
    - "'certificate' not in cert.data.data"
    - "'private_key' not in cert.data.data"
```
Before the change:

```text
TASK [vault : Issue new PKI certificate] ***************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: requests.exceptions.InvalidSchema: No connection adapters were found for 'unix:///var/run/vault-agent.socket/v1/pki/issue/host'
fatal: [<REDACTED>]: FAILED! => {"changed": false, "failed_when_result": "The conditional check ''certificate' not in cert.data.data' failed. The error was: error while evaluating conditional ('certificate' not in cert.data.data): 'dict object' has no attribute 'data'. 'dict object' has no attribute 'data'", "module_stderr": "Shared connection to <REDACTED> closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/home/exoadmin/.ansible/tmp/ansible-tmp-1730810202.0243812-1387826-143459003234056/AnsiballZ_vault_pki_generate_certificate.py\", line 107, in <module>\r\n _ansiballz_main()\r\n File \"/home/exoadmin/.ansible/tmp/ansible-tmp-1730810202.0243812-1387826-143459003234056/AnsiballZ_vault_pki_generate_certificate.py\", line 99, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/exoadmin/.ansible/tmp/ansible-tmp-1730810202.0243812-1387826-143459003234056/AnsiballZ_vault_pki_generate_certificate.py\", line 47, in invoke_module\r\n runpy.run_module(mod_name='ansible_collections.community.hashi_vault.plugins.modules.vault_pki_generate_certificate', init_globals=dict(_module_fqn='ansible_collections.community.hashi_vault.plugins.modules.vault_pki_generate_certificate', _modlib_path=modlib_path),\r\n File \"/usr/lib/python3.10/runpy.py\", line 224, in run_module\r\n return _run_module_code(code, init_globals, run_name, mod_spec)\r\n File \"/usr/lib/python3.10/runpy.py\", line 96, in _run_module_code\r\n _run_code(code, mod_globals, init_globals,\r\n File \"/usr/lib/python3.10/runpy.py\", line 86, in _run_code\r\n exec(code, run_globals)\r\n File \"/tmp/ansible_community.hashi_vault.vault_pki_generate_certificate_payload_da_vd70d/ansible_community.hashi_vault.vault_pki_generate_certificate_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_pki_generate_certificate.py\", line 286, in <module>\r\n File 
\"/tmp/ansible_community.hashi_vault.vault_pki_generate_certificate_payload_da_vd70d/ansible_community.hashi_vault.vault_pki_generate_certificate_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_pki_generate_certificate.py\", line 282, in main\r\n File \"/tmp/ansible_community.hashi_vault.vault_pki_generate_certificate_payload_da_vd70d/ansible_community.hashi_vault.vault_pki_generate_certificate_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_pki_generate_certificate.py\", line 270, in run_module\r\n File \"/usr/lib/python3/dist-packages/hvac/api/secrets_engines/pki.py\", line 381, in generate_certificate\r\n return self._adapter.post(\r\n File \"/usr/lib/python3/dist-packages/hvac/adapters.py\", line 126, in post\r\n return self.request(\"post\", url, **kwargs)\r\n File \"/usr/lib/python3/dist-packages/hvac/adapters.py\", line 364, in request\r\n response = super(JSONAdapter, self).request(*args, **kwargs)\r\n File \"/usr/lib/python3/dist-packages/hvac/adapters.py\", line 313, in request\r\n response = self.session.request(\r\n File \"/usr/lib/python3/dist-packages/requests/sessions.py\", line 544, in request\r\n resp = self.send(prep, **send_kwargs)\r\n File \"/usr/lib/python3/dist-packages/requests/sessions.py\", line 651, in send\r\n adapter = self.get_adapter(url=request.url)\r\n File \"/usr/lib/python3/dist-packages/requests/sessions.py\", line 744, in get_adapter\r\n raise InvalidSchema(\"No connection adapters were found for {!r}\".format(url))\r\nrequests.exceptions.InvalidSchema: No connection adapters were found for 'unix:///var/run/vault-agent.socket/v1/pki/issue/host'\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
```
After the change:

```text
TASK [vault : Issue new PKI certificate] ***************************************************************
changed: [<REDACTED>]
```
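As an added example (not code from this PR or from the collection), here is how a client can reach a vault-agent Unix socket listener the way the hvac documentation linked above describes: the `unix://` form used in VAULT_ADDR is translated into the `http+unix://` URL that `requests_unixsocket` understands (which is what the plain `requests` session in the traceback above had no adapter for), and the socket path is verified before use. The `unix_addr_to_hvac_url`, `check_socket_path` and `build_client` names are my own; `hvac` and `requests_unixsocket` are assumed installed only when `build_client` is called.

```python
# Added example, not the PR's own implementation.
import os
import stat
from urllib.parse import quote, urlsplit


def unix_addr_to_hvac_url(addr):
    """Translate a unix:///path VAULT_ADDR into the http+unix:// form that
    requests_unixsocket understands (socket path percent-encoded into the
    netloc). http:// and https:// addresses pass through unchanged."""
    parts = urlsplit(addr)
    if parts.scheme in ("http", "https"):
        return addr
    if parts.scheme != "unix":
        raise ValueError("unsupported VAULT_ADDR scheme: %r" % parts.scheme)
    # For unix:///var/run/x.sock urlsplit yields an empty netloc and the
    # absolute path; a non-empty netloc means the address was malformed.
    if parts.netloc or not parts.path.startswith("/"):
        raise ValueError("unix:// address must carry an absolute socket path")
    # safe="" also encodes "/", which is what requests_unixsocket expects.
    return "http+unix://" + quote(parts.path, safe="")


def check_socket_path(addr):
    """Return the socket path of a unix:// address after verifying that it
    exists and really is a socket, so a typo cannot silently target a file."""
    path = urlsplit(addr).path
    st = os.stat(path)  # FileNotFoundError if the agent is not listening
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s exists but is not a Unix socket" % path)
    return path


def build_client(addr, token=None):
    """Build hvac.Client for addr, mounting a requests_unixsocket session when
    addr is a Unix socket (the hvac docs approach). Imports are local so the
    URL helpers above work without these optional dependencies installed."""
    import hvac  # assumed installed

    url = unix_addr_to_hvac_url(addr)
    if url.startswith("http+unix://"):
        import requests_unixsocket  # assumed installed

        check_socket_path(addr)
        return hvac.Client(url=url, token=token,
                           session=requests_unixsocket.Session())
    return hvac.Client(url=url, token=token)
```

With `auth_method: none` as in the task above, no token is passed and the agent's own auto-auth supplies it; access control then rests on the socket file's permissions.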
Hi @bcachet thanks for opening this!
This error is not from your PR; it's failing in the whole collection and I'm not sure why yet, so it will be addressed in a different PR at some point.
- https://github.com/ansible-collections/community.hashi_vault/actions/runs/11684228813/job/32545796062?pr=458#step:11:55
The other failures need to be looked into. I'd also like to see some tests added for this new functionality, ideally both unit and integration, but let's see how implementation goes for those tests.
I added some unit tests around requests_unixsocket integration in HashiVaultHelper::get_vault_client.
I need to dive into how integration tests work to be able to provide an integration test (I guess I will need to update the docker-compose environment to add a vault-agent listening on a Unix socket).
The error I mentioned before should be fixed in main now as of #459; please rebase when you get a chance!
I would be interested in discussing the integration test strategy. @briantist What is the best channel/tool to have a discussion about it?
This PR is the best place to discuss it I think
Do you have any idea/proposal for an integration test around this change? Should I add a vault agent alongside the vault server in the docker-compose environment?
Codecov Report
All modified and coverable lines are covered by tests.
Project coverage is 99.22%. Comparing base (afc77bd) to head (5c4744a).
Report is 6 commits behind head on main.
Additional details and impacted files
| Coverage Diff | main | #458 | +/- |
|---|---|---|---|
| Coverage | 99.21% | 99.22% | |
| Files | 110 | 110 | |
| Lines | 5767 | 5797 | +30 |
| Branches | 1088 | 1094 | +6 |
| Hits | 5722 | 5752 | +30 |
| Misses | 36 | 36 | |
| Partials | 9 | 9 | |