ansible integration: KSMCache class initializes cache file path before environment variable is set #675

Open
flybyray opened this issue Oct 16, 2024 · 2 comments


flybyray commented Oct 16, 2024

kms_cache_file_name = os.path.join(os.environ.get("KSM_CACHE_DIR", ""), 'ksm_cache.bin')

cache_dir_key = KeeperAnsible.keeper_key(KeeperAnsible.KEY_CACHE_DIR)
if task_vars.get(cache_dir_key) is not None and os.environ.get(KeeperAnsible.ENV_CACHE_DIR) is None:
    os.environ[KeeperAnsible.ENV_CACHE_DIR] = task_vars.get(cache_dir_key)

Current workaround: I need to start all ansible processes with the KSM_CACHE_DIR variable set. But then all my ansible-vault keyfiles which use KSM need to have an override to set the current working directory again for their process context.

Or maybe after line 177 an additional KSMCache.kms_cache_file_name = os.path.join(os.environ.get(KeeperAnsible.ENV_CACHE_DIR, ""), 'ksm_cache.bin') is needed:

                # We are using the cache, what directory should the cache file be stored in.
                cache_dir_key = KeeperAnsible.keeper_key(KeeperAnsible.KEY_CACHE_DIR)
                if task_vars.get(cache_dir_key) is not None and os.environ.get(KeeperAnsible.ENV_CACHE_DIR) is None:
                    os.environ[KeeperAnsible.ENV_CACHE_DIR] = task_vars.get(cache_dir_key)
                    KSMCache.kms_cache_file_name = os.path.join(os.environ.get(KeeperAnsible.ENV_CACHE_DIR, ""), 'ksm_cache.bin')
@jwalstra-keeper
Contributor

We can do that. Yeah, by this point the KSMCache class has been loaded and kms_cache_file_name set in the class.

@flybyray
Author

flybyray commented Oct 18, 2024

... can ...

There are multiple integrations used in an ansible setup with keeper. Currently they do not play nicely with each other in a DR event.
Maybe I can explain when I show you a concrete error resulting from that stuff above:

Error: Notation error - found multiple records with same UID ...

How does that come about?

ksm when cache enabled without KSM_CACHE_DIR set would put a file ksm_cache.bin in the current directory.
keeper_ansible when cache enabled AND EVEN WHEN keeper_cache_dir is set as ansible variable would ignore the value of this variable because "kms_cache_file_name set in the class". Hence keeper_ansible would use the same ksm_cache.bin in the current directory as ksm would use.
But the cache files have different purposes. See your own documentation.

In DR event both need to have their own cache file if they do not share the VERY same parameters! Otherwise DR event is just D :-)

I am not sure if the addition of the one line in the code base is sufficient or useful. Currently I decided to be very explicit with setting KSM_CACHE_DIR in several occurrences.

  1. when starting ansible...
  2. when creating a bash script for Ansible Vault Password Retrieval, I put the KSM_CACHE_DIR in front of each ksm call.

But this is very error-prone if several supervisors have to be instructed to pay attention to it.
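
The ordering problem discussed in this thread, as an added example that is not part of the issue or of the project's code: a class attribute built from `KSM_CACHE_DIR` is fixed when the class is defined, so exporting the variable afterwards has no effect until the attribute is reassigned or the path is resolved at use time. `define_eager_cache`, `EagerCache`, `LazyCache`, `demo` and the sample directory are hypothetical stand-ins.

```python
import os

ENV_CACHE_DIR = "KSM_CACHE_DIR"   # environment variable named in the issue
CACHE_FILE = "ksm_cache.bin"      # cache file name named in the issue


def define_eager_cache():
    """Stand-in for a class whose path is computed once, at class-definition time."""
    class EagerCache:
        kms_cache_file_name = os.path.join(os.environ.get(ENV_CACHE_DIR, ""), CACHE_FILE)
    return EagerCache


class LazyCache:
    """Hypothetical alternative: resolve the path every time it is needed."""
    @staticmethod
    def cache_file_name():
        return os.path.join(os.environ.get(ENV_CACHE_DIR, ""), CACHE_FILE)


def demo(task_cache_dir):
    """Replay the order of events from the issue and return the resulting paths."""
    saved = os.environ.pop(ENV_CACHE_DIR, None)   # process starts without KSM_CACHE_DIR
    try:
        eager = define_eager_cache()              # the class is loaded first
        # Later, the Ansible variable is copied into the environment.
        os.environ[ENV_CACHE_DIR] = task_cache_dir
        stale = eager.kms_cache_file_name         # still relative to the current directory
        # The one-line reassignment proposed in the issue:
        eager.kms_cache_file_name = os.path.join(os.environ.get(ENV_CACHE_DIR, ""), CACHE_FILE)
        return {
            "stale": stale,
            "patched": eager.kms_cache_file_name,
            "lazy": LazyCache.cache_file_name(),
        }
    finally:
        # Restore the caller's environment exactly as it was.
        os.environ.pop(ENV_CACHE_DIR, None)
        if saved is not None:
            os.environ[ENV_CACHE_DIR] = saved


if __name__ == "__main__":
    # Constructed sample directory, not taken from the issue.
    for name, path in demo("/var/cache/keeper_ansible").items():
        print(f"{name:8} {path!r}")
```

The `stale` value is the bare relative file name, which is why two integrations started from the same working directory end up on the same cache file.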
