feat: support insights service account credentials for project update #15747

Open
wants to merge 1 commit into
base: devel

adrisala
Contributor

SUMMARY

Add support for service account credentials for the insights type. Added default parameter INSIGHTS_OIDC_ENDPOINT and extra variables client_id and client_secret that will be added to the Job if the SCM type is insights.

ISSUE TYPE
  • New or Enhanced Feature
COMPONENT NAME
  • API
AWX VERSION
24.6.2.dev219+gde669a16db

@chrismeyersfsu
Member

chrismeyersfsu commented Jan 15, 2025

I'd rather solve this problem by allowing the templating engine to inject the creds rather than adding credential plugin specific code to awx.

BaseTask::run() calls self.build_credentials_list() and calls credential.credential_type.inject_credential() on each item in the list. For a project update, build_credentials_list() is NOT currently overridden so the BaseTask version gets called which just returns []. We can override build_credentials_list() in class RunProjectUpdate to return the insights credential. This will result in the templating engine generating the insights client_id, client_secret, and authentication variables via ansible extra vars.

Put the below in class RunProjectUpdate

    def build_credentials_list(self, project_update):
        if project_update.scm_type != 'insights' or not project_update.credential:
            return []
        return [project_update.credential]

Add the below to your project_update.yml to convince yourself that the data makes its way into the project update playbook.

        - name: Debug insights
          debug:
            msg: "{{ authentication | default('NA') }} - {{ client_id }} - {{ client_secret }}"

Now run an insights project with an insights credential attached with the client_id and client_secret filled out in input.

    TASK [Debug insights] **********************************************************
    ok: [localhost] => {
        "msg": "service_account - foo - bar"
    }

If you prefer a git diff of the above changes:

diff --git a/awx/main/tasks/jobs.py b/awx/main/tasks/jobs.py
index 36493c4e21..6555bb5db8 100644
--- a/awx/main/tasks/jobs.py
+++ b/awx/main/tasks/jobs.py
@@ -1136,6 +1136,11 @@ class RunProjectUpdate(BaseTask):
         super(RunProjectUpdate, self).__init__(*args, **kwargs)
         self.job_private_data_dir = job_private_data_dir
 
+    def build_credentials_list(self, project_update):
+        if project_update.scm_type != 'insights' or not project_update.credential:
+            return []
+        return [project_update.credential]
+
     def build_private_data(self, project_update, private_data_dir):
         """
         Return SSH private key data needed for this project update.
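Review bot: the added `build_credentials_list()` in `RunProjectUpdate` has no docstring, unlike `build_private_data()` directly below it, and nothing in the method says why the credential is returned only when `scm_type` is `'insights'`. Add a short docstring stating that the returned credential is the one handed to credential injection for the project update (as described in the comment above), and add tests for the three branches visible here: a non-insights `scm_type`, insights with no credential, and insights with a credential.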
diff --git a/awx/playbooks/project_update.yml b/awx/playbooks/project_update.yml
index 26a4891c14..0a8519aa9d 100644
--- a/awx/playbooks/project_update.yml
+++ b/awx/playbooks/project_update.yml
@@ -92,6 +92,10 @@
             state: directory
             mode: '0755'
 
+        - name: Debug insights
+          debug:
+            msg: "{{ authentication | default('NA') }} - {{ client_id }} - {{ client_secret }}"
+
         - name: Fetch Insights Playbook(s)
           insights:
             insights_url: "{{ insights_url }}"
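Review bot: the `msg` of the added `Debug insights` task templates `{{ client_secret }}`, so the secret is written in clear text to the task output whenever this task runs, as the sample output above shows with `bar`. Drop the task before merge; if a check has to stay, remove `client_secret` from the message or set `no_log: true` on the task. Separately, `client_id` and `client_secret` have no `default(...)` filter while `authentication` does, so the task fails on an undefined variable when the credential does not supply them.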

@fosterseth
Member

If it is easier, feel free to collapse this change into #15742 if you just want to manage one PR.

@adrisala adrisala force-pushed the feat/jobs-insights-plugin-oauth branch 3 times, most recently from 587dbfc to 7e4bb8d Compare January 16, 2025 12:14
@adrisala adrisala closed this Jan 16, 2025
@adrisala adrisala force-pushed the feat/jobs-insights-plugin-oauth branch from 7e4bb8d to a19e1ba Compare January 16, 2025 16:51
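
An added example, not part of the PR or of AWX: a line-based check that flags `debug` tasks templating `client_secret` without `no_log: true`, the pattern used by the verification task in the review comment above. The function names and the sample playbook text are constructed for illustration, and the splitter is a heuristic keyed on `- name:` lines, not a full YAML parser.

```python
import re

# Variable names treated as secrets. client_secret is the one named in the
# thread; extending this tuple to other credential fields is an assumption.
SECRET_VARS = ("client_secret",)

TASK_START = re.compile(r"^\s*- name:\s*(.*)$")
JINJA_EXPR = re.compile(r"\{\{(.*?)\}\}")


def split_tasks(playbook_text):
    """Group playbook lines into (task_name, [lines]) at each '- name:' line."""
    tasks, current = [], None
    for line in playbook_text.splitlines():
        match = TASK_START.match(line)
        if match:
            current = (match.group(1).strip(), [line])
            tasks.append(current)
        elif current is not None:
            current[1].append(line)
    return tasks


def leaking_debug_tasks(playbook_text, secret_vars=SECRET_VARS):
    """Return names of debug tasks that template a secret without no_log."""
    findings = []
    for name, lines in split_tasks(playbook_text):
        body = "\n".join(lines)
        is_debug = re.search(r"^\s*(ansible\.builtin\.)?debug:", body, re.M)
        no_log = re.search(r"^\s*no_log:\s*(true|yes)\s*$", body, re.M | re.I)
        used = any(
            re.search(r"\b%s\b" % re.escape(var), expr)
            for expr in JINJA_EXPR.findall(body)
            for var in secret_vars
        )
        if is_debug and used and not no_log:
            findings.append(name)
    return findings


# Constructed sample: the debug task from the thread plus two safer variants.
SAMPLE = """
        - name: Debug insights
          debug:
            msg: "{{ authentication | default('NA') }} - {{ client_id }} - {{ client_secret }}"
        - name: Debug insights (masked)
          debug:
            msg: "{{ authentication | default('NA') }} - {{ client_id }}"
        - name: Debug insights (no_log)
          debug:
            msg: "{{ client_secret }}"
          no_log: true
"""
```

Calling `leaking_debug_tasks(SAMPLE)` reports only the first task; the masked and `no_log` variants pass.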