Fix LDAP secret retrieval
Update load_ldap_password_secret.yml to fix LDAP secret retrieval
SUMMARY
When deploying a Tower via Operator and configuring LDAP binding on deployment, the LDAP secret cannot be retrieved by the playbook despite following the instructions in the documentation.
Fixed file /roles/installer/tasks/load_ldap_password_secret.yml to allow correct retrieval of the LDAP secret by removing [0] in lines 12 and 14.
ISSUE TYPE
Bug fix
ADDITIONAL INFORMATION
Reproduction steps:
- Clone repo and configure a deployment with LDAP binding on deployment
- Create the ldap secret with the instructions available here
- Confirm password is correctly set in the secret
- Start deployment and watch logs of awx-operator-controller-manager - Deployment will fail with the following error:
task path: /opt/ansible/roles/installer/tasks/load_ldap_password_secret.yml:10
fatal: [localhost]: FAILED! => {"msg": "The conditional check '\"ldap-password\" in ldap_password[\"resources\"][0][\"data\"]' failed. The error was: error while evaluating conditional (\"ldap-password\" in ldap_password[\"resources\"][0][\"data\"]): list object has no element 0. list object has no element 0

The error appears to be in '/opt/ansible/roles/installer/tasks/load_ldap_password_secret.yml': line 10, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: Load LDAP bind password Secret content
  ^ here
"}
needs manual testing from developer
@lorenzo-maffeo-SAP the preceding task which sets ldap_password will always return a list, that is why that [0] index is there to return only the first entry in the list (because in this case, since "name" is specified, not a label, we can guarantee that there is only 1 item in the list, or 0).
In the case of your error, there are 0 secrets in the list. Can you confirm that the spec.ldap_password_secret specified is the name of a k8s secret that matches a secret in your k8s namespace?
Docs here:
- https://ansible.readthedocs.io/projects/awx-operator/en/latest/user-guide/advanced-configuration/trusting-a-custom-certificate-authority.html?h=ldap#trusting-a-custom-certificate-authority
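As an added illustration of the point above (not code from this PR or from the awx-operator role): a lookup by name yields a `resources` list with 0 or 1 entries, so the count should be checked before indexing `[0]`, and the failure should name the Secret and namespace that were searched. The variable names `ldap_password_secret`, `ldap_password` and the key `ldap-password` are taken from this thread; `ansible_operator_meta.namespace` is assumed to be the operator-sdk variable carrying the CR namespace.

```yaml
# Added example, not the awx-operator role's own tasks. Assumes the operator-sdk
# variable ansible_operator_meta.namespace; ldap_password_secret, ldap_password
# and the key ldap-password are the names used in this thread.
- name: Retrieve LDAP bind password Secret
  kubernetes.core.k8s_info:
    api_version: v1
    kind: Secret
    namespace: "{{ ansible_operator_meta.namespace }}"
    name: "{{ ldap_password_secret }}"
  register: ldap_password
  no_log: true   # the result carries the encoded password; keep it out of the operator log

# A lookup by name returns 0 or 1 resources: check the count before touching [0],
# so a mismatched name fails with a readable message instead of an index error.
- name: Check that the Secret exists and holds the expected key
  ansible.builtin.assert:
    that:
      - ldap_password.resources | length == 1
      - "'ldap-password' in (ldap_password.resources[0].data | default({}))"
    fail_msg: >-
      Secret '{{ ldap_password_secret }}' with key 'ldap-password' was not found in
      namespace '{{ ansible_operator_meta.namespace }}'. Check that spec.ldap_password_secret
      matches the Secret name exactly and that the Secret is in the same namespace as the AWX CR.
    quiet: true

# Only reached when exactly one matching Secret exists; decode without logging the value.
- name: Load LDAP bind password
  ansible.builtin.set_fact:
    ldap_bind_password: "{{ ldap_password.resources[0].data['ldap-password'] | b64decode }}"
  no_log: true
```

The assert stops at the first condition that is false, so the `[0]` index in the second condition is only evaluated once the list is known to be non-empty.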
@rooftopcellist the secret is correctly present with the right name, it has a single entry containing the password. I have followed step by step the instructions at https://ansible.readthedocs.io/projects/awx-operator/en/latest/user-guide/advanced-configuration/trusting-a-custom-certificate-authority.html?h=ldap#trusting-a-custom-certificate-authority to create the LDAP secret password and add it to the specs, deployment kept failing until I modified the code as per this PR. I have experienced this behaviour on 2 different Kubernetes clusters where I attempted deployment. At this point, if code is correct, it seems documentation is wrong: can you please try on your side to follow the steps in the documentation (without any deviation) and see if you can reproduce it?
@lorenzo-maffeo-SAP Does your Secret exist in the same namespace as AWX Operator and AWX?
Yes, correct. I have tried a complete new deployment on a local minikube cluster and still experience the same behaviour.
user@minikube-test [22:06:47] [~/code/awx-k8s] [master *]
-> % k get all -n awx
NAME                                                  READY   STATUS    RESTARTS      AGE
pod/awx-demo-postgres-13-0                            1/1     Running   0             4m29s
pod/awx-demo-task-856bf67c94-n2zsh                    4/4     Running   0             3m29s
pod/awx-demo-web-755dcfd8c4-p5vg7                     3/3     Running   1 (27s ago)   66s
pod/awx-operator-controller-manager-85c949b69-4926g   2/2     Running   0             4m37s

NAME                                                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
service/awx-demo-postgres-13                              ClusterIP   None             <none>        5432/TCP       4m29s
service/awx-demo-service                                  NodePort    10.99.58.121     <none>        80:30834/TCP   3m31s
service/awx-operator-controller-manager-metrics-service   ClusterIP   10.106.238.199   <none>        8443/TCP       8m58s

NAME                                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/awx-demo-task                     1/1     1            1           3m29s
deployment.apps/awx-demo-web                      1/1     1            1           3m22s
deployment.apps/awx-operator-controller-manager   1/1     1            1           8m58s

NAME                                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/awx-demo-task-856bf67c94                    1         1         1       3m29s
replicaset.apps/awx-demo-web-755dcfd8c4                     1         1         1       3m22s
replicaset.apps/awx-operator-controller-manager-85c949b69   1         1         1       8m58s

NAME                                   READY   AGE
statefulset.apps/awx-demo-postgres-13   1/1     4m29s
user@minikube-test [22:06:52] [~/code/awx-k8s] [master *]
-> % k get secrets -n awx
NAME                              TYPE                DATA   AGE
awx-demo-admin-password           Opaque              1      4m47s
awx-demo-app-credentials          Opaque              3      3m41s
awx-demo-broadcast-websocket      Opaque              1      4m44s
awx-demo-ldap-password            Opaque              1      8m32s
awx-demo-postgres-configuration   Opaque              6      4m39s
awx-demo-receptor-ca              kubernetes.io/tls   2      3m51s
awx-demo-receptor-work-signing    Opaque              2      3m45s
awx-demo-secret-key               Opaque              1      8m52s
redhat-operators-pull-secret      Opaque              1      8m59s
user@minikube-test [22:08:10] [~/code/awx-k8s] [master *]
-> % k -n awx get secret awx-demo-ldap-password -o jsonpath="{.data.ldap-password}" | base64 -d
MySuperSecurePassword%
user@minikube-test [22:08:41] [~/code/awx-k8s] [master *]
-> % grep -v ^# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  # Find the latest tag here: https://github.com/ansible/awx-operator/releases
  - github.com/ansible/awx-operator/config/default?ref=2.9.0
  - awx-demo.yml
images:
  - name: quay.io/ansible/awx-operator
    newTag: 2.9.0
namespace: awx
user@minikube-test [22:08:52] [~/code/awx-k8s] [master *]
-> % grep -v ^# awx-demo.yml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx-demo
spec:
  no_log: false
  service_type: nodeport
  ldap_password_secret: awx-ldap-password
  extra_settings:
    - setting: AUTH_LDAP_SERVER_URI
      value: >-
        "ldap://ldap.test.local:389"
    - setting: AUTH_LDAP_BIND_DN
      value: >-
        "CN=Userxxx,CN=Users,DC=test,DC=local"
user@minikube-test [22:09:04] [~/code/awx-k8s] [master *]
-> % k apply -k .
namespace/awx unchanged
customresourcedefinition.apiextensions.k8s.io/awxbackups.awx.ansible.com unchanged
customresourcedefinition.apiextensions.k8s.io/awxrestores.awx.ansible.com unchanged
customresourcedefinition.apiextensions.k8s.io/awxs.awx.ansible.com unchanged
serviceaccount/awx-operator-controller-manager unchanged
role.rbac.authorization.k8s.io/awx-operator-awx-manager-role configured
role.rbac.authorization.k8s.io/awx-operator-leader-election-role unchanged
clusterrole.rbac.authorization.k8s.io/awx-operator-metrics-reader unchanged
clusterrole.rbac.authorization.k8s.io/awx-operator-proxy-role unchanged
rolebinding.rbac.authorization.k8s.io/awx-operator-awx-manager-rolebinding unchanged
rolebinding.rbac.authorization.k8s.io/awx-operator-leader-election-rolebinding unchanged
clusterrolebinding.rbac.authorization.k8s.io/awx-operator-proxy-rolebinding unchanged
configmap/awx-operator-awx-manager-config unchanged
service/awx-operator-controller-manager-metrics-service unchanged
deployment.apps/awx-operator-controller-manager unchanged
awx.awx.ansible.com/awx-demo configured
user@minikube-test [22:09:39] [~/code/awx-k8s] [master *]
-> % k delete pod/awx-demo-task-856bf67c94-2qcjt pod/awx-demo-web-755dcfd8c4-xpnz5 deployment.apps/awx-demo-task deployment.apps/awx-demo-web
pod "awx-demo-task-856bf67c94-2qcjt" deleted
pod "awx-demo-web-755dcfd8c4-xpnz5" deleted
deployment.apps "awx-demo-task" deleted
deployment.apps "awx-demo-web" deleted
user@minikube-test [22:10:06] [~/code/awx-k8s] [master *]
-> % k logs -f pod/awx-operator-controller-manager-85c949b69-56l92
[...]
TASK [installer : Load LDAP bind password Secret content] **********************
task path: /opt/ansible/roles/installer/tasks/load_ldap_password_secret.yml:10
fatal: [localhost]: FAILED! => {"msg": "The conditional check '\"ldap-password\" in ldap_password[\"resources\"][0][\"data\"]' failed. The error was: error while evaluating conditional (\"ldap-password\" in ldap_password[\"resources\"][0][\"data\"]): list object has no element 0. list object has no element 0
Edit: I just noticed after posting this that the secret name is not the same; I copied the files from the system where I originally found the issue and most likely carried the same mistake along with it. Once I fixed the secret name, the deployment worked fine.
--------------------------- Ansible Task StdOut -------------------------------
TASK [installer : Load ldap bind password] *************************************
task path: /opt/ansible/roles/installer/tasks/install.yml:52
-------------------------------------------------------------------------------
{"level":"info","ts":"2024-06-11T20:29:50Z","logger":"logging_event_handler","msg":"[playbook task start]","name":"awx-demo","namespace":"awx","gvk":"awx.ansible.com/v1beta1, Kind=AWX","event_type":"playbook_on_task_start","job":"5267741342915667530","EventData.Name":"installer : Retrieve LDAP bind password Secret"}
--------------------------- Ansible Task StdOut -------------------------------
TASK [installer : Retrieve LDAP bind password Secret] **************************
task path: /opt/ansible/roles/installer/tasks/load_ldap_password_secret.yml:2
-------------------------------------------------------------------------------
{"level":"info","ts":"2024-06-11T20:29:50Z","logger":"proxy","msg":"Read object from cache","resource":{"IsResourceRequest":true,"Path":"/api/v1/namespaces/awx/secrets/awx-demo-ldap-password","Verb":"get","APIPrefix":"api","APIGroup":"","APIVersion":"v1","Namespace":"awx","Resource":"secrets","Subresource":"","Name":"awx-demo-ldap-password","Parts":["secrets","awx-demo-ldap-password"]}}