Lint vault files #115
Comments
Sure, implementations welcome |
The approach in willthames/ansible-inventory-grapher#19 could likely be used here too. |
The problem still persists in ansible-lint 3.4.7. It does not seem to respect the settings from ansible.cfg, where the path to the vault password file is saved:
|
Latest version and still returns "Decryption failed" |
Well, it would do, no one has actually implemented this yet. I've pointed to how one might go about this - and will favourably review pull requests implementing such a change. |
I've removed the v3.2 milestone, it will get in the next version after someone has implemented it. |
I know this hasn't been implemented, but just adding that the current error appears to be:
I know ansible-lint can't take a password directly, so I've tried both This means I'm choosing at the moment between linting, or committing secrets :( I haven't really used Python before so I'm a bit lost on how to implement this, but taking the example in https://github.com/willthames/ansible-inventory-grapher/pull/19/files would it be adding:
Having said that...
```python
# ansible-lint doesn't need/want to know about encrypted secrets, but it needs
# Ansible 2.3+ allows encrypted secrets within yaml files, so we pass a string
# as the password to enable such yaml files to be opened and parsed successfully.
DEFAULT_VAULT_PASSWORD = 'x'
```
the |
@tdmalone what version are you running? 3.4.23 was released a couple of days ago, which may or may not have included a fix (it definitely had a vault fix, just not sure if it's this vault fix). This issue could use a minimal test case. |
Thanks for the response! Yes I'm on 3.4.23. I should be able to put a test case together. I just realised however my specific problem is with an inline string rather than a file - does this need a separate issue? (Only just started using Ansible Vault, and trying to get my head around it!) |
Actually, I apologise - turns out it wasn't the vault strings I added... those are working fine. It was vault files someone else had added to the repo that I didn't know about. I actually don't need to be linting those, and have made my linting script a bit more targeted. So, having said all that, I'm still happy to try to put a test case together if it would help! Is it just complete vault files which the problem is with? |
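An added example, not part of the thread and not ansible-lint's own code: a pre-lint filter in the spirit of the "more targeted" linting script mentioned above. It separates fully encrypted vault files (first line begins with `$ANSIBLE_VAULT;`) from YAML that can be parsed without a password, including files that only carry inline `!vault` values. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

VAULT_MAGIC = b"$ANSIBLE_VAULT;"  # first bytes of every fully encrypted vault file

def parse_vault_header(path):
    """Return (version, cipher, vault_id) for a vault file, or None for plaintext."""
    with open(path, "rb") as fh:
        first = fh.readline(256).strip()
    if not first.startswith(VAULT_MAGIC):
        return None
    # 1.1 header: $ANSIBLE_VAULT;1.1;AES256 -- a 1.2 header appends a vault id
    fields = first.decode("ascii", "replace").split(";")[1:]
    version, cipher = (fields + ["", ""])[:2]
    vault_id = fields[2] if len(fields) > 2 else "default"
    return version, cipher, vault_id

def split_lint_targets(root):
    """Walk root and return (lintable, encrypted) lists of YAML paths."""
    lintable, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".yml", ".yaml")):
                continue
            path = os.path.join(dirpath, name)
            (encrypted if parse_vault_header(path) else lintable).append(path)
    return sorted(lintable), sorted(encrypted)

def build_sample_tree(root):
    """Constructed sample role: plaintext tasks, an inline !vault value, a vault file."""
    samples = {
        "roles/web/tasks/main.yml": "- name: ping\n  ping:\n",
        "roles/web/defaults/main.yml": "api_key: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  3031\n",
        "roles/web/vars/secrets.yml": "$ANSIBLE_VAULT;1.2;AES256;prod\n30313233\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        lintable, encrypted = split_lint_targets(tmp)
        print("lint:", lintable)
        print("skip:", encrypted)
```

Only the `lintable` list would be handed to the linter; the `encrypted` list can be logged so reviewers see which files were skipped and under which vault id.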
The latest version of
```python
import os

from ansible.parsing.dataloader import DataLoader


class ByteHolder(object):
    """Not sure what object VaultLib actually wants here, so this is a hack"""

    def __init__(self, str):
        super(ByteHolder, self).__init__()
        # Expose the password as bytes on a .bytes attribute
        self.bytes = str.encode('UTF-8')


def parse_yaml_from_file(filepath):
    dl = DataLoader()
    # Vault password is read from the environment (raises KeyError if unset)
    dl.set_vault_secrets([('default', ByteHolder(os.environ['ANSIBLE_VAULT_PASSWORD']))])
    # if hasattr(dl, 'set_vault_password'):
    #     dl.set_vault_password(DEFAULT_VAULT_PASSWORD)
    return dl.load_from_file(filepath)
```
Cleaning up the code a bit for better error handling/etc. in our fork, but wanted to share the fix. |
Guys, is lint for vault files working or not? |
I just hit this issue with linting vault files. I ran the following command:
and received the following message back:
There is a bigger problem though. It seems it causes the custom lint rules to not load at all. I run this command and
Here is the output:
From the verbose mode it seems it's running the tests, but doesn't use my custom lint rule (as defined in the
|
Same problem here. I have a
Linting fails
my version
|
Hi @ssbarnea @ansiblejunky , |
If Ansible is configured to be able to decrypt, the linter will work; we do have a test at examples/playbooks/contains_secrets.yml which is passing. I will consider this bug fixed. Please do not open a new bug if you cannot pass |
@ssbarnea This issue is not fixed. The test at The issue is with vault files included inside roles. Here is a quick way to reproduce the bug:
However, as you can see,
However, if I move @ssbarnea please let me know if I should open a new bug, or if you're re-opening this one. |
I'd like to lint whole Ansible playbooks including vault files. An idea would be to provide ansible-lint the vault-pass parameter. Currently linting a vault file leads to a (correct) error: