Bug 2171849

Summary: vault_password_file defined in the "/etc/ansible/ansible.cfg" is not honored.
Product: Red Hat Satellite
Reporter: Satyajit Das <sadas>
Component: Ansible
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED CURRENTRELEASE
QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high
Priority: high
Version: 6.13.0
CC: aruzicka, nalfassi, shwsingh, visawant
Target Milestone: Unspecified
Keywords: Regression, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Last Closed: 2023-05-01 15:45:33 UTC
Type: Bug

Description Satyajit Das 2023-02-20 15:34:22 UTC
Description of problem:

vault_password_file defined in the "/etc/ansible/ansible.cfg" is not honored.


Version-Release number of selected component (if applicable):

6.13


How reproducible:

100%


Steps to Reproduce:
1. Upload an Ansible role where variable values are encrypted with Ansible Vault.
2. Define vault_password_file in the "/etc/ansible/ansible.cfg".
3. Set the permission of the ansible_vault_password password file to foreman-proxy:foreman-proxy.
4. Rerun the Ansible role from the Satellite GUI

Actual results:

TASK [Apply roles] *************************************************************
ERROR! Attempting to decrypt but no vault secrets found  =====================> Failed to execute the role due to missing secret key.
PLAY RECAP *********************************************************************
client.example.com : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
Exit status: 2



Expected results:

Should execute without any error.

Additional info:


As I have upgraded from 6.12 to 6.13, the below file exists:

/usr/share/foreman-proxy/.ansible.cfg  ===> Updating the vault_password_file  in this file works.


For new installations, this file(/usr/share/foreman-proxy/.ansible.cfg) does not exist. Moreover, as per the comment in the below bug, Satellite 6.13 and above versions use the ansible.cfg present in path "/etc/ansible/ansible.cfg" as the config file.

https://bugzilla.redhat.com/show_bug.cgi?id=1786358#c16

Comment 2 Adam Ruzicka 2023-02-21 17:18:50 UTC
> For new installations, this file(/usr/share/foreman-proxy/.ansible.cfg) does not exist

I know I'm nitpicking, but I was under the impression that /usr/share/foreman-proxy/.ansible.cfg is a symlink to /etc/foreman-proxy/ansible.cfg. On new installations the file in /etc/foreman-proxy/ does not exist, but the (dangling) symlink is still kept in place, no matter if the installation is fresh or not. The dangling symlink shouldn't hurt, the combination of the symlink and the file in /etc/foreman-proxy/ansible.cfg does.

Anyway, dropping the symlink (or whatever /usr/share/foreman-proxy/.ansible.cfg is) from packaging could do the trick?

See https://github.com/theforeman/puppet-foreman_proxy/pull/777#issuecomment-1231619125 for details.
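
The shadowing described in the comment above, as an added example that is not part of the original thread or of Satellite: a shell check that reports which ansible.cfg the service user ends up with, whether it sets vault_password_file, and whether the password file is exposed to other users. The function names and the temporary demo tree are hypothetical; the lookup order assumed is Ansible's documented one with $ANSIBLE_CONFIG and ./ansible.cfg unset, and vault_password_file is assumed to be an absolute path.

```sh
#!/bin/sh
# Added example, not Satellite code. Assumes Ansible's documented lookup order
# with $ANSIBLE_CONFIG and ./ansible.cfg unset: ~/.ansible.cfg, then /etc.

# first_cfg PATH...: print the first candidate that exists and is readable.
# [ -e ] follows symlinks, so a dangling symlink is skipped, not an error.
first_cfg() {
  for c in "$@"; do
    if [ -e "$c" ] && [ -r "$c" ]; then printf '%s\n' "$c"; return 0; fi
  done
  return 1
}

# vault_file_of CFG: print vault_password_file from [defaults]; empty if unset.
vault_file_of() {
  awk '
    /^[ \t]*\[/ { d = ($0 ~ /^[ \t]*\[defaults\]/); next }
    d && /^[ \t]*vault_password_file[ \t]*=/ {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit
    }' "$1"
}

# audit_vault HOME_DIR ETC_CFG: one-line verdict; non-zero status on a finding.
audit_vault() {
  cfg=$(first_cfg "$1/.ansible.cfg" "$2") || { echo "no-config"; return 1; }
  vf=$(vault_file_of "$cfg")
  if [ -z "$vf" ]; then echo "no-vault-setting cfg=$cfg"; return 1; fi
  if [ ! -r "$vf" ]; then echo "unreadable cfg=$cfg vault=$vf"; return 1; fi
  # Characters 8-10 of the ls mode string are the permissions for "other".
  other=$(ls -ldL "$vf" | cut -c8-10)
  if [ "$other" != "---" ]; then echo "world-accessible cfg=$cfg vault=$vf"; return 1; fi
  echo "ok cfg=$cfg vault=$vf"
}

# Constructed tree (temporary paths, hypothetical contents) mirroring the report.
demo() {
  t=$(mktemp -d) || return 1
  mkdir -p "$t/home" "$t/etc/ansible" "$t/etc/foreman-proxy"
  printf 'constructed\n' > "$t/vault_pw" && chmod 600 "$t/vault_pw"
  printf '[defaults]\nvault_password_file = %s\n' "$t/vault_pw" > "$t/etc/ansible/ansible.cfg"
  ln -s "$t/etc/foreman-proxy/ansible.cfg" "$t/home/.ansible.cfg"
  audit_vault "$t/home" "$t/etc/ansible/ansible.cfg" || true   # dangling link: ok
  printf '[defaults]\nhost_key_checking = False\n' > "$t/etc/foreman-proxy/ansible.cfg"
  audit_vault "$t/home" "$t/etc/ansible/ansible.cfg" || true   # link target exists: shadowed
  rm -rf "$t"
}
demo
```

On a real host the call would be `audit_vault /usr/share/foreman-proxy /etc/ansible/ansible.cfg`, run as the foreman-proxy user so that the readability tests reflect that account's access.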

Comment 3 Brad Buckingham 2023-02-23 15:34:57 UTC
Despite mention of Regression, is this a supported scenario with Ansible Vault?  ref : bug 2007388

Comment 4 Adam Ruzicka 2023-02-23 16:13:11 UTC
If I recall correctly, we don't mention it anywhere in the documentation, but we have a KCS[1] describing how to set it up. Considering up until 6.13, people could make changes described in the KCS themselves, but the installer would undo them, I would say it is not officially supported yet.

[1] - https://access.redhat.com/solutions/4088231

Comment 7 nalfassi 2023-05-01 15:45:33 UTC
I have verified that this BZ is no longer occurring on two Sat-6.13 machines (snap 14 and 18) after implementing the solution recommended in this article: https://access.redhat.com/solutions/4088231. 
To apply the solution, I used the appropriate Ansible configuration files "/etc/foreman-proxy/ansible.cfg" for Sat-6.13 and "/etc/ansible/ansible.cfg" for Sat-6.13 snap 18. 
The changes made to these files are persistent, as indicated in this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1786358#c16. 
Consequently, I am closing this BZ since the problem is not reproducible anymore. If there is anything I have missed, please let me know, or you can reopen the case.