Monday, 2022-10-10

*** ysandeep|out is now known as ysandeep03:58
*** ysandeep is now known as ysandeep|afk06:23
*** ysandeep|afk is now known as ysandeep07:39
*** ysandeep is now known as ysandeep|lunch09:52
*** ysandeep|lunch is now known as ysandeep11:15
*** dviroel|out is now known as dviroel11:24
tomas_mensikHi! Could anyone please help me with strange issue with openstack.cloud.config issues? Despite my openstack client works fine with this clouds.yaml config, ansible config modules keeps failing. Other modules such as openstack.cloud.auth works! https://pastebin.com/9kfCihzs12:13
*** dviroel is now known as dviroel|biab12:29
*** dviroel|biab is now known as dviroel13:31
*** dviroel_ is now known as dviroel14:10
tomas_mensikFor the question above, here is opestack config example which should have all it needs - works for either openstack cli or cloud.auth: https://pastebin.com/0SPhSU7j14:31
*** ysandeep is now known as ysandeep|out14:35
*** dviroel is now known as dviroel|lunch15:03
tomas_mensikeureka! I have finally got openstack.cloud.config working! While I am still not sure it was the only issue, I certainly needed to unset either OS_CLOUD and OS_PASSWORD. Which is unfortunate because OS_PASSWORD environment variable was the only way how to securely provide password without leaving it in plaintext at secure.yaml.15:15
gtemaplaintext env vs plaintext secure.yaml15:16
jrosser_i think that these modules are very sensitive to which env vars are / are not set and having the wrong combination leads to wierd error messages15:18
gtemawhile working with cloud modules you should anyway avoid setting env vars and instead either rely on config file or pass whole conn structure which you read from some sort of vault if concerned15:19
gtemaand the second one is definitely preferred15:20
tomas_mensikyes, but switching to different cloud/profile using env vars is quite painful - and openstack solved that by moving to clouds.yaml config. At least that password should be possible to pass using ENV.15:22
gtemathat is a misuse of concepts. Passing creds is "native" for ansible modules. For running things locally clouds.yaml should be used15:23
gtemacause depending on whether you use "localhost" or "some_remote_host" you either have clouds.yaml or not. And this makes whole playbook pretty not portable15:24
tomas_mensikand plaintext ENV variable - sure does not sound like much difference, but its more difficult to steal secret from a running process (unless it gives it away itself) than from a file on disk.15:24
tomas_mensikfor that playbook portability - sure that is why openstack.cloud.config does exist, isn't it? I admit I always expected to have authentication on computer the playbook was run on - is it expected to read ENV vars from remote host of ansible inventory?15:35
gtemaevery module takes "cloud" param. This can be either "name" from clouds.yaml or whole structure same way as in clouds.yaml. So if you read it from inventory/vault/whatever_is_secure_for_you - all is done without concerns15:37
gtemaand this is exactly how AWX/Ansible was always designed - you have secrets in the tool that is executing playbook and they are passed securely to the module without writing to the FS15:38
tomas_mensikwell I was just expecting from ansible modules to have similar flexibility as openstack client/sdk has. Unfortunately it is not mentioned in documentation. And if you don't rely only on the ansible then it makes sense to keep as much of configuration on only one places - which is clouds.yaml for me.15:52
gtemapersonally disagree with that (from experience) - for every use case you should use the most suitable approach, and for ansible this is multi-fold. If you try to invoke you playbooks through AWX or similar thing (i.e. even inside Zuul jobs it is used this way) - you pass whole structure instead of writing clouds.yaml on a remote host15:54
*** dviroel|lunch is now known as dviroel|16:21
*** dviroel| is now known as dviroel16:21
fricklerI also would consider it more of a bug than a feature for OSC to take data from both OS_CLOUD and OS_PASSWORD. like what happens when the cloud entry is using app creds instead of user+pass?16:38
gtemasdk need to support so many different ways of configuring that it is no surprise things like that happen. Especially that OSC here may merge things on it's side rather 16:39
gtemathan delegating it all to sdk. Think it doesn't happen, but OSC is also doing few things around16:40
opendevreviewRafael Castillo proposed openstack/ansible-collections-openstack master: Refactor server_volume to be compatible with openstacksdk>=0.99.0  https://review.opendev.org/c/openstack/ansible-collections-openstack/+/85883417:19
opendevreviewRafael Castillo proposed openstack/ansible-collections-openstack master: Updates volume for 2.0.0  https://review.opendev.org/c/openstack/ansible-collections-openstack/+/85374918:05
*** dviroel_ is now known as dviroel18:28
*** dviroel is now known as dviroel|biab19:51
*** rcastillo_ is now known as rcastillo23:30

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!