docker_secret isn't changing a secret when the data changes #30
!component |
Upon further investigation, it seems the issue may be that the secret lacks a label called |
Did you set the old value with the module as well? The problem is that it is not possible to retrieve the secret, so the module has to use |
I thought I did, but the lack of the label would indicate otherwise.
Is this really the intended behavior? It seems extremely dangerous. Correct me if I'm wrong: for every other Ansible module, if it succeeds and indicates If For example, if the secret needs to be changed but it is attached to the service, the module will fail whether |
The module does exactly as documented; please read its documentation: https://docs.ansible.com/ansible/latest/collections/community/general/docker_secret_module.html#synopsis
The author of the module obviously thought differently. Both sides have their pros and cons. I guess it would be possible to add an option which - when explicitly enabled - would yield the behavior you want, but changing the current behavior would be a breaking change and we try to avoid them.
Thank you. I had looked at that page but missed the bit about the label.
What about issuing a warning in that scenario? Doesn't change the behavior but at least makes the user aware that the host state may not be correct.
I think a warning would be ok. Feel free to create a PR (in this repo) for that!
Done. Are the docker modules being moved out of |
Thanks! About your questions: yes and yes+no. The details of the move are described here: ansible-collections/overview#117 (reply in thread) If you are using Ansible 2.9, you need to switch to community.docker. If you are using ansible-base 2.10+, you don't have to change anything, except to make sure that community.docker is also installed when using community.general >= 2.0.0 (will be released in January 2021) or ansible-base 2.11+ (spring 2021). If you are using Ansible 2.10+, you don't need to change anything, as community.docker will be contained before the redirects happen (the redirects will appear in Ansible 2.11). For ansible-base 2.10+ and Ansible 2.10.x, you only need to do something if you want to use community.docker now (which has all the deprecations applied that were scheduled for community.general 2.0.0). In any case, bugfixes and maybe also some features added in this repo will be backported to community.general, which means that your new warning will also show up in community.general.
* add a warning when ansible_label is not found on a secret. addresses #30 * Update changelogs/fragments/31-docker-secret.yml Co-authored-by: Felix Fontein <[email protected]> Co-authored-by: Felix Fontein <[email protected]>
Fixed in #31
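The thread above turns on a secret that lacks the module's bookkeeping label, so a changed payload is reported as unchanged. The following Python sketch is an added example, not the module's code: it assumes change detection compares a digest stored in a label, and the label name `example_data_hash`, the SHA-256 digest and the shape of the `existing` dict are all hypothetical.

```python
import hashlib

# Hypothetical label name for this sketch; not the label the module uses.
HASH_LABEL = "example_data_hash"


def data_digest(data: bytes) -> str:
    """Digest stored beside the secret, because the payload cannot be read back."""
    return hashlib.sha256(data).hexdigest()


def plan_secret_update(existing, desired_data: bytes):
    """Decide what to do with a secret; returns (action, warnings).

    existing: None when no secret of that name exists, otherwise a dict with
    a "labels" mapping (assumed shape, constructed for this example).
    """
    warnings = []
    if existing is None:
        return "create", warnings
    recorded = existing.get("labels", {}).get(HASH_LABEL)
    if recorded is None:
        # Secret was created without the bookkeeping label: its content cannot
        # be compared, so "unchanged" would be a guess. Surface that to the user.
        warnings.append(
            "secret has no %s label; cannot tell whether data differs" % HASH_LABEL
        )
        return "unverified", warnings
    if recorded != data_digest(desired_data):
        return "replace", warnings
    return "unchanged", warnings


def demo():
    """Run the four cases on constructed sample secrets."""
    managed = {"labels": {HASH_LABEL: data_digest(b"old-value")}}
    unmanaged = {"labels": {}}  # e.g. created by hand, no label recorded
    return {
        "absent": plan_secret_update(None, b"new-value"),
        "same": plan_secret_update(managed, b"old-value"),
        "different": plan_secret_update(managed, b"new-value"),
        "no_label": plan_secret_update(unmanaged, b"new-value"),
    }


if __name__ == "__main__":
    for case, (action, warns) in demo().items():
        print(case, action, warns)
```

The `unverified` outcome is the case discussed in the thread: without the label there is nothing to compare against, so the caller should be warned instead of being told silently that nothing changed.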
SUMMARY
docker_secret succeeds and indicates changed: false even though I've run the module with a data argument that is different from the current secret
ISSUE TYPE
COMPONENT NAME
community.general.docker_secret
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
Ubuntu 20.04
STEPS TO REPRODUCE
Unfortunately, I've been unable to reproduce this in a generic way, but my current setup exhibits the problem.
I have no containers or services running:
I have an existing secret:
If I then run the module twice, each time with different data, at least one of them should succeed and change the secret:
EXPECTED RESULTS
The secret data should change
ACTUAL RESULTS
The secret data does not change, but the module reports success and unchanged
Running with extra verbosity: